Airolib-ng

Airolib-ng is an aircrack-ng suite tool designed to store and manage essid and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 database as the storage mechanism which is available on most platforms. The SQLite3 database was selected taking in consideration platform availability plus management, memory and disk overhead.

WPA/WPA2 cracking involves calculating the pairwise master key, from which the private transient key (PTK) is derived. Using the PTK, we can compute the frame message identity code (MIC) for a given packet and will potentially find the MIC to be identical to the packet's thus the PTK was correct therefore the PMK was correct as well.

Calculating the PMK is very slow since it uses the pbkdf2 algorithm. Yet the PMK is always the same for a given ESSID and password combination. This allows us to pre-compute the PMK for given combinations and speed up cracking the wpa/wpa2 handshake. Tests have shown that using this technique in aircrack-ng can check more than 50 000 passwords per second using pre-computed PMK tables.

Computing the PMK is still required, yet we can:

• Precompute it for later and/or shared use.
• Use distributed machines to generate the PMK and use their value elsewhere.

To learn more about WPA/WPA2:

• See the WPA/WPA2 Information section on the wiki links page.

To learn more about coWPAtty:

• Will Hack For SUSHI > CoWPAtty
• Wireless Defense CoWPAtty writeup

As stated above, this program requires the SQLite3 database environment. You must be running version 3.3.17 or above. You may obtain the latest version from the SQLite download page.

Usage: airolib <database> <operation> [options]

Where:

• database is name of the database file. Optionally specify the full path.
• operation specifies the action you would like taken on the database. See below for a complete list.
• options may be required depending on the operation specified

Here are the valid operations:

• - -stats - Output some information about the database.
• - -sql {sql} - Execute the specified SQL statement.
• - -clean [all] - Perform steps to clean the database from old junk. The option 'all' will also reduce file size if possible and run an integrity check.
• - -batch - Start batch-processing all combinations of ESSIDs and passwords. This must be run prior to using the database within aircrack-ng or after you have added additional SSIDs or passwords.
• - -verify [all] - Verify a set of randomly chosen PMKs. If the option 'all' is given, all(!) PMKs in the database are verified and the incorrect ones are deleted.
• - -export cowpatty {essid} {file} - Export to a cowpatty file.
• - -import cowpatty {file} - Import a cowpatty file and create the database if it does not exist.
• - -import {essid|passwd} {file} - Import a text flat file as a list of either ESSIDs or passwords and create the database if it does not exist. This file must contain one essid or password per line. Lines should be terminated with line feeds. Meaning press “enter” at the end of each line when entering the values.

Here are usage examples for each operation.

Enter:

 airolib-ng testdb --stats

Where:

• testdb is the name of the database to be created.
• - -stats is the operation to be performed.

The system responds:

 statsThere are 2 ESSIDs and 232 passwords in the database. 464 out of 464 possible combinations have been computed (100%).
 
 ESSID   Priority        Done
 Harkonen        64      100.0
 teddy   64      100.0

The following example will give the SSID “VeryImportantESSID” maximum priority.

Enter:

 airolib-ng testdb --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="VeryImportantESSID";'

The system responds:

 update essid set prio=(select min(prio)-1 from essid) where essid="VeryImportantESSID";
 Query done. 1 rows affected.

The following example will look for very important patterns in the pmk.

Enter:

 airolib-ng testdb --sql 'select hex(pmk) from pmk where hex(pmk) like "%DEADBEEF%"'

The system responds:

 hex(pmk) BF3F122D3CE9ED6C6E7E1D7D13505E0A41EC4C5A3DEADBEEFFEFF597387AFCE3

To do a basic cleaning, enter:

 airolib-ng testdb --clean

The system responds:

 cleanDeleting invalid ESSIDs and passwords...
 Deleting unreferenced PMKs...
 Analysing index structure...
 Done.

To do a basic cleaning, reduce the file size if possible and run an integrity check., enter:

 airolib-ng testdb --clean all

The system responds:

 cleanDeleting invalid ESSIDs and passwords...
 Deleting unreferenced PMKs...
 Analysing index structure...
 Vacuum-cleaning the database. This could take a while...
 Checking database integrity...
 integrity_check
 ok
 Query done. 2 rows affected.
 Done.

Enter:

 airolib-ng testdb --batch

The system responds:

 Computed 464 PMK in 10 seconds (46 PMK/s, 0 in buffer). No free ESSID found. Will try determining new ESSID in 5 minutes...

To verify a 1000 random PMKs, enter:

 airolib-ng testdb --verify

The system responds:

 verifyChecking ~10.000 randomly chosen PMKs...
 ESSID   CHECKED STATUS
 Harkonen        233     OK
 teddy   233     OK

To verify all PMKs, enter:

 airolib-ng testdb --verify all

The system responds:

 verifyChecking all PMKs. This could take a while...
 ESSID   PASSWORD        PMK_DB  CORRECT

Enter:

 airolib-ng testdb --export cowpatty test cowexportoftest

The system responds:

 exportExporting...
 Done.

To import an ascii list of SSIDs and create the database if it does not exist, enter:

 airolib-ng testdb --import essid ssidlist.txt

Where:

• testdb is the name of the database to be updated and it will be created if it does not exist.
• - -import is the operation to be performed.
• essid indicates it is a list of SSIDs.
• ssidlist.txt is the file name containing the SSIDs. One per line. It can optionally be fully qualified.

The system responds:

 importReading...
 Writing...
 Done.

To import an ascii list of passwords and create the database if it does not exist, enter:

 airolib-ng testdb --import passwd password.lst

Where:

• testdb is the name of the database to be updated and it will be created if it does not exist.
• - -import is the operation to be performed.
• passwd indicates it is a list of passwords.
• password.list is the file name. One per line. It can optionally be fully qualified.

The system responds:

 importReading...
 Writing... read, 1814 invalid lines ignored.
 Done.

Imports a cowpatty table and create the database if it does not exist, enter:

 airolib-ng testdb --import cowpatty  cowexportoftest

Where:

• testdb is the name of the database to be updated and it will be created if it does not exist.
• - -import is the operation to be performed.
• cowpatty indicates it is a cowpatty table.
• cowexportoftest is the file name. One per line. It can optionally be fully qualified.

The system responds:

 importReading header...
 Reading...
 Updating references...
 Writing...

The ultimate objective is to speed up WPA/WPA2 cracking under aircrack-ng. To use the tables you have built using airolib-ng then use the “-r” option to specify the database containing the pre-calculated PMKs.

Enter:

 aircrack-ng  -r testdb  wpa2.eapol.cap

Where:

• -r specifies that a pre-computed PMK database will be used.
• testdb is the name of the database file and may optionally be fully qualified.
• wpa2.eapol.cap is capture file containing the WPA/WPA2 handshake.

Note: All the other standard options which are applicable to WPA/WPA2 may also be used. This is a very limited example.

To test the tool yourself…

• get yourself the sqlite3 library and headers (latest version is recommended)
• get yourself the 1.0dev version of the aircrack-ng suite
• import an essid, e.g. “echo Harkonen | airolib-ng testdb –import essid -”

 Database <testdb> does not already exist, creating it...
 Database <testdb> sucessfully created
 Reading file...
 Writing...
 Done.

• import a password, e.g. “echo 12345678 | airolib-ng testdb –import passwd -”

 Reading file...
 Writing...
 Done.

• start the batch process (“airolib-ng testdb –batch”), wait for it to run out of work or pause it with Ctrl-C

 Computed 1 PMK in 0 seconds (1 PMK/s, 0 in buffer). All ESSID processed.

• Check the database to confirm everything has been computed (“airolib-ng testdb –stats”)

 There are 1 ESSIDs and 1 passwords in the database. 1 out of 1 possible combinations have been computed (100%).
 
 ESSID   Priority        Done
 Harkonen        64      100.0

• crack your WPA/WPA2 handshake, e.g. “aircrack-ng -r testdb -e Harkonen wpa2.eapol.cap”

 KEY FOUND! [ 12345678 ]

Another way to test for yourself is to download a pre-made database called passphrases.db. This file is also located in the test directory of the aircrack-ng sources. Then try this database with the two test WPA/WPA2 files supplied in the test directory of the aircrack-ng sources. The WPA/WPA2 test files are called “wpa.cap” and “wpa2.eapol.cap”.

The commands are either of:

 aircrack-ng -r passphrases.db wpa.cap
 aircrack-ng -r passphrases.db wpa2.eapol.cap

This should give you the passphase. Success indicates that your setup is working correctly.

Airolib-ng is not compiled by default. To enable compiling, do “make sqlite=true” and “make sqlite=true install”.

Although this is not a usage troubleshooting tip, it is a common problem during the compilation of the 1.0dev version. As a reminder, SQLite must be version 3.3.13 or above. This is the compile error you receive when your version of SQLite is less then the requirement:

gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`../evalrev` -I/usr/local/include -Iinclude -DHAVE_SQLITE   -c -o airolib-ng.o airolib-ng.c
airolib-ng.c: In function `sql_prepare':
airolib-ng.c:129: warning: implicit declaration of function `sqlite3_prepare_v2'
make[1]: *** [airolib-ng.o] Error 1
make[1]: Leaving directory `/root/1.0-dev/src'
make: *** [all] Error 2

The SQLite patch included with aircrack-ng sources is only needed when compiling under Windows. It is required to remove some elements which will not compile under windows and are not required.

It is not required for linux installations.

On windows only, opening/creating a database doesn't work when airolib-ng is in directories containing special characters like 'ç', 'é', 'è', 'à', … (directories containing spaces are not affected).

The solution is to move airolib-ng and its database in another directory without these special characters.

This error message may occur when importing passwords or ESSIDs. It is the number of records with invalid passwords or ESSIDs lengths. The valid lengths are:

• Passwords must have a length of 8 through 63 characters
• ESSIDs must have a length of 1 through 32 characters

If you subsequently run aircrack-ng and only receive “Quitting aircrack-ng…” then the ESSID is missing from the database. You need to load it plus rerun the batch option.