Friday, September 24, 2010

Monthly news - September 2010

Since svn r1781, aircrack-ng can export WPA handshake information to an Elcomsoft Wireless Security Auditor v3 project file with the '-E' option, thanks to Beini's author.

As mentioned in the previous monthly news, the migration mode attack (WPA Migration Mode: WEP is back to haunt you...) has been added to aireplay-ng, and a few improvements were made to aircrack-ng. More details in the r1769 commit.


  • A few tools for generating passphrase lists.
  • Live CD
    • WEAKERTHAN2, another penetration testing Linux live CD, was released a few weeks ago.
    • Beini, a small Live CD based on TinyCore Linux, is one year old (Chinese).
  • Scripts

Sunday, August 15, 2010

Monthly news - August 2010

NeoPwn changed their plan and prefer to release it once the final version is ready. It will finally be called NeoPwn v2.

They plan to do two betas:
  • Private beta containing the control panel, the injection driver and installer, but the number of requests is limited
  • Public beta without the control panel, injection driver and installer once the project has reached beta stage.
The final version will be free to download when it is completed and a safe installation process has been developed.

Their website contains more details about the release plan.

I tested the driver and so far it is working really well as you can see:

Last month, the video showed the injection test on the N900. If you watch carefully, you can see that one of the BSSIDs is 00:00:00:00:00:00. I first thought it was a bug in aircrack-ng, but it's not. I was told it's an unconfigured AP. It only sends beacons and jumps between channels. If you're as curious as me, here is a capture file with just a beacon.

  • WiFiCake-NG 1.7 is a Perl/Tk interface for manipulating the CSV output of airodump-ng. You can find more details in the forum thread here. Their website contains a YouTube video as well as a PDF manual for the application.

Tuesday, July 13, 2010

Monthly news (July 2010)

This month I have some really interesting news. A lot of people would like to have Aircrack-ng on their phone (including me), but unfortunately most phones can't work due to their drivers. Do you remember when I talked about NeoPwn v2, which is BackTrack Mobile?

A beta will be released before BlackHat/Defcon and will include Aircrack-ng. What's really great is that injection works with the internal card of the N900 (the original video can be downloaded here):


They also released 2 additional videos on Youtube:


  • The BlackHat conferences will take place on the 28th and 29th. The schedule can be found here.
  • Besides BlackHat, there will also be BSides Las Vegas. There aren't as many talks as at BlackHat, but they look really interesting.
  • Defcon 18 (29 July - 1 August) posted the final schedule a week ago.
  • Starting from 2011, the Wi-Fi Alliance will not allow WEP and TKIP in certified Wi-Fi devices. You can read more about it on WiFiNetNews.
  • I missed the update (v2.1.7) of the patch for FreeRadius-WPE (Wireless Pwnage Edition) released in May.

    Monday, June 7, 2010

    Monthly news (June 2010)

    Here is the 5th edition of our monthly news.

    • We had some downtime on the server hosting trac and the forum between the 16th and the 20th (hardware issues), and fortunately nothing was lost. You can read more in these 2 posts: Trac and forum down and Trac and forum up again.
    • The forum will be moved to the new server in a bit more than 2 weeks. The change will be transparent for you. That means only trac and buildbot are left on the old server. They should be done before Defcon.

    • Airoscript is not dead. It got some updates and is now renamed Airoscript-ng. To get it, type svn co in a console.
    • Beini 1.2.1 was released a few days ago. It can be downloaded from its website.
    • minidwep-gtk, a GUI for aircrack-ng written in shell script, has been updated to work with Aircrack-ng 1.1.
    • criser, the author of WepCrackGui, is developing a Qt frontend for WepCrackGUI that should be included in the next release, v0.9. You can find instructions to get the sources and test it in this post. He also posted some screenshots. You can follow him on Twitter: @wepcrackgui.

    • I'll give a talk at Sharkfest about wireless security next week.
    • digininja released a Karma patch for hostapd. It now works with ath5k and ath9k. It should work with prism54 and various other cards but that's untested.
    • Backtrack 4 r1 was released. Changes: new kernel (2.6.34-rc6), package updates, and new drivers. Note that it is an unofficial build meant for assessing hardware incompatibilities with the new kernel.
    • The Wi-Fi Alliance and WiGig announced an alliance on multi-Gigabit wireless networking in the 60 GHz band. It will allow up to 7 Gbit/s. You can read more here. The official press release can be found on the WiGig website.
    • Here is another GUI in Java for Aircrack-ng: GRIM WEPA.

    Thursday, May 20, 2010

    Trac and forum up again

    You probably noticed earlier today that trac and the forum were working again. They finally fixed the issue (which, according to them, was probably a bad RAM module or the CPU fan) by completely replacing the server (but keeping the hard drive).

    I think that it's the CPU fan that failed, not the RAM module. But whatever, it works again and that was what we all wanted.

    Wednesday, May 19, 2010

    Trac and forum down

    It all started Sunday, around 6AM GMT: our 4-year-old dedicated server wasn't responding anymore, and even a hardware reboot didn't bring it up. So, I opened a ticket and the technicians noticed the power supply had died and quickly replaced it.

    Everything worked fine until Monday morning, 9AM GMT, when the server became unstable. I first thought it was Apache because during my tests, the process was several times at 100% CPU when it crashed.
    Then I tried stopping Apache and MySQL, the 2 most CPU-hungry processes (the CPU usage was on average at 6% without these 2 processes), and even with that, it was crashing after 15 minutes.

    I thought that our kernel might be corrupted due to the crash of the server, so I tried using one of their netboot kernels (as well as the hardware testing mode) and it kept crashing.

    So, I just opened another ticket for this issue. I really wonder what's going on.

    Also, the migration of the forum and trac to the new server was planned for the end of this month, but it might happen sooner than expected (I'll try to do it this weekend).

    I'll keep you updated.

    Tuesday, May 4, 2010

    Monthly news (May 2010)

    - Aircrack-ng 1.1 was released a bit more than a week ago. A lot of bug fixes (including the buffer overflow in different tools) and improvements have been done. The most noticeable changes are the addition of airdrop-ng by TheX1le and the interaction in airodump-ng.
    The following screenshot shows some of the possibilities of the interaction (more details in the wiki and in the manpage). In this case, when you color an AP, its clients are automatically colored the same:

    - criser released v0.8 of his C# (Mono) GUI, wepcrack. He uses git for his source control, and if you want to use the latest source and don't know much about git, read the following. He is looking for someone who can design an icon for his software.
    - Zermolo released permutator beta 1.3. It generates incremental wordlists/dictionaries based on your needs. The package by Jano contains the source code and an Ubuntu package.

    - ShamanVirtuel released a GUI to capture WPA handshakes called Autohs-GUI. His project is hosted on Google Code along with a few other programs.

    Saturday, April 24, 2010

    Aircrack-ng 1.1

    Aircrack-ng 1.1 is released ;)

    A lot of bug fixes (including the buffer overflow in different tools) and improvements have been done. The most noticeable changes are the addition of airdrop-ng by TheX1le and the interaction in airodump-ng.

    Here is the changelog:
    - airdrop-ng: New tool by TheX1le.
    - airodump-ng, aircrack-ng, airdecap-ng, airbase-ng: Fixed buffer overflow in airodump-ng due to forged eapol frame.
    - aircrack-ng: Fixed multicast detection (WPA handshake detection).
    - airodump-ng: Added interaction (see wiki for the commands).
    - airodump-ng: Fixed client time in netxml file.
    - airtun-ng: Add WDS and bridge support.
    - airbase-ng: automatically set privacy bit to 1 if WPA or WPA2 is used (-Z or -z option).
    - airmon-ng: Updated iw URL for v0.9.19.
    - airdriver-ng: Fixed link for madwifi-ng.
    - aireplay-ng: Chopchop enhancement to not stop but wait on deauth packets.
    - tkiptun-ng: Fixed segfault.
    - wesside-ng: Fixed compilation bug with recent version of gcc.
    - cygwin: Compiling sqlite isn't necessary anymore, libsqlite3-devel package can be used.
    - osdep: Strict aliasing and x86_64 fix.
    - osdep: Add tap support for Darwin/OS X. Still requires tuntaposx from sourceforge to work.
    - All: Fixed compilation on cygwin 1.7.
    - All: Fixed compilation on recent version of OSX.
    - manpages: Fixed aireplay-ng manpage for attack 0: not disassociation packets, deauth packets.
    - manpages: Added the keys for interaction in airodump-ng.
    - patches: Added regulatory domains override patches for atheros drivers (ath5k, ath9k and ar9170).
    - patches: Added 2.6.32 patch for r8187 driver (ieee80211).
    - Makefiles: Fixed make uninstall.

    Download: aircrack-ng-1.1.tar.gz

    Monday, April 5, 2010

    Monthly news (April 2010)

    Project news:
    - ebfe, who created airolib-ng, released an exploit for airodump-ng, aircrack-ng and airdecap-ng. You can find more information in his blog (Post 1, Post 2), but it only makes the tools crash; no real exploit was released. It will be fixed in the next few days before the release (v1.1).
    - Nearly everything has been moved to the new server; only the forum, trac and buildbot need to be moved :).
    - Do you remember I wrote that trac didn't display svn commits for some unknown reason? That's now fixed, I just had to comment out a line in trac.ini.
    - For those who can't open the website due to URL filtering, use It's not a mirror, it points to the exact same content as

    Forum news:
    - Patches to override the regulatory domain for ath5k, ath9k and ar9170.
    - The work on the C# GUI for aircrack-ng, WepCrackGUI, continues. And here is a blog post in Italian about it.
    - Beini now has its own website. Here is the forum thread.
    - Wordlist generation:
        * Here and there
        * Here is a script by Zermolo to generate wordlists with only numbers, called permutate, and another post in the same thread about the same subject with JTR.
        * Creating custom rules for John.
        * Word field is an incremental word list generator.

    Other news:
    - I'll speak at Sharkfest. It will take place on the main campus of Stanford University, June 14-17.
    - Ever heard about NeoPwn? Version 2 will be based on the Nokia N900 and will be Backtrack Mobile.
    - Remember spoonwep and spoonwep 2? Shamanvirtuel is working on spoonwep 3. Public beta release is planned between 15th-30th April.
    - If you're using SliTaz, you might be interested to know that they released v3.0 a week ago.

    Thursday, April 1, 2010

    <AprilFool>Backcrack-ng v1.1</AprilFool>

    EDIT: This is an April Fool

    The BackTrack team is happy to announce the acquisition of the Aircrack-NG project, as well as a new, long awaited update to v 1.1. The acquisition will mark a turning point for the Aircrack-NG project in more than one sense, and we are looking forward to seeing the project grow.

    The new version of Aircrack-ng (to be renamed "backcrack-ng") is available in the SVN repositories for your testing:

    Saturday, March 20, 2010

    Mailing list and monthly newsletter

    The poll in the forum convinced me to create the mailing list for the newsletter.

    If you want to receive the newsletter, just send an empty email (no subject or body needed) to

    I also took the time to create a public mailing list for Aircrack-ng. To be able to post messages, you need to subscribe to the mailing list by sending an empty email to
    It is not moderated, to avoid moderation delays, and thus the same rules as on IRC apply here too. In order to avoid spam as much as possible, only subscribers can send posts to the mailing list, and registrations need to be approved.

    All posts should be sent to

    If you have any question or remark about them, do not hesitate :)

    Tuesday, March 2, 2010

    Monthly news (March 2010)

    Forum news:
    - Beini 1.0 final was released: Forum post.
    - I'm happily surprised that the C# (Mono) GUI development for aircrack-ng is still active :). By the way, here is the project on sourceforge: wepcrackgui. The current version is 0.6.3.
    - A new version of minidwep-gtk, developed in shell script with gtk-server, zenity and kdialog, was released. Here is a video of this script in action. It is included in Beini 1.0.

    Trac news:
    - Various small fixes (makefile, manpage, ...)
    - A patch for the r8187 (ieee80211) driver on kernel 2.6.32 (and lower). Installation instructions are updated.
    - Compilation is fixed when compiling unstable stuff (wesside-ng/easside-ng and tkiptun-ng) with a recent gcc version (v4.4)

    General news:
    - Aircrack-ng is now 4 years old. I checked when the first news was posted and it was the 25th of February 2006. Surprisingly, the 2 following news items happened on the 25th of February this year :)
    - A new paper about TKIP attacks was released by hirte: Enhanced TKIP Michael Attacks.
    - Airdrop-ng from TheX1le is now available in our subversion repository. Here is the video of the talk at Shmoocon 2010.

    If you haven't seen it yet, Shmoocon 2010 videos (and sometimes the slides too) are available.

    Last but not least, here is a very funny video of a woman calling Leo Laporte's Tech Guy Show claiming her WI-FI access has "disappeared".

    Wednesday, February 3, 2010

    Monthly news

    A few things happened last month:
    - The Google phone, the Nexus One, was rooted; it has a bcm4329 chipset and looks promising.
    - Airodump-ng (in svn trunk) now has interactive mode: you can control it with keys. You can find the documentation in the wiki.
    - A really small (only 10MB) distribution based on MicroCore Linux, console only.
    - I'm sure you saw it, Backtrack 4 was released a few weeks ago.
    - OSX Compiling (Ticket 687) should be fixed now (svn trunk revision 1657).
    - New version of Beini: 1.0 RC5.2
    - The development of the GUI in C# (Mono) is quite active.

    Last but not least, aircrack-ng will be 4 years old by the end of February :)

    Wednesday, January 20, 2010

    Wiki and Trac search engine

    The wiki and trac implement OpenSearch. When the browser notices that a website advertises an OpenSearch description, it shows a small notification which you can click to add the search engine:

    Firefox shows it with a light blue shadow on the icon of the search textbox like that:

    IE changes the color of the search engine selection to orange:

    Just click on it, and you can add wiki and trac search engines to your favorite browser:
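    What the browser actually looks for is shown below, as an added example (not the wiki's or trac's real files; the hostname and search path are placeholders): a small OpenSearch description document, and a link tag in the page head that points to it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /opensearch.xml: the description document the browser fetches.
     {searchTerms} is replaced by the browser with the user's query.
     Hostname and search URL are placeholders, not the project's real ones. -->
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Aircrack-ng wiki</ShortName>
  <Description>Search the Aircrack-ng wiki</Description>
  <InputEncoding>UTF-8</InputEncoding>
  <!-- The search endpoint; the browser substitutes the query here. -->
  <Url type="text/html" method="get"
       template="https://wiki.example.invalid/search?q={searchTerms}"/>
</OpenSearchDescription>

<!-- Discovery: every HTML page of the site carries this in its <head>.
     Firefox and IE detect it and offer to add the engine, which is the
     notification described in the post:

     <link rel="search"
           type="application/opensearchdescription+xml"
           title="Aircrack-ng wiki"
           href="https://wiki.example.invalid/opensearch.xml">
-->
```

    Serve the description document from the same origin as the site and over the same scheme, so the browser does not reject it as a cross-origin or mixed-content resource.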

    Saturday, January 9, 2010

    Trac, bugs, forum and t-shirts

    Actually, trac is not completely working. It's better than before: we can commit, but now we can't see the commits in the timeline, and the source browser is not working anymore either.
    I tried to debug it a few days ago but I haven't found why it doesn't work. The path to the svn repository is correct, and the permissions in trac and on the filesystem are correct, so I'm a bit out of ideas.

    About the commits, I updated to 1.0 and tagged it and also committed a few patches to fix bugs:
    - Client first seen and last seen in kismet netxml file
    - Compilation on cygwin 1.7
    - OSX patch: Ticket 653: Tap support for Darwin/OS X
    - Other small things

    The next bugs I'll take care of are:
    - Ticket 704: Fix broadcast and multicast detection in aircrack-ng: it still requires some work.
    - Ticket 498: Aircrack-ng does not support dictionaries over 2 GB
    - I'd like to fix another compilation bug on OSX (Ticket 687) but I don't have access to any Mac, so if anyone could give me access to a Mac with Darwin and another with Leopard, that would be great :). If anybody is getting rid of a Mac with Darwin/Leopard, we are really interested.
    - Ticket 713: Invalid channel parsed from packets with mac80211 drivers

    I haven't chosen the other bugs yet, but I still have in mind that WPA handshake detection has to be fixed/enhanced and I remember a bug with airbase-ng not giving the Information Elements in the right order.

    There are a few interesting programs and scripts in the forum, and I'd like to give them more visibility (and even small scripts). What are your ideas/opinion about it?

    I haven't forgotten the t-shirts. They will be there soon. I might do a few with the new logo for Shmoocon.

    Edit (16 Jan 2010): Added one more bug to the list

    Sunday, January 3, 2010

    Happy new year, news, etc ...

    Hello everybody,

    First of all, we wish you a happy new year.

    There has been no news here and no commit on trac for some time, but we never stopped working. Although svn commit wasn't working for us (see the previous blog entry for more details), we used the tickets to store all patches that have to be committed.

    But I now have some good news, trac is working again. Don't ask me why, I have absolutely no idea, and I didn't change anything (except doing the usual updates).
    So that means I'll commit everything to sync svn with 1.0 final and then start committing all patches that were added to tickets since August (that's when svn commit stopped working) and others that were planned for 1.1. That will take a few days :)

    I'll also try to update this blog at least once a month to tell you what happened during the last month in our forum, trac and on IRC.

    Here are a few things that happened recently:
    - Online WPA cracking services: first with cloud computing, launched at the beginning of December, and now with GPUs.
    - Injection and packet capture with aircrack-ng seem to work with the Nokia N900. I also read that it will have USB host support soon.
    - Beini 1.0-RC5.1: A wireless network security testing system, based on Tiny Core Linux.
    - GUI for aircrack-ng in C# using Mono.
    - minidwep-gtk, a GUI for aircrack-ng in shell script.
    - Slitaz Aircrack-ng: the base Slitaz cooking version plus the latest Aircrack-ng SVN version, wireless drivers patched for injection and other related tools.

    I am also currently installing a new server (Core i5 2.66 GHz, 8 GB RAM, 2x 80 GB SSD) for aircrack-ng. That will allow us to better organize the different parts and give a better service to our ever growing community ;).

    Our web host offers ESXi and I first wanted to use it to virtualize our stuff, but it takes too much time to stabilize (and IP management is a bit tricky/expensive), and since I didn't want to wait any longer, I switched to VMware Server for the different parts:
    - trac and buildbot.
    - forum.
    - downloads: videos, patches, storage, archive, nightly builds, ... (we currently have around 20 GB of stuff).
    - photos and videos of the conventions (btw, I'll soon post the pictures I took during 26C3 and at other conventions).
    - a few other virtual machines for testing.
    The main website and wiki will not be moved.

    Last but not least, I would also like to thank again everybody who helps us, not only with donations (although they are important to pay for the servers and domains), but everybody who contributes to the project: in the forum, on IRC, in the wiki (documentation and translations), bug reports and bug fixes, improvements, ...

    More to come in the following days :)