Wednesday, December 30, 2015

Cracking speed improvements

Almost 8 years, we got pretty big improvement with SSE2 code to crack WPA, a nice upgrade from MMX.

I recently posted a bug bounty to fix the compilation of Aircrack-ng on Cygwin 64 bit. It's been working fine on Linux 64 bit but for some reason, Cygwin didn't like when compiling on 64 bit.
We couldn't have tested it back then since Cygwin 64 bit didn't exist at the time.

darkfires took up the challenge to fix the compilation on Cygwin 64 bit. After that, he helped fix a bunch of memory leaks and other issues as well as improving cracking speed quite a bit, which is the reason of this post.

The task was pretty daunting and a lot of testing was needed to make sure it works on the different CPU architectures (x86 32 and 64 bit, various ARM) and different OSes (Cygwin, Linux, BSD, Solaris, OSX).
On top of the usual 'fixing something on one, breaking on the other', here are three examples on how complicated it was:

  • Different CPU support different features and instructions set and detecting them wasn't an easy task. For example, on Raspberry Pi (v1), gcc supports 'neon' and we can compile aircrack-ng with them but the CPU itself doesn't support them which means aircrack-ng crashes and it has to be disabled. On the Beaglebone, the CPU support neon instructions.
  • gcc can compile with AVX2 instructions on x86. However, if the CPU doesn't support it, aircrack-ng will crash with a nice error: 'Illegal instruction'.
  • Some code that works to get CPU features (such as MMX, SSE, AVX) works on some CPU and doesn't on others.
There is no way to explain in details how complicated it was to make it work on all those different combinations of CPU and OSes. darkfires has spent countless hours making all of this work.

To give you an idea how much work has been done, the patch was ~375Kb and ~11K lines long.

On top of it, the Aircrack-ng CPU detection code has been rewritten on x86 to give more details. Here is what 'aircrack-ng -u' now looks like:

Vendor          = Intel
Model           = Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz
Features        = MMX,SSE,SSE2,SSE3,SSSE3,SSE4.1,SSE4.2,AVX
Hyper-Threading = Yes
Logical CPUs    = 8
CPU cores       = 4
SIMD size       = 4 (128 bit)

Last but not least, here are the numbers.

1.2rc3 r2800 Increase
Celeron M 1.4Ghz 138k/s 152k/s +10%
i7-2630QM ~3000k/s ~4000k/s +33%
E3-1231 v3 ~4900k/s ~13100k/s +167%
i5-4590 ~4700k/s ~11600k/s +146%
i7-6700K ~6200k/s ~17100k/s +175%

It's still pretty far from GPU cracking speeds but there are pretty significant gains thanks to AVX. The second version provides the most gains as you can see on the numbers above.

Bonus thing: if you are a package maintainer, you can compile aircrack-ng with different improvements. Simply edit the common.cfg and put MULTIBIN=true and when running make will compile 3 different versions: the original, SSE and SIMD.

We have tested it quite a bit on different CPU and OSes but please test (simply get the latest revision from our subversion repository) a lot and report back to us. Let us know how it works for you, what kind of improvements you're getting and we especially want to hear if you have bugs. If you have a recent AMD CPU, we want to hear from you.

The plan is to make another release candidate in about 2 weeks.

Saturday, November 21, 2015

Aircrack-ng 1.2 Release Candidate 3

Third release candidate and hopefully this should be the last one. It contains a ton of bug fixes, code cleanup, improvements and compilation fixes everywhere. Some features were added: AppArmor profiles, better FreeBSD support, including an airmon-ng for FreeBSD.

Changelog

  • Airodump-ng: Prevent sending signal to init which caused the system to reboot/shutdown.
  • Airbase-ng: Allow to use a user-specified ANonce instead of a randomized one when doing the 4-way handshake
  • Aircrack-ng: Fixed compilation warnings.
  • Aircrack-ng: Removed redundant NULL check and fixed typo in another one.
  • Aircrack-ng: Workaround for segfault when compiling aircrack-ng with clang and gcrypt and running a check.
  • Airmon-ng: Created version for FreeBSD.
  • Airmon-ng: Prevent passing invalid values as channel.
  • Airmon-ng: Handle udev renaming interfaces.
  • Airmon-ng: Better handling of rfkill.
  • Airmon-ng: Updated OUI URL.
  • Airmon-ng: Fix VM detection.
  • Airmon-ng: Make lsusb optional if there doesn't seem to be a usb bus. Improve pci detection slightly.
  • Airmon-ng: Various cleanup and fixes (including wording and typos).
  • Airmon-ng: Display iw errors.
  • Airmon-ng: Improved handling of non-monitor interfaces.
  • Airmon-ng: Fixed error when running 'check kill'.
  • Airdrop-ng: Display error instead of stack trace.
  • Airmon-ng: Fixed bashism.
  • Airdecap-ng: Allow specifying output file names.
  • Airtun-ng: Added missing parameter to help screen.
  • Besside-ng-crawler: Removed reference to darkircop.org (non-existent subdomain).
  • Airgraph-ng: Display error when no graph type is specified.
  • Airgraph-ng: Fixed make install.
  • Manpages: Fixed, updated and improved airodump-ng, airmon-ng, aircrack-ng, airbase-ng and aireplay-ng manpages.
  • Aircrack-ng GUI: Fixes issues with wordlists selection.
  • OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
  • OSdep: Fix possible infinite loop.
  • OSdep: Use a default MTU of 1500 (Linux only).
  • OSdep: Fixed compilation on OSX.
  • AppArmor: Improved and added profiles.
  • General: Fixed warnings reported by clang.
  • General: Updated TravisCI configuration file
  • General: Fixed typos in various tools.
  • General: Fixed clang warning about 'gcry_thread_cbs()' being deprecated with gcrypt > 1.6.0.
  • General: Fixed compilation on cygwin due to undefined reference to GUID_DEVCLASS_NET
  • General: Fixed compilation with musl libc.
  • General: Improved testing and added test cases (make check).
  • General: Improved mutexes handling in various tools.
  • General: Fixed memory leaks, use afer free, null termination and return values in various tools and OSdep.
  • General: Fixed compilation on FreeBSD.
  • General: Various fixes and improvements to README (wording, compilation, etc).
  • General: Updated copyrights in help screen.

Friday, April 10, 2015

Aircrack-ng 1.2 Release Candidate 2

Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is recent version of GPSd now work very well with Airodump-ng.

Changelog

  • Airtun-ng: Adds WPA CCMP and TKIP decryption and CCMP encryption
  • Compilation: Added support for DUMA.
  • Makefile: Renamed 'unstable' to 'experimental'.
  • Airodump-ng: Fixed XML sanitizing.
  • Airmon-ng: Airmon-zc is now stable enough to replace airmon-ng.
  • Manpages: Removed airdriver-ng manpage and references to it (forgot to do it before the previous release).
  • Manpages: Updated 'see also' references in all manpages.
  • PCRE: Added it in various places and docs.
  • WZCook: Fixed processing values stored in register.
  • Updated a few headers files (if_llc, ieee80211, ethernet and if_arp).
  • Travis CI: updated make parameter and add testing with pcre.
  • Compilation: de-hardcode -lpcap to allow specifying pcap libraries.
  • Makefile: Fixed installing/uninstalling Airdrop-ng documentation files.
  • Makefile: Fixed uninstalling ext_scripts.
  • Airodump-ng: Added new paths (and removed one) for OUI files and simplified logic to find the OUI file.
  • Aircrack-ng: Fixed ignoring -p when specified after -S.
  • Airmon-ng: fixes for openwrt busybox ps/grep issues which do not seem present in other versions of busybox
  • Airmon-ng: fix vm detection.
  • Airserv-ng: Fixed channel setting (and assert call).
  • Airodump-ng: Fixes to NetXML (unassociated clients missing and various other small bugs) and update the code to match current NetXML output.
  • Airodump-ng: Removed requirement for 2 packets before AP is written to output (text) files.
  • Airodump-ng: Fixed formatting of ESSID and display of WPA/WPA2 (as well as a bunch of other small fixes) in CSV file.
  • Airodump-ng: Fixed GPSd.
  • Airodump-ng: Allow to specify write interval for CSV, kismet CSV and NetXML files.
  • Airserv-ng: Fixed wrong station data displayed in Airodump-ng.
  • General: Fixed 64 bit promotion issues.
  • General: Fixed a bunch of uninitialized values and non-zeroed structures (upon allocating them).
  • General: Added Stack protection.
  • Various other small fixes and improvements.