User Tools

Site Tools


faq

Table of Contents

FAQ

What is the best wireless card to buy ?

Which card to purchase is a hard question to answer. Each person's criteria is somewhat different, such as one may require 802.11n capability, or may require it to work via virtualisation. However, having said that, if money is not a constraint then the following cards are considered the best in class:

  • Alfa AWUS036H [b/g USB]
  • Ubiquiti SRC [a/b/g Cardbus]
  • Ubiquiti SRX [a/b/g ExpressCard]
  • Airpcap series [USB]

If money is a constraint then consider purchasing a card with a RTL8187L, RT73 or Atheros chipset, also read this first before purchasing . There are many available on the market for fairly low prices. You are simply trading off distance, sensitivity and performance for cost.

If you want to know if your existing card is compatible then use this page: Tutorial: Is My Wireless Card Compatible?

What tutorials are available ?

The Tutorials page has many tutorials specific to the aircrack-ng suite. If your question is not answered on this FAQ page, be sure to check out these other resources:

The links page also generic wireless information and tutorials.

"command not found" error message

After you enter “make install” then try to use any of the aircrack-ng suite commands, you get the error message “command not found” or similar. See the tip with the same message in troubleshooting tips.

How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with ”-n 64” to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

The figures above are based on using the Korek method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets. PTW is limited to 40 and 104 bit keys lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.

How can I know what is the key length ?

You can't know what's the key length, there's no information at all in wireless packets, that's why you have to try different lengths. Most of the time, it's a 128 bit key.

How do I know my WEP key is correct ?

Just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng program.

How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required.

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.

Where can I find good wordlists ?

Build your own

Here are a few resources to build your own lists. There are many, many more available if you search the Internet.

  • Etemenanki is a shell script that “builds word dictionaries based on remote and local (hyper)text repositories”.
  • Associative Word List Generator allows you to build custom lists based on a “root” word.
  • Password Generator is a program that generates all the variations of a string of characters based on the length of the string.
  • Password Generator is a program that goes through standard and arbitrary permutations of strings.
  • BackTrack thread regarding bruteforce dictionary generators.

How do I recover my WEP/WPA key in windows ?

You have to use WZcook

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack:

  1. Mix the IV and the shared key using a hash function or
  2. Discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the “flaws” of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.

How do I learn more about WPA/WPA2?

See the links page.

How do I decrypt a capture file ?

You may use the airdecap-ng program

What are the authentication modes for WEP ?

There are two authentication modes for WEP:

  • Open System Authentication: This is the default mode. All clients are accepted by the AP, and the key is never checked meaning association is always granted. However if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will timeout.
  • Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.

The NetGear Wireless Basics Manual has a good description of WEP Wireless Security including diagrams of the packet flows.

How do I merge multiple capture files ?

You may use File → Merge… in Wireshark or Ethereal.

From the command line you may use the mergecap program to merge .cap files (part of the Wireshark/Ethereal package or the win32 distribution):

mergecap -w out.cap test1.cap test2.cap test3.cap 

It will merge test1.cap, test2.cap and test3.cap into out.cap

You may use the ivstools program to merge .ivs files (part of aircrack-ng package)

Can I convert cap files to ivs files ?

You may use the ivstools program (part of aircrack-ng package)

Can I use Wireshark/Ethereal to capture 802.11 packets ?

Under Linux, simply setup the card in monitor mode with the airmon-ng script. Under Windows, Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.

Can Wireshark/Ethereal decode WEP or WPA data packets ?

Recent versions of Ethereal and Wireshark can decrypt WEP. Go to Edit → Preferences → Protocols → IEEE 802.11, select 1 in the “WEP key count” and enter your WEP key below.

Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit → Preferences → Protocols → IEEE 802.11, select “Enable decryption”, and fill in the key according to the instructions in the preferences window. You can also select “Decryption Keys…” from the wireless toolbar if it's displayed.

Many times in this forum and on the wiki we suggest using Wireshark to review packets. There are two books which are available specifically for learning how to use Wireshark in detail. The books are are listed here.

The good news is that they have made Chapter 6 of the “Wireshark & Ethereal Network Protocol Analyzer Toolkit” covering wireless packets available online in PDF format. Here is the link to Chapter 6. As well, see this section on the Wireshark Wiki.

What are the different wireless filter expressions ?

The Wireshark display filter reference lists wlan (general 802.11), wlan_mgmt (802.11 management), wlancap (AVS capture header), wlancertextn (802.11 certificate extensions), and radiotap (radiotap header)

(Ethereal Wireless Filters from www.remote-exploit.org)

See the previous item for detailed instructions on using Wireshark.

How do I change my card's MAC address ?

Under linux, the following information applies.

One method is:

ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Be aware that the example above does not work with every driver.

The easier way is to use the macchanger package. The documentation and download is at: macchanger. This link tends to be slow or not answer. You can do an Internet search for “macchanger” or here are some alternate links:

If you are using mac80211 drivers and have a mon0 interface then:

 ifconfig mon0 down
 
 macchanger -a mon0
 Current MAC: 00:0f:b5:88:ac:82 (Netgear Inc)
 Faked MAC:   00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)
 
 ifconfig mon0 up
 macchanger -s mon0
 Current MAC: 00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)

IMPORTANT In the following scripts, newer versions of the madwifi-ng have deprecated (meaning discontinued) the ”-bssid” option. If you get a warning to this effect, then use ”-uniquebssid”.

Here are scripts which use the macchanger package and work well with madwifi-ng drivers:

Script 1 - Invoked with “macc.sh XX:XX:XX:XX:XX:XX”

 #!/bin/sh
 cardctl eject
 cardctl insert
 wlanconfig ath0 destroy
 ifconfig wifi0 up
 ifconfig wifi0 down
 macchanger wifi0 -m $1
 wlanconfig ath0 create wlandev wifi0 wlanmode monitor -bssid

Script 2 - For madwifi-ng driver devices

 #!/bin/sh
 # by darkAudax
 # Change the following variables to match your requirements
 FAKEMAC="00:14:6C:71:41:32"
 IFACE="ath0"
 WIFACE="wifi0"
 #
 # The interface is brought up and down twice otherwise
 # it causes a system exception and the system freezes
 #
 ifconfig $IFACE down
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE down
 macchanger $WIFACE -m $FAKEMAC
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE
 iwconfig
 echo " "
 echo "The wireless card MAC has been set to $FAKEMAC"
 echo " "

Script 3 - For madwifi-ng driver devices

 #!/bin/bash
 #
 # athmacchange.sh - Atheros MAC Changer
 # by brad a
 # foundstone
 #
 
 if [ -z "$1" ]; then
    echo Atheros MAC Changer
    echo -----------------------
    echo IMPORTANT: this assumes we want to change the MAC of wifi0
    echo " if you want to change the MAC of another wifi interface"
    echo " (i.e. wifi1, wifi2, etc...) change the script!"
    echo
    echo usage: $0 [mac]
    echo
    exit
 fi
    
 echo Atheros MAC Changer
 echo -------------------------
 echo -Destroying VAPs:
    
 for i in $( ls /proc/net/madwifi ); do
    wlanconfig $i destroy 2>&1 /dev/null
    echo -e "\t$i - destroyed"
 done
  
 echo -Downing wifi0
 ifconfig wifi0 down
 
 echo -Using macchanger to change MAC of wifi0
 macchanger -m $1 wifi0
 
 echo -Bringing wifi0 back up
 ifconfig wifi0 up
 
 echo -Bringing up one VAP in station mode
 wlanconfig ath create wlandev wifi0 wlanmode monitor -bssid > /dev/null
 
 echo -All done!
 echo -Confirm your settings:
 echo ------------------------------------------------------
 ifconfig wifi0
 echo ------------------------------------------------------

Madwifi-ng Notes: The madwifi site has a detailed documentation page on changing the MAC address under madwifi-ng: How can I change the MAC address of my card? Starting in r2435 of the madwifi-ng driver, they changed the default way in which new VAPs get their MAC address. When creating a new VAP with wlanconfig, you must specify ”-bssid” to have it use the underlying MAC address. If you don't do this, then the new VAP gets a unique MAC. This will cause problems with various aircrack-ng commands.

Under Windows, you may use:

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half (00:09:5B) of each MAC address is the manufacturer. The second half (EC:EE:F2) is unique to each network card. Many access points will ignore invalid MAC addresses. So make sure to use a valid wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be ignored.

Is my card compatible with airodump-ng / aireplay-ng ?

Read the Tutorial: Is My Wireless Card Compatible? tutorial. Then check the Compatible Cards page.

Can I have multiple instance of aireplay-ng running at the same time?

Yes, you can.

How to use spaces, double quote and single quote, etc. in AP names?

  • You have to prefix those special characters with a “\”. This is called escaping a special character. Examples: with\'singlequote, with\”doublequote.
  • You also need to handle the symbol ”&” the same way. Example: “A&B”.
  • You can use single quotes. Examples: 'with space', 'with”doublequote'.
  • As well, you can use double quotes. Examples: “with space”, “with'singlequote”.

NOTE: If you enclose the AP name in single or double quotes, then you don't also need to escape special characters within the single or double quotes.

IMPORTANT EXCEPTION: If the AP name contains ”!” then special care must be taken. The reason is that the bash interpreter thinks you want to repeat a previous command. Your options are:

  • Use single quotes as in 'name!with!bang'.
  • Escape the ”!” as in name\!with\!bang.
  • Use double quotes plus the escape as in “name\!with\!bang”

Sometimes the AP name contains leading or trailing spaces. These can be very hard to identify from the airodump-ng screen. Here are a few methods to deal with this situation:

  • The airodump-ng text file includes the SSID (AP name) length. So you can compare the length in the text file to the count of visible characters. If the airodump-ng text file count is greater then you know that the SSID has leading or trailing spaces.
  • Use wireshark to look at the beacon. Unless the SSID is hidden, the SSID is in quotes and you should be able to see leading/trailing spaces.
  • The 1.0rc1 version of aireplay-ng will automatically pull the correct SSID from the beacon for you assuming it is not hidden. Simply omit the SSID parameter from aireplay-ng.

What is the size of ARP packets ?

When captured through a wireless interface, 68 bytes is typical for arp packets originating from wireless clients. 86 bytes is typical for arp requests from wired clients.

On Ethernet, ARP packets when received are typically 60 bytes long. When this is then relayed by a wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a wireless client sends an ARP, they are typically 42 bytes long and they become 68 when relayed by the AP.

How can I resolve MAC addresses to IP addresses ?

You can try netdiscover or ARP tools

What are the allowed rates ?

ModulationAllowed rates
DSSS / CCK1M, 2M, 5.5M, 11M
OFDM (a/g)6M, 9M, 12M, 24M, 36M, 48M, 54M

What is the frequency for each channel?

To determine the frequency that a channel uses (or vice versa), check out: Wifi Channels. Or check out Wikipedia List of WLAN Channels. This is a nice graphic showing the channel assignments and their overlap.

How do I convert the HEX characters to ASCII?

Here are some conversion links. Remember to put % in front of each hex character when going from hex to ascii.

LatinSuD has developed a very useful tool - Javascript WEP Conversion Tool. It can perform a variety of WEP, ASCII and passphrase conversions.

Does the aircrack-ng suite support Airpcap adaptor?

See airpcap.

I have a Prism2 card, but airodump-ng / aireplay-ng doesn't seem to work !

First, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However if the interface name is eth0 or eth1, then the driver is orinoco and you must disable the driver. The easiest way to do this is to blacklist it in /etc/modprobe.d/blacklist.

Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for instructions). The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with wlan-ng.

I have an Atheros card, and the madwifi patch crashes the kernel / aireplay-ng keeps saying enhanced RTC support isn't available

There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, is it highly recommended to use either Linux 2.6.11.x or newer.

Why do I have bad speeds when i'm too close to the access point?

Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s.

This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with most 802.11 hardware.

So, is it a driver problem or is it my network hardware?

Neither, really. It's a physics problem. The only solution is to either decrease transmission power, use an antenna with a lower gain factor, or move the access point farther away from the station. You should use wired ethernet when you're close to the access point. If you don't want or you don't have a wire, you can also decrease output power of your Access point or your card.

How do I download and compile aircrack-ng?

See the wiki home page for links to the relevant sub-pages.

The driver won't compile

This usually happens because the linux headers don't match your current running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver. See this HOWTO for more details about kernel compilation.

Why can't I compile airodump-ng and aireplay-ng on other OSs ?

Both airodump-ng and aireplay-ng sources are Linux-specific.

Why do I get ioctl(SIOCGIFINDEX) failed: No such device ?

Double check that your device name is correct and that you haven't forgotten a parameter on the command line.

When using linux-wlan-ng driver, be sure to enable the interface first with airmon-ng.

Why do I get 'SIOCSIFFLAGS : No such file or directory' error message

Some drivers require a firmware to be loaded (b43, prism54, zd1211rw, …). The driver typically loads the firmware itself when started.
In this case, the driver didn't find it because the firmware was not in the right place or is missing from the computer. To find the firmware's correct location, read the driver documentation.

Why does my computer lock up when injecting packets ? Is there a solution?

Is VMware supported?

Yes, aircrack-ng suite successfully been run under VMware. One thing about doing VMware, you can't use PCMCIA or PCI cards. You can ONLY use compatible USB wireless cards. Some limited additional information is available here:

A virtual machine is available, see this page for more information.

What other tips do you have?

Windows GUI Error message

Running the Windows GUI gives an error message similar to “the application failed to initialize properly (0xc0000135). Click on OK to terminate the application”. To correct this, ensure you have the Microsoft .NET framework 2.0 installed.

My network card changes it's name from eth0 to eth1

Or even to eth2 or from wlan0 to wlan1 or … You know the symptoms mean if you suffer this problem. This happens when you change your MAC and UDEV thinks it has detected a new network card. UDEV keeps track of this so that your nwc-naming keeps mixed up even after a reboot.

Solution: Disable this function in UDEV

Open /etc/udev/persistent-net-generator.rules in your preferred text editor

Search for

 KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 	IMPORT{program}="write_net_rules $attr{address}"

and change it to

 #KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 #	IMPORT{program}="write_net_rules $attr{address}"

Save and close.

Open /etc/udev/rules.d/z25_persistent-net.rules in your preferred text editor (“z25_” may be something different on your system).

Search for the lines concerning your nwc and delete or just disable them by inserting a leading ”#”.

Reboot and everything should be back to normal and stay there.

Note: If you update udev to a newer revision you may have to do this again.

What is the format of a valid MAC address ?

A normal MAC address looks like this: 00:09:5B:EC:EE:F2. It is composed of six octets. The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. The current list of OUIs may be found here.

Make sure that that the last bit of first octet is 0. This corresponds to unicast addresses. If it is set to 1, this indicates a group address, which is normally exclusively used by multicast traffic. MAC addresses with a source set to multicast are invalid and will be dropped.

  • Examples of valid OUIs: 00:1B:23, 08:14:43, AA:00:04 because 0, 8 and A are even
  • Examples of invalid OUIs: 01:1B:23, 03:23:32

In particular, it is recommended that the first octet is 00.

What is ARP ?

The address resolution protocol (ARP) is explained in more detail here.

Is Mac OS X supported?

The aircrack-ng suite has limited Mac OS X support. Currently it only supports the following tools: aircrack-ng, packetforge-ng, ivstools and makeivs. Any program which requires opening a wireless interface is not supported.

What is RSSI?

RSSI means Received Signal Strength Indication. RSSI is a measurement of the received radio signal strength. It is the received signal strength in a wireless environment, in arbitrary units.

For more information, see http://en.wikipedia.org/wiki/RSSI

What is the difference with long and short preamble?

Every packet is sent with a preamble, which is just a known pattern of bits at the beginning of the packet so that the receiver can sync up and be ready for the real data. This preamble must be sent at the basic rate (1 Mbps), according to the official standard. But there are two different kinds of preambles, short and long. The long preamble has a field size of 128 bits, while the short preamble is only 56 bits.

Will I get better range with maximum output power?

No, this is a false assumption in most situations.

In a home environment, the best output power is not always the maximum. In most situations, 30mw is enough. However, if you are a long distance from the AP, then yes, maximum output power is the best.

Do wifi amplifiers have a better range?

No, amplifiers are not a very good idea because:

  1. Amplifiers also amplify noise and that's not a good thing for link quality
  2. With high amplification, you could get a headache

You are much better off purchasing a good antenna with high gain.

My card says that I have 20dBm (100mW) but i only have 18dBm, why?

Most cards have 100mW when combined with the antenna (2dBi antenna).

In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use OFDM than CCK)

Will I have better reception with stronger transmit power?

No, the transmit power is not linked with receiving at all. For receiving, you should check the receive sensitivity of your card. As well, you are much better off purchasing a good antenna with high gain.

How do I choose an antenna?

You should see Antenna help, Selecting a Wifi Antenna and Netstumbler forum.

How Do I Put My Card Back Into Managed Mode

How Do I Check What Mode My Card Is In?

Use iwconfig to view the current speed setting of the wireless card. 1, 2, 5.5 and 11Mbit are 802.11b, 6, 9, 12, 18, 24, 36, 48, 54Mbit are 802.11a/g. Anything above 54Mbit is 802.11n.

How Do I Add a New USB Device ID to My Driver?

If you have a very new USB device, sometimes the device ID has not been included in the driver. The following article describes how to do this for a specific driver. The technique can be used for all USB drivers.

Adding new device IDs to zd1211rw

Why do I get "Error creating tap interface: Permission denied" or a similar message?

You receive one or both of the following errors:

 error creating tap interface: Permission denied
 error opening tap device: Permission denied

This is caused by SELinux (Security Enhanced Linux) preventing the interface from starting. To resolve, disable SELinux. See the support forums for your particular linux to determine how to do this.

Why airodump-ng doesn't display anything on Android terminal?

By default, in settings, stty rows and columns are set to 0. Here are the settings:

  • stty columns 86
  • stty rows 39
faq.txt · Last modified: 2013/12/06 22:47 by mister_x