Aircrack-ng

802_11_spec

2006-11-19T16:12:18+01:00

" Consider that you may have a card putting 15dBm (32mW) into a 2.2dBi antenna (on the AP), and thatyour card probably has an effective 2dBi gain antenna on it. Operating at 2.4GHz, at 1m, thereis 41dB of path loss between the two units. At 2m, you'll have another 6dB of path loss, for 47dB.So the signal leaves at 17dBm (from the AP), you lose 41dB due to LOS (Line of Sight) path lossat 1m, and the signal arrives at the antenna in your laptop at perhaps -24dBm, and is raisedto -22dBm by the ante…

acx

2009-05-03T21:45:17+01:00

Note: This page is about the older acx100/acx111 drivers. For the new mac80211-based driver, see acx1xx. WARNING!!! There is legal controversy surrounding the development of this driver, see the wireless mailing list for more information. See kernel inclusion section for some background information on the previous attempt to include it in the mainline kernel.

acx1xx

2009-05-12T22:31:31+01:00

This thread message contains the latest information about the mac80211 Acx driver. WARNING!!! There is legal controversy surrounding the development of this driver, see the wireless mailing list for more information. See kernel inclusion section for some background information on the previous attempt to include it in the mainline kernel.

agnx

2009-08-21T16:23:23+01:00

Currently this driver on kernel 2.6.29.4 is in staging mode. Once the device is inserted, wmaster0 appears but no wlan0. There is a legacy (ieee80211 stack dependent) driver available however the driver has never been finalised therefore there is very minimal support for anything let alone monitor + injection.

airbase-ng

2009-10-11T16:24:09+01:00

Description This documentation is still under development. There is quite a bit more work to be done on this documentation. Please post any comments or suggestions to this thread in the Forum. Airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge. Here are some of the feature highlights:

aircrack-ng

2009-10-12T21:45:07+01:00

Description Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods. The first method is via the PTW approach (Pyshkin, Tews, Weinmann). The default cracking method is PTW. This is done in two phases. In the first phase, aircrack-ng only uses ARP packets. If the key is not found, then it …

aircrack-ng_suite-under-windows_for_dummies

2007-04-16T20:01:42+01:00

Version: 1.02 December 18, 2007 By: darkAudax Introduction First and foremost, Windows is virtually useless for wireless activities due to the huge number of restrictions. The restrictions do not come from the aircrack-ng suite so please don't ask for enhancements.

airdecap-ng

2009-09-26T20:07:30+01:00

Description With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can also be used to strip the wireless headers from an unencrypted wireless capture. It outputs a new file ending with ”-dec.cap” which is the decrypted/stripped version of the input file.

airdecap

2006-11-19T16:12:18+01:00

page moved to airdecap-ng

airdecloak-ng

2009-09-26T22:01:28+01:00

Description Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.

airdriver-ng

2009-09-26T20:18:38+01:00

Description Airdriver-ng is a script that provides status information about the wireless drivers on your system plus the ability to load and unload the drivers. Additionally, airdriver-ng allows you to install and uninstall drivers complete with the patches required for monitor and injection modes. Plus a number of other functions.

aireplay-ng

2009-09-26T22:02:36+01:00

Description Aireplay-ng is used to inject frames. The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it's possible to create arbitrary frames.

aireplay

2006-11-19T16:12:18+01:00

page moved to aireplay-ng

airgraph-ng

2009-04-05T19:14:53+01:00

Author: digitalpsyko Version: 1.01 Last modified on: 5 April 2009 Requirements * python * subversion * graphviz * make * aircrack-ng 1.0 (rc2 or better is recommended) * psyco is recommended but not mandatory Installing svn co http://trac.aircrack-ng.org/svn/trunk/airgraph-ng cd airgraph-ng make install Graph types * CAPR: Client to AP Relationship. This shows all the clients attached to a particular AP. * CPG: Common Probe Graph. This will show all probed SSID by clients…

airmon-ng

2009-08-14T19:05:59+01:00

Description This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status. Usage usage: airmon-ng [channel]

airodump-ng

2009-10-08T20:47:27+01:00

Description Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points. Additionally, airodump-ng writes out a text file containing the details of all access points and clients seen.

airodump

2006-11-19T16:12:18+01:00

page moved to airodump-ng

airolib-ng

2009-09-26T20:49:23+01:00

Description Airolib-ng is an aircrack-ng suite tool designed to store and manage essid and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 database as the storage mechanism which is available on most platforms. The SQLite3 database was selected taking in consideration platform availability plus management, memory and disk overhead.

airpcap

2007-06-30T23:42:47+01:00

Quick presentation This wireless adapter is made by Cacetech works on Windows but is a bit special. That's not a wireless adapter like every USB stick you can buy, you can capture 802.11 packets as easily as you're capturing data with Wireshark. And you can capture on channel 1 to 14 included. Just plug it in, start the control panel to change some settings and then start capturing data with your favorite ethernet capture program aircrack-ng, wireshark, kismet, ...

airserv-ng

2009-09-26T20:46:04+01:00

Description Airserv-ng is a wireless card server which allows multiple wireless application programs to independently use a wireless card via a client-server TCP network connection. All operating system and wireless card driver specific code is incorporated into the server. This eliminates the need for each wireless application to contain the complex wireless card and driver logic. It is also supports multiple operating systems.

airtun-ng

2009-10-14T16:02:50+01:00

Description Airtun-ng is a virtual tunnel interface creator. There are two basic functions: * Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes. * Inject arbitrary traffic into a network. In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as snort.

arp-request_reinjection

2008-01-02T17:54:42+01:00

Description The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine th…

arp_amplification

2009-08-14T18:18:15+01:00

Version: 1.00 June 13, 2007 By: darkAudax Files linked to this tutorial: * arp-1x.cap * arp-2x.cap * arp-3x.cap Introduction This tutorial deals with how to dramatically increase the number of initialization vectors (IVs) generated per second. Capture rates up to 1300 data IVs per second have been achieved! This is done by increasing the number of data packets generated for each packet injected. It is intended for advanced users of the aircrack-ng suite.

arp_inject_capture

2009-02-16T23:51:12+01:00

Version: 1.03 February 16, 2009 By: darkAudax File linked to this tutorial: arpinjection.cap Introduction This is quick and dirty explanation of a sample capture file. It is a capture of an ARP request injection. To keep things simple, I have only included three rounds.

ath5k

2009-01-06T23:53:17+01:00

Ath5k is a new, completely FOSS driver for Atheros cards. Wireless-N-enabled Atheros chipsets should use ath9k instead. Unlike madwifi-ng, this driver is based on the new mac80211 stack, meaning that it requires aircrack-ng v1.0-rc1 or newer. Aircrack-ng support As of 2.6.27-rc2, ath5k can inject without patches (2.6.26 not tested, <=2.6.25 is known to be broken). However, injection support is a bit flakey, and speeds are limited to about 50~100pps. To improve injection speed, apply this patc…

ath9k

2009-06-11T17:09:07+01:00

ath9k This is the newest driver from for atheros chipsets. It DOES NOT SUPPORT INJECTION on older kernels. Starting with 2.6.29.4+ and 2.6.28.10+, injection success has been reported (Forum posting). Having said that it does not support injection on older kernels, there is an untested patch to allow for injection:

b43

2009-11-09T16:51:21+01:00

b43 is the new driver for wireless cards with Broadcom chipsets. It performs quite well in terms of monitoring and injection, although it has no support for the 802.11a wireless band. b43 is a mac80211 driver, so it requires at least Aircrack-ng 1.0-rc1.

book

2008-06-15T23:27:54+01:00

Todo * WPA Protokoll mit Details aufschreiben. * Klein, kann praktisch direkt so aus dem Buchkapitel übernommen werden. * Angriff auf WPA (Brute force mit Wörterbuch) aufschreiben. * Martin, ggf. WPA-Kapitel leicht anpassen, so dass man sieht was genau angegriffen wird.

broadcom

2008-12-28T14:35:53+01:00

As of 2.6.17, a driver for the Broadcom bcm43xx wireless chipset has been included in the kernel. Older kernels can sometimes be made to work, check out resources available here While this driver natively supports monitor mode, it requires patching before packet injection can be done. After testing aireplay-ng with the patches, please contribute to the forum thread by reporting any successes or failures there.

bugs

2007-01-31T01:40:12+01:00

The TRAC system provides information on any outstanding bugs as well a mechanism to submit new bugs. Prior to submitting a bug report: * Check the Trac to ensure the bug has not already been reported. * Try the latest development version () to ensure the bug has not already been fixed. * Check the Forum and this web site to ensure it is not a usage problem.

cafe-latte

2009-10-11T16:29:14+01:00

Description The Cafe Latte attack allows you to obtain a WEP key from a client system. Briefly, this is done by capturing an ARP packet from the client, manipulating it and then send it back to the client. The client in turn generates packets which can be captured by airodump-ng. Subsequently, aircrack-ng can be used to determine the WEP key.

cantenna_directional_antenna_with_gain

2007-02-24T18:41:47+01:00

Doc Revision: V1.0 Date: 28 Jan 2007 By: RF Peep Introduction Many people have been asking how to boost their wifi signal, here is my small contribution with an antenna I made and use successfully. The objective of this tutorial is explaining how to build & use a simple antenna system with USB adapter.

changelog

2008-06-09T23:43:48+01:00

Version 1.0 (changes from aircrack-ng 1.0-rc4) - Released 08 September 2009: * airserv-ng: Now works fine between 32 and 64bit OSes. * wesside-ng: Fixed some endianness bugs * airodump-ng-oui-update: Make sure the user is root when updating the file. * airmon-ng: Updated iw download link (0.9.17). * All: Fixed compilation with some gcc. * patches: Added missing patches from patches.aircrack-ng.org: mac80211_2.6.28-rc4-wl_frag+ack_v3.patch * manpage: Updated aireplay-ng manpage. *…

changelog_aircrack

2006-11-19T16:12:18+01:00

Aircrack Changelog Version 2.41 released on 2005-11-22. Changes from version 2.4: * airodump: show probing clients as “not associated” * airodump: don't substract the noise level unless madwifi * airodump: fixed channel hopping with old orinoco * airmon.sh: added detection of the zd1211 driver

chopchoptheory

2006-11-19T16:12:18+01:00

A 802.11 WEP frame consists of many fields: headers, data, ICV, etc. Let's consider only data and ICV, and assume a constant IV. ICV algorithm is an implementation of CRC32. It is calculated incrementally for every byte of data the frame has. Each step in C:

come_iniziare

2008-09-12T23:20:24+01:00

Version: 1.00 November 11, 2007 By: darkAudax Traduzione Settembre 12, 2008 By: David Barchiesi Introduction Molte persone si chiedono “Da dove devo iniziare?”. Questo tutorial e' stato creato per rispondere a quella domanda. Non e' inteso come un “How to” dettagliato, ma come una guida stradale necessaria per arrivare dal punto di partenza alla destinazione desiderata di aircrack-ng. Una volta che hai cominciato a muoverti, nel wiki ci sono una grande abbonzanza di documenti che copro…

compat-wireless

2009-10-16T02:16:19+01:00

Compat-wireless is a package which contains the development versions (pulled from the kernel's git repository) of the in-kernel wireless drivers and the mac80211 wireless stack. New packages are released pretty much every day. This package is mentioned quite often on the forums and the IRC channel because using it is very convenient. You can think of it (in fact, you should) as a sized-down version of the kernel tree, a one that contains only the sources of the wireless drivers and the wireless…

compatibility_drivers

2009-09-25T21:05:19+01:00

IMPORTANT: * Please read and understand the following prior to using this page: Tutorial: Is My Wireless Card Compatible? * Microsoft Windows and all variants are NOT officially supported at this point in time. * See this FAQ entry if your question is ”What is the best wireless card to buy?”.

compatible_cards

2009-09-25T21:07:33+01:00

Version: 1.08 September 25, 2009 By: darkAudax Introduction A common question that people ask is “I have model ABC wireless card, is it compatible with Aircrack-ng?” or “What card should I buy?” or “Can my card do injection?” and so on. This tutorial address these questions.

cracking_wpa

2009-09-25T21:20:51+01:00

Version: 1.18 September 25, 2009 By: darkAudax Introduction This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.

deauthentication

2009-09-26T22:07:33+01:00

Description This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons: * Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”. * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

donators

2009-11-19T00:47:29+01:00

Moved to donors.

donors

2009-11-19T00:46:24+01:00

I really wish to thank everyone who contributes and/or donates to aircrack-ng. Donations go towards the cost of hosting as well as hardware used to improve aircrack-ng. I would like to thank the following people who already donated (in no particular order):

downloads

2009-04-29T23:09:34+01:00

* The complete Changelog * You can browse the file archive here. * For installation information, see README or User Docs * Don't forget to patch your driver(s) if it isn't already done * See this page to know how to install it. Current Sources This tarball contains the latest Linux sources.

drivers

2007-02-10T15:14:35+01:00

The content of this page has been moved to Compatibility, Drivers, Which Card to Purchase

easside-ng

2009-09-25T23:11:10+01:00

Description Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention.

extendedwarning

2008-12-12T19:48:55+01:00

You just clicked on a link that state you understand that no support will be provided for the windows version. Frankly, it is likely that you were not paying any attention. There will be NO support for the windows version. We won't help with wireless card or drivers, we won't even help you double click on an exe.

fab

2006-11-19T16:12:18+01:00

About this is a draft for a user-page...i'm still working on it I'm Fabian and i'm from switzerland. If you want to write me :-) Fabian ---------- Links * wireless-forum.ch * wireless-forum.info * bernewireless.net * openwireless.ch * freifunk.net * openwrt.org

fake_authentication

2009-10-11T16:28:31+01:00

Description The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is useful is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Poin…

faq

2009-09-27T15:26:51+01:00

What is the best wireless card to buy ? Which card to purchase is a hard question to answer. Each person's criteria is somewhat different. However, having said that, if money is not a constraint then the following cards are considered the best in class:

find_ip

2008-02-17T13:55:23+01:00

Let's assume you must work in a network but they forgot to tell you the ip address range. Passive sniffing * Simply use tcpdump, wireshark or any sniffer that displays the IP addresses of existing packets. * Eg: # tcpdump -nnei eth1 13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53: 5597+ A? www.google.com. (32) 13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32…

fixivs

2006-11-19T16:12:18+01:00

* The problem: Earlier versions of pcap2ivs have a bug that generates broken files: aircrack (all versions) and aircrack-ng (=< 0.2.1). * Symptoms: When you open such .ivs file in aircrack you get much more bssid than what you had (quite slowing aircrack start), most of them are invalid. * If you have problems with this try and use original .cap files, and don't use old version of pcap2ivs. If you only have the corrupt .ivs file and you want to recover it you can try this tool.

flowchart

2008-05-09T23:37:23+01:00

Last update: May 9, 2008 Author: matts Foreword Aircrack is very simple to use once you know the concept. This flowchart will hopefully teach you the concept behind simple wifi cracking. You will want to keep airodump-ng running to collect data, and then run your attacks. Each attack will use aireplay-ng, and the ultimate goal is to generate data on the network... most commonly ARP data. In this tutorial I assume you have read the wiki and are familiar with the different tools and attack…

fragmentation

2008-09-08T23:07:42+01:00

Description This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.

getting_started.it

2009-09-06T14:15:04+01:00

Version: 1.00 November 11, 2007 By: darkAudax Translated by: tipolosko Introduzione Molte persone ci chiedono “Come faccio per iniziare?”. Questo tutorial è stato creato per rispondere a questa domanda. Non è stato creato per essere un “HowTo” dettagliato, diciamo che sono delle indicazioni per portarti da dove sei alla destinazione desiderata sull'utilizo di aircrack-ng. Una volta che riuscirai a partire, troverai una grande quantità di materiale sul wiki che descrive gli strumenti utilizz…

getting_started

2009-09-25T20:57:34+01:00

Version: 1.01 September 25, 2009 By: darkAudax Introduction Many people ask “How do I get started?”. This tutorial is intended to answer that question. It is not intended to be a detailed “How To” tutorial, rather it is a road map to get you from where you are to the desired destination of using aircrack-ng. Once you get going, there is an abundance of materials on the wiki describing the tools in great detail and tutorials for various tasks.

guess.patch

2006-11-19T16:12:18+01:00

The user obo has a patch in the Forum posted about the guessing. Intro After having aircrack continually fail on a certain (obviously ascii) key, I wrote a simple patch that has aircrack dump the corresponding ascii charaters for each byte. This makes guessing the password farily easy in the event of an all-letter password. It's especially useful in the event of single troublesome bytes, as the passphrase can be predicted. Heres an example: ./makeivs therm.ivs 74:68:65:72:6D:6F:64:79:6E:61:6…

hirte

2009-10-11T16:29:47+01:00

Description The Hirte attack is a client attack which can use any IP or ARP packet. It extends the Cafe Latte attack by allowing any packet to be used and not be limited to client ARP packets. The following describes the attack in detail. The basic idea is to generate an ARP request to be sent back to the client such that the client responds.

hostap

2007-11-19T23:19:42+01:00

HostAP is the recommended driver for Prism2.x/3 based PCMCIA and PCI cards. The driver official web site is at . Patching If you're using a kernel version >= 2.6.16, you have to patch kernel sources with hostap-kernel-2.6.18.patch patch instead of using the following method:

how_to_crack_wep_via_a_wireless_client

2008-04-22T16:15:57+01:00

Version: 1.17 September 11, 2009 By: darkAudax File linked to this tutorial: arpcapture-01.cap Introduction There has been a lot of discussion over time of how to use a wireless client workstation to generate packets to crack WEP instead of the wireless access point itself. This tutorial describes four approaches with examples of how to do this. The examples provided are from real working equipment, not theory. Each was used in real life and successfully cracked the WEP keys.

how_to_crack_wep_with_no_clients

2009-09-26T14:34:38+01:00

Version: 1.15 September 26, 2009 By: darkAudax Video: http://video.aircrack-ng.org/noclient/ Introduction There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side. Although this topic has been discussed many times over in the Forum, this tutorial is intended to …

i_am_injecting_but_the_ivs_don_t_increase

2009-09-10T20:08:01+01:00

Version: 1.09 September 10, 2009 By: darkAudax Introduction A frequent problem that comes up is that packets are being injected but the IVs don't increase. This tutorial provides guidance on determining the root cause of the problem and how to fix it.

injection_test

2008-06-27T22:42:51+01:00

Important note: This option is only available on aircrack-ng 0.9 and up. Description The injection test determines if your card can successfully inject and determine the ping response times to the Access Point (AP). If you have two wireless cards, it can also determine which specific injection tests can be successfully performed.

install_aircrack

2009-08-31T22:31:56+01:00

Requirements Linux * Kernel headers and gcc as well as make have to be installed on your system. On Debian-based distros (Debian, Ubuntu, Xubuntu, ...), issue the following command in a console to install them: sudo apt-get install build-essential * OpenSSL (development). It is called openssl-dev or libssl-dev depending on your distribution.

install_drivers

2009-10-11T15:51:55+01:00

Linux As of now, Aireplay-ng only supports injection on Prism2, PrismGT (FullMAC), Atheros, Broadcom (with the b43 driver), RTL8180, RTL8187, Ralink, ACX1xx and Zydas. Injection on Hermes, Aironet and Marvell is not supported because of firmware and/or driver limitations.

install_fonera

2009-05-09T10:08:48+01:00

February 12, 2007 By: SonicvanaJr Introduction To start off the Fon, or La Fonera router is a small wireless router that is sold to the customer at a relatively low price ($30) provided that the user agrees to connect the Fonera to their internet connection, and provide free internet to those who want it.

interactive_packet_replay

2008-12-02T21:21:20+01:00

Description This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources. The first being a live flow of packets from your wireless card. The second being from a pcap file. Standard Pcap format (Packet CAPture, associated with the libpcap library ), is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of airepl…

ipw2200

2008-07-19T14:13:54+01:00

At this point in time, this page is far from complete. In the interim, useful information will be included here. Also do a Forum Search for additional information. The previous version of ipw2200 can't be compiled with the linux headers 2.6.20-16-generic (used by Ubuntu 7.04) so here is the way to get the rtap0 interface working.

ipw2200_generic

2009-09-26T14:27:28+01:00

Version: 0.1 August 27, 2007 By: drio TODO: * How to compile from scratch the device driver to support injection * screen usage example * Different attacks * More detailed explanation about what we are doing on each step * upgrade airodump-ng tools from the livecd.

ipw2200inject

2007-02-14T13:25:05+01:00

Ipw2200 can inject, but only in certain conditions: * Card has to be in managed mode and associated to an ap. * It can only inject data packets. With this in mind, aireplay-ng attacks 2 and 4 are possible, and probably also 3. Attacks 2 and 4 have been successfully tested.

ipw3945

2008-06-29T20:32:49+01:00

Note: This page is about the ipw3945/ipwraw driver. For the new iwl3945 driver, see iwl3945. Injection Walkthrough This is for an intel PRO/Wireless 3945ABG WLAN (802.11a/b/g) card. I've tested this on Ubuntu 7.10 Gutsy Gibbon - x86 architecture - 32 Bit, but I don't see why it shouldn't work on other OS's. Some commands might be different however, especially the ones involving apt-get.

ipw4965

2008-11-27T17:30:05+01:00

This card is properly called iwl4965, and is now handled by iwlagn.

iwl3945

2009-09-24T20:50:11+01:00

Note: This page is about the iwl3945 driver. For the older ipw3945/ipwraw driver, see ipw3945. Iwl3945 is the new driver for the Intel PRO/Wireless 3945ABG wireless chipset. It includes new features like: * Managed and monitor mode support in one driver * Enhanced injection support * Multiple interfaces on one device - use the aircrack suite on a monitor interface while remaining associated on a managed interface * Full radiotap support, for both incoming and outgoing packets * No m…

iwl4965

2008-11-27T17:30:49+01:00

This driver was renamed to iwlagn starting with 2.6.27.

iwlagn

2009-05-26T16:20:27+01:00

The first reported success and how to do it is in this thread message. A more recent success story is in this thread including detailed steps. This one summarizes the the steps for Ubuntu 8.04. Another one. This is how you can get the Intel WiFi Link 4965AGN/5xxxAGN card to inject under Linux using the iwlwifi drivers. Please note that the injection is still under development, but is possible at this point. Fake auth doesn't work but there's a workaround: using wpa_supplicant. Deauth seems t…

korek_chopchop

2007-12-20T17:59:13+01:00

Description This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, some access points are not vulnerable to this attack. Some may seem vulnerable at first but actually drop data packets shorter that 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay tries to guess the rest of the missing data, as far as the heade…

links

2009-09-02T17:16:43+01:00

This page will continue to be expanded to include a variety of reference material. Wireless Basics and Tutorials * 802.11 Attacks by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks. * How 802.11 Wireless Works (thanks to Microsoft) * A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite * “IEEE 802.11 Tutorial” Mustafa Ergen, University of California Berkeley, June 2002. * 802.11 Wireless LA…

mac80211

2009-06-27T00:16:00+01:00

General Mac80211 is the new wireless stack of the Linux kernel. It is included in the kernel since 2.6.22, but drivers are only included since 2.6.24. The following drivers use mac80211 (not all have been tested to work with aircrack-ng): * acx1xx (Acx) * adm8211 (ADMtek) * agnx (Airgo MIMO) * ar5523 (Atheros A/B/G/Super-G USB) * ar9170 (Atheros xspaN USB) * at76c50x_usb (Atmel) * ath5k (Atheros A/B/G/Super-G) * ath9k (Atheros xspaN) * b43 and b43legacy (Broadcom) * iwl3…

madwifi-ng

2009-07-24T14:38:56+01:00

This page only deals with the net80211 version of the madwifi-ng driver. For the mac80211 ath5k version see the mac80211 page. To understand the differences, see mac80211 versus ieee80211 stacks write-up. IMPORTANT If you have a new kernel that supports mac80211 and includes the new ath5k driver then you MUST blacklist it otherwise the net80211 version of the module below will not work. See blacklisting mac80211 driver version below.

madwifi

2006-11-19T16:12:18+01:00

Madwifi is the recommended driver for Atheros based pcmcia, mini-pci and pci cards. Official web site is at . Notes: * You'll need uudecode from the sharutils package. * The madwifi-old-r1417 patch should also work with newer version of the madwifi-old SVN. * If you use wpa_supplicant, you should recompile it * With the current madwifi-old, it is no longer needed to run iwpriv ath0 mode 2, since the driver allows injection in mode 0 using athXraw interf…

main

2009-11-19T00:15:28+01:00

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

morenews

2007-08-28T18:37:29+01:00

DateTitleContent17 November 2009New version of Slitaz Aircrack-ng releasedA new version of the Slitaz Aircrack-ng Distribution has been released.08 September 2009Aircrack-ng 1.0 released1.0 final is released (a few bugs fixes have been done since rc4) and you can now see the new website too. More information in the blog.05 September 2009Contests @ Brucon Wireless workshopsI'll give a workshop friday and saturday (in around 2 weeks) at Brucon and there will be a contest each day where you can win…

mwl8k

2009-08-21T16:20:45+01:00

Marvell TopDog (softMAC) driver. This driver is dependent on latest kernels for support. Some Marvell TopDog chipsets have been mislabeled as Marvel Libertas which is a fullMAC chipset such as 88w8335. Marvell Libertas users should be using either libertas or libertas_tf which are available: and

newbie_guide

2009-09-26T19:52:21+01:00

Idea and initial work: ASPj Additions by: a number of good souls Last updated: May 09, 2008 This tutorial will give you the basics to get started using the aircrack-ng suite. It is impossible to provide every piece of information you need and cover every scenario. So be prepared to do some homework and research on your own. The Forum and the Wiki have lots of supplementary tutorials and information.

p54

2009-08-21T15:46:23+01:00

p54 is the mac80211 stack dependent wireless driver, it supports softMAC Intersil/Conexant Prism GT, fullMAC Intersil Prism GT, as well as Intersil/Conexant Prism GT USB dongle based chipsets. Not to be confused with prism54 driver which is dependent on the legacy ieee80211 stack, has injection support but only supports Intersil Prism GT fullMACs.

packetforge-ng

2009-09-25T22:52:54+01:00

Description The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.

patches

2007-02-04T17:31:46+01:00

There are currently no patches available for the aircrack-ng suite. Generally, any fixes have been incorporated into the SVN development version.

patching

2009-03-24T01:11:20+01:00

Version: 1.01 March 15, 2009 By: darkAudax Introduction People new to wireless security assessments often do not understand the need for patching drivers or how to do it. You sometimes need to patch the ieee80211 or mac80211 stack as well. This tutorial attempts to provide some background and some basic skills to the reader.

portugues_pacote_aircrack-ng_no_windows_para_leigos

2008-03-25T20:08:44+01:00

Versão: 1.02 Dezembro 18, 2007 Por: darkAudax Tradução e Adaptação: JaymesSmith (06/01/08) Introdução Antes de mais nada, quero salientar que o Windows é virtualmente inútil para atividades wireless devido à enorme quantidade de restrições. As restrições não vêm do pacote Aircrack-ng, então por favor não peçam por melhorias.

prism2_flashing

2009-03-22T19:13:01+01:00

Windows The simplest is to upgrade the firmware with WinUpdate. This also requires to have the WPC11 driver v2.5 installed. Flashing steps * Plug your card * Start WinUpdate. If you have only one prism card running, it will detect it. If you have more than one, it allows you to select one to upgrade. * Pick the right primary and station firmware files. It is safest if you upgrade the companion versions of them together. Some times it is OK to just upgrade station firmware. Accord…

prism54

2008-12-02T23:13:20+01:00

Warning: not to be confused with p54, the mac80211 stack dependent wireless driver that supports both fullMAC and softMAC Intersil/Conexant Prism GT chipset. ifconfig eth1 down rmmod prism54 wget "http://svnweb.tuxfamily.org/dl.php?repname=prism54/prism54&path=%2Ftrunk%2F&rev=531&isdir=1" -O prism54_r531.tar.gz wget http://patches.aircrack-ng.org/prism54-svn-20050724.patch tar -xvzf prism54_r531.tar.gz cd trunk patch -Np1 -i ../prism54-svn-20050724.patch make modules && make install wget http:/…

quotes

2009-10-02T03:25:38+01:00

Quote from Mister_X: Jan 25 00:39 basic wep cracking tut in 3 easy steps: get up from your chair and go to your neighbour door; ring or knock on the door; when he opens, ask him to use his to give the key for his wireless network; you're done Quote from Hirte:

r8180-sa2400

2008-08-11T22:28:42+01:00

This driver is for the Realtek RTL8180 chipset. ifconfig wlan0 down rmmod r8180 wget http://ovh.dl.sourceforge.net/sourceforge/rtl8180-sa2400/rtl8180-0.21.tar.gz wget http://patches.aircrack-ng.org/rtl8180-0.21v2.patch tar -xvzf rtl8180-0.21.tar.gz cd rtl8180-0.21 patch -Np1 -i ../rtl8180-0.21v2.patch make && make install depmod -a modprobe r8180 If you own a RTL8185 chipset card, check this thread out.

r8187

2009-10-11T15:22:07+01:00

The r8187 driver works properly for the Realtek RTL8187L chipset. Support for the RTL8187B chipset is under development but is not fully working. See r8187b for the RTL8187B ieee80211 driver. This page only deals with the ieee80211 version of the r8187 driver. For the mac80211 rtl8187 version see the rtl8187 page. To understand the differences, see mac80211 versus ieee80211 stacks write-up.

r8187b

2009-03-09T00:02:09+01:00

Support for the Realtek RTL8187B chipset is still experimental and is not 100% functional. You can get the latest experimental version here. Please remember it is experimental and not stable. Post any feedback or experiences to the forum. Recent kernels (2.6.27 and newer) contain a fully-functional driver for RTL8187B - it's the same driver as the new one for RTL8187L, rtl8187. You should consider trying that version. The new driver is mac80211-based, so the usual mac80211 rules apply. This …

rt2500

2008-06-28T14:48:26+01:00

This driver doesn't need to be patched anymore. ifconfig ra0 down rmmod rt2500 wget http://rt2x00.serialmonkey.com/rt2500-cvs-daily.tar.gz tar -xvzf rt2500-cvs-daily.tar.gz cd rt2500-cvs-xxxxxxx/Module #xxxxxxxxxx is a number which represents the driver date and revision make && make install modprobe rt2500 NOTE: This will download the Enhanced Legacy version of the driver. The Next Generation version (rt2x00, mac80211-based) has not been tested to work with Aircrack-ng.

rt2570

2008-07-27T01:40:39+01:00

It is highly recommended to use a enhanced and patched driver from instead of serialmonkey drivers. ifconfig rausb0 down rmmod rt2570 wget http://homepages.tu-darmstadt.de/~p_larbig/wlan/rt2570-k2wrlz-1.6.3.tar.bz2 tar -xvjf rt2570-k2wrlz-1.6.3.tar.bz2 cd rt2570-k2wrlz-1.6.3/Module make && make install modprobe rt2570 Make sure to load the driver with modprobe (not insmod).

rt2870

2008-11-25T16:35:23+01:00

Support for this driver is still experimental and is not 100% tested. You can get the latest experimental version here. Please remember it is experimental and not stable. Post any feedback or experiences to the forum. Wireless Device Not Recognized If you have a RT2870 wireless device and it is not recognized by the driver then the USB ID may be missing from the driver. The driver will only function for the list of USB devices programmed into the driver. See this forum thread for details…

rt2x00

2009-07-26T21:15:32+01:00

Devices with Ralink RT2770F Chipset that use the RT2800 driver can successfully be used with the aircrack-ng suite combined with compat-wireless. This forum posting provides an excellent description of how to install the compat-wireless software. This provides the rt2800usb driver.

rt61

2008-05-03T00:28:09+01:00

Installing Open up a shell and type: wget http://rt2x00.serialmonkey.com/rt61-cvs-daily.tar.gz tar xvfz rt61-cvs-daily.tar.gz cd rt61-cvs-* cd Module make Then, as root, type: make install rmmod rt61pci 2>/dev/null modprobe rt61 You also need the following each time you want to use the device in monitor mode:

rt73

2009-05-19T23:59:00+01:00

Installing This page only deals with the ieee80211 version of the RT73 driver. For the mac80211 rt73usb version see the mac80211 page. To understand the differences, see mac80211 versus ieee80211 stacks write-up. IMPORTANT If you have a new kernel that supports mac80211 and includes the new rt73usb driver then you MUST blacklist it otherwise the ieee80211 version of the module below will not work. See blacklisting mac80211 driver version below.

rtl8187

2009-07-26T20:59:52+01:00

The rtl8187 driver is a FOSS mac80211 driver for RTL8187L and RTL8187B. Rtl8187 is part of the official Linux kernel. Starting with 2.6.27, this driver is supported by aircrack-ng. To use the driver with aircrack-ng, it's recommended that you apply the following patch:

rtl8187b

2008-07-13T00:03:28+01:00

The driver for the RTL8187B chipset is under development. It is only partially working and not fully functional at the moment.

shared_key

2008-05-09T23:44:51+01:00

Version: 1.08 November 7, 2008 By: darkAudax File linked to this tutorial: wep.shared.key.authentication.cap Introduction This tutorial covers the situation where you receive the following error message when trying to do fake authentication with aireplay-ng:

sharp_zaurus

2009-09-26T14:29:59+01:00

Description A Sharp Zaurus is a PDA that runs linux straight from the factory. Because of this, there is a large development community behind it. This is a great PDA, although many of the models are marketed strictly in Japan, and as such, can be hard to purchase in many other parts of the world. If you are looking for one, I highly recommend eBay.

simple_wep_crack

2009-09-26T14:36:56+01:00

Version: 1.10 September 26, 2009 By: darkAudax Introduction This tutorial walks you though a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.

slitaz

2009-11-17T23:04:03+01:00

The “Slitaz Aircrack-ng Distribution” is the base Slitaz cooking version plus the latest Aircrack-ng SVN version, wireless drivers patched for injection and other related tools. The custom distribution is especially tuned for the Acer Aspire One netbooks but will work well on virtually all desktops, notebooks and netbooks. It is extremely small (60meg), requires minimal memory and includes a rich set of programs.

spanish_tuto-fr.com_en_tutorial_tutorial-crack-wep-aircrack.php

2007-02-27T23:40:21+01:00

Doc. Fecha: 28 Febrero 2007 Este documento es una adaptación del tutorial francés: Introducción Actualmente, la mayoría de los proveedores ofrecen algún tipo de protección en sus modems wifi. Por desgracia la mayoría de ellos aplican encriptación WEP por defecto en el caso de activar la opción wireless. Es sabido que esta protección está herida de muerte... es debil y muy fácilmente crackable. En menos de una hora es posi…

supported_packets

2008-08-14T17:00:08+01:00

Version: 1.03 August 14, 2008 By: darkAudax Introduction Sometimes people report that PTW fails even though they have sufficient packets. Sufficient meaning roughly 20,000 to 100,000 data packets. For PTW to work correctly, it assumes packets are IP (ethertype 0×0800) or ARP (ethertype 0×0806). The real life problem comes when some of the packets being used with aircrack-ng do not match this assumption. In this case, they disrupt the PTW calculations and PTW fails to find the key.

tkiptun-ng

2009-09-27T16:01:36+01:00

Description NOTE: This documentation is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum. IMPORTANT NOTE: The tkiptun-ng included in v1.0 is not fully working. The final attack phase is not yet implemented. The other portions are working with the ieee80211 drivers for RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to complet…

tools

2007-05-14T15:57:45+01:00

WZCook It recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your Service Pack level. WZCOOK can also display the PMK (Pairwise Master Key), a 256-bit value which is the result of the passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself can't be recovered -- however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the …

troubleshooting

2009-03-24T01:02:07+01:00

I can't seem to capture any IVs ! As a reminder, it doesn't work at all with ndiswrapper. Possible reasons: * You are standing too far from the access point. * There is no traffic on the target wireless network. * There is some G traffic but you're capturing in B mode. * Something is wrong with your card (firmware problem ?) * By the way, beacons are just unencrypted announcement packets. They're totally useless for WEP cracking.

tutorial

2009-11-14T16:24:19+01:00

English Aircrack-ng There are also informal “tutorials” in the Forum. Just use the search function. The User Documentation has non-wiki tutorials. As well, the Installing Drivers pages for each driver typically has some links to the relevant materials in the forum.

user_docs

2009-02-15T22:55:50+01:00

Windows * Part 1 - Cracking WEP with Windows XP Pro SP2 - An excellent tutorial for Windows users * Part 2 - Cracking WEP with Windows XP Pro SP2 - Additional topics for Windows users * Packet Injection Aireplay-ng - Windows XP SP2 - With Airserv-ng & Aireplay-ng

videos

2008-06-15T20:14:46+01:00

Videos.aircrack-ng.org * Fragmentation attack * Fragmentation attack with airoscript * WEP cracking with airoscript * Injection with IPW2200 (with wifislax) * How to crack WEP with no client Remote-exploit.org * Volume #1 "E-Z No Client WEP Cracking Tutorial * Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial * Volume #3 "E-Z WPA/WPA2 Cracking Tutorial * Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases Tutorial

wds

2008-05-09T23:52:16+01:00

Version: 1.02.1 February 9, 2008 By: darkAudax Files linked to this tutorial: wds.authentication.cap arp.request.from.ap.wired.client.cap arp.request.from.wds.wired.client.cap ap.wired.client.ping.wds.wired.client.cap Introduction A Wireless Distribution System is a system that enables the interconnection of access points and related clients wirelessly. This Wikipedia entry has an excellent description of WDS. I strongly encourage you to read the Wikipedia entry prior to re…

wesside-ng

2009-09-25T23:01:49+01:00

Description Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention.

wiki_todo

2006-11-19T16:12:18+01:00

soon * Compare the content with tinyshell.be * Add missing pages according to tinyshell.be * Redesign the main-page * Correct all spelling mistake * New screen-shots (maybe) later some ideas... * Template * Some images * More multilingual content (something like this) * Logo * User-Information-Page (maybe something like this) * Possibility to make boxes. (Is this the solution ?)

wildpacket_driver_install

2007-02-04T22:44:43+01:00

Asumption for this tutorial: You already have the right wildpacket driver for your card There's 2 possible scenarios: * You did not already install the driver * You already have the card's standard drivers installed In these examples, I'll use an Atheros card.

wlan-ng

2007-06-23T22:57:05+01:00

IMPORTANT injection with wlan-ng is only supported in kernels less then or equal to 2.6.11. Important note: when the card is inserted, wlan-ng will flash the firmware in RAM (volatile download) with versions PRI 1.1.4 and STA 1.8.3. Many users experienced problems with this operation, so in any case it's safer to just use hostap instead. Furthermore, HostAP works more reliably and supports iwconfig whereas wlan-ng doesn't.

wpa_capture

2008-01-21T18:39:16+01:00

Version: 1.04 January 26, 2007 By: darkAudax Files linked to this tutorial: wpa.full.cap wpa.bad.passpharse.cap Introduction This is quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. The second file (wpa.bad.key.cap) is a capture of a wireless client attempting to use the wrong passphrase to connect to the AP.

zd1211rw-mac80211

2009-09-26T22:20:57+01:00

Starting with kernel 2.6.25, zd1211rw is a mac80211 driver. As a result, the installation/patching procedure is now slightly different from what it was before. This tutorial works with kernel 2.6.27 and up. Injection on 2.6.25 and 2.6.26 requires a slightly different procedure (using compat-wireless-old).

zd1211rw

2009-05-18T15:41:40+01:00

NOTE: Unless you have an old kernel, consider using the mac80211 version of the driver and follow these instructinons. It is a much simpler way to obtain injection capability. This driver supports the zd1211 and the newer zd1211b chipsets by Zydas. Atheros has acquired Zydas and renamed this chipset to AR5007UG.