- Monitoring: Packet capture and export of data to text files for further processing by third party tools.
- Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
- Testing: Checking WiFi cards and driver capabilities (capture and injection).
- Cracking: WEP and WPA PSK (WPA 1 and 2).
It focuses a lot on code quality and adds a few visible features:
- PMKID cracking
- Crack 802.11w capture files
- Speed and memory usage improvement when loading (large) files with Aircrack-ng and Airdecap-ng
- Packages for Linux distributions and Windows
- Fix building on various platforms
- Improved and tweaked our CI/CD processes
- Using new CI/CD tools for our buildbots and packaging, PyDeployer
- Almost doubled the amount of tests
On routers with 802.11i/p/r, the AP can cache an "ID" for the connection so roaming clients don't have to waste frames reauthenticating and can just use the PMKID, which reduces latency a bit (from 6 frames to only 2).
The PMKID is calculated this way:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)
A big advantage here is that this PMKID is present in the first EAPoL frame of the 4-way handshake.
A few caveats about this attack:
- Sometimes APs send empty PMKID
- It doesn’t work on WPA/WPA2 Enterprise networks
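As an added example (not Aircrack-ng's own code), the calculation above in Python: the PMK is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1 as WPA2-PSK does, the PMKID is the first 128 bits of HMAC-SHA1 over "PMK Name" | BSSID | STA MAC, and an empty (all-zero) PMKID, the caveat noted above, is rejected before any comparison. The MAC addresses and passphrases are constructed sample values.

```python
import hashlib
import hmac

PMK_NAME = b"PMK Name"
PMKID_LEN = 16  # 128 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    # "aa:bb:cc:dd:ee:ff" (or with '-') -> 6 raw bytes
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, bssid: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC): truncate to 16 bytes
    return hmac.new(pmk, PMK_NAME + bssid + sta_mac, hashlib.sha1).digest()[:PMKID_LEN]


def pmkid_is_usable(pmkid: bytes) -> bool:
    # Some APs send an empty (all-zero) PMKID in the first EAPoL frame; that
    # carries no key material and cannot be verified against anything.
    return len(pmkid) == PMKID_LEN and any(pmkid)


def passphrase_matches(pmkid_hex: str, ssid: str, bssid: str, sta_mac: str,
                       passphrase: str) -> bool:
    """True if the captured PMKID is the one this passphrase yields for SSID/BSSID/STA."""
    captured = bytes.fromhex(pmkid_hex)
    if not pmkid_is_usable(captured):
        return False
    expected = compute_pmkid(derive_pmk(passphrase, ssid), mac_bytes(bssid), mac_bytes(sta_mac))
    return hmac.compare_digest(captured, expected)


if __name__ == "__main__":
    # Constructed sample: the PMKID an AP with this passphrase would put in frame 1
    pmk = derive_pmk("example-passphrase", "ogogo")
    pmkid = compute_pmkid(pmk, mac_bytes("02:00:00:00:00:01"), mac_bytes("02:00:00:00:00:02"))
    print("PMKID:", pmkid.hex())
    print("matches:", passphrase_matches(pmkid.hex(), "ogogo", "02:00:00:00:00:01",
                                        "02:00:00:00:00:02", "example-passphrase"))
```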
When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo, notice the “with PMKID” on the same line:
When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).
If you'd like to test, two capture files with PMKID are available in the test files:
More details about the attack itself can be found in this post.
git clone https://github.com/aircrack-ng/aircrack-ng