Finally, I’ve had time to write down my notes on using aircrack-ng with the Airpcap Tx adapter in Windows. Before you read on, please be aware that this isn’t meant to be a guide or tutorial, it’s just my notes. Thanky

Basics

Start capturing:

airodump-ng \\.\airpcap00 airpcap CHANNELNUMBER mycapturefile

Fake auth:

aireplay-ng --fakeauth 0 -e "MYSSID" -a BSSIDMAC -h AIRPCAPMAC \\.\airpcap00

Start attack:

aireplay-ng --arpreplay -b BSSIDMAC -h CLIENTMAC \\.\airpcap00

Deauth (if we need ARPs):

aireplay-ng –deauth 3 -a BSSIDMAC -c CLIENTMAC \\.\airpcap00

Start cracking:

aircrack-ng -z mycapturefile.cap

Worked example:

airodump-ng.exe \\.\airpcap00 airpcap 11 mycapturefile
aireplay-ng --fakeauth 0 -e "WEP" -a 00:a0:c5:9d:d5:50 -h 00:02:72:67:92:8a \\.\airpcap00
aireplay-ng --arpreplay -b 00:a0:c5:9d:d5:50 -h 00:90:4b:eb:9b:36 \\.\airpcap00
aireplay-ng --deauth 3 -a 00:a0:c5:9d:d5:50 -c 00:90:4b:eb:9b:36 \\.\airpcap00
aircrack-ng -z mycapturefile.cap

Download

I’ve prepared a special release of the aircrack-ng tools originally prepared by CACE Technologies on the AirPcap CDROM. It replaces the new aireplay-ng.exe with an older one which, in my tests, appears to perform better.

Download the release of aircrack-ng for AirPcap Tx

Every time you deploy a WEP Access Point, a fluffy kitty dies.

Primer

Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key.

Unlike the Weak IV attack, instead of collecting weak IVs, the PTW method collects ARP requests and responses to attack the encryption. ARP requests can either be collected naturally, or can be generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter, and some unsupported beta drivers, it’s possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium.

In this tutorial, I’ll guide you through the process of recovering a WEP key, via the PTW attack, in Windows. For this you’ll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.

Legalities

It’s important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get “Free internet”!

Preparation

You’ll need:

• An AP configured with WEP
• At least one client associated with the Access Point (to give us an initial ARP request)
• A standard AirPcap Adapter with the unsupported beta packet injection driver or a fully-supported AirPcap Tx.
• Cain and Abel
• aircrack-ng for AirPcap
• aircrack-ptw for Windows

Now you’ll need to prepare the environment:

• Install the beta drivers (or if you have AirPcap Tx, install the drivers from the CD-ROM)
• Plug in the AirPcap
• Install Cain
• Extract aircrack-ng to c:\airpcap\
• Extract aircrack-ptw to c:\airpcap\
• Move aircrack-ptw.exe to the bin folder (this is no longer required – see my notes)
• Optional: To make things easier, move the contents of the bin folder to c:\airpcap\. You’ll then be able to run aircrack-ptw.exe with just c:\airpcap\aircrack-ptw.exe mycapture.cap

Let’s get cracking

I added narration to the video this evening at 20:36. It’s my first attempt at narration, and a little noisy, but I’m sure things will improve as time goes on!

Youtube Video Link

Countermeasures

The primary counter measure to this WEP attack is to cease using WEP and switch your Access Points to WPA encryption. As you’ve seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA.

Access Points are so cheap now that, if your AP doesn’t support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.

Notes

Note 1: After recording this tutorial, I’ve become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.

Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.

Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.

Note 4: Just to summarise the steps in the video:

1. Run Cain and passively scan for the target AP, making a note of the Channel number.
2. Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
3. To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain, is that Cain only collects WEP IVs.
4. Once you’ve collected enough packets, run aircrack-ptw against the capture file.

As of version 0.9, the aircrack-ng suite natively supports the PTW attack. Download it here. To invoke the PTW attack in aircrack-ng, run it with the -z switch: aircrack-ng.exe -z mycapturefile.cap.

A French chap has compiled Aircrack-PTW for Windows. This is great for anyone using the AirPcap adapter to inject packets in Windows, as the new PTW attack dramatically reduces the amount of packets you need to collect before attempting to crack the WEP key. Notice in the screenshot below, only 83,000 packets were needed to break a 128bit key; as opposed to around 400,000 with the KoreK attack.

The executable is in French but it’s still perfectly usable; All you’re looking for is the WEP key!

Just run it with:

aircrack-ptw.exe yourcapturefile.cap

When I get some time I’ll try to compile a version in English, but for now you can grab the French version: Download Aircrack-PTW for Windows.

I’m in the process of writing up and recording a demonstration of cracking WEP in Windows with AirPcap, Cain, and aircrack-ptw. Expect to see something within a week! Update: Check it out here

Preparation

You’ll need:

• An AirPcap Tx adapter
• Cain and Abel

Note: It is possible to get this working by using the cheaper “Classic” AirPcap, in conjunction with the old 2.0 Beta Tx Drivers for AirPcap, to enable packet injection capability, but this is entirely unsupported, and is not guaranteed to work. YMMV.

Notes

• To begin ARP injections, AirPcap must capture at least 1 ARP request from a system on the target AP. You can usually force this by sending a Deauth to a connected client.
• Make sure you have over 250,000 IVs before attempting to crack the WEP key.
• In my tests, the old AirPcap (silver-grey) appears to perform significantly faster than the new AirPcap (dark-grey). I think it’s about 10x faster.

The Video

Click Play to get things started.

Additional

Download the full resolution video (Thanks to TAz00 from the Oxid.it forums for the hosting!)

View the video on Youtube

Version 2.1 adds support for the upcoming Wi-Spy 2.4x, which incorporates an RPSMA connector for external antennas. Wi-Spy 2.4x ships with a standard “rubber duck” omni-directional antenna.

View the announcement on metageek.net

Download Chanalyzer 2.1

To do this, you’ll need the useful AirPcap USB Wireless Capture Adapter from CACE Technologies. It’s pretty cheap when compared to some of the other Windows hardware solutions, and you’ll be supporting the makers of Wireshark!

Why Windows?

I adore Linux and the entire Open Source movement, but it’s important to recognise that many people out there are locked into Windows; and learning an entirely new OS to perform security testing isn’t cost-effective for their company.

How is WEP cracked?

To crack WEP, you need to exploit a weakness in its implementation, and collect lots of Initialisation Vectors (IVs). In normal WLAN traffic, it would take quite a while to pickup enough IVs – approximately 1 million – so we need to generate our own traffic. There’s two ways we could do this:

1. Generate your own traffic using iperf.
2. Use packet injection using aireplay.

At present, the AirPcap Drivers do not support packet injection in Windows. Fortunately, the makers of AirPcap, CACE Technologies, have said packet injection will be included soon.

Update 2007-06-11: Packet Injection is now possible in Windows with the AirPcap. Please see my posts: Cracking WEP with Cain and Cracking WEP with aircrack-ptw for more information.

What will you need?

• An AirPcap Wireless Capture adapter. This is a great little tool for 802.11 sniffing in Windows. You can even run Kismet with it!
• The Aircrack-ng for AirPcap release by CACE Technologies.
• Your own Wireless Access Point, configured with WEP.
• 3 computers, at least 1 of which should have a Wireless LAN Adapter.
• Enough traffic to generate over 1 million IVs. For this demonstration, we’ll use a Windows release of iperf, called K-perf, to generate lots of traffic.

Let’s get cracking

This guide assumes that you are performing this on a WLAN you have permission to use.

OK let’s do it…

Set up Aircrack

Plug in your AirPcap.

Extract the contents of the aircrack-ng release to C:\aircrack (or wherever, I’m just doing this for tidiness).

Open up the c:\aircrack\bin\ directory and double-click the airodump-ng.exe (this is a specially built release tailored for AirPcap).

Configure it as per your settings [Screenshot: Configuring Airodump-ng]

Generate some traffic

Install K-perf, then run J-perf — the Java front-end — on the two machines connected to the AP. At least one should be connected via Wireless. Set one up as a server, and the other as a client. Remember, we’re just doing this to generate enough traffic on our demo WLAN.

On the Server, choose the ‘Server’ option, then click Run. [Screenshot: Server, Configure K-perf using the Java front-end, J-perf.]

On the Client, type in the Server’s IP address, configure the time iperf should run to 1200, and click Run. [Screenshot: Client, Configure K-perf]

Capture and Crack

Go back to your AirPcap machine and watch the IV frames come in. [Screenshot: Airodump-ng capturing WEP IVs]

When you’ve hit over 1,000,000 frames, open up aircrack-ng_GUI.exe in the c:\aircrack\bin\ directory.

Click the Aircrack-ng tab, and locate your crackme.iv file.

Click launch and wait for the cracker to find your WEP key. [Screenshot: Airocrack-ng cracking WEP]

If aircrack cannot find your WEP key, you may not have enough IVs. To get more IVs, start up airodump-ng.exe again, and when asked the Output filename prefix, give the same name as you did previously. Airodump-ng will then append packets to the original dump.

What next?

Traffic capture

As this is a simulation, now that you have your WEP key, you can continue your penetration testing by using AirPcap with Wireshark to capture all the traffic flowing over your WPA or WEP-enabled WLAN.

Educate!

As one of the aims of my blog is to help people, if you have friends/neighbours/co-workers whose WLANs are WEP enabled, you could demonstrate how easy it is to crack WEP, and then help them set up a properly-implemented WPA/WPA2 WLAN

Did this help you at all? Any questions? Feel free to leave me a comment below!

1. Open up a Terminal: Applications > Accessories > Terminal
2. sudo apt-get install kismet
3. sudo gedit /etc/kismet/kismet.conf
4. Change
source=none,none,addme
   to
   source=ipw2200,eth1,wifi
   • If you don’t know your relevant network driver, view the Kismet Readme and scroll down to the section “12. Capture Sources”. My driver is ipw2200.
   • If you don’t know your interface name, use iwconfig to find your wireless interface (mine is eth1). [screenshot]
5. Save the file
6. sudo kismet [screenshot]

Any questions? Feel free to leave me a comment below

When AirPcap was first released, only WEP decryption was supported. However, with the release of Wireshark 0.99.5 it is possible to decrypt WPA packets with the AirPcap adapter in Windows. Here’s how:

1. Install Wireshark 0.99.5 or above
2. Run Wireshark
3. Go: View > Wireless Toolbar
4. Click on “Decryption Keys…”
5. Add a new decryption key. In my instance, because I know the Passphrase, I used WPA-PWD. If you’re doing penetration testing and, you have a 64byte string from something like AirCrack, you should use WPA-PSK.
   
6. Capture away. In the screenshots below, I’ve filtered my own Wi-Fi card to cut down on the volume of ‘junk’ and demonstrate that it is, in fact, decrypting the packets on the WLAN.
   

For a lot more information on getting this set up, check out the AirPcap Userguide.

Did this help you at all? Any questions? Feel free to leave me a comment below!

What is AirPcap?

If you need to capture 802.11b/g packets in Windows, then AirPcap is your answer. Made by the guys who brought you WinPcap and Wireshark, AirPcap enables you to capture raw Wi-Fi packets in Windows. AirPcap fully integrates into Wireshark, giving you a seamless packet capture experience. Read More AirPcap…

Kismet for Windows is available from the CACE Tech website. At present, it only works with AirPcap and Kismet drones.

If you work or play with Wi-Fi networks and you’ve never heard of Wi-Spy, it’s worth checking out. Small, and affordable, Wi-Spy is a very capable wireless spectrum analyser. You just plug in the USB dongle, load up the Chanalyzer software and you’ll be seeing the 2.4GHz spectrum in no time. It’s fantastic for wireless troubleshooting (especially when your wireless network seems slow or keeps dropping out) – enabling you to confidently choose a Wi-Fi channel with less interference, as opposed to the old method of ‘blindy’ changing channels and hoping things improve.

You can find out more at my Wireless Analysis site.

If you already have Wi-Spy, what do you use it for?