Last Modified: 30 Jan 02
- AirSnort Installation
AirSnort ONLY works with Prism2 cards! Assuming you have one of these,
and a linux installation, you must have the following available to
build AirSnort:
* Kernel source code
* PCMCIA CS package source code (latest is 3.1.31)
* linux-wlan-ng - The newer the better (currently 0.1.13-pre2).
* wlan-monitor patch (not required if wlan-ng ver >= 0.1.10)
* AirSnort source
All of these are available on our website.
To start, you must configure the kernel source code. This will link
the include directories in the source tree to the system wide
directory, /usr/include. The kernel source code need not be compiled
or installed, but it must be the same version as the one running. The
kernel version can be determined with the command 'uname -a'. In
addition, the running kernel needs to support loadable modules, PCMCIA and
netlink. If the running kernel does not support these, you will need
to compile and install the source code.
The source code for PCMCIA must be installed, and it must be the same
as the version you are running. To determine the version of PCMCIA CS
you are running, consult the output of the command 'cardmgr -V'. If you
have the appropriate version, you need not compile and install the
source code, but you must complete the configuration process. All of
the defaults are okay.
linux-wlan-ng is the kernel module that drives wlan cards. Only the
Prism2 driver supports raw packet capturing, so it is the only one we
are interested in. The current Prism2 driver no longer supports raw packet
capture, but it can easily be added. From the directory which contains
the linux-wlan-ng subdirectory, run the command
$ patch -p0 < wlan-monitor.patch
Then you must make and install the linux-wlan-ng driver. You must
[re]start the cardmgr, and you can then insert your wlan card. If
anything failed, consult the linux-wlan-ng documentation. This is the
last prerequisite for AirSnort.
Assuming everything went well, AirSnort can now be built. This makes
the executable 'airsnort'. If the build succeeded, the
section "Running AirSnort" is right for you. If anything failed,
(predictably,) consult the appropriate package's documentation.
New in v0.2.0:
* Packets are sorted based on the SSID of the associated AP, allowing
packets from several APs to be captured simultaneously without
hindering the crack operation
* Cracking is attempted in parallel with capture. There is no need to
guess whether you have enough packets to obtain a successful crack.
Packet capture for a given AP terminates when that AP is cracked.
A couple of cracking parameters are configurable in the Preferences
dialog.
* The GUI may be a bit buggy as I did not take the time to learn about
using GTK in a multi-threading environment. If anyone wants to look
into improving reliability I am all for it.
* An increased set of IVs that result in a resolved condition is
accepted.
* airsnort sets the channel to sniff on via direct communication with
the nic. There is no need to place the card in promiscuous mode
prior to starting airsnort. Also, airsnort now has a crude channel
scanning capability built in.
* Orinoco WaveLAN/IEEE cards are now supported, via a patch to the
orinoco_cs driver (actually the orinoco.o module) available for
the pcmcia-cs-3.1.31 source.
* Wireless device name is configurable in the Preferences dialog.
* It is even possible to start a session w/ a prism2 nic, pause it,
swap to an orinoco nic, and resume the session, without exiting
airsnort.
* The PF_PACKET interface available with a patch to linux-wlan-ng-0.1.13
and expected to be available in 0.1.14 is supported with a radio
button in the preferences dialog.
- Running AirSnort
The first thing to be done to crack 802.11b is to get unmodified
encrypted packets. This can be done by putting the card in a mode
which gathers all packets indiscriminately. This mode is known as
promiscuous mode, and it is entered automatically by selecting the
'Start' button. Choose between "scan" mode and fixed "channel" mode
to scan all 11 802.11b channels or a specific channel respectively.
With a capture in progress, packets are collected and saved in various
data structures to facilitate cracking. Packets are not saved to a
file unless you choose to do so (via the File/Save menu). You can
also load the data structures from a previous capture session that did
not result in a successful crack, in order to resume packet collection.
In this version of Airsnort, cracking is attempted in parallel with
packet capture. In this implementation, the cracker attempts to crack
the captured packets for both a 40 bit and 128 bit key each time it
is instructed to do so by the capture thread. This happens each time
10 interesting packets are captured. The breadth of the search used
by the cracker can be controlled via the Settings/Preferences menu
option and defaults to 3 for 40 bit cracks and 2 for 128 bit cracks.
The number of interesting packets needed to perform a successful crack
depends on two things: luck and key length. Assuming that luck is on
your side, the key length is the only important factor. For a key
length of 128 bits, this translates to about 1500 packets. For other
key lengths, assume 115 packets per byte of the key.
For a discussion of the algorithm, and how it affects runtime,
and statistics, see the section "AirSnort Theory."
In any case, if the crack thread believes it has a correct password,
it checks the checksum of a random packet. If this is successful, the
correct password is printed in ASCII and hex, and the successful crack is
indicated by an 'X' in the leftmost column of the display. A successful
crack causes packet collection for the associated SSID to cease.
- Capture Details
Capture uses Linux netlink. If the device on the other end is in
the correct mode, capture simply opens it and begins gathering data. The
packets go through two filters. First, non-encrypted packets are
filtered out. Then, among the encrypted packets, useless packets are
discarded. All non-data packets are discarded with the exception of
802.11b Beacon packets, which are examined in order to obtain
access point SSID data.
To distinguish encrypted and non-encrypted packets, capture examines
the first bytes of the payload. Since unencrypted packets have a first
byte with the value 0xAA, all of these packets get dropped. This byte
comes from the SNAP header.
Useful packets are those with the following property of their IV: the
first byte is a number three greater than one of the offsets of the
bytes of the key. For 128 bit encryption, this means a number from
3-16. The second byte must be 255 and the third byte can have any
value. This means that for every byte of the key, there are 256 weak
IVs. As of version 0.2.0, two additional classes of IVs are
recognized by airsnort. See the source code for details.
When every weak IV has been gathered (13 key bytes * 256 = 3315
packets), there is no point to continuing the capture process. In
reality, it takes somewhat fewer packets than this. As of version
0.2.0, there are on the order of 9400 resolving IVs recognized by
airsnort.
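The two capture filters described above, as an added example that is not AirSnort's own code: it applies the SNAP-byte check and the weak-IV test to constructed sample payloads and tallies how many interesting IVs have been seen per key byte against the 115-per-byte estimate from "Running AirSnort". 802.11 frame parsing up to the data payload is assumed already done; the payload layout (3-byte IV, key-id byte, ciphertext) and the sample bytes are constructed for the example.

```python
from collections import Counter
from typing import Optional

SNAP_FIRST_BYTE = 0xAA       # plaintext payloads begin with the SNAP header
WEP_IV_LEN = 3               # 24-bit IV; a key-id byte follows, then ciphertext
PACKETS_PER_KEY_BYTE = 115   # rule of thumb quoted in "Running AirSnort"

def is_encrypted(payload: bytes) -> bool:
    """First filter from the text: a 0xAA first byte is a plaintext SNAP header."""
    return len(payload) > WEP_IV_LEN + 1 and payload[0] != SNAP_FIRST_BYTE

def weak_iv_key_byte(iv: bytes, key_len: int) -> Optional[int]:
    """Second filter: iv[0] == offset + 3 and iv[1] == 0xFF (iv[2] is free).
    Returns the key-byte offset the IV resolves, or None if not interesting."""
    offset = iv[0] - 3
    return offset if iv[1] == 0xFF and 0 <= offset < key_len else None

class WeakIvTally:
    """Per-key-byte tally of interesting IVs (13 key bytes for 128-bit WEP, 5 for 40-bit)."""
    def __init__(self, key_len: int = 13):
        self.key_len = key_len
        self.per_byte: Counter = Counter()
        self.interesting = 0
    def feed(self, payload: bytes) -> Optional[int]:
        if not is_encrypted(payload):
            return None
        offset = weak_iv_key_byte(payload[:WEP_IV_LEN], self.key_len)
        if offset is not None:
            self.per_byte[offset] += 1
            self.interesting += 1
        return offset
    def coverage(self) -> float:
        # fraction of the ~115-per-key-byte estimate gathered so far
        return self.interesting / (PACKETS_PER_KEY_BYTE * self.key_len)

# Constructed sample payloads: 3-byte IV, key-id byte, then made-up ciphertext.
SAMPLE_PAYLOADS = [
    bytes.fromhex("aaaa0300000800"),    # SNAP header: unencrypted, dropped
    bytes.fromhex("03ff1a00deadbeef"),  # weak, resolves key byte 0
    bytes.fromhex("0fff0700c0ffee00"),  # weak, resolves key byte 12
    bytes.fromhex("10ff000001020304"),  # offset 13: past the end of a 13-byte key
    bytes.fromhex("07fe000001020304"),  # second byte not 0xFF: not weak
    bytes.fromhex("04ff990001020304"),  # weak, resolves key byte 1
]

def run_sample(key_len: int = 13) -> WeakIvTally:
    tally = WeakIvTally(key_len)
    for payload in SAMPLE_PAYLOADS:
        tally.feed(payload)
    return tally
```

run_sample() returns the tally; with the samples above, three IVs are interesting for a 13-byte key, one each for key bytes 0, 1 and 12, and only two for a 5-byte key.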
- Cracking Details
When executing the cracking operation, crack performs a partial
key search over the captured data. Since it is a probabilistic attack,
the best guess may not be the right one, so, with limited captured
data and enough CPU power, you can perform more exhaustive searches.
By setting the breadth parameter, you can specify to search "worse"
guesses. It is not suggested that you specify a breadth of more than
three or four.
See our website for a link to the paper describing the attack.