aircrack-ng
Differences
This shows you the differences between two versions of the page.
aircrack-ng [2010/01/02 22:05] – darkaudax | aircrack-ng [2018/07/11 21:53] – Fixed displaying page mister_x | ||
Line 24: | Line 24: | ||
==== How does it work? ==== | ==== How does it work? ==== | ||
- | The first method is the PTW method (Pyshkin, Tews, Weinmann). The PTW method is fully described in the paper found on [[http:// | + | The first method is the PTW method (Pychkine, Tews, Weinmann). The PTW method is fully described in the paper found on [[http:// |
The second method is the FMS/Korek method which incorporates multiple techniques. | The second method is the FMS/Korek method which incorporates multiple techniques. | ||
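Review bot: the only change in this hunk is the transliteration of the first PTW author's surname, Pyshkin to Pychkine; the paper link that would settle it is cut off in this rendering, so confirm the spelling against the byline of the linked paper before keeping the change. The FMS/Korek line is unchanged.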
Line 87: | Line 87: | ||
You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. | You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. | ||
- | Here's a summary of all available | + | === Options === |
+ | == Common | ||
^Option^Param.^Description^ | ^Option^Param.^Description^ | ||
- | |-a|amode|Force attack mode (1 = static WEP, 2 = WPA/ | + | |-a|amode|Force attack mode (1 = static WEP, 2 = WPA/ |
- | |-b|bssid|Long version --bssid. Select the target network based on the access point' | + | |-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/ |
- | |-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/ | + | |-b|bssid|Long version -'''' |
- | |-p|nbcpu|On SMP systems: # of CPU to use. This option is invalid on non-SMP systems.| | + | |-p|nbcpu|On SMP systems: # of CPU to use. This option is invalid on non-SMP systems| |
- | |-q|// | + | |-q|// |
- | |-c|//none//|(WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).| | + | |-C|MACs|Long version -'''' |
- | |-t|// | + | |-l|file name|(Lowercase L, ell) logs the key to the file specified. |
- | |-h|// | + | |
- | |-d|start|(WEP cracking) | + | |
- | |-m|maddr|(WEP cracking) MAC address to filter WEP data packets. Alternatively, | + | |
- | |-M|number|(WEP cracking) Sets the maximum number of ivs to use.| | + | |
- | |-n|nbits|(WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.| | + | |
- | |-i|index|(WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.| | + | |
- | |-f|fudge|(WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.| | + | |
- | |-H|// | + | |
- | |-l|file name|(Lowercase L, ell) logs the key to the file specified.| | + | |
- | |-K|// | + | |
- | |-k|korek|(WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.| | + | |
- | |-p|threads|Allow the number of threads for cracking even if you have a non-SMP computer.| | + | |
- | |-r|database|Utilizes a database generated by airolib-ng as input to determine the WEP key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.| | + | |
- | |-x/ | + | |
- | |-x1|// | + | |
- | |-x2|// | + | |
- | |-X|// | + | |
- | |-y|// | + | |
- | |-u|// | + | |
- | |-w|words|(WPA cracking) Path to a wordlist or " | + | |
- | |-z|// | + | |
- | |-P|// | + | |
- | |-C|MACs|Long version --combine. | + | |
- | |-D|// | + | |
- | |-V|// | + | |
- | |-1|// | + | |
+ | == Static WEP cracking options == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-c|// | ||
+ | |-t|// | ||
+ | |-h|// | ||
+ | |-d|start|Long version --debug. | ||
+ | |-m|maddr|MAC address to filter WEP data packets. Alternatively, | ||
+ | |-n|nbits|Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128| | ||
+ | |-i|index|Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index| | ||
+ | |-f|fudge|By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success| | ||
+ | |-k|korek|There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively| | ||
+ | |-x/ | ||
+ | |-x1|// | ||
+ | |-x2|// | ||
+ | |-X|// | ||
+ | |-s|// | ||
+ | |-y|// | ||
+ | |-z|// | ||
+ | |-P|number|Long version -'''' | ||
+ | |-K|// | ||
+ | |-D|// | ||
+ | |-1|// | ||
+ | |-M|number|(WEP cracking) Specify the maximum number of IVs to use| | ||
+ | |-V|// | ||
+ | |||
+ | == WEP and WPA-PSK cracking options == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-w|words|Path to a wordlists or " | ||
+ | |-N|file|Create a new cracking session and save it to the specified file| | ||
+ | |-R|file|Restore cracking session from the specified file| | ||
+ | |||
+ | == WPA-PSK options == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-E|file> | ||
+ | |-j|file|Create Hashcat v3.6+ Capture file (HCCAPX)| | ||
+ | |-J|file|Create Hashcat Capture file| | ||
+ | |-S|// | ||
+ | |-Z|sec|WPA cracking speed test execution length in seconds| | ||
+ | |-r|database|Utilizes a database generated by [[airolib-ng]] as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support| | ||
+ | |||
+ | == SIMD Selection == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |--simd|optimization|Use user-specified SIMD optimization instead of the fastest one| | ||
+ | |--simd-list|// | ||
+ | |||
+ | == Other options == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-H|// | ||
+ | |-u|// | ||
===== Usage Examples ===== | ===== Usage Examples ===== | ||
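Review bot: two rows in the rewritten options tables need attention: the -E row reads `|-E|file>` with a stray `>` where the parameter cell should be `file`, and the -M row under "Static WEP cracking options" still carries the "(WEP cracking)" prefix that every other row in that table dropped. The reorganisation itself is an improvement: the old table listed -p twice with conflicting descriptions (nbcpu versus threads) and described the -r airolib-ng database as a source for the WEP key, while the new version keeps one -p row and correctly ties -r to WPA. One open question is the surviving -p text, which still says the option is invalid on non-SMP systems while the dropped row said the thread count can be forced on a non-SMP machine; state which is current. The long option names in the -b, -C and -P rows render as `-''''`, so the reader cannot see which long form is meant; write them out.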
Line 218: | Line 247: | ||
Probability: | Probability: | ||
- | Lets look at a PTW attack example. | + | Lets look at a PTW attack example. |
Enter the following command: | Enter the following command: | ||
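Review bot: "Lets" should be "Let's" on both sides of this hunk; the actual change to the line is not visible in this rendering, so it cannot be reviewed further here.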
Line 225: | Line 254: | ||
Where: | Where: | ||
- | * -z means use the PTW methodology to crack the wep key. | + | * -z means use the PTW methodology to crack the wep key. //Note:// in v1.x, this is the default attack mode; use -K to revert to Korek. |
* ptw*.cap are the capture files to use. | * ptw*.cap are the capture files to use. | ||
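Review bot: the added note ("in v1.x, this is the default attack mode; use -K to revert to Korek") agrees with the new options tables, but "wep" should be "WEP" as elsewhere on the page, and since -z is now the default the -z in the example command is redundant; one sentence saying the flag is kept for readers on 0.9.x would avoid the question.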
Line 300: | Line 329: | ||
Now you have the passphrase and can connect to the network. | Now you have the passphrase and can connect to the network. | ||
+ | |||
+ | === SIMD === | ||
+ | |||
+ | Aircrack-ng is compiled with multiple optimizations based on CPU features we call crypto engines. CPU features are different based on the type of CPU. | ||
+ | |||
+ | On x86 (and 64 bit), typically SSE2, AVX and AVX2 are available (AVX512 can be compiled in but it should only be done if the current CPU supports it). On ARM, neon and ASIMD are usually available and on PowerPC, ASIMD and altivec. A generic optimization is always available no matter what architecture it is compiled on or for. A limited set of optimizations may be available depending on the OS/ | ||
+ | |||
+ | When running aircrack-ng, | ||
+ | |||
+ | In order to override, the option -'''' | ||
+ | |||
+ | aircrack-ng --simd=avx wpa.cap -w password.lst | ||
+ | |||
+ | In order to list all the available SIMD optimization, | ||
+ | |||
+ | aircrack-ng --simd-list | ||
+ | |||
+ | will display "avx2 avx sse2 generic" | ||
+ | |||
+ | ==== Cracking session ==== | ||
+ | |||
+ | Cracking can sometimes take a very long time and it is sometimes necessary to turn off the computer or put it to sleep for a while. In order to handle this kind of situation, a new set of option has been created. | ||
+ | |||
+ | It will create and/or update a session file saving the current status of the cracking (every 10 minutes) as well as all the options used, wordlists and capture files used. Multiple wordlists can be used and it works with WEP and WPA. | ||
+ | |||
+ | aircrack-ng --new-session current.session -w password.lst, | ||
+ | |||
+ | In order to restore the session, use -'''' | ||
+ | |||
+ | aircrack-ng --restore-session current.session | ||
+ | |||
+ | It will keep updating // | ||
+ | |||
+ | Limitations: | ||
+ | * The wordlist must be files. For now, they cannot be //stdin// or [[airolib-ng]] databases | ||
+ | * Session has to be restored from the same directory as when first using -'''' | ||
+ | * No new options can be added when restoring session | ||
===== Usage Tips ===== | ===== Usage Tips ===== | ||
==== General approach to cracking WEP keys ==== | ==== General approach to cracking WEP keys ==== | ||
+ | |||
+ | //FIXME This needs updating for v1.x!// | ||
Clearly, the simplest approach is just to enter " | Clearly, the simplest approach is just to enter " | ||
- | If you are capturing arp request/ | + | If you are capturing arp request/ |
The overriding technique is capture as much data as possible. | The overriding technique is capture as much data as possible. | ||
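Review bot: in the SIMD paragraph, ASIMD is introduced as an ARM feature and then listed again for PowerPC alongside altivec; check whether the second mention is a copy error, since the engine list a reader gets from --simd-list is what they will compare against. Smaller points in the same hunk: "a new set of option has been created" should be "options", "The wordlist must be files" should be "wordlists", and the long option names in "the option -''''", "use -''''" and "when first using -''''" do not render even though the command lines below them show --simd, --restore-session and --new-session, so spell them out in plain text. The session section would also benefit from stating the consequences of its own rules explicitly: the file is written every 10 minutes, so progress since the last write is lost on an unclean shutdown, and because the restore must run from the same directory, moving the wordlists or capture files afterwards breaks it.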
Line 395: | Line 463: | ||
Although it is not part of aircrack-ng, | Although it is not part of aircrack-ng, | ||
- | | + | |
Line 407: | Line 475: | ||
* http:// | * http:// | ||
- | Another technique is to use Wireshark / tskark. You can mark packets then same them to a separate file. | + | Another technique is to use Wireshark / tshark. You can mark packets then same them to a separate file. |
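Review bot: "same them" is a typo for "save them" and survives on both sides; fix it alongside the tskark to tshark correction this hunk makes.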
Line 482: | Line 550: | ||
So just use -e "< | So just use -e "< | ||
- | |||
- | |||
- | You have successfully captured a handshake then when you run aircrack-ng, | ||
- | |||
- | | ||
- | Read 4 packets. | ||
- | |||
- | # | ||
- | 1 | ||
- | | ||
- | |||
- | An ESSID is required. Try option -e. | ||
- | |||
- | Solution: You need to specify the real essid, otherwise the key cannot be calculated, as the essid is used as salt when generating the pairwise master key (PMK) out of the pre-shared key (PSK). | ||
- | |||
- | So just use -e "< | ||
==== The PTW method does not work ==== | ==== The PTW method does not work ==== | ||
- | One particularly important constraint is that it only works against arp request/ | + | One particularly important constraint is that it only works against arp request/ |
- | + | ||
- | ==== Error message "fixed channel" | + | |
- | + | ||
- | Notice the message "fixed channel wlan0: 8" on the first line below on the right-hand side. It references channel 8 but the channel on the left says 9. | + | |
- | + | ||
- | | + | |
- | + | ||
- | BSSID PWR RXQ Beacons | + | |
- | + | ||
- | 00: | + | |
- | + | ||
- | BSSID STATION | + | |
- | + | ||
- | In the case where you start airodump-ng with a fixed channel (not channel hopping) and then you or some process changes the wireless channel, then this message appears. | + | |
- | + | ||
- | An example of starting airodump-ng on a fixed channel is as follows: | + | |
- | + | ||
- | | + | |
- | + | ||
- | To resolve this, first identify what changed the wireless channel. | + | |
- | + | ||
- | Once the problem has been resolved, reset the channel to the correct one and restart airodump-ng. | + | |
==== Error message " | ==== Error message " | ||
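Review bot: the removal in this hunk covers two different things. Dropping the duplicated "An ESSID is required" troubleshooting block, a verbatim repeat of the text that ends with the -e advice just above it, is a clean fix. The "fixed channel" section, however, is about airodump-ng rather than aircrack-ng and disappears without a pointer; if it was moved to the airodump-ng page, add a link so the advice it gave (identify what changed the channel, reset it, restart airodump-ng) stays discoverable. The PTW constraint line under "The PTW method does not work" is unchanged.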
Line 542: | Line 572: | ||
If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. | If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. | ||
- | There is an open [[http://trac.aircrack-ng.org/ticket/651|trac ticket]] to correct this incorrect behavior. | + | There is an open [[https://github.com/ |
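Review bot: the replacement link to the GitHub tracker is cut off in this rendering, so the issue number is not visible; make sure the link targets the specific issue and name the number in the text, since "There is an open ... ticket" goes stale once it is closed. The sentence also refers to "this incorrect behavior" without naming it; saying that aircrack-ng fails to recognize a valid handshake, as the preceding line describes, keeps the reference clear.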
aircrack-ng.txt · Last modified: 2019/09/18 22:39 by mister_x