Introduction
airolib-ng is a powerful tool within the Aircrack-ng suite designed to manage and use Pre-computed Master Key (PMK) databases. When attempting to crack a WPA/WPA2 handshake, the most time-consuming part is calculating the PMK from a potential passphrase and the network's name (ESSID).
By pre-calculating these PMKs for a list of common passphrases and network names and storing them in a database, you can dramatically accelerate the cracking process. Instead of performing the heavy computation for each password during the attack, aircrack-ng can simply look up the PMK in the database.
In this lab, you will learn the fundamental operations of airolib-ng to create and populate a PMK database.
Understand the Concept of a Pre-computed Master Key Database
In this step, we will cover the theory behind PMK databases before we start using airolib-ng. There are no commands to execute in this step.
The security of WPA/WPA2 networks relies on a four-way handshake that uses a Pairwise Master Key (PMK) to encrypt traffic. This PMK is derived from the network's password (passphrase) and its name (ESSID). The formula is:
PMK = PBKDF2(passphrase, SSID, 4096 iterations, 256-bit output)
When you try to crack a captured WPA/WPA2 handshake using a tool like aircrack-ng and a wordlist, the tool performs this calculation for every single password in your list. The 4096 iterations make this process computationally expensive and slow.
This is where airolib-ng comes in. It allows you to perform this heavy lifting in advance. You can take a list of common ESSIDs and a large wordlist of passphrases and pre-compute all the resulting PMKs. These PMKs are then stored in an efficient SQLite database.
When it's time to crack a handshake, aircrack-ng can use this database. Instead of calculating the PMK for each password, it calculates it once from the captured handshake's ESSID and the password from the wordlist, and then looks up the result in your pre-computed database. This lookup is thousands of times faster than the full calculation, drastically reducing cracking time.
In the following steps, you will create such a database, populate it with an ESSID and passwords, and verify its integrity.
Create a New SQLite Database with airolib-ng --new
In this step, you will create a new, empty SQLite database that will store our PMKs. All our work will be done in the ~/project directory.
We use the airolib-ng command followed by the desired database name and the --new flag. This flag tells airolib-ng to initialize a new database file.
Let's create a database named pmk_db. Execute the following command in your terminal:
airolib-ng pmk_db --new
The tool will create the pmk_db file in your current directory (~/project) and set up the necessary tables inside it. You should see output confirming the creation and initialization of the database.
Expected output:
Database 'pmk_db' created.
Wrote 1 ESSIDs and 0 PMKs.
You can verify that the file has been created using the ls command:
ls -l pmk_db
Expected output:
-rw-r--r-- 1 labex labex 8192 May 20 10:30 pmk_db
Import a Single ESSID into the Database using --import essid
In this step, you will add a network name (ESSID) to your newly created database. The database needs to know which ESSIDs you want to pre-compute PMKs for.
We will use the --import essid option. This option can take a single ESSID as an argument from the command line or a list of ESSIDs from a file. For this lab, we will import a single ESSID named MyHomeWiFi.
Run the following command to import the ESSID into your pmk_db database:
airolib-ng pmk_db --import essid MyHomeWiFi
You will see output indicating that the database is being read and that one ESSID has been written.
Expected output:
Reading file...
Wrote 1 ESSIDs and 0 PMKs.
Done.
Now your database is aware of the MyHomeWiFi network and is ready to store PMKs associated with it.
Import a Wordlist to Compute PMKs for that ESSID
In this step, you will import a list of passwords (a wordlist) and have airolib-ng compute the PMKs for the ESSID we imported in the previous step.
The setup script for this lab has already created a small wordlist file for you named wordlist.txt in the ~/project directory. We will use the --import pwd option to read this file. For each password in wordlist.txt, airolib-ng will calculate the PMK for the MyHomeWiFi ESSID and store the result in the database.
Execute the following command:
airolib-ng pmk_db --import pwd wordlist.txt
The tool will read the passwords from the file and compute the PMKs. Our wordlist.txt contains 4 passwords, and we have 1 ESSID in the database, so it will compute and store 4 PMKs.
Expected output:
Reading file...
Wrote 0 ESSIDs and 4 PMKs.
Done.
Your database now contains the pre-computed keys for the MyHomeWiFi network for every password in wordlist.txt.
Run a Batch Operation to Verify Database Integrity
In this step, you will learn how to verify the contents of your database and compute any missing PMK pairs. This is a crucial maintenance step, especially for large databases.
The --batch option performs a comprehensive operation. It finds all pairwise combinations of ESSIDs and passwords in the database and computes the PMK for any pair that doesn't have one yet. It also serves as a way to verify the integrity of existing PMKs by re-calculating and comparing them.
Run the batch command on your pmk_db database:
airolib-ng pmk_db --batch
Since we just computed all possible pairs in the previous step (1 ESSID x 4 passwords), the command will find that no new PMKs need to be computed. It will simply verify the existing ones.
Expected output:
All PMKs have been computed for all ESSIDs.
Nothing to do.
If you were to add a new ESSID or a new wordlist, running the --batch command would be the most efficient way to update the database with all the new PMK combinations.
Summary
Congratulations! You have successfully created and managed a Pre-computed Master Key (PMK) database using airolib-ng.
In this lab, you have learned how to:
- Understand the concept and benefit of a PMK database for accelerating WPA/WPA2 cracking.
- Create a new, empty database using
airolib-ng --new. - Import a network name into the database using
airolib-ng --import essid. - Import a wordlist and compute the corresponding PMKs using
airolib-ng --import pwd. - Run a batch operation to verify and update the database using
airolib-ng --batch.
With this knowledge, you can now build larger, more comprehensive PMK databases to significantly speed up your WPA/WPA2 security assessments. The created database pmk_db could be used with aircrack-ng like this: aircrack-ng -r pmk_db your_capture_file.cap.



