Cain's Wireless Scanner detects Wireless Local Area Networks (WLANs) using 802.11x.

Active Scanner

Unlike other wireless applications it does not use the Windows NDIS User Mode I/O Protocol (NDISUIO) but the Winpcap Packet Driver to control the wireless network card. Access points and ah-hoc networks are enumerated using  802.11 OIDs from  Windows DDK at intervals of five seconds and WLANs parameters (MAC address, SSID, Vendor, WEP Encryption, Channels.... ) are displayed in the scanner list.


How Active Scanner works

The active scanner opens the wireless network adapter using the Winpcap protocol driver then it uses the "PacketRequest" function of the same driver to communicate with the wireless network card. This API can be used from the Windows User Mode to perform a query/set operation on an internal variable of the network card driver.


BOOL PacketRequest ( LPADAPTER AdapterObject, BOOL Set, PPACKET_OID_DATA OidData);


...from Winpcap documentation

not all the network adapters implement all the query/set functions. There is a set of mandatory OID functions that is granted to be present on all the adapters, and a set of facultative functions, not provided by all the cards (see the Microsoft DDKs to see which functions are mandatory). If you use a facultative function, be careful to enclose it in an if statement to check the result.


Windows DDK provides a set of mandatory WLAN OIDs that should be supported by all Miniport drivers for IEEE 802.11; they are all defined in "ntddndis.h" file (from Windows XP SP1 DDK) and documented here.


The scan command is sent to the wireless card using the OID_802_11_BSSID_LIST_SCAN and the following function:


BOOL Packet_802_11_SetScanAP(LPADAPTER pAdapter)


BOOL Status = FALSE;



int len = sizeof(*pOidData);

len += sizeof(UINT);


pOidData = (PPACKET_OID_DATA) calloc(len, sizeof(char));

pOidData->Oid = OID_802_11_BSSID_LIST_SCAN;

pOidData->Length = sizeof(UINT);


Status = PacketRequest(pAdapter,TRUE,pOidData); //Set

free (pOidData);

return Status;


Passive Scanner

The passive scanner requires the AirPcap adapter from CACE Technologies which enables the raw capture of 802.11 frames by mean of its AirPcap drivers. The scanner recognize wireless Access Points (upper list) and clients (lower list) decoding 802.11b/g packets that travels on the air in a completely passive way. The "Channel Hopping" feature changes the frequency of the adapter every second and let you discover wireless networks on different channels.


When the "Dump WEP IVs" checkbox is checked, Cain collects unique WEP initialization vectors (IVs) in the "dump.ivs" file placed in the program's directory. WEP IVs are needed for cracking WEP encryption keys used in wireless protected networks.



Cain also support automatic ARP Requests injection (to speed up the collection of unique WEP IVs) and the capture of WPA-PSK authentication hashes. WEP injection is possible with specific Airpcap TX drivers only that can be obtained from CACE Technologies; you can check transmission enabled channels in the Airpcap driver information frame.


The WEP IVs dump file is compatible with those created by Aircrack-ng software. It can be opened immediately, using the "Analyze", button or saved for later analysis.


The above dialog lets you start Korek's Attack on WEP Keys; accordingly to Aircrack's documentation the minimum number of unique WEP IVs needed to successfully crack a WEP Key using the Korek's Attack is: 250.000 for  64-bit WEP keys and 1.000.000 or more for 128-bit keys.


You should be able to crack a 128-bit WEP key with 70.000 PTW IVs and the new PTW attack.


This feature requires a Windows compatible wireless network interface and the Winpcap protocol driver. The Passive Scan feature requires the AirPcap adapter and drivers from CACE Technologies.


Choose the wireless adapter from the list and press the "Active Scan" or  "Passive Scan" button.