Monday, February 20, 2017

iw monitor mode flags

Out of curiosity, I looked at iw to set monitor mode and it has the following flags:



Pretty much all of them seem pretty self-explanatory but it's worth giving more details about each of them:
  • fcsfailFCS (Frame Check Sequence) is the checksum of the frame (CRC32), to make sure it was received correctly. By default, a driver should only forward valid frames to the monitor mode interface. This flag allow you to receive frame that also fail the test. One of the use could be monitoring the quality of a wireless network.
  • control: There are 3 type of frames: data, management and control. Data is pretty obvious. Management help maintain a connection and control (beacons, probe request/response, authentication, association, deauthentication, deassociation, etc). Control help facilitate the transmission of frame between devices (ACK, RTS, CTS, etc). This is hardware-dependent.
  • otherbss: It would allow receiving frames from other BSS (other than the ones to/from the access point the card is connected to or the clients this access point is serving). This is hardware-dependent.
  • cook: Refer to a mode for HostAPd where authentication frames that mac80211 didn't actually look at. It is only for ancient versions of HostAPd.
  • active: ACK is time sensitive and software is too slow to answer it quick enough so this would be done in the hardware itself instead of software. If an ACK is not received within a certain amount of time, the frame will be considered as lost and a new frame with the retry flag will be sent. The only exception would be very long distance links: the longer the links, the longer it takes for a frame to arrive and in some rare cases, software could be fast enough.

TL;DR: none is what you need.

Monday, February 15, 2016

Aircrack-ng compilation matrix

I tried to compile Aircrack-ng on a 'few' systems to see how it works and I was quite surprised by the amount of systems it can be compiled on (and most of the time, it can be compiled with both gcc and clang).

Here is the status for the current development code (r2846). I will update this matrix and add more details from time to time.


On x86 (32/64 bit)
GCC Clang/LLVM
Linux Yes Yes
OpenWrt Yes Untested
Cygwin 32 bit Yes Yes
Cygwin 64 bit Yes No
OSX (Travis CI) Yes Yes
FreeBSD No Yes
OpenBSD Yes Yes
NetBSD Untested Untested
DragonFlyBSD Yes No package
Solaris Yes Yes


Other CPUs (Linux)
GCC Clang/LLVM
ARM 32 bit Yes Yes
ARM 64 bit Yes Untested
MIPS Yes No

Sunday, February 14, 2016

Aircrack-ng 1.2 Release Candidate 4

Fourth release candidate. There will be another one, some small bugs still need to be fixed but it should happen fairly soon. On top of a big speed increase (up to 175% increase) that also fixes compilation on Cygwin 64 bit, it includes a ton of fixes and improvements on Linux, *BSD, Solaris and Cygwin on x86 and Linux on ARM and MIPS.

Changelog

  • Airodump-ng: Increase console window size.
  • Aircrack-ng: Added time remaining and percentage done when doing WPA cracking with a dictionary (file).
  • Aircrack-ng: Make benchmark last 15 seconds for a more accurate value.
  • Aircrack-ng: Fixed compilation on Cygwin 64 and drastically improve cracking speed for all CPUs (up to +175% performance).
  • Airmon-ng: Improved chipset detection on FreeBSD.
  • Airmon-ng: Display chipset for some Broadcom SDIO.
  • Airbase-ng: Fixed broadcasting 'default'.
  • General: Updated and cleanup TravisCI file to test compilation and testing on OSX.
  • General: Fixed reading large files on Cygwin.
  • General: Fixed a bunch of compilation warnings with gcc and clang.
  • General: Fixed compilation on Solaris, OpenBSD, DragonFlyBSD 4.4, NetBSD, OSX.
  • General: Fixed compilation on ARM and MIPS.
  • General: Improved compatibility on FreeBSD and Cygwin (RAM and CPU detection).
  • General: Fixed gcc segfault on cygwin.
  • General: Memory cleanups, fixed memory leaks and fix other issues reported by Valgrind.
  • Testing: Fixes on various OSes.
  • INSTALLING: Updated installation instructions for different OS.
  • TravisCI: Improved file.

Wednesday, December 30, 2015

Cracking speed improvements

Almost 8 years, we got pretty big improvement with SSE2 code to crack WPA, a nice upgrade from MMX.

I recently posted a bug bounty to fix the compilation of Aircrack-ng on Cygwin 64 bit. It's been working fine on Linux 64 bit but for some reason, Cygwin didn't like when compiling on 64 bit.
We couldn't have tested it back then since Cygwin 64 bit didn't exist at the time.

darkfires took up the challenge to fix the compilation on Cygwin 64 bit. After that, he helped fix a bunch of memory leaks and other issues as well as improving cracking speed quite a bit, which is the reason of this post.

The task was pretty daunting and a lot of testing was needed to make sure it works on the different CPU architectures (x86 32 and 64 bit, various ARM) and different OSes (Cygwin, Linux, BSD, Solaris, OSX).
On top of the usual 'fixing something on one, breaking on the other', here are three examples on how complicated it was:

  • Different CPU support different features and instructions set and detecting them wasn't an easy task. For example, on Raspberry Pi (v1), gcc supports 'neon' and we can compile aircrack-ng with them but the CPU itself doesn't support them which means aircrack-ng crashes and it has to be disabled. On the Beaglebone, the CPU support neon instructions.
  • gcc can compile with AVX2 instructions on x86. However, if the CPU doesn't support it, aircrack-ng will crash with a nice error: 'Illegal instruction'.
  • Some code that works to get CPU features (such as MMX, SSE, AVX) works on some CPU and doesn't on others.
There is no way to explain in details how complicated it was to make it work on all those different combinations of CPU and OSes. darkfires has spent countless hours making all of this work.

To give you an idea how much work has been done, the patch was ~375Kb and ~11K lines long.

On top of it, the Aircrack-ng CPU detection code has been rewritten on x86 to give more details. Here is what 'aircrack-ng -u' now looks like:

Vendor          = Intel
Model           = Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz
Features        = MMX,SSE,SSE2,SSE3,SSSE3,SSE4.1,SSE4.2,AVX
Hyper-Threading = Yes
Logical CPUs    = 8
CPU cores       = 4
SIMD size       = 4 (128 bit)

Last but not least, here are the numbers.

1.2rc3 r2800 Increase
Celeron M 1.4Ghz 138k/s 152k/s +10%
i7-2630QM ~3000k/s ~4000k/s +33%
E3-1231 v3 ~4900k/s ~13100k/s +167%
i5-4590 ~4700k/s ~11600k/s +146%
i7-6700K ~6200k/s ~17100k/s +175%

It's still pretty far from GPU cracking speeds but there are pretty significant gains thanks to AVX. The second version provides the most gains as you can see on the numbers above.

Bonus thing: if you are a package maintainer, you can compile aircrack-ng with different improvements. Simply edit the common.cfg and put MULTIBIN=true and when running make will compile 3 different versions: the original, SSE and SIMD.

We have tested it quite a bit on different CPU and OSes but please test (simply get the latest revision from our subversion repository) a lot and report back to us. Let us know how it works for you, what kind of improvements you're getting and we especially want to hear if you have bugs. If you have a recent AMD CPU, we want to hear from you.

The plan is to make another release candidate in about 2 weeks.

Saturday, November 21, 2015

Aircrack-ng 1.2 Release Candidate 3

Third release candidate and hopefully this should be the last one. It contains a ton of bug fixes, code cleanup, improvements and compilation fixes everywhere. Some features were added: AppArmor profiles, better FreeBSD support, including an airmon-ng for FreeBSD.

Changelog

  • Airodump-ng: Prevent sending signal to init which caused the system to reboot/shutdown.
  • Airbase-ng: Allow to use a user-specified ANonce instead of a randomized one when doing the 4-way handshake
  • Aircrack-ng: Fixed compilation warnings.
  • Aircrack-ng: Removed redundant NULL check and fixed typo in another one.
  • Aircrack-ng: Workaround for segfault when compiling aircrack-ng with clang and gcrypt and running a check.
  • Airmon-ng: Created version for FreeBSD.
  • Airmon-ng: Prevent passing invalid values as channel.
  • Airmon-ng: Handle udev renaming interfaces.
  • Airmon-ng: Better handling of rfkill.
  • Airmon-ng: Updated OUI URL.
  • Airmon-ng: Fix VM detection.
  • Airmon-ng: Make lsusb optional if there doesn't seem to be a usb bus. Improve pci detection slightly.
  • Airmon-ng: Various cleanup and fixes (including wording and typos).
  • Airmon-ng: Display iw errors.
  • Airmon-ng: Improved handling of non-monitor interfaces.
  • Airmon-ng: Fixed error when running 'check kill'.
  • Airdrop-ng: Display error instead of stack trace.
  • Airmon-ng: Fixed bashism.
  • Airdecap-ng: Allow specifying output file names.
  • Airtun-ng: Added missing parameter to help screen.
  • Besside-ng-crawler: Removed reference to darkircop.org (non-existent subdomain).
  • Airgraph-ng: Display error when no graph type is specified.
  • Airgraph-ng: Fixed make install.
  • Manpages: Fixed, updated and improved airodump-ng, airmon-ng, aircrack-ng, airbase-ng and aireplay-ng manpages.
  • Aircrack-ng GUI: Fixes issues with wordlists selection.
  • OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
  • OSdep: Fix possible infinite loop.
  • OSdep: Use a default MTU of 1500 (Linux only).
  • OSdep: Fixed compilation on OSX.
  • AppArmor: Improved and added profiles.
  • General: Fixed warnings reported by clang.
  • General: Updated TravisCI configuration file
  • General: Fixed typos in various tools.
  • General: Fixed clang warning about 'gcry_thread_cbs()' being deprecated with gcrypt > 1.6.0.
  • General: Fixed compilation on cygwin due to undefined reference to GUID_DEVCLASS_NET
  • General: Fixed compilation with musl libc.
  • General: Improved testing and added test cases (make check).
  • General: Improved mutexes handling in various tools.
  • General: Fixed memory leaks, use afer free, null termination and return values in various tools and OSdep.
  • General: Fixed compilation on FreeBSD.
  • General: Various fixes and improvements to README (wording, compilation, etc).
  • General: Updated copyrights in help screen.

Friday, April 10, 2015

Aircrack-ng 1.2 Release Candidate 2

Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is recent version of GPSd now work very well with Airodump-ng.

Changelog

  • Airtun-ng: Adds WPA CCMP and TKIP decryption and CCMP encryption
  • Compilation: Added support for DUMA.
  • Makefile: Renamed 'unstable' to 'experimental'.
  • Airodump-ng: Fixed XML sanitizing.
  • Airmon-ng: Airmon-zc is now stable enough to replace airmon-ng.
  • Manpages: Removed airdriver-ng manpage and references to it (forgot to do it before the previous release).
  • Manpages: Updated 'see also' references in all manpages.
  • PCRE: Added it in various places and docs.
  • WZCook: Fixed processing values stored in register.
  • Updated a few headers files (if_llc, ieee80211, ethernet and if_arp).
  • Travis CI: updated make parameter and add testing with pcre.
  • Compilation: de-hardcode -lpcap to allow specifying pcap libraries.
  • Makefile: Fixed installing/uninstalling Airdrop-ng documentation files.
  • Makefile: Fixed uninstalling ext_scripts.
  • Airodump-ng: Added new paths (and removed one) for OUI files and simplified logic to find the OUI file.
  • Aircrack-ng: Fixed ignoring -p when specified after -S.
  • Airmon-ng: fixes for openwrt busybox ps/grep issues which do not seem present in other versions of busybox
  • Airmon-ng: fix vm detection.
  • Airserv-ng: Fixed channel setting (and assert call).
  • Airodump-ng: Fixes to NetXML (unassociated clients missing and various other small bugs) and update the code to match current NetXML output.
  • Airodump-ng: Removed requirement for 2 packets before AP is written to output (text) files.
  • Airodump-ng: Fixed formatting of ESSID and display of WPA/WPA2 (as well as a bunch of other small fixes) in CSV file.
  • Airodump-ng: Fixed GPSd.
  • Airodump-ng: Allow to specify write interval for CSV, kismet CSV and NetXML files.
  • Airserv-ng: Fixed wrong station data displayed in Airodump-ng.
  • General: Fixed 64 bit promotion issues.
  • General: Fixed a bunch of uninitialized values and non-zeroed structures (upon allocating them).
  • General: Added Stack protection.
  • Various other small fixes and improvements.

Friday, October 31, 2014

Aircrack-ng 1.2 Release candidate 1

Here is the first release candidate. I was wrong about saying there would be a fourth beta in the post of the previous release. There is exactly 7 month after the last beta. There will be most likely another one then the final release in the next few month.

Updating is highly recommend as this contains a lot of bug fixes and improvements as well as security fixes (CVE-2014-8321, CVE-2014-8322, CVE-2014-8323 and CVE-2014-8324). More details can be found in the blog.

Changelog:
  • Airodump-ng should be able to parse the canonical oui file.
  • Airodump-ng: Fixed GPS stack overflow.
  • Airodump-ng: Fixed stopping cleanly with Ctrl-C.
  • Airmon-zc: better handling for when modules are not available (incomplete)
  • Airmon-zc: users can now start the monitor interface again to change channels
  • Airmon-zc: update to use ip instead of ifconfig if available.
  • Airmon-zc: better handling of devices without pci bus
  • Aireplay-ng: Fixed tcp_test stack overflow.
  • OSdep: Fixed libnl detection. Also avoid detection on non Linux systems.
  • OSdep: Fixed segmentation fault that happens with a malicious server.
  • Besside-ng: Add regular expression matching for the SSID.
  • Buddy-ng: Fixed segmentation fault.
  • Makefile: Fixed 'commands commence before first target' error when building Aircrack-ng.
  • Fixed segfault when changing the optimization when compiling with gcc thanks to Ramiro Polla.
  • Removed airdriver-ng (outdated and not meant for today's kernels)
  • Added gitignore file.
  • Fixed build issues on other compilers by using stdint.h types.
  • Updating installation file and added pkg-config as a requirement.
  • Various small fixes and improvements.