Sunday, June 12, 2011

How to Install Aircrack on Mac


How to Install Aircrack on Mac in 3 Easy Steps

Installing Aircrack-ng can be a little confusing if you don't understand the lingo.
Let me guide you through the steps and you'll have Aircrack running natively in no time and with almost no effort.

Why Use Aircrack?
Aircrack-ng is roughly 5 to 10 times faster than KisMAC when it comes to recovering WPA or WEP keys.
KisMAC uses an old Aircrack engine and, honestly, it needs an update...

Aircrack-ng 1.1 churns through about 1500 WPA keys per second, or about 360 passphrases/second, while KisMAC is left behind at 160/sec on a dual core.
On a Mac Pro, Aircrack-ng was tested at 1,800 passphrases/sec, or 6,100 keys/sec.

Aircrack-ng can recover keys for WEP and WPA. If you are interested in WPA only and want to use the NTWHM (Nukular Turbo Warp Hyperdrive Mode), we suggest you check this post and this post. To repeat, it's WPA only, but the speed is nothing short of phenomenal:

Yes, it's 1,576,213 PMK/s.
That is 1082.5 times faster than Aircrack.

Back to Aircrack:
On WEP, the difference is extremely noticeable, especially on captures with few IVs. Aircrack-ng can work with as few as ~23,000 IVs on 64-bit WEP, and in a matter of seconds. KisMAC will churn for 10 min before giving you "unable to find the key".
(Update: success at 20,566 IVs ;-) )
Example here: 3 seconds with 22,566 IVs, only 753 used.

For AirPort users, once the key is recovered, you have to enter it without the colons or spaces.
Example: 70:61:62:6C:6F is entered as 7061626C6F or 7061626c6f
If the key was originally set as ASCII, Aircrack will also give you the ASCII value.
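As an added example (not from the original post), here is a small Python helper that does the conversion described above: it takes the colon-separated hex that aircrack-ng prints, checks the byte count against the WEP key sizes, and returns the joined hex plus the ASCII form when every byte is printable. The function name and the size table are my own; the 64/128/152/256/512-bit sizes are the ones the -n option lists later on this page.

```python
# WEP key sizes as aircrack-ng's -n option names them (64/128/152/256/512 bits),
# keyed by the number of key bytes actually entered (the 24-bit IV is not part
# of the key you type into AirPort).
WEP_KEY_BYTES = {5: 64, 13: 128, 16: 152, 29: 256, 61: 512}


def normalise_wep_key(key_text: str) -> dict:
    """Normalise a recovered WEP key for entry into AirPort.

    Accepts the colon-separated hex that aircrack-ng prints ('70:61:62:6C:6F')
    or the already-joined form ('7061626c6f').  Returns the joined upper-case
    hex, the ASCII form when every byte is printable (None otherwise), and the
    nominal key size in bits.  Raises ValueError on non-hex input or on a byte
    count that is not a WEP key size.
    """
    text = key_text.strip()
    if ":" in text:
        parts = text.split(":")
    else:
        parts = [text[i:i + 2] for i in range(0, len(text), 2)]
    try:
        # int() rejects non-hex text; bytes() rejects any value above 0xFF
        key = bytes(int(p, 16) for p in parts)
    except ValueError:
        raise ValueError(f"not a hex WEP key: {key_text!r}") from None
    if len(key) not in WEP_KEY_BYTES:
        raise ValueError(f"{len(key)} bytes is not a WEP key size (5/13/16/29/61)")
    printable = all(0x20 <= b <= 0x7E for b in key)
    return {
        "hex": key.hex().upper(),
        "ascii": key.decode("ascii") if printable else None,
        "bits": WEP_KEY_BYTES[len(key)],
    }


if __name__ == "__main__":
    print(normalise_wep_key("70:61:62:6C:6F"))   # the post's own example key
    print(normalise_wep_key("00:11:22:33:44"))   # constructed key with no ASCII form
```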

If you are not familiar with the lingo, or wonder what does what, I would suggest reading the FAQ first.

There are multiple ways to install Aircrack-ng; this one is the most straightforward that I am aware of (suggestions are welcome in the comment section).

Installing Aircrack-ng on OS X

Gather what you need: the Mise En Place
You'll need:
  • The DVD or CD install that came with your Mac

  • A copy of Aircrack-ng 1.1 (just download, do NOT unzip)

  • A copy of MacPorts (OPTIONAL for Install #2). You can download it directly from the website or choose between the following two:

  • MacPorts for OS X 10.6 (Snow Leopard)

  • MacPorts for OS X 10.5 (Leopard)

  • Admin rights on your Mac, or at least the admin password.

  • In most cases you will need a network adapter to re-inject packets, flood, or deauthenticate. You can do without, but you'll need a lot of patience. I only recommend one specific one. If you already have one, well... too bad. If you are going to buy one, you'd better get the one recommended: better value, and it beats the shit out of the competition.

The Installation 

Put the Snow Leopard DVD in and select Optional Installs.
Select "Install Xcode" and continue.
When Xcode is fully installed, remove the DVD and continue with MacPorts.


Click on the previously downloaded MacPorts dmg file and let it mount

Select "Standard Install" if asked, and click to continue.
It may take more than 5 minutes to install; don't panic!
While waiting, read the FAQ!
When done, go to the next step.

Open Terminal.
Go to the folder where Aircrack-ng was downloaded, e.g. "Downloads".
Note: avoid folder names with spaces or you'll make things difficult in Terminal.
cd Downloads
sudo port install aircrack-ng
Enter your password when asked, hit Enter, and let it run....

Voila! 

FAQ & RFAQ

Why use Aircrack and not KisMAC alone?
Aircrack-ng recovers keys up to 10x faster than KisMAC alone.

Can I dump KisMAC now?
No! Aircrack alone cannot re-inject or monitor Wi-Fi. "Mind you, airodump-ng and aireplay-ng are linux only and will not work under OSX native, so for reinjecting and sniffing you will have to use other means." And that's from Aircrack-ng itself. Hence, I'd advise keeping KisMAC. Other tools are provided with the Aircrack-ng suite, but not the ones needed to re-inject. See the list at the end.

I cannot find a .cap file

.cap, .pcap, or dumplog are the same thing. KisMAC exports the file without an extension, and Aircrack does not care. KisMAC lets you choose the name of the file under Preferences >> Drivers.
The default format is ~/Dumplog year month day hours minutes
Select your options based on your preferences or make your own.


Can I merge Dumplog / PCAP / CAP files?
Yes, you may use Wireshark ➟ File ➟ Merge.

Can I convert Dumplog / PCAP / CAP files?
Yes, you may use ivstools, provided with Aircrack:
ivstools --convert

Can I merge IVS files?
Yes, use --merge with ivstools:
ivstools --merge

Can I open multiple Dumplog / PCAP / CAP files?
Yes, just use an asterisk (star, *) as a wildcard with Aircrack.
Example: aircrack-ng Dump*

I can't has a krack! I can has a pazwort?
The subject was previously discussed, here again:  sudo make user -now RTFM&STFW.   Or box the Mac and ship to me: I'll deal with it.

Aircrack-ng options
Just type aircrack-ng or aircrack-ng --help and you'll get the whole list.

How do I start?
Just start with a simple: aircrack-ng dumplog (dumplog being the name of the capture file, with path if necessary)
Or, if you have opted for very long dumplog names with spaces, just drag the file into the Terminal window and add "aircrack-ng" before the path (please don't type the quotes).
You'll see a list of APs; enter the network number, and after that it's pretty straightforward.

Aircrack-ng Command Lines

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Assuming that:
dumplog is the name of your dump file
dicfile.txt is the name of your dictionary file or wordlist, with path if necessary

WEP
aircrack-ng dumplog 
Select the number of the AP, then press Enter 

WPA 
aircrack-ng dumplog -w dicfile.txt
Select the number of the AP, then press Enter 

Opening multiple Dumplog, PCAP, and CAP files for a single network, with automatic key recovery. The -e option takes the network's ESSID as its argument (MyNetwork below is a placeholder):

aircrack-ng -e MyNetwork dump*


Please note that "dumplog" and "Dumplog" are different, for aircrack.

It's easier to regroup your files in one directory than to type a path as long as your arm.
Also, don't hesitate to rename the dumplog / cap files: "dumplog" is easier to type than "DumpLog-11-02-17-17/40.pcap".
aircrack-ng ~/Desktop/dumplog -w ~/Desktop/Dicfile.txt


If your dumplog lives in a far, far away folder, or you have used spaces in the folder name, read the previous paragraph again.
If you decide against that advice, you'll need to put quotes around the file name, or a backslash BEFORE each space.
Example with the folder Air Crack; the path on the command line would be the following:
~/Desktop/Air\ Crack/Dicfile.txt

To pause Aircrack-ng
Hold your horses! There is no real pause when running a wordlist in Aircrack-ng.
One workaround is to stop Aircrack, note carefully the last key checked, edit your wordlist to start a few keys before it, save it under a temporary name, and restart when ready.
To stop, just press CTRL-Z.

To quit Aircrack-ng, press CTRL-C.

I have multiple Macs, can I speed up the key recovery?
Yes, copy the dumplog and the dictionary (or dictionaries) to each Mac and use as many as you want. It's called a distributed attack. I would split the dictionary in two and reverse one (start from the bottom up), or use multiple dictionaries. Your call.

What about precomputed tables?

Yes but no.
Precomputed PMKs (Pairwise Master Keys) have pros and cons.
The SSID is used as the "salt" in the hash, so you have to precompute a different table for each SSID. If you spend your days assessing networks, that could be useful with SSIDs such as "Linksys", etc., but you'll spend a lot of time computing. It is only worth it if you know you are going to reuse the precomputed table over and over again.
The most common SSIDs are listed below.
After many years, D-Link has started assigning different SSIDs to their routers (Dlink.1234).
Nevertheless, they are still using very short default passwords. Thank you, D-Link.
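As an added example (not from the original post), the Python below shows why a precomputed PMK table is tied to one SSID: WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 iterations, 32-byte output), so the same passphrase gives a different PMK under "linksys" and under "Dlink.1234". The function names are my own; the 8-to-63 character passphrase check is what the 802.11i standard requires, which is also why a cracker never needs to test the short passwords mentioned in the speed test further down.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK for a WPA/WPA2-PSK network (IEEE 802.11i):
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32-byte output).

    The standard restricts passphrases to 8..63 printable ASCII characters and
    SSIDs to 1..32 bytes, so anything outside that range is rejected up front;
    a dictionary entry shorter than 8 characters can never be a valid passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def table_reusable(ssid_a: str, ssid_b: str, passphrases) -> bool:
    """True only when a PMK table computed for ssid_a would also serve ssid_b,
    i.e. every sample passphrase maps to the same PMK on both networks."""
    return all(wpa_pmk(p, ssid_a) == wpa_pmk(p, ssid_b) for p in passphrases)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password" on SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    samples = ["password", "correct horse battery"]   # constructed sample entries
    print("linksys table works for linksys:   ", table_reusable("linksys", "linksys", samples))
    print("linksys table works for Dlink.1234:", table_reusable("linksys", "Dlink.1234", samples))
```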

SSID         Networks   Share
no ssid      2110760    6.571%
linksys      2065356    6.429%
NETGEAR       678943    2.113%
default       595090    1.852%
Belkin54g     276667    0.861%
hpsetup       232518    0.723%
Wireless      225838    0.703%
no_ssid       211360    0.658%
DLINK         199668    0.621%
WLAN          120117    0.373%
home          107110    0.333%
Source: WiGLE

Aircrack-ng / KisMAC Speed Test
Test files of 100,000 lines were used:
One with 8 numerical digits, from 00000000 to 99999999
One with complex passphrases of 50 printable characters: !@#$%....ABC....99999
One with 50,000 passwords shorter than 8 characters and 50,000 longer than 8 characters

Tests were done on an Intel dual core 2.5GHz with 4GB RAM


Aircrack speed:
100,000 passphrases in 04' 42", or 354.61 pswd/sec
~1450 K/s

Is Aircrack-ng slowed down by complex passphrases?
100,000 passphrases in 04' 43", or 353.3 pswd/sec
Result: the difference is negligible: 1 sec overall

Is Aircrack-ng testing passwords shorter than 8 characters?
No; the file with 50% of its passwords shorter than 8 characters was done in 2' 12"

KisMAC speed:
100,000 passphrases in 10' 18", or 161.8 pswd/sec
2.2 times slower

Is KisMAC testing passwords shorter than 8 characters?
No; the file with 50% of its passwords shorter than 8 characters was done in 4' 27"

Is KisMAC slowed down by complex passphrases?
No, here again the results are almost the same.

Common Aircrack-ng options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -p <nbcpu> : # of CPU to use  (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C <macs>  : merge the given APs to a virtual one
      -l <file>  : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d <mask>  : use masking of the key (A1:XX:CF:YY)
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length :  64/128/152/256/512
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor,  default: 2
      -k <korek> : disable one attack method  (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing  (default)
      -x2        : enable last  2 keybytes bruteforcing
      -X         : disable  bruteforce   multithreading
      -y         : experimental  single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M <num>   : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P <num>   : PTW debug:  1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:

      -w <words> : path to wordlist(s) filename(s)


Other Tools provided with the Aircrack-ng Suite

ivstools : merge and convert IVs

Airbase-ng : "Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge"

Airdecloak-ng : "Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff. "
Source: Aircrack-ng.org.  Please refer to it for any information related to the Aircrack-ng Suite. 


New Rules for Comments:
  • Please use a name other than "Anonymous"  See Name/url . Any name, even Max the Cat will do.  Will do only once.

  • Please State your OS, Version, etc. Don't forget to state your OS.

  • Max 3 questions. If we need to ask you what is your OS, that will be one, 2 left. 

  •  Thank you. 