Marfil - An Extension of the Aircrack-ng Suite used to assess WiFi Network Security

Saturday, May 14, 2016


Marfil is an extension of the Aircrack-ng suite, used to assess WiFi network security. It allows to split the work of performing long running dictionary attacks among many computers.

Motivation
The Aircrack-ng suite provides the aircrack-ng tool, which is a 802.11 WEP and WPA/WPA2-PSK key cracking program. When cracking the latter, a dictionary or word list has to be used. The longer these dictionaries are, the longer the process takes. Depending on your hardware it could even take days or weeks.
If you happen to have some additional hardware at your disposal aircrack-ng does not allow you to distribute the load between them: you have to choose the fastest one and stick to it. This is exactly where Marfil comes to play.

Solution
Marfil is a php-based tool that distributes the cracking load between different nodes. The approach followed is considerably simple: instead of using only one node to crack a .cap file using a big dictionary it splits the dictionary and distributes it among the rest of the nodes. The high-level process goes like this:
  1. Dictionaries to use are configured in the server node
  2. A client node sends a crack request to the server includes a .cap file and the BSSID of the target network)
  3. Clients ask the server for work
  4. Once work is needed the server answers with a .cap file and BSSID along with a dictionary piece
  5. Clients perform the cracking on their own and when finished return the result
  6. The server updates the status of the crack request according to the result
  7. Eventually, either the .cap file is processed against all parts of a dictionary without success or the password is found
  8. The process repeats. Note the first step is only needed for the first time or whenever the dictionaries are updated. The server node can also work as a client node.

Requirements
  1. aircrack-ng suite
  2. PHP >= 5.5.9
  3. SQLite module for PHP5 (only needed for the server node)
  4. Composer (only needed if you do not download the release from the releases section)
Marfil has only been tested on Linux so far. However, the approach followed and the tools used are considerably platform-independent so it should also work on Windows or Mac.

Setup

Initial setup and dictionary configuration
  1. Download the most up-to-date file in the release section
  2. Decompress it in all your nodes (server and clients)
  3. Install PHP5 and the aircrack-ng suite in all clients
    On Debian Linux you can do this by running this command:
          sudo apt-get install php5 aircrack-ng     

  4. Install SQLite module for PHP5 on the server
    On Debian Linux you can do this by running this command:
          sudo apt-get install php5-sqlite     

  5. On the server node, start a web server setting the root as the public directory in the Marfil directory
    Using PHP's built-in web server, this can be done by running the following command in the Marfil directory:
          php -S 0.0.0.0:8080 -t public     

    You can test this worked by accessing http://localhost:8080 in a browser on your server node and see an empty list of crack requests
  6. Make sure you can access the web server from your clients by accessing http://YOUR_SERVER_IP_ADDRESS:8080 in a web browser from your clients
  7. Place dictionaries in the storage/app/dictionaries directory. Search the web for word lists, if you don't have any
  8. Execute this command in the Marfil directory to split the dictionaries into pieces and prepare the dictionary database (depending on the size of the dictionaries, it might take a while):
          php artisan marfil:refresh-dictionaries     


Adding crack requests and working on them
  1. In order to add crack requests, a .cap file with the WPA handshake and the BSSID of the target network is needed. This can either be done through the web server interface or by executing the following command in the Marfil directory of any node:
          php artisan marfil:crack YOUR_SERVER_IP_ADDRESS:8080 path/to/file.cap 01:23:45:67:89:AB     

  2. Any successfully generated crack request can be displayed in the web server interface
  3. Any of the nodes can be used as a worker client. In order to do so just run the following command in the Marfil directory:
          php artisan marfil:work YOUR_SERVER_IP_ADDRESS:8080     

    This command will make the client ask for work every 60 seconds. When the server responds with work, the client will download the needed files and try to crack the .cap file.
  4. Progress can be tracked by means of the web interface

Support
If any issue is found, please, report it providing all the needed information to reproduce it. Failing to do so will result in the ticket being closed.
Some additional notes:
  • It is possible to watch server logs by monitoring storage/logs/lumen.log file
  • The database can be regenerated by running this command:
          php artisan migrate:refresh     





Subscribe via e-mail for updates!