Cracking WEP with aircrack-ptw in Windows with AirPcap and Cain

Every time you deploy a WEP Access Point, a fluffy kitty dies.

Primer

Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key. Rather than collecting weak IVs, the PTW method collects ARP requests and responses to attack the encryption. ARP requests can either be collected naturally or generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter and some unsupported beta drivers, it's possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium. In this tutorial, I'll guide you through the process of recovering a WEP key via the PTW attack in Windows. For this you'll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.

Legalities

It's important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get "Free internet"!

Preparation

You'll need:

Now you'll need to prepare the environment:
  • Install the beta drivers (or if you have AirPcap Tx, install the drivers from the CD-ROM)
  • Plug in the AirPcap
  • Install Cain
  • Extract aircrack-ng to c:\airpcap\
  • Extract aircrack-ptw to c:\airpcap\
  • Move aircrack-ptw.exe to the bin folder (this is no longer required - see my notes)
  • Optional: To make things easier, move the contents of the bin folder to c:\airpcap\. You'll then be able to run aircrack-ptw.exe with just c:\airpcap\aircrack-ptw.exe mycapture.cap

Let's get cracking

I added narration to the video this evening at 20:36. It's my first attempt at narration, and a little noisy, but I'm sure things will improve as time goes on! :) Youtube Video Link

Countermeasures

The primary countermeasure to this WEP attack is to cease using WEP and switch your Access Points to WPA encryption. As you've seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA. Access Points are so cheap now that, if your AP doesn't support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.

Notes

Note 1: After recording this tutorial, I've become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.

Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.

Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.

Note 4: Just to summarise the steps in the video:
  1. Run Cain and passively scan for the target AP, making a note of the Channel number.
  2. Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
  3. To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain is that Cain only collects WEP IVs.
  4. Once you've collected enough packets, run aircrack-ptw against the capture file.
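As an added example that complements the Countermeasures section (it is not code from the original post, nor from the aircrack-ng or CACE projects): a Python script that reads an airodump-ng CSV export, lists every access point still advertising WEP, and compares each one's captured-IV count against the 85,000-packet PTW figure quoted in the Primer, so an administrator can see which of their own APs are most exposed and prioritise moving them to WPA/WPA2. The column layout is assumed to match airodump-ng's CSV output (an AP table headed by `BSSID`, then a client table headed by `Station MAC`); the capture rows are constructed sample data.

```python
"""Audit an airodump-ng CSV export for access points that still use WEP.

Added example: not code from the original post, nor from aircrack-ng or CACE.
Assumes the CSV has airodump-ng's usual two tables: an AP table whose header
starts with 'BSSID', followed by a client table whose header starts with
'Station MAC'. Column names below are taken from that header row.
"""
import csv
import io

# Packet count the post quotes for a ~95% chance of PTW success.
PTW_PACKETS_95PCT = 85_000

# Constructed sample data in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-06-18 20:00:00, 2007-06-18 20:10:00,  6,  54, WEP , WEP,  OPN, -40,  1200,  91000,   0.  0.  0.  0,   7, labnet1,
00:11:22:33:44:66, 2007-06-18 20:00:00, 2007-06-18 20:10:00, 11,  54, WPA2, CCMP, PSK, -55,   900,      0,   0.  0.  0.  0,   7, labnet2,
00:11:22:33:44:77, 2007-06-18 20:00:00, 2007-06-18 20:10:00,  1,  54, WEP , WEP,  OPN, -70,   300,   4200,   0.  0.  0.  0,   7, labnet3,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2007-06-18 20:00:00, 2007-06-18 20:10:00, -50,   500, 00:11:22:33:44:55,
"""


def parse_access_points(text):
    """Return the AP table as a list of dicts keyed by the header names.

    Parsing stops at the 'Station MAC' header because the client table has a
    different column set and is not needed for this audit.
    """
    aps = []
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank separator line between the two tables
        if cells[0] == "Station MAC":
            break
        if cells[0] == "BSSID":
            header = cells
            continue
        if header is not None:
            aps.append(dict(zip(header, cells)))
    return aps


def wep_findings(aps, threshold=PTW_PACKETS_95PCT):
    """Pick out WEP networks and rate each against the PTW packet figure."""
    findings = []
    for ap in aps:
        if "WEP" not in ap.get("Privacy", "").upper():
            continue
        ivs = int(ap.get("# IV") or 0)
        findings.append({
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "ivs": ivs,
            # True once a passive observer has already seen enough traffic
            # for the attack described in the post to be likely to succeed.
            "ptw_threshold_reached": ivs >= threshold,
        })
    # Most-exposed networks first: highest IV count at the top.
    findings.sort(key=lambda f: f["ivs"], reverse=True)
    return findings


def report(text):
    """Human-readable summary for the administrator."""
    lines = []
    for f in wep_findings(parse_access_points(text)):
        status = "ENOUGH TRAFFIC FOR PTW" if f["ptw_threshold_reached"] else "below PTW figure"
        lines.append(f"{f['bssid']}  ch{f['channel']:>2}  {f['essid']:<12} "
                     f"IVs={f['ivs']:>7}  {status}  -> migrate to WPA2")
    return "\n".join(lines) or "No WEP access points observed."


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Run it against a real export by replacing `SAMPLE_CSV` with the contents of the `-01.csv` file airodump-ng writes; any WEP network in the list should be on the migration plan regardless of its IV count, since the count only reflects what one capture happened to see.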

49 thoughts on “Cracking WEP with aircrack-ptw in Windows with AirPcap and Cain”

  1. Pingback: Aircrack-PTW for Windows · Mind Circus

  2. Ghost face

    Hey Mind Circus, I have been looking everywhere for the AirPcap beta drivers to enable packet injection in Cain. I was hoping that maybe if you had them you could send them to me. I am a noob (freshman) in high school, that is why I saved my money to buy the AirPcap. I tried using Knoppix STD and aircrack but had no luck; I bought many different kinds of cards for my old notebook but still could not get aircrack to work, so I got the AirPcap. I have had it since 6/5/07 and have had no success in getting the IVs that I need to get cracking. So thanks if you can get the driver, and thanks even if you can't get the driver. Oh, and I clicked on the link to get the driver from Rapidshare and I can't seem to get it to work. Thanks…. I am also taking classes at my local community college for basics in Visual Basic. I just started on Monday 6/18/07.. Eventually I want to be an I.T.

  3. Phil Wiffen Post author

    Hi “Ghost face”,

    I’m sorry you’ve been having trouble with Linux. Generally, I’ve found Backtrack 2 to be the best Linux distro for auditing. Most things you need are auto-configured and it’s very, very easy to start testing and auditing once it’s booted.

    Back to Windows…

    Rapidshare can be confusing, especially as the stuff you want to do (download) is “below the fold” on the page, requiring you to scroll down. I won’t get into the Web Usability issue there :) The basic steps to download the beta drivers:

    – Go to the bottom of the page, click ‘free’.
    – Choose a mirror, then fill out the captcha, and click ‘download via…’.
    – Your download will start almost immediately.

    Hope that helps!

  4. Ghost

    Hi Mind Circus, I have been trying to use the AirPcap with aircrack to crack faster and I can't seem to get it to work; it is taking too long the normal way. Can you give me some tips? Thank you.

  5. rodrigo

    Hi Phil,
    Well, I did exactly the same as you did in the video, except that I don't know why but the number of WEP IVs that I collect does not increase or go faster at all. I do get ARP requests (14 of them in the last attempt) but when I click “deauth” sometimes it actually even goes slower or nothing happens. I don't know what I'm doing wrong, I have installed the same driver and I have followed the instructions…. Any ideas???

    thank you very much!

  6. Phil Wiffen Post author

    rodrigo,

    Do you have an AirPcap Tx? If you only have the original AirPcap USB Adapter, the beta driver isn’t fully supported and it seems that it doesn’t work in some PCs.

  7. Arnaud

    Dear Phil,

    We are waiting for your write-up regarding aircrack-ng and AirPcap Tx with impatience… :-)

    Arnaud :-)

  8. Phil Wiffen Post author

    Haha, I have notes! I just need to write them up. I have a long weekend coming up so maybe I’ll post my notes then – but I can’t promise a polished article!

  9. Mike

    Hi and thanks for a great post!

    Have you tried the new PTW cracking feature in Cain? Does Cain work with the new Cace AirPcap TX from Cace (there are some reports that the Packet Injection doesn’t work…)?

    Mike

  10. Phil Wiffen Post author

    Mike,

    The last time I tried the Cain PTW attack it failed miserably, hence why I’m using the aircrack-ng suite to perform the PTW attack. Sucks, really, but I understand that the author of Cain is working on a solution. :)

    Oh and yes, Cain works with the new (kinda see-through) AirPcap Tx.

  11. kev

    Phil, which is best for use with Cain, aircrack-ng and Wireshark??? AirPcap or AirPcap Tx? Please could you help me please!

  12. Kev

    Phil, if I get AirPcap Tx, is it stable in WinXP Pro for cracking WEP? Does it also crack WPA/WPA2? I also can't find any technical specifications for AirPcap Tx, e.g. range, gain, dBi? Help please!

  13. fine

    Hi Mind, I just installed Cain and am all new to this. I've been watching your video and noticed that when you open the drop-down box and click on one of the lines it splits in 2; mine doesn't, so I can't lock on to channels.. please help.. if possible could you e-mail me.. P.S. I have seen many videos on this subject but, far out, this is the best.. ta

  14. fine

    Would it help if I said my search bar doesn't say passive scanning, it says active scanning.. what do I need to install or buy for Cain to work.. also I'm using a Hawking 8dBi hi-gain wireless adapter, my laptop is also wireless, it's a Fujitsu Siemens.. as you can see from the time of the last post I have left, I'm still trying lol

  15. Phil Wiffen Post author

    Hi “fine”,

    In the “Preparation” section of my instructions above, it specifically states you will need an AirPcap Tx adapter to perform this attack. Once you have one of those, you will be able to do what I do in the video.

  16. justin

    I have clicked on deauth several times but nothing seems to happen. I am using Cain with airodump and aircrack-ptw with an AirPcap Tx adapter. Please help.

  17. Dominik

    Phil,

    I am trying to do the same with an AirPcap Tx, AirPcap 3.2 beta driver and Cain v4.9.8.
    The problem is that in Cain the box for the ARP request is grey; I cannot activate the injection!
    Any idea will be well accepted!
    Thank you
    Dominik

  18. Phil Wiffen Post author

    Dominik: I’ve not fully tested Cain with the 3.2 Beta Driver, but it sounds like you may be using a Classic AirPcap, and not an AirPcap Tx. Can you double check and get back to me?

    Kev: AirPcap Tx supports Vista. With regards to aircrack-ng in Vista, I’m not sure as I don’t run Vista myself. My flatmate has a Vista laptop so I’ll try to pry it from his hands for a quick test ;)

  19. HaRdY

    Hi,

    Have to say great site.. some really helpful advice.. I'm currently at uni doing a project in my final year on wireless network security so should be following this tutorial up… should be interesting! I just wanted to ask, do you use Linux at all.. if so, do you know if I bought a wireless card that's compatible with monitor mode, will it work on any processor, and also how do I add the Linux drivers to it.

    many thanks and again great info this is going to help me big time

    cheers dude

    hardy

  20. Dominik

    Phil,

    Thank you for answering.
    I was using a simple AirPcap adapter. Now I asked for an update and I received a Tx version; it is black and orange.
    I use Cain v4.9.8 and driver version 3.1 (it is on the CD in the box).
    The problem now is that I cannot make the injection work. The deauth doesn't give any result.
    Please can you let me know if it is a problem of driver? I really do not know what to try next :(
    Thank you

    Dominik

  21. Marlock

    Hi Phil!

    I am using an AirPcap Tx (black and orange) with Cain v4.9.8 and driver 3.1.0.965.
    I try to do exactly the same things that you show in the video, but in my case the deauth doesn't work!
    Do you think it is a problem of drivers?
    I will really appreciate every advice you can give me.

    Thank you!

  22. Phil Wiffen Post author

    Dominik, Marlock: This sounds like a known problem with Cain. As Cain is a 3rd-party app, which CACE do not directly support, it's hard to troubleshoot what's to blame (most likely Cain). My advice would be to use my to confirm that injection does indeed occur, and if it works with aircrack-ng, then chase up Mao (the author of Cain). In my experience whilst at Crownhill, when dealing with customers who had the same problem as you, the adapter was always capable of injection; it's just that Cain couldn't drive it properly. Let me know how it goes!

  23. jay

    Hello, I've been researching this a while now using different methods and programs,
    my questions would be:
    is this worth the effort if I've used Backtrack 2… is there an upside? quicker? more compatible devices?
    also, is there help and capability on Vista? (which I've recently updated to for motherboard reasons)
    hope I get a response soon, adios =)

  24. Phil Wiffen Post author

    Jay: Firstly, the AirPcap solution is only worth it if you’re using a Windows machine and haven’t really used Linux much, or simply don’t have the time to invest in learning Linux.

    Shaq: AirPcap works for sure. I have not yet tested aircrack-ng or Cain in Vista.

  25. Mikel

    Please help me. How do you create the new device driver in Cain, \\.\airpcap00? I need a detailed procedure please.

    Thanks a lot

  26. Phil Wiffen Post author

    Mikel, you don't create it, you need to buy an AirPcap adapter, which will include the AirPcap drivers, and allow you to address \\.\airpcap00.

  27. darren

    Phil Hi,

    Could you spare me five minutes to help please as clearly you are a fountain of WEP knowledge lol :)

    Forgive me here as im a ‘noob’ but werent we all at one stage.

    I have Windows XP with a standard Netgear USB dongle and I'm on a Sky broadband package, yeh? Obviously I can scan for networks as part of Windows and when I do I see two other networks in my area, both of which use WEP. I'm looking for a way to find the key so I can connect to those networks, yeh? Is there a way to do this using XP and some freeware? Your solution mentions the dongle but that's about £150, so is this the only way to do it? And do I need more than one PC?

    As i said, forgive me but any pointers you can give would be a big help.

    cheers
    D

  28. joepapa

    Hi! Please tell me your AirPcap Tx adapter MAC address, first seven characters.
    xx.xx.xx.na.na.na
    Please tell me the xx.xx.xx number (vendor code).

  29. Phil Wiffen Post author

    Darren: This isn’t the only way to do it in Windows, but it’s by far the quickest. The alternative is to use something like Cain to actively scan and pick up the data, but this will take much longer as you’ll be unable to inject packets. Another free option is running Linux.

    I certainly wouldn’t recommend that you crack anyone’s access points without their permission!

  30. Phil Wiffen Post author

    joepapa: The information is on the back of the AirPcap itself. It’s also detailed in my Command Line notes. If you’re thinking of buying a much cheaper OEM adapter, and trying to turn it into an AirPcap, you may be out of luck – the adapters are hardware-modified by CACE.

  31. ruler

    How can you collect an ARP request (I assume this is needed) if no client shows in the bottom window of Cain?

  32. Phil Wiffen Post author

    Hey Ruler,

    You can’t with Cain. Although I have seen tutorials that allege it’s possible with aircrack-ng. It might be worth investigating further!

  33. linuxhater

    Don't you find it ridiculous that the company that puts out hacking software requires a dongle to run their sniffer driver? There is no technological reason for needing that stupid USB drive that they couldn't work around in a few days, but then they wouldn't be able to charge $600 for it. Dork hackers won't pay $39.95 for software that cost millions to build, but you will spend 100's on a piece of shit sniffer built in Poland or some shit for a couple hundred bucks. Dumb shits.

  34. Phil Wiffen Post author

    linuxhater: Correct me if I'm wrong, but my understanding is that Windows filters raw 802.11 packets and hides them from the upper layers of the OS, hence the need for a hardware/software solution such as CACE's, which basically sits underneath, bypassing Windows' filtering.

    Do remember that CACE have never, ever, said that AirPcap is a hacking tool, nor has it been aimed at the hacking market. First and foremost, it is an 802.11 Protocol Analyser for Windows that addresses the frustrating issue that I just mentioned. It just so happens that AirPcap can also be used to break WEP.

    My opinion is that if people were curious enough, and really wanted to break WEP for free, they’d use Linux, and one of the numerous Linux/aircrack-ng tutorials out there on the internet.

  35. jkey

    I have tried to run the AirPcap control panel but it didn't detect my notebook's built-in wireless adapter. Then what must I do to make the tool detect the adapter?

  36. Phil Wiffen Post author

    jkey: I’m getting a little frustrated by people like yourself who are wasting my time by not reading my posts. I took the time to produce these tutorials, for free, so I’d appreciate it if you actually read the whole post. The AirPcap Software will not work without an AirPcap Adapter.

  37. Webby

    Phil,

    I would really appreciate some help, as I don’t know what I’m doing wrong?

    I am using the following:

    Windows XP SP2
    Cacetech AirPcap TX adapter (black & orange), with the 3.2.1.1069 driver installed.
    Cain & Abel Software v4.9.14
    WinPcap 4.0.2

    When I lock on a channel and select WEP injection and restart passive scan, the unique WEP IVs count up really slowly (1 every 20 sec; I don't think it's working)? Do I have to configure any settings in the AirPcap control panel?

    Any advice would be much appreciated :-)

  38. Pingback: Wireless Network Cracking | Programming Resources
