
Airolib-ng

++++++ IMPORTANT ++++++

This functionality will be available in a future release. It is NOT available currently.

++++++ IMPORTANT ++++++

Description

Airolib-ng is a tool for the aircrack-ng suite to store and manage ESSID and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight sqlite3 database as the storage mechanism, which is available on most platforms. The sqlite3 database was selected taking into consideration platform availability plus management, memory and disk overhead.

WPA/WPA2 cracking involves calculating the pairwise master key (PMK), from which the pairwise transient key (PTK) is derived. Using the PTK, we can compute the message integrity code (MIC) for a given packet. If the computed MIC is identical to the packet's, the PTK was correct and therefore the PMK was correct as well.

Calculating the PMK is very slow since it uses the PBKDF2 algorithm. Yet the PMK is always the same for a given ESSID and password combination. This allows us to pre-compute the PMK for given combinations and speed up cracking the WPA/WPA2 handshake. Tests on have shown that using this technique in aircrack-ng can check more than 30,000 passwords per second using pre-computed PMK tables.

Computing the PMK is still required, yet we can:

  • Precompute it for later and/or shared use.
  • Use distributed machines to generate the PMK and use their value elsewhere.
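
An added example, not code from airolib-ng or the aircrack-ng project: the PMK derivation described above (PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 iterations, 32-byte output) with its results cached in sqlite3. The `PmkCache` class and its table layout are hypothetical; the `IEEE`/`password` pair is the published IEEE 802.11i test vector.

```python
import hashlib
import sqlite3

def wpa_pmk(essid: str, passphrase: str) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    if not 1 <= len(essid.encode()) <= 32:
        raise ValueError("ESSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

class PmkCache:
    """Hypothetical table layout for illustration; not airolib-ng's schema."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pmk ("
            "essid TEXT, passwd TEXT, pmk BLOB, PRIMARY KEY (essid, passwd))"
        )

    def lookup(self, essid, passwd):
        """Return the stored PMK for this exact pair, or None."""
        row = self.db.execute(
            "SELECT pmk FROM pmk WHERE essid = ? AND passwd = ?", (essid, passwd)
        ).fetchone()
        return row[0] if row else None

    def batch(self, essids, passwords):
        """Compute every missing ESSID x password pair; return how many were new."""
        new = 0
        for essid in essids:
            for passwd in passwords:
                if self.lookup(essid, passwd) is None:
                    self.db.execute(
                        "INSERT INTO pmk VALUES (?, ?, ?)",
                        (essid, passwd, wpa_pmk(essid, passwd)),
                    )
                    new += 1
        self.db.commit()
        return new

def demo():
    cache = PmkCache()
    first = cache.batch(["IEEE"], ["password", "12345678"])
    again = cache.batch(["IEEE"], ["password", "12345678"])  # already cached
    hit = cache.lookup("IEEE", "password").hex()
    miss = cache.lookup("Harkonen", "password")  # other ESSID: table is no help
    return first, again, hit, miss
```

Because the ESSID is the salt, rows computed for one network name are useless for any other, so precomputed tables mainly affect default and widely shared ESSIDs.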

To learn more about WPA/WPA2:

To learn more about coWPAtty:

See the code attached for more info. This is the first version posted and, if accepted, will be included in the tree. There may still be bugs, and work to be done before release is marked in the code.

To test the tool get yourself a current 1.0-dev checkout and…

  • get yourself the sqlite3 library and headers
  • compile airolib-ng in src/ directory with -lsqlite3 -lssl and crypto.c
  • compile aircrack-ng with -DHAVE_SQLITE and -lsqlite3. This will make a new option “-r” available
  • create a new database file with “airolib-ng testdb init”
  • import some essid, e.g. “echo Harkonen | airolib-ng testdb import ascii essid -”
  • import some passwords, e.g. “echo 12345678 | airolib-ng testdb import ascii passwd -”
  • start the batch process (“airolib-ng testdb batch”), wait for it to run out of work, kill it
  • crack your WPA/WPA2 handshake, e.g. “aircrack-ng -r testdb -e Harkonen -q wpa2.eapol.cap”

Usage

Usage: airolib <database> <operation> [options]

Where:

  • database is the name of the database file. Optionally specify the full path.
  • operation specifies the action you would like taken on the database. See below for a complete list.
  • options may be required depending on the operation specified

Here are the valid operations:

  • init - Create a new database file and its table layout.
  • stats - Output some information about the database.
  • sql {sql} - Execute the specified SQL statement.
  • clean [all] - Perform steps to clean the database from old junk. The option 'all' will also reduce file size if possible and run an integrity check.
  • batch - Start batch-processing all combinations of ESSIDs and passwords. This must be run prior to using the database within aircrack-ng or after you have added additional SSIDs or passwords.
  • verify [all] - Verify a set of randomly chosen PMKs. If the option 'all' is given, all(!) PMKs in the database are verified and the incorrect ones are deleted.
  • export cowpatty {essid} {file} - Export to a cowpatty file.
  • import cowpatty {file} - Import a cowpatty file.
  • import ascii {essid|passwd} {file} - Import a flatfile as a list of either ESSIDs or passwords.

Usage Examples

Here are usage examples for each operation.

Init Operation

You must be in the directory where you want the database created or specify the fully qualified path name.

Enter:

 airolib-ng testdb init

Where:

  • testdb is the name of the database to be created.
  • init is the operation to be performed.

The system does not respond with any output. You can verify the database was created by doing a directory listing.

Status Operation

Enter:

 airolib-ng testdb stats

Where:

  • testdb is the name of the database.
  • stats is the operation to be performed.

The system responds:

 There are 2 ESSIDs and 232 passwords in the database. 464 out of 464 possible combinations have been computed (100%).
 
 ESSID   Priority        Done
 Harkonen        64      100.0
 teddy   64      100.0

SQL Operation

Coming soon!

Clean Operation

To do a basic cleaning, enter:

 airolib-ng testdb clean

The system responds:

 Deleting invalid ESSIDs and passwords...
 Deleting unreferenced PMKs...
 Analysing index structure...
 Done.

To do a basic cleaning, reduce the file size if possible and run an integrity check, enter:

 airolib-ng testdb clean all

The system responds:

 Deleting invalid ESSIDs and passwords...
 Deleting unreferenced PMKs...
 Analysing index structure...
 Vacuum-cleaning the database. This could take a while...
 Checking database integrity...
 integrity_check
 ok
 Query done. 2 rows affected.
 Done.

Batch Operation

Enter:

 airolib-ng testdb batch

The system responds:

 Computed 464 PMK in 10 seconds (46 PMK/s, 0 in buffer). No free ESSID found. Will try determining new ESSID in 5 minutes...

IMPORTANT: You must press control-C to terminate this program once it is finished or it will continue to run indefinitely.

Verify Operation

To verify 1000 random PMKs, enter:

 airolib-ng testdb verify

The system responds:

 Checking ~10.000 randomly chosen PMKs...
 ESSID   CHECKED STATUS
 Harkonen        233     OK
 teddy   233     OK

To verify all PMKs, enter:

 airolib-ng testdb verify all

The system responds:

 Checking all PMKs. This could take a while...
 ESSID   PASSWORD        PMK_DB  CORRECT

Export cowpatty Operation

Enter:

 airolib-ng testdb export cowpatty test cowexportoftest

Where:

  • testdb is the name of the database and may be optionally fully qualified.
  • export cowpatty is the operation to be performed.
  • test is the SSID to be exported.
  • cowexportoftest is the coWPAtty file to be created and may be optionally fully qualified.

The system responds:

 Exporting...
 Done.

Import cowpatty Operation

Enter:

 airolib-ng testdb import cowpatty cowexportoftest 

Where:

  • testdb is the name of the database and may be optionally fully qualified.
  • import cowpatty is the operation to be performed.
  • cowexportoftest is the coWPAtty file to be imported and may be optionally fully qualified.

The system responds:

 
 Reading header...
 Reading...
 Updating references...
 Writing...

Import ascii Operation

To import an ascii list of SSIDs, enter:

 airolib-ng testdb import ascii essid ssidlist.txt

Where:

  • testdb is the name of the database to be updated and this must already exist.
  • import ascii is the operation to be performed.
  • essid indicates it is a list of SSIDs.
  • ssidlist.txt is the file name containing the SSIDs. One per line. It can optionally be fully qualified.

The system responds:

 Reading...
 Writing...
 Done.

To import an ascii list of passwords, enter:

 airolib-ng testdb import ascii passwd password.lst

Where:

  • testdb is the name of the database to be updated and this must already exist.
  • import ascii is the operation to be performed.
  • passwd indicates it is a list of passwords.
  • password.lst is the file name. One per line. It can optionally be fully qualified.

The system responds:

 Reading...
 Writing... read, 1814 invalid lines ignored.
 Done.

Aircrack-ng Usage Example

The ultimate objective is to speed up WPA/WPA2 cracking under aircrack-ng. To use the tables you have built with airolib-ng, use the “-r” option to specify the database containing the pre-calculated PMKs.

Enter:

 aircrack-ng  -r testdb  wpa2.eapol.cap

Where:

  • -r specifies that a pre-computed PMK database will be used.
  • testdb is the name of the database file and may optionally be fully qualified.
  • wpa2.eapol.cap is the capture file containing the WPA/WPA2 handshake.

Note: All the other standard options which are applicable to WPA/WPA2 may also be used. This is a very limited example.

Usage Tips

None at this time.

Usage Troubleshooting

None at this time.

airolib-ng.1184011379.txt.gz · Last modified: 2007/07/09 22:02 by darkaudax