Aircrack Segmentation Fault and Combining .cap Files

I recently ran into a weird aircrack segmentation fault during a wireless engagement. I thought I'd share my fix for when someone else runs into it in the future.

The Aircrack Segmentation Fault

First, for those of you who are unfamiliar, Aircrack-ng is "a complete suite of tools to assess WiFi network security."

During a wireless engagement recently, I had a few different .cap files containing a various amount of data packets. I was trying to crack a WEP key, so I stopped the collection a few times to try again/move my equipment around.

When I attempted to crack multiple .cap files at once, I received the segmentation fault.

root@kali:~# aircrack-ng s_wep_outputNEW-01.cap serta_wep_outputNEW-02.cap
Opening s_wep_outputNEW-01.cap
Opening s_wep_outputNEW-02.cap
Segmentation fault

Attempting to crack these files one by one worked, but I needed to combine the IVs from all of them.

Debugging and Attempting to Merge

At first, I wondered if one of the files I was using was corrupt, so I ran file to make sure nothing came back weird.

root@kali:~# file s_wep_outputNEW-0*.cap
s_wep_outputNEW-01.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
s_wep_outputNEW-02.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
s_wep_outputNEW-03.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)

Since nothing seemed to work, I decided to just run mergecap. This combines multiple capture files into one, so I figured I would no longer get the segmentation fault.

Unfortunately, this seemed to segfault with the same files as well...

root@kali:~# mergecap -F pcap s_wep_outputNEW-01.cap s_wep_outputNEW-02.cap -w combined.cap
Segmentation fault

Ivs Files and a Proper Combine

Next, I decided to use ivstools to convert each pcap into an ivs file.

This worked, though I was still only able to crack one of these files at a time.

root@kali:~# ivstools --convert s_wep_outputNEW-01.cap s1.ivs
Opening s_wep_outputNEW-01.cap
Creating s1.ivs
Read 7998874 packets.
Written 8274 IVs.
root@kali:~# ivstools --convert s_wep_outputNEW-02.cap s2.ivs
Opening s_wep_outputNEW-02.cap
Creating s2.ivs
Read 2170930 packets.
Written 2182 IVs.

Finally, I used the merge command and was able to successfully combine all of my original pcaps into one file!

root@kali:~# ivstools --merge s1.ivs s2.ivs combined.ivs
Creating combined.ivs
Opening s1.ivs
249120 bytes written
Opening s2.ivs
314823 bytes written

Cracking the Key

With the files combined, I was able to run combined.ivs through aircrack and get the proper number of IVs.

root@kali:~# aircrack-ng combined.ivs 
Opening combined.ivs
Read 10458 packets.

   #  BSSID              ESSID                     Encryption

   1  FC:xx:xx:xx:xx:xx  Unbreakable               WEP (10435 IVs)

Choosing first network as target.

Opening combined.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 10435 ivs.


                                 Aircrack-ng 1.2 rc4


                 [00:00:02] Tested 150553 keys (got 10435 IVs)

   KB    depth   byte(vote)
    0   84/ 85   F8(11264) 3E(11192) 47(11044) 09(11008) 12(11008) 
    1   15/  1   88(13312) 1A(13092) 41(13056) 80(13056) E8(13020) 
    2   39/  2   B7(12068) 0F(12032) 14(12032) 53(12032) 7E(12032) 
    3    2/  7   37(15360) 52(14848) 58(14848) D9(14336) 43(14080) 
    4    7/ 18   D1(14336) 57(13824) A5(13604) 61(13568) 1F(13312) 

Failed. Next try with 15000 IVs.

Unfortunately, I was never able to crack this network, even with over 240k IVs.

Aircrack Segmentation Fault - Conclusion

Unfortunately, I was never able to figure out the cause of the actual segmentation faults. If you know, or if you've fixed this a different way, then please let me know!

I wish I could have cracked into the network, as it was for an engagement, but at least I got a workaround in place.

Stay tuned for some more tips, tricks, and gadgets I picked up during some recent wireless engagements!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.