Table of Contents

Tools

WZCook

It recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your Service Pack level.

WZCOOK can also display the PMK (Pairwise Master Key), a 256-bit value which is the result of the passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself can't be recovered – however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf configuration file should look like:

network={ 
   ssid="my_essid" 
   pmk=5c9597f3c8245907ea71a89d[...]9d39d08e
}

The WZCook tool also supports a silent mode. This is invoked by adding “--silent” (double dashes) to the command. The program runs and does not output any messages. This is useful for batch files and scripts.

If you don't use WZC service, but you use USR Utility, get this registry value and try it here:

HKey_Current_User/Software/ACXPROFILE/profilename/dot11WEPDefaultKey1

ivstools

This tool handle .ivs files. You can either merge or convert them.

Merge

Use --merge option to merge multiple .ivs files. Example:

ivstools --merge dump1.ivs dump2.ivs dump3.ivs out.ivs 

It will merge dump1.ivs, dump2.ivs and dump3.ivs into out.ivs. You can merge more than 2 files, output file must be the last argument.


Note: aircrack-ng is able to open multiple files (pcap or ivs)

Convert

Use --convert option to convert a pcap file (by default, they have .cap extension) to a .ivs file. Example:

ivstools --convert out.cap out.ivs

It will save out.cap IVs to out.ivs


Note: Kismet produce pcap files (the extension is .dump), that can be converted

WARNING: pcap2ivs from aircrack, and aircrack-ng up to v0.2.1 have a bug which creates broken captures. You should not use pcap2ivs from those versions. If you have a broken IVs file from using the broken versions, then try using FixIvs to recover it.

Versuck-ng

versuck-ng's purpose is to calculate the default WEP key for Verizon issued Actiontec wireless routers. It does this using a list of known hardware IDs in the wired mac used by the router. Depending on the BSSID you can some times use it as well. The OUI needs to match on both the wireless and wired mac for use of the BSSID to work.

Usage: versuck-ng options -m -e

Options:
 -h, --help            show this help message and exit
 -m MAC, --mac=MAC     Mac Address
 -e ESSID, --essid=ESSID essid

Use:

  versuck-ng -e ESSID -m WIRED_MAC

buddy-ng

Check out easside-ng documentation.

makeivs-ng

makeivs-ng is a tool designed to generate an IVS dump file with an inputted WEP key. The aim of is tools is to provide a way to create dumps with a known encryption key for tests.

By default, it will generate a file with the BSSID 01:02:03:04:05:06 of 100000 packets and 16 bytes of keystream. IVs will be sequential. Various parameters can added to test different scenarios:

OptionDescription
-b <bssid> or –bssid <bssid>Set the BSSID (Access Point MAC).
-f <num> or –first <num>Value for the first IV generated.
-k <key> or –key <key>Target network WEP key in hex. Separator between bytes is accepted but not necessary.
-s <num> or –seed <num>Seed used to setup random generator. May be used in combination with -p or –prng.
-w <file> or –write <file>Filename to write IVs into.
-c <num> or –count <num>Amount of IVs to generate. Default value is 100000.
-d <num> or –dupe <num>Percentage of duplicate IVs.
-e <num> or –error <num>Percentage of erroneous keystreams.
-l <num> or –length <num>Size of keystreams. Default: 16 bytes.
-n or –nofmsIgnores weak IVs.
-p or –prngUse random values when generating IVs. Default is to use sequential values.

Minimum required parameters: -w and -k.

kstats

kstats is a tool designed to show the FMS algorithm votes for an IVS dump with a specified WEP key. The IVS dump can be get by using the combination of both airodump-ng and ivstools.

Usage:

 kstats <IVS file> <WEP Key>