User Tools

Site Tools


faq

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
faq [2016/07/18 01:55] – [Where can I find good wordlists ?] Added password list mister_xfaq [2021/06/08 01:38] – My driver doesn't work anymore, or it does something weird, how to debug? mister_x
Line 6: Line 6:
 ===== What is the best wireless card to buy ?  ===== ===== What is the best wireless card to buy ?  =====
  
-Which card to purchase is a hard question to answer.  Each person's criteria is somewhat different, such as one may require 802.11n capability, or may require it to work via virtualisation.  However, having said that, if money is not a constraint then the following cards are considered the best in class:+Which card to purchase is a hard question to answer.  Each person's criteria is somewhat different, such as one may require 802.11ax capability, or may require it to work via virtualization.  However, having said that, then the following cards are considered the best in class
 + 
 +  * Alfa AWUS036ACH (a/b/g/n/ac) is the best performing card, but the driver can be unstable enough to crash your kernel 
 +  * Alfa AWUS036ACM (a/b/g/n/ac) is the highest performing of the STABLE devices, but it requires kernel 4.19.5 or higher, and the driver doesn't work on the Raspberry Pi 3 yet; it works on the Raspberry Pi 4. 
 + 
 +Runner ups:
  
   * Alfa AWUS036H [b/g USB]   * Alfa AWUS036H [b/g USB]
Line 12: Line 17:
   * Ubiquiti SRX [a/b/g ExpressCard]   * Ubiquiti SRX [a/b/g ExpressCard]
   * Airpcap series [USB]   * Airpcap series [USB]
-  * TP-Link TL-WN722N [b/g/n USB]+  * TP-Link TL-WN722N v1 [b/g/n USB] - Beware, if version is not specified by vendor, it is **NOT** v1 
 +  * Alfa AWUS036NHA [b/g/n USB]
   * Alfa AWUS051NH v2 [a/b/g/n USB]   * Alfa AWUS051NH v2 [a/b/g/n USB]
 +  * MiniPCIe: anything that uses [[https://wikidevi.com/wiki/Ath9k|ath9k]], especially AR92xx and AR93xx (ability to do [[https://wireless.wiki.kernel.org/en/users/drivers/ath9k/spectral_scan|spectral scan]])
  
-If money is a constraint then consider purchasing a card with a RTL8187L or Atheros chipset, also read [[compatibility_drivers#which_is_the_best_card_to_buy|this]] first before purchasing. There are many available on the market for fairly low prices.  You are simply trading off distance, sensitivity and performance for cost.+Also read [[compatibility_drivers#which_is_the_best_card_to_buy|this]] first before purchasing. There are many available on the market for fairly low prices.  You are simply trading off distance, sensitivity and performance for cost.
  
 If you want to know if your existing card is compatible then use this page: [[compatible_cards|Tutorial: Is My Wireless Card Compatible?]] If you want to know if your existing card is compatible then use this page: [[compatible_cards|Tutorial: Is My Wireless Card Compatible?]]
Line 23: Line 30:
  
 The [[tutorial|Tutorials]] page has many tutorials specific to the aircrack-ng suite.  If your question is not answered on this FAQ page, be sure to check out these other resources: The [[tutorial|Tutorials]] page has many tutorials specific to the aircrack-ng suite.  If your question is not answered on this FAQ page, be sure to check out these other resources:
-  * The [[http://forum.aircrack-ng.org|Forum]]+  * The [[https://forum.aircrack-ng.org|Forum]]
   * [[User Docs|User Documentation by platform (Linux, Windows)]]   * [[User Docs|User Documentation by platform (Linux, Windows)]]
  
 The [[links]] page also generic wireless information and tutorials. The [[links]] page also generic wireless information and tutorials.
 +
 +===== Any GPS recommendation ?  =====
 +
 +The following 2 devices have been tested and work fine:
 +
 +  * BU-353
 +  * NL-402U USB
 +
 +However, anything that is [[http://www.catb.org/gpsd/hardware.html|compatible with GPSd]] will work. 
  
 ===== "command not found" error message  ===== ===== "command not found" error message  =====
Line 35: Line 51:
 ===== How do I crack a static WEP key ?  ===== ===== How do I crack a static WEP key ?  =====
  
-The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named [[http://www.netstumbler.org/showthread.php?postid=89036#post89036|KoreK]].+The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named [[https://web.archive.org/web/20070711093523/http://www.netstumbler.org/showthread.php?postid=89036#post89036|KoreK]].
  
 Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.  Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key. 
Line 45: Line 61:
 There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with "-n 64" to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP. There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with "-n 64" to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.
  
-The figures above are based on using the Korek method.  With the introduction of the [[http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/|PTW technique]] in aircrack-ng 0.9 and above, the number of **data packets** required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets.  PTW is limited to 40 and 104 bit keys lengths.  Keep in mind that it can take 100K packets or more even using the PTW method.  Additionally, PTW only works properly with [[supported_packets|selected packet types]].  Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.\\+The figures above are based on using the Korek method.  With the introduction of the [[https://web.archive.org/web/20070406172251/http://www.cdc.informatik.tu-darmstadt.de:80/aircrack-ptw/|PTW technique]] in aircrack-ng 0.9 and above, the number of **data packets** required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets.  PTW is limited to 40 and 104 bit keys lengths.  Keep in mind that it can take 100K packets or more even using the PTW method.  Additionally, PTW only works properly with [[supported_packets|selected packet types]].  Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.\\
  
  
Line 70: Line 86:
 ===== Where can I find good wordlists ?  ===== ===== Where can I find good wordlists ?  =====
  
-The easiest way is do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. A few sources follow. Please add comments or additions to this thread: http://forum.aircrack-ng.org/index.php?topic=1373.0.+The easiest way is do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. A few sources follow. Please add comments or additions to this thread: https://forum.aircrack-ng.org/index.php?topic=1373.0.
  
-Remember that valid passwords are 8 to 63 characters in length. The [[http://aircrack-ng.org/doku.php?id=aircrack-ng#other_tips|Aircrack-ng Other Tips]] page has a script to eliminate passwords which are invalid in terms of length.+Remember that valid passwords are 8 to 63 characters in length. The [[aircrack-ng#other_tips|Aircrack-ng Other Tips]] page has a script to eliminate passwords which are invalid in terms of length.
  
   * OpenWall:   * OpenWall:
     * ftp://ftp.openwall.com/pub/wordlists/     * ftp://ftp.openwall.com/pub/wordlists/
-    * http://www.openwall.com/mirrors/ +    * https://www.openwall.com/mirrors/ 
-    http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/ +  GitHub 
-  ftp://ftp.ox.ac.uk/pub/wordlists/ +    https://github.com/danielmiessler/SecLists/tree/master/Passwords 
-  * http://gdataonline.com/downloads/GDict/ +    https://github.com/berzerk0/Probable-Wordlists 
-  http://www.theargon.com/achilles/wordlists+    https://github.com/search?q=wordlist
-  http://theargon.com/achilles/wordlists/theargonlists/+
   * ftp://ftp.cerias.purdue.edu/pub/dict/   * ftp://ftp.cerias.purdue.edu/pub/dict/
-  * http://www.outpost9.com/files/WordLists.html +  * https://www.outpost9.com/files/WordLists.html
-  * http://www.securinfos.info/wordlists_dictionnaires.php+
   * http://www.vulnerabilityassessment.co.uk/passwords.htm   * http://www.vulnerabilityassessment.co.uk/passwords.htm
-  * http://packetstormsecurity.org/Crackers/wordlists/ +  * https://packetstormsecurity.com/Crackers/wordlists/ 
-  * http://www.ai.uga.edu/ftplib/natural-language/moby/ +  * http://ai1.ai.uga.edu/ftplib/natural-language/moby/ 
-  * http://www.insidepro.com/eng/download.shtml +  * http://wordlist.aspell.net/
-  * http://www.word-list.com/ +
-  * http://www.cotse.com/tools/wordlists1.htm +
-  * http://www.cotse.com/tools/wordlists2.htm +
-  * http://wordlist.sourceforge.net/ +
-  * https://github.com/danielmiessler/SecLists/tree/master/Passwords +
- +
-==== Build your own ==== +
- +
-Here are a few resources to build your own lists.  There are many, many more available if you search the Internet. +
- +
-  *[[https://code.goto10.org/svn/unpacked/sh/etemenanki/etemenanki.sh|Etemenanki]] is a shell script that "builds word dictionaries based on remote and local (hyper)text repositories"+
-  *[[http://awlg.org/index.gen|Associative Word List Generator]] allows you to build custom lists based on a "root" word. +
-  *[[http://forum.aircrack-ng.org/index.php?topic=4580.0|Password Generator]] is a program that generates all the variations of a string of characters based on the length of the string. +
-  *[[http://forum.aircrack-ng.org/index.php?topic=4877.msg27435#msg27435|Password Generator]] is a program that goes through standard and arbitrary permutations of strings. +
-  * [[http://forums.remote-exploit.org/programming/26847-coding-bruteforce-dictionary-generator.html|BackTrack thread]] regarding bruteforce dictionary generators.+
  
 ===== How do I recover my WEP/WPA key in windows ? ===== ===== How do I recover my WEP/WPA key in windows ? =====
Line 143: Line 142:
   * Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.   * Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.
  
-The [[http://documentation.netgear.com/reference/fra/wireless/TOC.html|NetGear Wireless Basics Manual]] has a good description of [[http://documentation.netgear.com/reference/fra/wireless/WirelessNetworkingBasics-3-06.html|WEP Wireless Security]] including diagrams of the packet flows.+The [[https://web.archive.org/web/20070813043726/http://documentation.netgear.com:80/reference/fra/wireless/TOC.html|NetGear Wireless Basics Manual]] has a good description of [[https://web.archive.org/web/20070813183512/http://documentation.netgear.com:80/reference/fra/wireless/WirelessNetworkingBasics-3-06.html|WEP Wireless Security]] including diagrams of the packet flows in its subsections.
  
  
 ===== How do I merge multiple capture files ?  ===== ===== How do I merge multiple capture files ?  =====
  
-You may use File -> Merge... in Wireshark or Ethereal.+You may use File -> Merge... in Wireshark or Ethereal. Make sure to export in pcap format.
  
 From the command line you may use the //mergecap// program to merge //.cap// files (part of the Wireshark/Ethereal package or the win32 distribution):  From the command line you may use the //mergecap// program to merge //.cap// files (part of the Wireshark/Ethereal package or the win32 distribution): 
Line 170: Line 169:
 ===== Can I use Wireshark/Ethereal to capture 802.11 packets ? ===== ===== Can I use Wireshark/Ethereal to capture 802.11 packets ? =====
  
-Under Linux, simply setup the card in monitor mode with the [[airmon-ng]] script. Under Windows, Wireshark can capture 802.11 packets using [[http://www.cacetech.com/products/airpcap.htm|AirPcap]].  Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.+Under Linux, simply setup the card in monitor mode with the [[airmon-ng]] script. Under Windows, Wireshark can capture 802.11 packets using [[https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html|AirPcap]].  Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.
  
  
Line 181: Line 180:
 Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit -> Preferences -> Protocols -> IEEE 802.11, select "Enable decryption", and fill in the key according to the instructions in the preferences window.  You can also select "Decryption Keys..." from the wireless toolbar if it's displayed. Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit -> Preferences -> Protocols -> IEEE 802.11, select "Enable decryption", and fill in the key according to the instructions in the preferences window.  You can also select "Decryption Keys..." from the wireless toolbar if it's displayed.
  
-Many times in this forum and on the wiki we suggest using Wireshark to review packets.  There are two books which are available specifically for learning how to use Wireshark in detail.  The books are are listed [[http://forum.aircrack-ng.org/index.php?topic=2806|here]].+Many times in this forum and on the wiki we suggest using Wireshark to review packets.  There are two books which are available specifically for learning how to use Wireshark in detail.
  
-The good news is that they have made Chapter 6 of  the "Wireshark & Ethereal Network Protocol Analyzer Toolkit" covering wireless packets available online in PDF format.  Here is the link to [[http://www.willhackforsushi.com/books/377_eth_2e_06.pdf|Chapter 6]].  As well, see this [[http://wiki.wireshark.org/Wi-Fi|section]] on the Wireshark Wiki.+The good news is that they have made Chapter 6 of  the "Wireshark & Ethereal Network Protocol Analyzer Toolkit" covering wireless packets available online in PDF format.  Here is the link to [[http://www.willhackforsushi.com/books/377_eth_2e_06.pdf|Chapter 6]].  As well, see this [[https://wiki.wireshark.org/Wi-Fi|section]] on the Wireshark Wiki.
  
  
 ==== What are the different wireless filter expressions ? ==== ==== What are the different wireless filter expressions ? ====
  
-The [[http://www.wireshark.org/docs/dfref/|Wireshark display filter reference]] lists [[http://www.wireshark.org/docs/dfref/w/wlan.html|wlan]] (general 802.11), [[http://www.wireshark.org/docs/dfref/w/wlan_mgt.html|wlan_mgmt]] (802.11 management), [[http://www.wireshark.org/docs/dfref/w/wlancap.html|wlancap]] (AVS capture header), [[http://www.wireshark.org/docs/dfref/w/wlancertextn.html|wlancertextn]] (802.11 certificate extensions), and [[http://www.wireshark.org/docs/dfref/r/radiotap.html|radiotap]] (radiotap header)+The [[https://www.wireshark.org/docs/dfref/|Wireshark display filter reference]] lists [[https://www.wireshark.org/docs/dfref/w/wlan.html|wlan]] (general 802.11), [[https://www.wireshark.org/docs/dfref/w/wlan_mgt.html|wlan_mgmt]] (802.11 management), [[https://www.wireshark.org/docs/dfref/w/wlancap.html|wlancap]] (AVS capture header), [[https://www.wireshark.org/docs/dfref/w/wlancertextn.html|wlancertextn]] (802.11 certificate extensions), and [[https://www.wireshark.org/docs/dfref/r/radiotap.html|radiotap]] (radiotap header)
  
-([[http://www.remote-exploit.org/research/etherealwirelessfilters.html|Ethereal Wireless Filters]] from www.remote-exploit.org)+===== How do I change my card's MAC address ?  =====
  
-See the previous item for detailed instructions on using Wireshark. +**Note:** It is not necessary to change the MAC address anymore to perform attacks; this can, in some cases, confuse the driver.
- +
- +
- +
- +
-===== How do I change my card'MAC address ?  =====+
  
 Under linux, the following information applies. Under linux, the following information applies.
Line 209: Line 203:
 Be aware that the example above does not work with every driver. Be aware that the example above does not work with every driver.
  
-The easier way is to use the macchanger package.  The documentation and download is at: [[http://www.alobbs.com/macchanger|macchanger]].  This link tends to be slow or not answer.  You can do an Internet search for "macchanger" or here are some alternate links: +The easier way is to use the macchanger package.  The documentation and download is at: [[https://github.com/alobbs/macchanger|macchanger]].
-  *http://mirrors.usc.edu/pub/gnu/macchanger/ +
-  *http://ftp.gnu.org/gnu/macchanger/+
  
 If you are using mac80211 drivers and have a mon0 interface then: If you are using mac80211 drivers and have a mon0 interface then:
Line 319: Line 311:
 Under Windows, you may use: Under Windows, you may use:
  
-  *[[http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp|macmakeup]] +  *[[https://www.gorlani.com/software/mmkup.php|macmakeup]] 
-  *[[http://tmac.technitium.com/tmac/index.html|Technitium MAC Address Changer]] +  *[[https://technitium.com/tmac/|Technitium MAC Address Changer]]
-  *[[http://amac.paqtool.com|ChangeMacAddress]] (There is cost for this product)+
  
 Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2.  The first half (00:09:5B) of each MAC address is the manufacturer.  The second half (EC:EE:F2) is unique to each network card.  Many access points will ignore invalid MAC addresses.  So make sure to use a valid wireless card manufacturer code when you make up MAC addresses.  Otherwise your packets may be ignored. Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2.  The first half (00:09:5B) of each MAC address is the manufacturer.  The second half (EC:EE:F2) is unique to each network card.  Many access points will ignore invalid MAC addresses.  So make sure to use a valid wireless card manufacturer code when you make up MAC addresses.  Otherwise your packets may be ignored.
Line 368: Line 359:
 ===== How can I resolve MAC addresses to IP addresses ? ===== ===== How can I resolve MAC addresses to IP addresses ? =====
  
-You can try [[http://freshmeat.net/projects/netdiscover/|netdiscover]] or [[http://freshmeat.net/projects/arptools|ARP tools]]+You can try [[https://github.com/alexxy/netdiscover|netdiscover]] or [[https://github.com/burghardt/arptools|ARP tools]]
  
  
Line 381: Line 372:
  
 To determine the frequency that a channel uses (or vice versa), check out: To determine the frequency that a channel uses (or vice versa), check out:
-[[http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132|Wifi Channels]].  Or check out [[http://en.wikipedia.org/wiki/802.11_channels|Wikipedia List of WLAN Channels]].  This is a nice [[http://www.air-stream.org.au/files/agder_56.gif|graphic]] showing the channel assignments and their overlap.+[[https://web.archive.org/web/20070712140843/http://www.cisco.com:80/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132|Wifi Channels]].  Or check out [[https://en.wikipedia.org/wiki/802.11_channels|Wikipedia List of WLAN Channels]].  This is a nice [[https://web.archive.org/web/20070831213930/http://www.air-stream.org.au/files/agder_56.gif|graphic]] showing the channel assignments and their overlap.
  
  
Line 389: Line 380:
 Here are some conversion links.  Remember to put % in front of each hex character when going from hex to ascii. Here are some conversion links.  Remember to put % in front of each hex character when going from hex to ascii.
  
-  *http://centricle.com/tools/ascii-hex/+  *https://www.rapidtables.com/convert/number/hex-to-ascii.html
   *http://www.mikezilla.com/exp0012.html   *http://www.mikezilla.com/exp0012.html
  
-LatinSuD has developed a very useful tool - [[http://www.latinsud.com/wepconv.html|Javascript WEP Conversion Tool]].  It can perform a variety of WEP, ASCII and passphrase conversions.+LatinSuD has developed a very useful tool - [[https://www.latinsud.com/wepconv.html|Javascript WEP Conversion Tool]].  It can perform a variety of WEP, ASCII and passphrase conversions.
  
  
Line 414: Line 405:
  
  
-===== Why do I have bad speeds when i'm too close to the access point? =====+===== Why do I have bad speeds when I'm too close to the access point? =====
  
 Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s.  Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s. 
Line 434: Line 425:
  
 This usually happens because the linux headers don't match your current running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver. See this [[http://www.tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/preparing-system.html|HOWTO]] for more details about kernel compilation. This usually happens because the linux headers don't match your current running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver. See this [[http://www.tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/preparing-system.html|HOWTO]] for more details about kernel compilation.
- 
- 
-===== Why can't I compile airodump-ng and aireplay-ng on other OSs ?  ===== 
- 
-Both airodump-ng and aireplay-ng sources are Linux-specific. 
  
  
Line 456: Line 442:
 ===== Why does my computer lock up when injecting packets ? Is there a solution? ==== ===== Why does my computer lock up when injecting packets ? Is there a solution? ====
  
-See http://forum.aircrack-ng.org/index.php?topic=901.0+See [[https://web.archive.org/web/20090804021133/http://forum.aircrack-ng.org:80/index.php?topic=901.0|Airmon-ng arpreplay functions freeze with rt2x00 & rt2570 1.4.0 (wusb54g)]] in the Forum.
  
  
Line 463: Line 449:
 Yes, aircrack-ng suite successfully been run under VMware.  One thing about doing VMware, you can't use PCMCIA or PCI cards.  You can **ONLY** use compatible USB wireless cards.  Some limited additional information is available here: Yes, aircrack-ng suite successfully been run under VMware.  One thing about doing VMware, you can't use PCMCIA or PCI cards.  You can **ONLY** use compatible USB wireless cards.  Some limited additional information is available here:
  
-  * [[http://forum.aircrack-ng.org/index.php?topic=1654.0|VMWare tips and tricks]]+  * [[https://web.archive.org/web/20090804021040/http://forum.aircrack-ng.org:80/index.php?topic=1654.0|VMWare tips and tricks]]
  
-A virtual machine is available, see [[main#virtual_machine1|this page]] for more information.+Kali is available as a [[https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/|virtual machine]].
  
  
Line 508: Line 494:
 ===== What is the format of a valid MAC address ?  ===== ===== What is the format of a valid MAC address ?  =====
  
-A normal MAC address looks like this: 00:09:5B:EC:EE:F2.  It is composed of six octets.  The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI).  Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point.  The current list of OUIs may be found [[http://standards.ieee.org/regauth/oui/oui.txt|here]]. +A normal MAC address looks like this: 00:09:5B:EC:EE:F2.  It is composed of six octets.  The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI).  Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point.  The current list of OUIs may be found [[http://standards-oui.ieee.org/oui.txt|here]]. 
  
 Make sure that that the last bit of first octet is 0.  This corresponds to unicast addresses.  If it is set to 1, this indicates a group address, which is normally exclusively used by multicast traffic.  MAC addresses with a source set to multicast are invalid and will be dropped. Make sure that that the last bit of first octet is 0.  This corresponds to unicast addresses.  If it is set to 1, this indicates a group address, which is normally exclusively used by multicast traffic.  MAC addresses with a source set to multicast are invalid and will be dropped.
Line 532: Line 518:
 RSSI means Received Signal Strength Indication. RSSI is a measurement of the received radio signal strength. It is the received signal strength in a wireless environment, in arbitrary units. RSSI means Received Signal Strength Indication. RSSI is a measurement of the received radio signal strength. It is the received signal strength in a wireless environment, in arbitrary units.
  
-For more information, see http://en.wikipedia.org/wiki/RSSI+For more information, see https://en.wikipedia.org/wiki/RSSI
  
  
Line 560: Line 546:
 Most cards have 100mW when combined with the antenna (2dBi antenna). Most cards have 100mW when combined with the antenna (2dBi antenna).
  
-In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use [[http://en.wikipedia.org/wiki/OFDM|OFDM]] than [[http://en.wikipedia.org/wiki/CCK|CCK]]) +In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use [[https://en.wikipedia.org/wiki/OFDM|OFDM]] than [[https://en.wikipedia.org/wiki/CCK|CCK]]) 
  
  
Line 570: Line 556:
 ===== How do I choose an antenna?  ===== ===== How do I choose an antenna?  =====
  
-You should see [[http://www.macwireless.com/html/help/antenna.html|Antenna help]], Selecting a [[http://www.radiolabs.com/Articles/wifi-antenna.html|Wifi Antenna]] and [[http://netstumbler.org/showthread.php?t=2751&page=1|Netstumbler forum]].+You should see [[https://web.archive.org/web/20041117142847/http://www.macwireless.com:80/html/help/antenna.html|Antenna help]], Selecting a [[https://www.radiolabs.com/Articles/wifi-antenna.html|Wifi Antenna]].
  
  
Line 586: Line 572:
 If you have a very new USB device, sometimes the device ID has not been included in the driver.  The following article describes how to do this for a specific driver.  The technique can be used for all USB drivers. If you have a very new USB device, sometimes the device ID has not been included in the driver.  The following article describes how to do this for a specific driver.  The technique can be used for all USB drivers.
  
-[[http://www.linuxwireless.org/en/users/Drivers/zd1211rw/AddID|Adding new device IDs to zd1211rw]]+[[https://wireless.wiki.kernel.org/en/users/drivers/zd1211rw/addid|Adding new device IDs to zd1211rw]]
  
  
Line 602: Line 588:
   * stty columns 86   * stty columns 86
   * stty rows 39   * stty rows 39
 +
 +=====How much does Aircrack-ng cost?=====
 +
 +Aircrack-ng is "free software"; you can download it without paying any license fee. The version of Aircrack-ng you download isn't a "demo" version, with limitations not present in a "full" version; it is the full version.
 +The license under which Aircrack-ng is issued is mostly the GNU General Public License version 2. See the GNU GPL FAQ for some more information. 
 +
 +You may also want to check out the OpenSSL license included in our source code download.
 +
 +=====But I just paid someone on eBay for a copy of Aircrack-ng! Did I get ripped off?=====
 +
 +That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored socks? Probably not.
 +Aircrack-ng is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.
 +
 +=====Can I use Aircrack-ng commercially?=====
 +
 +Yes, if, for example, you mean "I work for a commercial organization; can I use Aircrack-ng to capture and asses WiFi network security in our company's networks or in our customer's networks?"
 +
 +If you mean "Can I use Aircrack-ng as part of my commercial product?", see the next entry in the FAQ.
 +
 +=====Can I use Aircrack-ng as part of my commercial product?=====
 +
 +As noted, Aircrack-ng is licensed under the GNU General Public License, version 2. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a "derived work" from Aircrack-ng, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Aircrack-ng source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPL FAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program.
 +You can combine a GPLed program such as Aircrack-ng and a commercial program as long as they communicate "at arm's length", as per this item in the GPL FAQ.
 +
 +We recommend keeping Aircrack-ng and your product completely separate.
 +
 +You may also want to check out the OpenSSL license included in our source code download.
 +
 +===== Can I take screenshots of Aircrack-ng and use them in my own publications? =====
 +
 +Yes. As long as you take the screenshots yourself. If you are using someone else's, you may need to obtain their authorization to use them.
 +
 +===== How do I deal with rfkill hard blocks? =====
 +
 +A hard block usually is a physical switch on the computer. It can either be a flip switch on the side of the computer, a key combination to press on the keyboard or a setting to enable in the BIOS.
 +
 +In some cases, if wireless was disabled before Windows was powered off, it will appear like a hard block and the trick is to enable wireless in Windows then reboot.
 +
 +===== "ath10k_pci 0000:03:00.0: firmware: failed to load ath10k/pre-cal-pci-0000:03:00.0.bin" and similar in dmesg  =====
 +
 +TL;DR: even if it sounds bad, don't worry about it.
 +
 +If a firmware is missing, then your card won't work at all: no interface, scanning or any other function. Firmware may have issues/bugs but that's a different story.
 +
 +On desktop/laptop cards, the above mentioned file is stored in a dedicated EEPROM on the card itself, so it's not needed. That data is typically only needed on embedded devices, such as routers, or AP, that are lacking the EEPROM, and in that case, it is stored on the filesystem. The reason behind it is cheaper to store it, than adding extra components.
 +
 +The driver doesn't have any way of knowing if the card has it or not, so it is displaying the message anyway.
 +
 +===== Why does using aircrack-ng with "-p 1" use 2 CPUs =====
 +
 +The "-p" parameter controls the amount of threads used for bruteforcing the passphrase; Aircrack-ng has other tasks using the CPU as well.
 +
 +===== "device descriptor read/64, error -110" with Ralink rt28xx driver in dmesg =====
 +
 +Prior to this message, it can be seen that the device connected on a USB port with xhci_hcd, indicating USB 3.0.
 +
 +This issue happens mostly in virtual machines, when the USB port is set to 3.0. To work around the issue, power off the virtual machine, edit USB settings of the VM and set it to 2.0.
 +
 +===== "xhci_hcd 0000:15:00.0: WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state" or similar in dmesg =====
 +
 +The following may be present in dmesg instead: 
 +
 +  xhci_hcd 0000:00:14.0: WARN Cannot submit Set TR Deq Ptr
 +  xhci_hcd 0000:00:14.0: A Set TR Deq Ptr command is pending.
 +
 +For mt76x0u, you may see any of the following messages as well:
 +
 +  mt76x0u 1-1:1.0: rx urb failed: -71
 +  mt7601u 1-2:1.0: Error: mt7601u_mcu_wait_resp timed out
 +  mt7601u 1-2:1.0: Vendor request req:07 off:0080 failed:-71
 +  mt7601u: probe of 1-2:1.0 failed with error -110
 +
 +And for rt2800usb:
 +
 +  rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x0404 with error -71
 +  rt2800_wait_csr_ready: Error - Unstable hardware
 +  rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
 +
 +This [[https://bugzilla.kernel.org/show_bug.cgi?id=202541|bug]] affects kernels >= 4.20. It happens mostly when connecting certain USB 2.0 devices on a USB 3.0 port but it can happen with USB 3.0 devices as well. It isn't WiFi adapter's driver's fault, but an issue in the USB subsystem code.
 +
 +Until the bug is fixed, the workaround for USB 2.0 devices is to plug the device on a USB 2.0 port. If you are using a virtual machine, power off the virtual machine, and change USB port settings to 2.0.
 +
 +===== Where can I find airmon-ng on Windows or MacOS? =====
 +
 +[[airmon-ng]] is a Linux/FreeBSD script only. There is no version for Windows, MacOS, or other OS at this time.
 +
 +===== My driver doesn't work anymore, or it does something weird, how to debug? =====
 +
 +We are assuming it used to work in the past, and that you have checked that network managers were killed prior to putting the card in monitor mode.
 +
 +The next step would be to look into 'dmesg' to see if the driver outputs any error or warnings. 
 +If the card is USB, clearing it using 'dmesg -c' before plugging the adapter may help, by decreasing the amount of messages you have to go through.
 +
faq.txt · Last modified: 2024/01/10 16:40 by mister_x