Thursday, January 24, 2013

Cracking WEP Networks with KisMAC+aircrack-ng on Mac OS X Lion

Cracking WEP Networks with KisMAC+aircrack-ng on Mac OS X Lion

UPDATE 12-5-12: Thanks to a reader (see comments below), I've gotten my hands on a version of KisMAC that works on Mac OS X Mountain Lion! While it may be a beta version, it does at least run and collect unique IVs from my Airport Extreme card, and I'm able to use the data in aircrack-ng. Download it here:

Your situation: You've spent endless hours researching/experimenting with cracking your own personal WEP encrypted wireless network and you just can't seem to get it accomplished. You don't necessarily have state-of-the-art equipment (other than your super fine Macbook/Macbook Pro), and you can't run other alternatives such as Backtrack 5. You're stuck with KisMAC although it's outdated software. It just so happens you're still in luck. All you need are a couple extra tools and some tips that aren't usually discussed anywhere else.

What you need:
  • KisMAC - the latest version is currently 0.3.3
  • MacPorts - I downloaded the disk image for Lion
Go ahead and install KisMAC and MacPorts (standard installation with defaults is fine). You may need to see the MacPorts installation instructions if you don't already have Apple's developer tools installed. Once MacPorts is installed, you can install the last piece of the puzzle (and most important): aircrack-ng. Just run this command in terminal:
sudo port install aircrack-ng
If you get an error, you may need to update your MacPorts sources:
sudo port selfupdate
Once aircrack-ng is installed, you're ready to go. You should already be familiar with basic KisMAC usage, so if you're not, refer to some beginner tutorials on it first. This guide is targeted at some of the "gotchas" of using KisMAC and aircrack-ng. To briefly get KisMAC set up:
  1. Open KisMAC
  2. Go to Preferences -> Driver
  3. Add your first card (mine was the Airport Extreme passive mode)
  4. Select the channel the target AP is on (if you don't already know this, refer to beginner docs
  5. If the card is used for injection, select the "use as primary device" option
  6. Select "Keep everything" in the Dump Filter settings and select a location to save the dump files
  7. Add your second card and repeat steps 4-6
I recommend that you keep dump files from both cards stored in the same folder (an empty folder somewhere).

Now it's time to start sniffing. Click "Start Scan" and watch as data starts coming in. Double click on the target AP in the list and click Network -> Reinject Packets to start packet reinjection and quickly generate unique IVs. You should see the Unique IV count climb.

The last step is to start aircrack-ng. Open Terminal and type:
aircrack-ng -b
I selected the ~/Desktop/aircrack/ folder to store my KisMAC dumps, so my example would be something like:
aircrack-ng -b 00:00:00:00:00:00 ~/Desktop/aircrack/*
Of course you need to enter the bssid of the target AP after the -b flag. Aircrack-ng should load up any dump files in that directory and start cracking. It will automatically attempt to crack every 5000 IVs, so you don't have to even worry about rerunning it.

Now for the tips that it took me hours to discover:
  1. aircrack-ng can use multiple dump files, so you can stop/start KisMAC all you want and create multiple files. Just use the asterisk like I did in my aircrack-ng example above. You could even do something like ~/Desktop/Dump* to get all the files that begin with "Dump".
  2. If you encounter errors in aircrack-ng about a corrupt file or incorrect packet length, the problem is that KisMAC is dumping management and control packets too. We really only need data packets, so you can go back in the Preferences -> Driver section and instead of selecting "Keep Everything", you can select "Data Only". This should correct the errors.
  3. If you notice that the number of IVs in KisMAC is drastically greater than those showing in aircrack-ng, do tip 2 above. If that doesn't fix it, make sure you are saving dumps from all of your devices.
Once I figured that out, I was able to crack my network in under 5 minutes with only 15,000 unique IVs.

Happy cracking and remember to only experiment on network you own or have permission to crack.


mahasiswa teladan said...

hi...Im student from Informatics engineering nice article,
thanks for sharing :)

mahasiswa teladan said...

hi...Im student from Informatics engineering nice article,
thanks for sharing :)

amado said...

Many thanks for your post. One of the most eloquent ones I've read about the matter. However, it does not work for me. After running

sudo port selfupdate

on my terminal, I run command

sudo port install aircrack-ng

but I still get errors and some more stuff. I do not know whether I have succesfully installed aircrack-ng, it does not seem so as
my Kismac keeps not gathering Uniques IV at a decent pace.

Any ideas?


Matthew Du Puy said...

aircrack-ng is also available from the Mac Homebrew project at
Just: brew install aircrack-ng
You have to have Xcode installed of course but it downloads the latest tarball and compiles on Mountain Lion perfectly.

The problem with using the Airport drivers in the KisMac2 beta on my MacBookPro is that injection is not supported. :(

BERN said...

Do I still need an additional wireless card that has packet injection?

Blogger said...


Professional trading signals delivered to your cell phone every day.

Start following our signals today & make up to 270% daily.