Monday, February 15, 2016

Aircrack-ng compilation matrix

I tried to compile Aircrack-ng on a 'few' systems to see how it works and I was quite surprised by the amount of systems it can be compiled on (and most of the time, it can be compiled with both gcc and clang).

Here is the status for the current development code (r2846). I will update this matrix and add more details from time to time.


On x86 (32/64 bit)

System             GCC       Clang/LLVM
Linux              Yes       Yes
OpenWrt            Yes       Untested
Cygwin 32 bit      Yes       Yes
Cygwin 64 bit      Yes       No
OSX (Travis CI)    Yes       Yes
FreeBSD            No        Yes
OpenBSD            Yes       Yes
NetBSD             Untested  Untested
DragonFlyBSD       Yes       No package
Solaris            Yes       Yes

Other CPUs (Linux)

CPU                GCC       Clang/LLVM
ARM 32 bit         Yes       Yes
ARM 64 bit         Yes       Untested
MIPS               Yes       No

Sunday, February 14, 2016

Aircrack-ng 1.2 Release Candidate 4

Fourth release candidate. There will be another one; some small bugs still need to be fixed, but it should happen fairly soon. On top of a big speed increase (up to 175%) that also fixes compilation on Cygwin 64 bit, it includes a ton of fixes and improvements on Linux, *BSD, Solaris and Cygwin on x86, and on Linux on ARM and MIPS.

Changelog

  • Airodump-ng: Increase console window size.
  • Aircrack-ng: Added time remaining and percentage done when doing WPA cracking with a dictionary (file).
  • Aircrack-ng: Make benchmark last 15 seconds for a more accurate value.
  • Aircrack-ng: Fixed compilation on Cygwin 64 and drastically improved cracking speed for all CPUs (up to +175% performance).
  • Airmon-ng: Improved chipset detection on FreeBSD.
  • Airmon-ng: Display chipset for some Broadcom SDIO.
  • Airbase-ng: Fixed broadcasting 'default'.
  • General: Updated and cleaned up the TravisCI file to test compilation and run tests on OSX.
  • General: Fixed reading large files on Cygwin.
  • General: Fixed a bunch of compilation warnings with gcc and clang.
  • General: Fixed compilation on Solaris, OpenBSD, DragonFlyBSD 4.4, NetBSD, OSX.
  • General: Fixed compilation on ARM and MIPS.
  • General: Improved compatibility on FreeBSD and Cygwin (RAM and CPU detection).
  • General: Fixed gcc segfault on cygwin.
  • General: Memory cleanups, fixed memory leaks and fix other issues reported by Valgrind.
  • Testing: Fixes on various OSes.
  • INSTALLING: Updated installation instructions for the different OSes.
  • TravisCI: Improved file.

Wednesday, December 30, 2015

Cracking speed improvements

Almost 8 years ago, we got a pretty big improvement with SSE2 code to crack WPA, a nice upgrade from MMX.

I recently posted a bug bounty to fix the compilation of Aircrack-ng on Cygwin 64 bit. It has been working fine on Linux 64 bit but, for some reason, Cygwin didn't like it when compiling on 64 bit.
We couldn't have tested it back then since Cygwin 64 bit didn't exist at the time.

darkfires took up the challenge to fix the compilation on Cygwin 64 bit. After that, he helped fix a bunch of memory leaks and other issues, as well as improving cracking speed quite a bit, which is the reason for this post.

The task was pretty daunting and a lot of testing was needed to make sure it works on the different CPU architectures (x86 32 and 64 bit, various ARM) and different OSes (Cygwin, Linux, BSD, Solaris, OSX).
On top of the usual 'fixing something on one, breaking it on the other', here are three examples of how complicated it was:

  • Different CPUs support different features and instruction sets, and detecting them wasn't an easy task. For example, on the Raspberry Pi (v1), gcc supports 'neon' and we can compile aircrack-ng with it, but the CPU itself doesn't support those instructions, which means aircrack-ng crashes and it has to be disabled. On the Beaglebone, the CPU does support NEON instructions.
  • gcc can compile with AVX2 instructions on x86. However, if the CPU doesn't support them, aircrack-ng will crash with a nice error: 'Illegal instruction'.
  • Some code that gets CPU features (such as MMX, SSE, AVX) works on some CPUs and doesn't on others.

There is no way to explain in detail how complicated it was to make it work on all those different combinations of CPUs and OSes. darkfires has spent countless hours making all of this work.

To give you an idea how much work has been done, the patch was ~375Kb and ~11K lines long.

On top of it, the Aircrack-ng CPU detection code has been rewritten on x86 to give more details. Here is what 'aircrack-ng -u' now looks like:

Vendor          = Intel
Model           = Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz
Features        = MMX,SSE,SSE2,SSE3,SSSE3,SSE4.1,SSE4.2,AVX
Hyper-Threading = Yes
Logical CPUs    = 8
CPU cores       = 4
SIMD size       = 4 (128 bit)
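A runtime feature check in the spirit of the three problems above and of the 'aircrack-ng -u' output, added here as an example (my code, not aircrack-ng's detection code; the function names are hypothetical): it reads CPUID leaves 1 and 7 and checks XGETBV so that AVX is only reported when both the CPU and the OS support it, then formats the result the way the 'Features' and 'SIMD size' lines do.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Feature bits in the order aircrack-ng -u prints them, plus AVX2. */
enum { F_MMX = 1u << 0, F_SSE = 1u << 1, F_SSE2 = 1u << 2, F_SSE3 = 1u << 3,
       F_SSSE3 = 1u << 4, F_SSE41 = 1u << 5, F_SSE42 = 1u << 6, F_AVX = 1u << 7,
       F_AVX2 = 1u << 8 };
static const char *const feature_names[] = { "MMX", "SSE", "SSE2", "SSE3",
       "SSSE3", "SSE4.1", "SSE4.2", "AVX", "AVX2" };

/* Runtime CPUID query (hypothetical helper, not aircrack-ng's code); 0 on non-x86.
 * AVX/AVX2 are reported only if the OS enabled YMM state (XCR0 bits 1 and 2);
 * without that, a capable CPU still traps with 'Illegal instruction'. */
unsigned detect_cpu_features(void) {
    unsigned feats = 0;
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char dbits[] = {23, 25, 26}, cbits[] = {0, 9, 19, 20};
    unsigned a, b, c, d, xlo, xhi;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    for (int i = 0; i < 3; i++) if ((d >> dbits[i]) & 1u) feats |= 1u << i;       /* MMX..SSE2 */
    for (int i = 0; i < 4; i++) if ((c >> cbits[i]) & 1u) feats |= 1u << (3 + i); /* SSE3..SSE4.2 */
    if ((c & (1u << 27)) && (c & (1u << 28))) {               /* OSXSAVE and AVX */
        __asm__ volatile("xgetbv" : "=a"(xlo), "=d"(xhi) : "c"(0));
        if ((xlo & 6u) == 6u) {                               /* XMM+YMM enabled by OS */
            feats |= F_AVX;
            if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 5)))
                feats |= F_AVX2;                              /* leaf 7, EBX bit 5 */
        }
    }
#endif
    return feats;
}
/* Render a mask as the comma-separated 'Features' line of aircrack-ng -u. */
size_t format_features(unsigned feats, char *out, size_t cap) {
    size_t len = 0;
    out[0] = '\0';
    for (unsigned i = 0; i < 9; i++) {
        if (!(feats & (1u << i))) continue;
        int n = snprintf(out + len, cap - len, "%s%s", len ? "," : "", feature_names[i]);
        if (n < 0 || (size_t)n >= cap - len) { out[len] = '\0'; break; } /* no partial name */
        len += (size_t)n;
    }
    return len;
}
/* Widest register a build may use; 0 selects the plain C path (MULTIBIN 'original'). */
int simd_width_bits(unsigned feats) {
    return (feats & F_AVX2) ? 256 : (feats & F_SSE2) ? 128 : (feats & F_MMX) ? 64 : 0;
}
```

Dividing simd_width_bits() by 32 gives the lane count shown as 'SIMD size = 4 (128 bit)' above.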

Last but not least, here are the numbers.

CPU                1.2rc3     r2800       Increase
Celeron M 1.4 GHz  138k/s     152k/s      +10%
i7-2630QM          ~3000k/s   ~4000k/s    +33%
E3-1231 v3         ~4900k/s   ~13100k/s   +167%
i5-4590            ~4700k/s   ~11600k/s   +146%
i7-6700K           ~6200k/s   ~17100k/s   +175%

It's still pretty far from GPU cracking speeds, but there are pretty significant gains thanks to AVX. The second version of AVX (AVX2) provides the most gains, as you can see in the numbers above.

Bonus thing: if you are a package maintainer, you can compile aircrack-ng with the different improvements. Simply edit common.cfg and set MULTIBIN=true; running make will then compile 3 different versions: the original, SSE and SIMD.

We have tested it quite a bit on different CPUs and OSes, but please test it a lot (simply get the latest revision from our subversion repository) and report back to us. Let us know how it works for you and what kind of improvements you're getting, and we especially want to hear if you have bugs. If you have a recent AMD CPU, we want to hear from you.

The plan is to make another release candidate in about 2 weeks.

Saturday, November 21, 2015

Aircrack-ng 1.2 Release Candidate 3

Third release candidate and hopefully this should be the last one. It contains a ton of bug fixes, code cleanup, improvements and compilation fixes everywhere. Some features were added: AppArmor profiles, better FreeBSD support, including an airmon-ng for FreeBSD.

Changelog

  • Airodump-ng: Prevent sending signal to init which caused the system to reboot/shutdown.
  • Airbase-ng: Allow using a user-specified ANonce instead of a randomized one when doing the 4-way handshake.
  • Aircrack-ng: Fixed compilation warnings.
  • Aircrack-ng: Removed redundant NULL check and fixed typo in another one.
  • Aircrack-ng: Workaround for segfault when compiling aircrack-ng with clang and gcrypt and running a check.
  • Airmon-ng: Created version for FreeBSD.
  • Airmon-ng: Prevent passing invalid values as channel.
  • Airmon-ng: Handle udev renaming interfaces.
  • Airmon-ng: Better handling of rfkill.
  • Airmon-ng: Updated OUI URL.
  • Airmon-ng: Fix VM detection.
  • Airmon-ng: Make lsusb optional if there doesn't seem to be a usb bus. Improve pci detection slightly.
  • Airmon-ng: Various cleanup and fixes (including wording and typos).
  • Airmon-ng: Display iw errors.
  • Airmon-ng: Improved handling of non-monitor interfaces.
  • Airmon-ng: Fixed error when running 'check kill'.
  • Airdrop-ng: Display error instead of stack trace.
  • Airmon-ng: Fixed bashism.
  • Airdecap-ng: Allow specifying output file names.
  • Airtun-ng: Added missing parameter to help screen.
  • Besside-ng-crawler: Removed reference to darkircop.org (non-existent subdomain).
  • Airgraph-ng: Display error when no graph type is specified.
  • Airgraph-ng: Fixed make install.
  • Manpages: Fixed, updated and improved airodump-ng, airmon-ng, aircrack-ng, airbase-ng and aireplay-ng manpages.
  • Aircrack-ng GUI: Fixes issues with wordlists selection.
  • OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
  • OSdep: Fix possible infinite loop.
  • OSdep: Use a default MTU of 1500 (Linux only).
  • OSdep: Fixed compilation on OSX.
  • AppArmor: Improved and added profiles.
  • General: Fixed warnings reported by clang.
  • General: Updated TravisCI configuration file.
  • General: Fixed typos in various tools.
  • General: Fixed clang warning about 'gcry_thread_cbs()' being deprecated with gcrypt > 1.6.0.
  • General: Fixed compilation on cygwin due to undefined reference to GUID_DEVCLASS_NET.
  • General: Fixed compilation with musl libc.
  • General: Improved testing and added test cases (make check).
  • General: Improved mutexes handling in various tools.
  • General: Fixed memory leaks, use after free, null termination and return values in various tools and OSdep.
  • General: Fixed compilation on FreeBSD.
  • General: Various fixes and improvements to README (wording, compilation, etc).
  • General: Updated copyrights in help screen.

Friday, April 10, 2015

Aircrack-ng 1.2 Release Candidate 2

Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is that recent versions of GPSd now work very well with Airodump-ng.

Changelog

  • Airtun-ng: Adds WPA CCMP and TKIP decryption and CCMP encryption.
  • Compilation: Added support for DUMA.
  • Makefile: Renamed 'unstable' to 'experimental'.
  • Airodump-ng: Fixed XML sanitizing.
  • Airmon-ng: Airmon-zc is now stable enough to replace airmon-ng.
  • Manpages: Removed airdriver-ng manpage and references to it (forgot to do it before the previous release).
  • Manpages: Updated 'see also' references in all manpages.
  • PCRE: Added it in various places and docs.
  • WZCook: Fixed processing values stored in register.
  • Updated a few headers files (if_llc, ieee80211, ethernet and if_arp).
  • Travis CI: updated make parameter and add testing with pcre.
  • Compilation: de-hardcode -lpcap to allow specifying pcap libraries.
  • Makefile: Fixed installing/uninstalling Airdrop-ng documentation files.
  • Makefile: Fixed uninstalling ext_scripts.
  • Airodump-ng: Added new paths (and removed one) for OUI files and simplified logic to find the OUI file.
  • Aircrack-ng: Fixed ignoring -p when specified after -S.
  • Airmon-ng: Fixes for OpenWrt busybox ps/grep issues which do not seem present in other versions of busybox.
  • Airmon-ng: fix vm detection.
  • Airserv-ng: Fixed channel setting (and assert call).
  • Airodump-ng: Fixes to NetXML (unassociated clients missing and various other small bugs) and update the code to match current NetXML output.
  • Airodump-ng: Removed requirement for 2 packets before AP is written to output (text) files.
  • Airodump-ng: Fixed formatting of ESSID and display of WPA/WPA2 (as well as a bunch of other small fixes) in CSV file.
  • Airodump-ng: Fixed GPSd.
  • Airodump-ng: Allow to specify write interval for CSV, kismet CSV and NetXML files.
  • Airserv-ng: Fixed wrong station data displayed in Airodump-ng.
  • General: Fixed 64 bit promotion issues.
  • General: Fixed a bunch of uninitialized values and non-zeroed structures (upon allocating them).
  • General: Added Stack protection.
  • Various other small fixes and improvements.

Friday, October 31, 2014

Aircrack-ng 1.2 Release candidate 1

Here is the first release candidate. I was wrong about saying there would be a fourth beta in the post for the previous release. It comes exactly 7 months after the last beta. There will most likely be another one, then the final release in the next few months.

Updating is highly recommended as this contains a lot of bug fixes and improvements as well as security fixes (CVE-2014-8321, CVE-2014-8322, CVE-2014-8323 and CVE-2014-8324). More details can be found in the blog.

Changelog

  • Airodump-ng should be able to parse the canonical oui file.
  • Airodump-ng: Fixed GPS stack overflow.
  • Airodump-ng: Fixed stopping cleanly with Ctrl-C.
  • Airmon-zc: Better handling for when modules are not available (incomplete).
  • Airmon-zc: Users can now start the monitor interface again to change channels.
  • Airmon-zc: Update to use ip instead of ifconfig if available.
  • Airmon-zc: Better handling of devices without pci bus.
  • Aireplay-ng: Fixed tcp_test stack overflow.
  • OSdep: Fixed libnl detection. Also avoid detection on non Linux systems.
  • OSdep: Fixed segmentation fault that happens with a malicious server.
  • Besside-ng: Add regular expression matching for the SSID.
  • Buddy-ng: Fixed segmentation fault.
  • Makefile: Fixed 'commands commence before first target' error when building Aircrack-ng.
  • Fixed segfault when changing the optimization when compiling with gcc thanks to Ramiro Polla.
  • Removed airdriver-ng (outdated and not meant for today's kernels)
  • Added gitignore file.
  • Fixed build issues on other compilers by using stdint.h types.
  • Updated the installation file and added pkg-config as a requirement.
  • Various small fixes and improvements.

Tuesday, June 10, 2014

Comcast xfinitywifi and hidden wifi network

Recently, on Twitter, I talked about Comcast and their xfinitywifi network. Here is the full story.

If you have Comcast and a recent modem from them such as one of those, it creates by default a wireless network called xfinitywifi (if it doesn't now, it will do so soon), so that other people with Comcast can log in to it and have Internet access when they are traveling.

It's a pretty good idea since it does not use any of your bandwidth (based on what they say, and Slashdot had a story today from the Houston Chronicle), but it could slow down your wireless network since it is on the same channel. However, I really don't like the way they implemented it: it is enabled by default and you can only disable it by logging in to your account online; there is not a single mention of it in the modem configuration. It's also a bad idea because it can easily be faked to steal credentials (it's an open network, no encryption).

Unfortunately, I had to spend quite a lot of time with their tech/customer service to figure it out and get it disabled (their first attempt to disable it failed), and they will try to convince you to leave it on. I knew they have access to the cable modem and can reset/upgrade the firmware. What's really worrying is that they can access all the settings of the modem, including the wireless settings: they could tell me what my WiFi settings were. They might also be able to access your network.

Moving on. Another issue I mentioned to their tech was that there was another wireless network alongside xfinitywifi and my personal network: a hidden network with the same security settings as my personal network (or it's just a coincidence that I use the same settings as them). The MAC address is also very similar to the one of your modem; what changes is the first byte.
As of now (the last time I spoke to them was at least 2 or 3 weeks ago), this hidden network is still there and I have absolutely no idea what that network is. So, I'll disable the wireless on the modem and put another AP between the modem and my network. Here is a picture of the network (let me know if you'd like a PCAP).

Does anybody know what that hidden wireless network is for? Comcast hasn't responded yet to that question on Twitter.