#198

Registered Member
Join Date: Nov 2004
Posts: 6

Using aircrack
If you're running Linux or Windows, these instructions work:
http://www.cr0.net:8040/code/network/aircrack/
If you're running some other Unix-ish OS, it's not too hard to get it working, especially if you post problems here. I'm using aircrack with pcaps from tcpdump on NetBSD/cobalt and NetBSD/i386. I get compile errors on NetBSD/alpha that I haven't looked into yet.
If you're running NetBSD-2.0_RC4 or later, there's support for monitor mode on wi devices. Just use this to get your adapter into monitor mode:
    # ifconfig wi0 chan 6    (or whatever channel you want to monitor)
    # ifconfig wi0 mediaopt monitor
...then use tcpdump with normal options and -y IEEE802_11. Finally, for this setup aircrack-2.1 requires commenting out line 214 as described previously in this thread.

#199

Member at large
Join Date: Aug 2004
Posts: 121

new version?
I have been using/testing the current Linux and Windows version with some success. Will there be a new version soon?
Particularly, can the wlan-ng drivers be patched to use aireplay? If you need someone to test, let me know.
g

#200

Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote: I have been using/testing the current Linux and Windows version with some success. Will there be a new version soon?
Hopefully yes.
Quote: Particularly, can the wlan-ng drivers be patched to use aireplay?
I intend to add support for both (patched) hostap and wlan-ng in aireplay 2.2.

#201

Registered Member
Join Date: Nov 2004
Posts: 1

Guys, I have 3 basic questions regarding aircrack.
1) Last night I was running 'airodump eth1', and on 1 wireless network (my own) I had like 250k weak IVs, and another wireless network visible from my wireless card had like 20 weak IVs. Now overnight, my Linux machine crashed for some reason (I suspect low on hdd space). Now today, I see that the test.cap file is 80 MB. So I try to run 'aircrack test.cap' and it reports 4302 unique IVs, far less than what I saw last night while airodump was working. My point is, is aircrack trying to crack the other SSID (not my own) from the pcap file? Is there any way to specify which SSID to crack from the pcap file? Am I doing anything wrong in what I described?
2) Any way to resume saving to the same pcap file when running airodump?
3) Can I run aireplay and airodump on the same machine? I'd like to create traffic with aireplay, and capture those weak IVs with airodump on the same machine using the same wireless card. Possible?
Thanks guys, learned a lot from this forum.

#202

Registered Member
Join Date: Jan 2004
Posts: 2

1) You can filter the originating MAC address with the -m option followed by the MAC address.
2) I think if you just start capturing again and then join the files together, it will work just fine.
3) No, it's not possible with the same interface. If it's in monitor mode, it's not capable of sending data.

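Posts #201 and #202 turn on what an "unique IVs" figure actually counts, which network it belongs to, and whether two interrupted captures can be joined. The script below is an added illustration, not code from this thread or from aircrack: it reads raw-802.11 pcaps of the kind tcpdump -y IEEE802_11 writes, counts the distinct WEP IVs each BSSID has already put on the air, merges several capture files, and can restrict the count to one BSSID (loosely what the -m filter does). The MAC addresses and frames are constructed test data; the owner of a WEP network can run the same functions over their own capture to see how much IV reuse their AP has leaked.

```python
import struct

LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames, as tcpdump -y IEEE802_11 writes them

def parse_pcap(data):
    """Yield each frame in a classic pcap buffer (either byte order)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (linktype 105)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def wep_iv(frame):
    """(bssid, iv_hex) for a WEP-protected data frame, None for anything else."""
    if len(frame) < 28 or (frame[0] & 0x0C) != 0x08 or not (frame[1] & 0x40):
        return None                                   # not data, or Protected bit clear
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if to_ds and from_ds:
        return None                                   # 4-address WDS frame: skip
    addr = lambda i: frame[4 + 6 * i:10 + 6 * i].hex(":")
    bssid = addr(0) if to_ds else addr(1) if from_ds else addr(2)
    hdr = 26 if frame[0] & 0x80 else 24               # QoS-data subtypes carry 2 extra bytes
    return bssid, frame[hdr:hdr + 3].hex()            # IV exactly as transmitted (3 bytes)

def unique_ivs(*captures, bssid=None):
    """Distinct WEP IVs per BSSID across merged captures; bssid narrows to one network."""
    seen = {}
    for cap in captures:
        for hit in filter(None, map(wep_iv, parse_pcap(cap))):
            if bssid is None or hit[0] == bssid:
                seen.setdefault(hit[0], set()).add(hit[1])
    return {b: len(ivs) for b, ivs in seen.items()}

def wep_frame(bssid, sta, iv, from_ds=True):        # constructed test frame, not real traffic
    fc = bytes([0x08, 0x40 | (0x02 if from_ds else 0x01)])
    a1, a2 = (sta, bssid) if from_ds else (bssid, sta)
    return fc + b"\0\0" + a1 + a2 + sta + b"\0\0" + iv + b"\0" + b"\xaa" * 8

def build_pcap(frames):                              # little-endian pcap, linktype 105
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

MY_AP, OTHER, STA = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "0a0b0c0d0e0f"))
# Constructed captures: MY_AP repeats IV 000002 (5 distinct over both files), OTHER has 2.
CAP1 = build_pcap([wep_frame(MY_AP, STA, bytes([0, 0, i])) for i in (0, 1, 2, 2)])
CAP2 = build_pcap([wep_frame(MY_AP, STA, bytes([0, 0, i]), False) for i in (3, 4)]
                  + [wep_frame(OTHER, STA, bytes([0, 1, i])) for i in (0, 1)])
```

Calling unique_ivs(CAP1, CAP2) merges the two constructed captures and reports 5 distinct IVs for MY_AP and 2 for OTHER; passing bssid="00:11:22:33:44:55" drops the neighbour from the report.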
#203

Registered Member
Join Date: Jul 2004
Posts: 13

Best (Linux) Setup for Aircrack
Here is what I have used numerous times in the last 3 months for my wireless assessments.
1) Some flavor of Linux (RedHat 7/8 or YellowDogLinux for PPC seems to work best)
2) Two wireless adapters: 1 PCMCIA (Prism based), 1 USB (Prism based)
3) Patched hostap drivers for the PCMCIA wireless card
4) wlan-ng Linux drivers for the USB dongle only; you must disable PCMCIA support when compiling and installing this driver or the driver will conflict with the hostap driver!!!! RPM install won't work in this case.
I use the PCMCIA card with the hostap drivers for the replay attack and the USB adapter for capturing the data. I have been using Kismet together with its MAC address filtering capabilities to capture only the traffic from the target AP. I can capture enough packets in about an hour to crack any 128-bit WEP key, assuming I have captured a valid ARP packet to replay.

#204

Registered Member
Join Date: Nov 2004
Posts: 6

What kind of USB adapter?
Kronk, what company made your USB adapter? I've been looking for a good Prism-based USB adapter, but it's really hard to find out which adapters have the Prism chipset.
Do you know which version of the Prism chipset it uses?

#205

Registered Member
Join Date: Jul 2004
Posts: 13

I have used both a Linksys WUSB12 and D-Link DWL-122 USB adapter. They are Prism based, but I don't know if they are v2.5 or v3. The D-Link seems to work the best and I usually capture about 700 packets/second using Kismet during a replay attack.

#206

Registered Member
Join Date: Oct 2004
Posts: 2

Aircrack to break WEP
Hi,
I would like to know how many packets I need to capture to crack a 40-bit WEP key (say 12345abcdef, with numbers and alphabets). How long does Aircrack normally take to break the WEP key with the captured packets? I have succeeded in breaking a key with just numbers (0123456789). I only needed 400000 packets to break in with Aircrack, and Aircrack took just 1 second to break it! I understand this may be because it is an easy key. Actually, what does Aircrack depend on to break the WEP key? The IVs or the number of packets?
Thank you
Frankie

#207

Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote: I would like to know how many packets I need to capture to crack a 40-bit WEP key
For 40-bit WEP, it usually takes between 100000-200000 packets, provided you have increased the fudge factor to 4.
Quote: I understand this may be because it is an easy key.
Actually there doesn't seem to be "easy keys". During my tests, whatever the key, it takes roughly the same amount of IVs to break it. Depending on the way the IVs are generated you usually need between 500k and a million IVs (for 104-bit WEP). As a rule of thumb, IVs closer to 0x000000 are 2x more useful for the attack than IVs close to 0xffffff (IVs that leak key bytes are more "dense" near 0). IVs incremented in a little-endian manner are also a bit more efficient than IVs incremented in a big-endian manner. Anyway, when you reach the 2M IVs limit your chances of cracking the key in less than 30s are near 99%; lack of success may indicate the WLAN uses some sort of temporary key exchange, like 802.1X.
Last edited by devine : 11-12-2004 at 06:17 AM. Reason: typo

#209

Member at large
Join Date: Aug 2004
Posts: 121

Quote:
Thanks
g

#210

Registered Member
Join Date: Jul 2004
Posts: 13

Disabling PCMCIA support in the wlan-ng drivers is done during compile setup. You need to answer "n" when the setup script prompts you to build support for PCMCIA devices and "y" when prompted to build support for USB devices.