Full Version: Aircrack - Fast Wep Cracking Tool
speculatrix
WEP, as everyone knows, should only be used where either you're just stopping casual drive-by intrusion, or where you don't care TOO much about someone breaking in.

Aircrack is a latest-generation tool set for capturing, analysing and breaking WEP keys.
http://www.cr0.net:8040/code/network/

I've made it build on the Zaurus and am going to try testing it; I was wondering if anyone else would be interested in giving it a go. I am also wondering if my Zonet/Mercury card will be 100% suitable.

Paul
silvio
QUOTE(speculatrix @ Apr 8 2005, 12:04 PM)

Nice work - but you had better take a look at http://www.elsix.org/ before you waste your time creating packages that already exist.
speculatrix
QUOTE(silvio @ Apr 8 2005, 10:09 AM)

Ah, it wasn't in the section I expected, it was in console tools not wireless.

Should have used the search function, I guess. D'oh.

Sorry to have wasted people's time. Move along now, nothing to see.
eji
Uh, silvio, how exactly does one use Aircrack? I installed your ipk on my 6000, but I'm not good at all -- okay, downright pathetic -- when it comes to console stuff.
silvio
QUOTE(eji @ Apr 8 2005, 03:00 PM)

You need a WLAN scanner like Kismet or Wellenreiter. Start the scanner (in Wellenreiter you have to enable packet capturing manually) and go for a beer - or a coke if you do not like alcohol.

After half an hour, stop the scanner. Now you have a very big capture file on your Z. Start aircrack with the capture filename on the command line - now it's time for another drink. Maybe you'll have luck and aircrack will have broken the WEP key when you return.

regards,
Silvio
speculatrix
QUOTE(silvio @ Apr 8 2005, 01:39 PM)

More useful information here, with hints on running aircrack better: http://www.securityfocus.com/infocus/1814
silvio
QUOTE(speculatrix @ Apr 8 2005, 04:27 PM)

Does anybody successfully use airodump? This tool should shorten the time you need to get enough packets.
I can't make it work with the Cacko ROM.

regards,
Silvio
jfv
I am getting an error "malloc 60MB" when trying to run aircrack from ELSI. It's on a C860 with the Sharp ROM, and the file (.dump) was generated by Kismet. Is it just a matter of adding swap space (how much), or something else?

Thanks,

Felipe
speculatrix
QUOTE(silvio @ Apr 8 2005, 03:25 PM)

Have you got it working? If so, what did you have to do?

My self-built version sort of ran, but I think I'm not setting the card into the right mode - I had to manually do "iwpriv wifi0 monitor 1" sort of stuff; I've always relied on kismet's startup script to do this for me. If I get it working, I'll let you know.
speculatrix
QUOTE(jfv @ Apr 9 2005, 01:42 PM)

60MB is a big chunk of memory; yeah, you'll probably need swap space. Try "swapd" for a program that does it automatically.

Paul
undrwater
I'm getting the same error running the same aircrack on a 6000. I've used swapd, but that doesn't seem to help.

Is anyone running this successfully?
qaisali
It is a good tool, but I cannot use it because I am new. Can anyone here help me and explain how I can use this tool? Please, please, please. Thanks to all.
charlesa
QUOTE(jfv @ Apr 9 2005, 08:42 PM)

Did you get this figured out? I am also getting this error using a Wellenreiter packet dump file, with the following message:

malloc(80 MB) failed

The packet dump file is pretty small - the test one I am using is only 200k.

This is on a C860 with Cacko 1.22a and a DLink660. Aircrack is from ELSI v2.1.1. Interested to know how to get this working! Have any of you guys had success?

C.
silvio
It is working perfectly on my Z and I haven't done anything special.
eji
QUOTE(charlesa @ Apr 13 2005, 11:37 PM)

Same here. I'm getting the 80MB version of the error running the Sharp ROM on my 6000.
Foxdie
*BUMP* Please can someone get this tool updated or give us a resolution on how to get it working?

Same old malloc(80) error for me as well after installing on C860 / pdaXrom 1.1.0 RC8.
silvio
I have tested aircrack only under Cacko 1.22 lite.
Maybe it is incompatible with pdaXrom.

I unchecked pdaXrom in ELSI during upload.

For pdaXrom it would be better to recompile this package, because it could be significantly faster (gcc 3).
jfv
I am using the Sharp ROM and I get this error too, as reported earlier. Silvio, could you download the file from ELSI and install it on your Zaurus to see if it works? Maybe the uploaded file is different from what you have on your machine.

Thanks,

Felipe
stupkid
I am also getting the malloc error. Looking at the aircrack binary, Silvio and I should have the exact same libraries/hardware/OS. Silvio, can you crack Wellenreiter capture files? If so, what are the exact command-line arguments that you use?

I wonder if the issue is that I don't have enough packets for aircrack to work properly. You need something like 500,000 packets to crack 128-bit keys. I certainly have not captured that many packets yet. Hmm, some more experimentation is in order.
jfv
I downloaded the source from the original site and compiled it on the cluster at handhelds.org. The binary is a different size from the binary from ELSI. I haven't got my Zaurus with me (shame on me) so I can't test it. I'll test it tonight, but if anyone wants to try it, I'll attach it here.

Felipe

p.s. I can't seem to attach it so here it is.
berkenb
I looked at the aircrack source a while back. I believe the way it works (and I don't really know anything about it, so I might just be talking nonsense here) is by gathering statistical information about the 24-bit IVs that are part of each wireless packet.
In order to do this, aircrack allocates 5 bytes of memory for each possible IV - i.e. 5*2^24 = 80MB. Hence the program tries to allocate one big 80MB chunk of memory (cf. line 1012 in aircrack.c, version 2.1).
Since the Z has (at most) 64MB of RAM (so your free memory is considerably less than that), you will need a big swap file in order to get this to work, otherwise it will always fail. So that's the error message you guys see.
Besides, I think that a capture file with enough packets in it will easily run into the hundreds of MB...
It seems like this whole endeavour is a little impractical on the Z.
stupkid
QUOTE(jfv @ Apr 14 2005, 10:20 AM)

FYI, I have the exact same malloc issue as with Silvio's aircrack binary.
berkenb
Maybe my last answer was a little too long winded....
I think there is absolutely nothing wrong with the binaries you are trying - it is just that aircrack needs to be able to allocate 80MB of memory, and that is impossible on any Z to date (even the newer ones only have 64MB of memory), unless you have a large swap file somewhere...
charlesa
QUOTE(berkenb @ Apr 15 2005, 05:49 AM)

OK, to test this, what is the best way to set up a swap file on an SD card?
berkenb
QUOTE(charlesa @ Apr 14 2005, 03:32 PM)

I am not the world's leading expert in doing this, but in order to create a swap file on your SD card, you could follow something like the following steps:
CODE
dd if=/dev/zero of=/mnt/card/swapfile bs=1M count=64
mkswap /mnt/card/swapfile
swapon /mnt/card/swapfile

This creates a 64MB file called "swapfile" on /mnt/card containing just zeros, initialises it as a swap file, and then turns the swap file on. As a more permanent solution, you would add an entry for this swap file in your /etc/fstab, but the above steps will do as a quick and dirty method. You can check the status with
CODE
cat /proc/swaps

and turn it off with
CODE
swapoff /mnt/card/swapfile

Mind you, though, that swapping on SD is probably agonizingly slow and puts some wear on your card (flash memory doesn't have the same number of write cycles a hard drive has). I think I have used a swap file on SD before, but only as a test, and certainly never for extended periods of time.
Hope this helps...
jfv
I created the swap file (64MB) on my SD card and aircrack did run, although it said my dump file did not contain enough data to recover the key.
I won't leave the swap file there; it takes too much room and, as mentioned above, there are some drawbacks. But it's good to know that, in a pinch, I can make it work.

Felipe
undrwater
Confirmed.

I set up a swap partition on my CF HD, and it now works. Not sure why swapd didn't work on my SD (actually I think it did something bad to it).

Cool
eji
When I've deleted some MP3s and have a bit more space, I'll try creating a swapfile to see if it works.

FYI, maslovsky's memory applet has a handy GUI for creating swap files of any size on any media.
speculatrix
Here's my theory:

When creating swap files on memory cards, I would recommend the larger the swap file the better!

You want to spread the wear on the memory card as much as possible. If you force the kernel to use the smallest swap file possible, it will be writing the same set of memory cells intensely (assuming that the card can't somehow write new data to a completely different region of flash), but if you make the swap file really huge, it will not need to use the same area twice?

How about swapping over the network? On a previous project, LinuxAP, using a Eumitcom (x86-compatible) system, it was possible to swap over the network block device, which could make a big difference to performance (it only had 4MB of RAM).

Paul
stupkid
Hmm, a low memory version aircrack would be nice.
speculatrix
QUOTE(stupkid @ Apr 15 2005, 05:07 PM)

I'm not sure it's doable without a major rewrite - it has to store each IV, which is five bytes (I think, according to a previous post). Either you'd have to mmap the file and do a huge number of seeks, or extract the IVs into some sort of hashing DB... whether that's possible I don't know.

What would be really nice would be some really REALLY high speed SDRAM cards in a CF format, a true RAM disk. Or solder some more RAM into your Z. (whoosh, off on a dream again. these Zs are *so* addictive for playing "what-if" ).
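The 80MB figure berkenb works out above (5 bytes per possible 24-bit IV) and the "low memory version" stupkid and speculatrix discuss can both be seen in a small IV extractor. The following Python is an added example, not code from this thread or from aircrack itself: it walks a classic pcap assumed to hold raw 802.11 frames (link type 105, no radiotap or prism header), pulls the 3-byte IV out of every WEP-protected data frame, records it in a 2MB bitmap (one bit per IV rather than 5 bytes), and counts IVs that match the classic FMS weak pattern (first byte B+3, second byte 0xFF, for key byte B of a 13-byte key). The capture at the bottom is constructed inline with dummy addresses and dummy ciphertext so the example runs stand-alone; the frame-builder helpers and the `collect` statistics dict are the example's own, not anything aircrack exposes.

```python
"""Added example (not aircrack code): extract WEP IVs from a raw-802.11 pcap
into a one-bit-per-IV bitmap and count FMS-pattern weak IVs."""
import struct

LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames, no radiotap/prism header (assumed)


def pcap_packets(data):
    """Yield each packet from a classic pcap image (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 (link type 105), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def wep_iv(frame):
    """Return (24-bit IV, key index) for a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, flags = frame[0], frame[1]
    if ((fc0 >> 2) & 0x3) != 2:          # frame type 2 = data; ignore mgmt/control
        return None
    if not (flags & 0x40):               # Protected Frame bit clear: plaintext
        return None
    hdr = 24
    if (flags & 0x03) == 0x03:           # To-DS and From-DS: 4-address header
        hdr += 6
    if (fc0 >> 4) & 0x8:                 # QoS data subtypes add a 2-byte QoS field
        hdr += 2
    body = frame[hdr:hdr + 4]
    if len(body) < 4 or (body[3] & 0x20):  # Ext IV bit set: TKIP/CCMP, not WEP
        return None
    return (body[0] << 16) | (body[1] << 8) | body[2], body[3] >> 6


def is_fms_weak(iv, key_bytes=13):
    """Classic FMS weak IV: (B+3, 0xFF, X) for key byte B of a key_bytes-long key."""
    first, second = iv >> 16, (iv >> 8) & 0xFF
    return second == 0xFF and 3 <= first < 3 + key_bytes


class IVBitmap:
    """One bit per possible IV: 2^24 / 8 = 2 MB, versus 5 * 2^24 = 80 MB."""

    def __init__(self):
        self.bits = bytearray(1 << 21)
        self.unique = 0

    def add(self, iv):
        """Record iv; return True only the first time it is seen."""
        idx, mask = iv >> 3, 1 << (iv & 7)
        if self.bits[idx] & mask:
            return False
        self.bits[idx] |= mask
        self.unique += 1
        return True


def collect(pcap, key_bytes=13):
    """Walk the capture and summarise what a WEP cracker would have to work with."""
    bitmap = IVBitmap()
    stats = {"frames": 0, "wep_frames": 0, "unique_ivs": 0, "weak_ivs": 0}
    for frame in pcap_packets(pcap):
        stats["frames"] += 1
        hit = wep_iv(frame)
        if hit is None:
            continue
        stats["wep_frames"] += 1
        iv, _key_idx = hit
        if bitmap.add(iv) and is_fms_weak(iv, key_bytes):
            stats["weak_ivs"] += 1
    stats["unique_ivs"] = bitmap.unique
    stats["bitmap_bytes"] = len(bitmap.bits)
    return stats


# Constructed sample capture: 24-byte header with dummy addresses, dummy ciphertext.
def _frame(fc0, flags, body):
    return bytes([fc0, flags, 0, 0]) + b"\x00\x11\x22\x33\x44\x55" * 3 + b"\x10\x00" + body


def _wep_body(iv, key_idx=0, ext_iv=False, qos=False):
    key_byte = (key_idx << 6) | (0x20 if ext_iv else 0)
    prefix = b"\x00\x00" if qos else b""
    return prefix + bytes([(iv >> 16) & 0xFF, (iv >> 8) & 0xFF, iv & 0xFF, key_byte]) + b"\xde\xad\xbe\xef" * 4


SAMPLE_FRAMES = [
    _frame(0x80, 0x00, b"\x00" * 12),                      # beacon: management, ignored
    _frame(0x08, 0x41, _wep_body(0x010203)),               # WEP data, To-DS
    _frame(0x08, 0x41, _wep_body(0x010203)),               # same IV again (duplicate)
    _frame(0x08, 0x41, _wep_body(0x03FF10)),               # FMS weak for key byte 0
    _frame(0x08, 0x41, _wep_body(0x0FFF20)),               # FMS weak for key byte 12
    _frame(0x08, 0x41, _wep_body(0x10FF30)),               # first byte 16: not weak for 13-byte key
    _frame(0x08, 0x41, _wep_body(0x000001, ext_iv=True)),  # TKIP (Ext IV set), skipped
    _frame(0x88, 0x41, _wep_body(0xAABBCC, qos=True)),     # QoS data subtype, still WEP
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE_FRAMES
)

if __name__ == "__main__":
    print(collect(SAMPLE_PCAP))
```

Run against a real Kismet or Wellenreiter dump by replacing SAMPLE_PCAP with the file's bytes; if the dump carries a prism or radiotap header the link-type check will refuse it, which is deliberate, since the frame offsets above assume bare 802.11. The unique-IV count is what matters for the "do I have enough packets" question in this thread, and the duplicate handling shows why a raw frame count overstates it.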
offroadgeek
I put an 80MB swap file on my SD card and aircrack works great now...

I don't normally have WEP set up on my home AP since it's outside my firewall and I like to share my wifi with my neighbours, etc.... but I wanted to see aircrack in action, so I set up 128-bit WEP on the AP and have my laptop connected to it (downloading ISOs). I've started Wellenreiter and my stopwatch to see about how long it would take to get 500,000 packets. I also have the capture file set on my SD card with about 600MB free, so it should have enough space.

We'll see what happens
offroadgeek
So after 6 hours and 15 minutes of Wellenreiter running, it captured 25,217 packets to a 2.2MB file. I was expecting the file to be much larger. I'm wondering if I did something wrong or didn't have some of the Wellenreiter settings set up correctly.

Either way, I had aircrack running for over an hour, and for some reason my 1000 went to sleep by itself. I've changed some settings in the light and power app to hopefully prevent it from going to sleep (unless I make it), and left the wifi on (in case the active network will keep it alive too). I'll see if it cracks the WEP in the morning.

P.S. I'm impressed that I haven't had any memory issues so far with it.
charlesa
QUOTE(offroadgeek @ Apr 16 2005, 03:07 AM)
We'll see what happens

Yes, I got it running on a 64MB swap.

Try running aircrack with a fudge factor of 4 (ref: http://www.securityfocus.com/infocus/1814). You may get a better/faster result.

C.
offroadgeek
QUOTE(charlesa @ Apr 16 2005, 02:08 AM)

Thanks, I might try that on my next run. It's been running for just 9 hours, and it hasn't finished. Let's hope it won't take 60 hours; I was hoping to use my Z this weekend.
Olivier
I have a Sharp ROM C3000 with the same aircrack error.

To solve the issue I created a swap file (128MB) as follows on my hard disk (for the C6000 or others, I think the same can be done on a CF memory card):

Open a terminal as supervisor and then type the following commands:
CODE
dd if=/dev/zero of=/hdd3/swapfile bs=1048576 count=128
mkswap /hdd3/swapfile
swapon /hdd3/swapfile

To check that swap is activated, type: cat /proc/swaps

The aircrack error should now have disappeared.
Siftah
Ummmm.

You could just use the Zaurus to create the capture files, then use aircrack on a normal desktop machine/laptop to actually break the WEP key.

You'll need a fairly large chunk of data to get the WEP key broken; for a 128-bit key, something like a gig of data may need to have passed over the WLAN in order for enough IVs to be captured to break the WEP key.

Also, using airodump and setting it to just store IVs will greatly reduce the data stored; you can then easily transfer this back to a desktop machine to run aircrack on it, etc.

HTH.
born2wonder
QUOTE(offroadgeek @ Apr 15 2005, 07:38 PM)

Recommendations:

Aircrack-ptw: Using aircrack-ng, 64-bit WEP needs around 400,000 IVs and 128-bit needs a cool million. That being said, you should try aircrack-ptw (you can google it for info), which needs as few as 20,000-40,000 IVs to crack WEP. I've used it many times and it is a great program. If using airodump to capture, don't use --ivs, as aircrack-ptw needs the full capture file.

Injection: Most of the time, you will need to inject packets into the network to generate a lot of IVs fast. You will need a WLAN CF card capable of injection (AFAIK all Prism2/Prism3 CF cards support it). You also need drivers supporting injection, such as HostAP. Aireplay-ng is the tool I use to inject and replay packets. Attacks are available for client-connected networks as well as client-less ones. I collect 40,000 IVs in less than 10 minutes on my LifeBook P1510 (1kg tablet) running BackTrack.

I am buying a C1000 (still deciding on supplier) in a few days; if I manage to crack a WEP network, I will post a little step-by-step how-to. Hope this helps.
Capn_Fish
QUOTE(born2wonder @ Jun 28 2007, 11:30 PM)

Aircrack-ng 0.9.x has the PTW attack. I just broke my WEP key with under 30000 IVs using 0.9 on my Z.