Tuesday, 17 June 2008

How to Aircrack-ng 0.9.3 / 1.0 RC1

Aircrack-ng is a set of tools for auditing wireless networks:

· airodump: 802.11 packet capture program
· aireplay: 802.11 packet injection program
· aircrack: static WEP and WPA-PSK key cracker
· airdecap: decrypts WEP/WPA capture files

Aircrack-ng is the next generation of aircrack with lots of new features.

How do I crack a static WEP key?

The basic idea is to capture as much encrypted traffic as possible using
airodump. Each WEP data packet has an associated 3-byte Initialization
Vector (IV): after a sufficient number of data packets have been collected,
run aircrack on the resulting capture file. aircrack will then perform a
set of statistical attacks developed by a talented hacker named KoreK.

How do I know my WEP key is correct?

There are two authentication modes for WEP:

Open-System Authentication: this is the default mode. All clients
are accepted by the AP, and the key is never checked: association
is always granted. However, if your key is incorrect you won't be able to
receive or send packets (because decryption will fail), so DHCP, ping, etc.
will time out.

Shared-Key Authentication: the client has to encrypt a challenge before
association is granted by the AP. This mode is flawed and leads to
keystream recovery, so it's never enabled by default.

In summary, just because you seem to have successfully connected
to the access point doesn't mean your WEP key is correct! To check
your WEP key, try to decrypt a capture file with the airdecap program.

How many IVs are required to crack WEP?

WEP cracking is not an exact science. The number of required IVs
depends on the WEP key length, and it also depends on your luck.
Usually, 40-bit WEP can be cracked with 300,000 IVs, and 104-bit
WEP can be cracked with 1,000,000 IVs; if you're out of luck you may
need two million IVs, or more.

There's no way to know the WEP key length: this information is kept
hidden and never announced, either in management or data packets;
as a consequence, airodump cannot report the WEP key length. Thus,
it is recommended to run aircrack twice: when you have 250,000 IVs,
start aircrack with "-n 64" to crack 40-bit WEP. Then, if the key
isn't found, restart aircrack (without the -n option) to crack 104-bit WEP.
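To make concrete what "collected IVs" means in the two sections above, here is an added Python illustration (not part of the original post, and not Aircrack-ng's own code) that pulls the 3-byte IV out of each WEP-protected 802.11 data frame and tallies distinct IVs per BSSID, which is the number that matters rather than the raw frame count. The frame layout follows the 802.11 header format; the sample frames and the BSSID 00:11:22:33:44:55 are constructed here, not captured.

```python
from collections import defaultdict

# 802.11 Frame Control: byte 0 = version/type/subtype, byte 1 = flags.
FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40

def parse_wep_frame(frame):
    """Return (bssid, iv) for a protected 802.11 data frame, else None."""
    if len(frame) < 28:                      # 24-byte header + 3-byte IV + key index
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA or not fc1 & FLAG_PROTECTED:
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    ds = fc1 & (FLAG_TO_DS | FLAG_FROM_DS)   # which address field holds the BSSID
    bssid = {0: a3, FLAG_TO_DS: a1, FLAG_FROM_DS: a2}.get(ds)
    if bssid is None:
        return None                          # WDS frame (4 addresses): skip
    hdr_len = 26 if (fc0 >> 4) & 0x8 else 24  # QoS data adds a 2-byte QoS field
    if len(frame) < hdr_len + 4:
        return None
    return bssid.hex(':'), frame[hdr_len:hdr_len + 3]

def count_unique_ivs(frames):
    """bssid -> (protected data frames seen, distinct IVs seen)."""
    ivs, total = defaultdict(set), defaultdict(int)
    for f in frames:
        parsed = parse_wep_frame(f)
        if parsed is None:
            continue
        bssid, iv = parsed
        total[bssid] += 1
        ivs[bssid].add(iv)
    return {b: (total[b], len(ivs[b])) for b in total}

def make_frame(bssid, iv, qos=False, protected=True):
    """Constructed sample frame (not a real capture): FromDS data frame, IV + key index, dummy body."""
    fc0 = 0x88 if qos else 0x08              # QoS Data or plain Data subtype
    fc1 = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    hdr = bytes([fc0, fc1, 0, 0]) + b'\x00' * 6 + bssid + b'\x00' * 6 + b'\x00\x00'
    if qos:
        hdr += b'\x00\x00'
    return hdr + iv + b'\x00' + b'\xaa' * 8

# Constructed sample traffic: 10 frames reusing only 4 IVs, one QoS frame, one unencrypted frame.
BSSID = bytes.fromhex('001122334455')
SAMPLE = [make_frame(BSSID, bytes([i % 4, 0x10, 0x20])) for i in range(10)]
SAMPLE += [make_frame(BSSID, b'\x07\x10\x20', qos=True), make_frame(BSSID, b'\x09\x10\x20', protected=False)]
```

Running count_unique_ivs(SAMPLE) reports 11 protected frames but only 5 distinct IVs for the constructed BSSID, which is why a capture with many frames can still be far from the IV counts quoted above.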

What's New in 0.9.3 Stable Release:

· This release fixes endianness issues in airodump-ng and aireplay-ng.
· There are several small bugfixes.
· The rtl8187 patch has been updated.

Download Aircrack-ng

