Sunday, November 17, 2013

Running Aircrack-ng for Windows:

Once as many IVs as required have been captured using the airodump packet capture utility the resultant [filename].cap file can be imported into aircrack to break the static WEP or WPA-PSK keys.

To view all available switches:

cd  c:\aircrack-ng-[version]

Basic usage:

aircrack  -q  -n  [WEP key length]  -b [BSSID]  [filename].cap

Breaking WEP:

As you can see the capture file in use below (capture1.ivs) was created with airodump capture option "Only capture WEP IVs (y/n)" set to "y" as the resultant file is in the .ivs format.  If n had been selected the resultant file would be in the .cap format.

Whilst this will work, we can could have cut down the cracking options for Aircrack-ng by specifying the WEP key length (-n) or by specifying the target AP MAC address (-b) on the command line:

aircrack -a 1 -q  -n 128  -b  11:11:11:11:11:11  capture1.ivs  (Where 11:11:11:11:11:11 = Target AP's MAC address)

As you can see aircrack found the WEP key for our 1008195 IV capture file (capture1.ivs) in only 4 seconds.The capture file itself (capture1.ivs) is included here to test your own aircrack installs (note: the file is a 5.77mb download).
Breaking WPA:

In order to be carry out the WPA dictionary attack using aircrack-ng we either have to:
  1. Wait for a WPA client to associate to the network (This could take a while)
  2. Force a WPA client off the network, forcing it to reassociate.
Either of these two method allows us to capture the WPA handshake, which is what we require to perform a dictionary attack.The downside to using this Windows version of aircrack-ng is that there are not any freely available tools to perform this attack.  So we have to either use a Linux tools (e.g. aireplay or void11) or wait for an association to occur.Which ever way we gather the WPA handshake we still use the same tool; airodump

Once we think we have captured the WPA handshake, we simply run the capture file through aircrack for confirmation:

If have confirmed we have the WPA handshake (as above) we can attempt the dictionary attack:

As you can see above aircrack found the WPA PSK of "passphrase"
The capture file itself (capture2.cap) is included here to test your own aircrack installs


Post a Comment


Subscribe in Bloglines Msn bot last visit powered by MyPagerank.Net Yahoo bot last visit powered by MyPagerank.Net
I heart FeedBurner downtime checker The Ubuntu Counter Project - user number # 31290

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Powered by TadPole