NetStumbler.org Forums

Old 10-21-2004   #181 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by G8tK33per
I get "page unavailable".
Well. Shit happens
devine is offline  
Old 10-21-2004   #182 (permalink)
G8tK33per
Asshole Emeritus
 
 
Join Date: May 2003
Location: S.E. VA.
Posts: 5,939
Quote:
Originally Posted by devine
Well. Shit happens
gee, thanks...I'll say that the next time a bunch of unrelated shit mysteriously finds its way into this thread.
__________________
"Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick."

Sons of Confederate Veterans
G8tK33per is offline  
Old 10-21-2004   #183 (permalink)
Clyde Vargus2
Registered Member
 
Join Date: Sep 2004
Posts: 28
Sorry, another noob question.

How do I make Aircrack 2.1 work?

I went to a friend's house, who has 4 PC's all on a wireless network. We had previously found his network with his XP laptop and an orinoco gold classic card and netstumbler. He has good reception in his house, and in most of his yard. Doesn't reach all the way into his back yard, which is a couple acres big with trees and a big garage.

Anyhow, I called and told him about this Aircrack 2.1 thing, which I thought would be good for setting up and testing his WEP encryption (linksys wireless AP and DSL). So we downloaded 2.1 on his laptop, and read everything we could find, and turned it on...

And we can't get it to do anything.

We entered his MAC address in the 00:00:00:00:00:00 format, based on the numbers and letters that Netstumbler gave us.

When we click on the desktop shortcut to aircrack, all the screen shows is the regular list, with #'s 5,4,3,2,1 and 0.

Here's our problems with each option:

5 - debug key - what the hell is that?
4 - fudge factor - we tried 2 and 0. Nothing happened.
3 - MAC address - the one thing we think we did right. Got it from netstumbler, but nothing else happens.
2 - WEP key length - we left it at 128 bits
1 - read IV's from a pcap file - don't you have to SCAN for IV's and get some to get a pcap file going? WTF?
0 - start cracking - It says "not enough IV's". Well, how the hell do we even know if it's scanning? There's no chart or screen that pops up and shows how many have been scanned, so we have no way of knowing if it's even scanning at all!

We had his kids and wife on 3 of the 4 computers in the house doing internet stuff, so there definitely was traffic to scan.

So my basic questions are, how do we make aircrack do ANYTHING and see the progress as it scans? Then how do we make a pcap file and use it? And, how do we do pretty much everything else to try and crack test his WEP encryption?

The files that come with aircrack tell you what it does, but it doesn't say HOW to make it do anything.

I shall put on my fireproof suit now. Blast away (but answer the questions in the process).
Clyde Vargus2 is offline  
Old 10-21-2004   #184 (permalink)
_watcher
Registered Member
 
Join Date: Oct 2004
Posts: 6
Quote:
Originally Posted by devine
Are you generating traffic? (ping flood, file transfers, etc.) When using another program (Kismet for example), does the same behaviour also occur?
There is plenty of traffic moving.. I get about 1K packets in about 2 minutes. I usually get 15 IV's in the first minute running it in XP/2000. But like I said.. it stops collecting randomly before it hits 1000 IV Packets. (Same thing happened on my Linksys Dual Band a/b/g).

I leave the thing running all night.. over 650K packets go through but it just stops like I said randomly before it hits 1K IV Packets.

Linux.. I can't get it to save any running it all night.
Airsnort does the same thing. What do you think the problem could be man?

I really like yah program.. just wish it wouldn't stop!

My card isn't Orinoco.. it's an Atheros. Does that matter?
_watcher is offline  
Old 10-22-2004   #185 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by Clyde Vargus2
Well, how the hell do we even know if it's scanning?

There's a program called airodump which you should use for the purpose of collecting IVs. Then you have a huge .cap file you feed to aircrack.

Quote:
Originally Posted by Clyde Vargus2
There's no chart or screen that pops up and shows how many have been scanned, so we have no way of knowing if it's even scanning at all!

Right, and there's no "click here to break your neighbour's WEP key" button too. Definitely not on my TODO list.
devine is offline  
Old 10-22-2004   #186 (permalink)
Clyde Vargus2
Registered Member
 
Join Date: Sep 2004
Posts: 28

I don't need to get into his AP, I have my own high speed cable modem at home that I pay $60 a month for. We want to do this purely for testing purposes and security setup. To see if we can find a security code / password that takes a lot longer to break than others.

So now I have to get airodump, and then somehow feed that file to aircrack... This is quickly becoming more trouble than it's worth.

And why is there no instruction manual? Is a first timer supposed to GUESS his way through all this until it works?
Clyde Vargus2 is offline  
Old 10-22-2004   #187 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by Clyde Vargus2
I don't need to get into his AP, I have my own high speed cable modem at home that I pay $60 a month for. We want to do this purely for testing purposes and security setup. To see if we can find a security code / password that takes a lot longer to break than others.

So now I have to get airodump, and then somehow feed that file to aircrack... This is quickly becoming more trouble than it's worth.

And why is there no instruction manual? Is a first timer supposed to GUESS his way through all this until it works?
Yeah, it's more trouble than it's worth. You probably shouldn't bother, since your time could be used for more valuable efforts.

-Josh
__________________
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

Today I stumbled across the world's largest hotspot. The SSID is "linksys".


Check out the SANS advanced wireless auditing and assessment course:
Los Angeles
joswr1ght is offline  
Old 10-22-2004   #188 (permalink)
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,127
Quote:
Originally Posted by Clyde Vargus2
I don't need to get into his AP, I have my own high speed cable modem at home that I pay $60 a month for. We want to do this purely for testing purposes and security setup. To see if we can find a security code / password that takes a lot longer to break than others.

So now I have to get airodump, and then somehow feed that file to aircrack... This is quickly becoming more trouble than it's worth.

And why is there no instruction manual? Is a first timer supposed to GUESS his way through all this until it works?
Then you are going about it the wrong way. You need to work from the other end. Anyway without changing the key length I really doubt you will find a key that offers a marked improvement in protection.
wrzwaldo is offline  
Old 10-30-2004   #189 (permalink)
mcirsta
Registered Member
 
Join Date: Oct 2004
Posts: 1
Quote:
Originally Posted by Clyde Vargus2
I don't need to get into his AP, I have my own high speed cable modem at home that I pay $60 a month for. We want to do this purely for testing purposes and security setup. To see if we can find a security code / password that takes a lot longer to break than others.
Well, all you need is security; go for WPA encryption + RADIUS server authentication. That should be pretty secure, right? For now, that is....
mcirsta is offline  
Old 11-01-2004   #190 (permalink)
cvk_
Registered Member
 
Join Date: Nov 2004
Posts: 6
aircrack and tcpdump

I'm interested in using aircrack on NetBSD (2.0rc4) with tcpdump. I'm using:

Code:
# ifconfig wi0 ssid mywifinetworkname
# tcpdump -i wi0 -ne -w dump.pcap

I thought the output from tcpdump would be sufficient input for aircrack (tcpdump definitely captures all the traffic), but aircrack complains:

Code:
unsupported pcap header linktype 1
are you sure this is a 802.11 capture ?

...so I added -y IEEE802_11 to the tcpdump options. That allows aircrack to process tcpdump's output, but after I run it I get:

Code:
bash-2.05# ./aircrack -f 1 -n 128 -m (my AP's MAC) home.pcap
Opening pcap file home.pcap
Reading packets: total = 488502, usable = 0
Not enough IVs, exiting.

I generated the packets with 'ping -f (AP's IP)' from a laptop connected to my AP with the correct 128-bit key and captured the tcpdump output using a third machine with a PRISM-2.5-based card configured as specified above.

Any idea what I'm doing wrong and how I can use tcpdump output with aircrack? (Unfortunately, airosniff isn't an option for NetBSD ATM.)

Thanks for any advice.

Last edited by cvk_ : 11-01-2004 at 10:56 PM.
cvk_ is offline  
Old 11-02-2004   #191 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by cvk_
unsupported pcap header linktype 1
FYI, linktype 1 == Ethernet. This usually happens because the card wasn't put in Monitor mode. I've no idea how you could do this on NetBSD. Also, could you send me a sample of the captured cap file?
devine is offline  
Old 11-02-2004   #192 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by cvk_
I'm interested in using aircrack on NetBSD (2.0rc4) with tcpdump. I'm using:

# ifconfig wi0 ssid mywifinetworkname
# tcpdump -i wi0 -ne -w dump.pcap

I thought the output from tcpdump would be sufficient input for aircrack (tcpdump definitely captures all the traffic), but aircrack complains:

unsupported pcap header linktype 1
are you sure this is a 802.11 capture ?

...so I added -y IEEE802_11 to the tcpdump options.
Adding -y to the tcpdump options just changes the datalink type - it does not actually capture traffic in DLT_IEEE802_11 mode, it just sets the datalink type to this value.

You need to place your wireless card in RFMON mode and initiate the ping flood from a second station. Sorry, I'm not sure how to do this as I don't use FreeBSD (check "man wi").

-Josh
joswr1ght is offline  
Old 11-02-2004   #193 (permalink)
cvk_
Registered Member
 
Join Date: Nov 2004
Posts: 6
tcpdump, monitor mode in NetBSD

Actually, it is in monitor mode. In NetBSD you can use:

Code:
ifconfig wi0 mediaopt monitor
...for an 802.11 device. My ifconfig output looks like this for wi0:

Code:
bash-2.05# ifconfig wi0
wi0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        ssid ""
        powersave off
        chan 11
        address: (my MAC here)
        media: IEEE802.11 autoselect monitor (DS2 monitor)
        status: active
One thing that's weird is that if I don't use -y IEEE802_11 with tcpdump, I don't get any output at all. If I do use -y, I get all the output I would expect.

devine, I sent you a 1000-packet pcap via PM. Thanks for offering to have a look at it!
cvk_ is offline  
Old 11-02-2004   #194 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Code:
tcpdump -s 0 -i wi0 -en -y IEEE802_11 -w /home/cvk/home.pcap -c 1000

After looking at your pcap file, I can confirm it is indeed a 802.11 capture. There are some frames that look like WEP data packets, but the WEP flag isn't set in the header, so aircrack skips those packets.

More precisely, 802.11 WEP data packets begin with [08 42 ...] (type=data from_ds=1 to_ds=0 wep=on) or [08 41 ...] (same but from_ds=1 to_ds=0) whereas your packets begin with [08 02 ...] (type=data from_ds=1 to_ds=0 wep=off).

You can modify aircrack.c to ignore the WEP flag check; simply uncomment line 214:

Code:
/* if( ( h80211[1] & 0x40 ) != 0x40 ) continue; */

post-edit: typo corrected

Last edited by devine : 11-02-2004 at 09:10 AM.
devine is offline  
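As an added example (not code from this thread or from aircrack itself), the Python below applies the two checks discussed in this exchange to a pcap file: the global-header linktype (1 = Ethernet, which is what a non-monitor-mode capture or a bare tcpdump -y relabel can leave you with, versus 105 = DLT_IEEE802_11) and the frame-control WEP bit (0x40 in the second byte) that decides whether a data frame is counted as usable. The sample captures are constructed inline; the frame layouts and values are illustrative, not real traffic.

```python
import struct

DLT_EN10MB = 1        # linktype 1: plain Ethernet, what the first tcpdump run produced
DLT_IEEE802_11 = 105  # raw 802.11 frames, what aircrack expects

def pcap_frames(data):
    """Yield (linktype, frame) from a little-endian pcap file held in memory."""
    magic, _, _, _, _, _, linktype = struct.unpack('<IHHiIII', data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError('not a little-endian pcap file')
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack('<IIII', data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl]
        off += incl

def frame_control(frame):
    """Decode the two frame-control bytes devine describes ([08 42] etc.)."""
    fc0, fc1 = frame[0], frame[1]
    return {'type': (fc0 >> 2) & 0x3,       # 0 mgmt, 1 ctrl, 2 data
            'to_ds': bool(fc1 & 0x01), 'from_ds': bool(fc1 & 0x02),
            'wep': bool(fc1 & 0x40)}        # the bit aircrack's line-214 check tests

def count_usable(data):
    """Mimic aircrack's 'total = N, usable = M' report and count distinct IVs."""
    linktype, total, usable, ivs = None, 0, 0, set()
    for linktype, frame in pcap_frames(data):
        total += 1
        if linktype != DLT_IEEE802_11 or len(frame) < 28:
            continue  # Ethernet frames (or runts) carry no 802.11 header at all
        fc = frame_control(frame)
        if fc['type'] == 2 and fc['wep']:
            usable += 1
            ivs.add(frame[24:27])  # 3-byte IV follows the 24-byte data header
    return linktype, total, usable, len(ivs)

def _pcap(linktype, frames):  # constructed sample capture, not a real one
    hdr = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

REST = b'\x00' * 22                       # duration, three addresses, sequence control
WEP_A = b'\x08\x42' + REST + b'\x01\x02\x03\x00' + b'\xaa' * 8   # data, from_ds, wep on
WEP_B = b'\x08\x42' + REST + b'\x0a\x0b\x0c\x00' + b'\xbb' * 8
PLAIN = b'\x08\x02' + REST + b'\x45\x00' + b'\xcc' * 10          # data, from_ds, wep off (cvk_'s case)
BEACON = b'\x80\x00' + REST + b'\x00' * 12                        # management frame, ignored
ETHER = bytes(range(12)) + b'\x08\x00' + b'\x45' * 30             # Ethernet frame under linktype 1

SAMPLE_80211 = _pcap(DLT_IEEE802_11, [WEP_A, PLAIN, BEACON, WEP_B, WEP_A])
SAMPLE_ETHER = _pcap(DLT_EN10MB, [ETHER, ETHER])
```

Running count_usable on a real capture that reports usable = 0 with linktype 105 points at the WEP bit being clear in the data frames, which is exactly the situation devine found in cvk_'s file.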
Old 11-02-2004   #195 (permalink)
cvk_
Registered Member
 
Join Date: Nov 2004
Posts: 6
The proposed change to aircrack.c worked

It worked! Thanks, devine!

The change you proposed allowed it to process my file. I'm running aircrack on a Cobalt Qube 2 (250MHz QED MIPS processor, NetBSD 2.0rc4), so I'm only getting about 70 keys/minute with ~470k unique IV's, but that's pretty fast for such a tiny processor! I'm going to try it on my Alpha PWS500a workstation and my desktop (Athlon XP @ 2.4 GHz) which are also running NetBSD to see what kind of performance difference I find. It should be pretty big!

Do you think aircrack should have an option like '-w: disable WEP flag check' for compatibility purposes?

I haven't used aircrack much, but I already love it. Thanks.

Last edited by cvk_ : 11-02-2004 at 10:31 AM.
cvk_ is offline  