Aircrack

WVE ID: WVE-2005-0015

Type: Exploit

Status: Candidate

Classification:
Authentication Management
Cryptographic
Denial of Service

Description:
Aircrack is a suite of tools for 802.11 packet capture, injection, and WEP/WPA-PSK key cracking available for both Windows and Linux.

Discussion:
Aircrack comprises several tools, each specializing in one step of encryption key discovery. These tools are used for frame capture, frame injection, and encryption key cracking.

Airodump is used for monitor-mode capture of raw 802.11 frames and is especially suited to collecting WEP IVs (initialization vectors) for later use with the WEP/WPA attack tools included in the Aircrack suite. Airodump not only allows an attacker to capture IVs in real time, but also allows them to be extracted from a pre-existing packet capture. In addition to being supported under Linux, airodump is capable of capturing raw frames under Windows by using AiroPeek's proprietary packet capture drivers.

To inject frames, the aireplay tool is used. Its primary function, as used with the rest of the Aircrack tools, is to generate traffic for use in cracking WEP and WPA-PSK keys. As such, it makes it very easy to conduct deauthentication attacks for the purpose of capturing WPA handshake data, fake authentications, data frame re-injection, ARP request re-injection, and hand-crafted ARP request injection. To aid in this, Aircrack provides the arpforge tool, which can be used to create arbitrary ARP request frames. Unlike airodump, aireplay does not work under Windows because of driver limitations that disallow raw frame injection.

Once enough data has been gathered from the target network, the aircrack program can be used to actually crack the WEP or WPA-PSK key. Aircrack can perform various statistical attacks to discover WEP keys from relatively small amounts of captured data. For cracking WPA-PSK, brute-force and dictionary methods are employed.

Once a key has been discovered by aircrack, an attacker is able to join the attacked network or to decrypt pre-captured packet dumps using the airdecap tool.

Credits
Author: Christophe Devine (devine@100h.org) : None

References
URL: http://www.netstumbler.org/showthread.php?postid=89036#post89036
URL: http://www.cr0.net:8040/code/network/aircrack/
URL: http://www.netstumbler.org/showthread.php?mode=hybrid&t=11878

Released: 2004-07-29

Submitter
Andrew Lockhart (alockhart@networkchemistry.com) : Network Chemistry

Submitted: Thu Oct 20 17:02:42 -0700 2005

Candidate Date: Mon Oct 24 10:10:04 -0700 2005
