Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Massaging the Crack

You might think that our test key comprised of all 1's was simple and fast to crack, but you'd be wrong. We'll step you through what we had to do to finally get a successful crack in order to show some of the options that you may have to use if your cracking efforts come up short.

The first run used the command:

aircrack-ng -b 00:06:25:B2:D4:19 capturefile*.ivs

and yielded the surprising result shown in Figure 11.

aircrack first failed run
Click to enlarge image

Figure 11: aircrack first failed run

You can see that aircrack got the first eight keybytes (out of 13 for a 128 bit WEP key), but not the last five (note that keybyte 12 is not shown). Since we had collected over 2 million IVs, we didn't think that more would help. So we tried raising the "fudge factor" from its default of 2 to 4.

Aircrack uses a combination of statistics and brute force to crack WEP keys. This excerpt from the aircrack page explains:

The idea is to get into the ball park with statistics then use brute force to finish the job. Aircrack-ng uses brute force on likely keys to actually determine the secret WEP key.

This is where the fudge factor comes in. Basically the fudge factor tells aircrack-ng how broadly to brute force. It is like throwing a ball into a field then telling somebody to ball is somewhere between 0 and 10 meters (0 and 30 feet) away. Versus saying the ball is somewhere between 0 and 100 meters (0 and 300 feet) away. The 100 meter scenario will take a lot longer to search then the 10 meter one but you are more likely to find the ball with the broader search. It is a trade off between the length of time and likelihood of finding the secret WEP key.

For example, if you tell aircrack-ng to use a fudge factor 2, it takes the votes of the most possible byte, and checks all other possibilities which are at least half as possible as this one on a brute force basis. The larger the fudge factor, the more possibilities aircrack-ng will try on a brute force basis. Keep in mind, that as the fudge factor gets larger, the number of secret keys to try goes up tremendously and consequently the elapsed time also increases. Therefore with more available data, the need to brute force, which is very CPU and time intensive, can be minimized.

The command with fudge factor of 4 added was:

aircrack-ng -f 4 -b 00:06:25:B2:D4:19 capturefile*.ivs

The good news was that it got us past the "attack failed" message. The bad was that it didn't find the key after about 10 minutes.

The second run used the approach of "if a little is good, more is better", and doubled the fudge factor to 8, even though the suggested 30 minutes of aircrack run hadn't elapsed. That, too, ran for awhile, but also failed to nail the key.

The third run combined the fudge factor of 8 with the -x2 option to brute force the last two keybytes instead of just the default of the last keybyte. The command was:

aircrack-ng -f 8 -x2 -b 00:06:25:B2:D4:19 capturefile*.ivs

and was actually the command line used to get the successful run shown in Figure 10.

All of the above tricks came from the aircrack-ng Usage Tips:General approach to cracking WEP keys section, which you definitely should visit if you find yourself unable to crack a key even having the suggested number of IVs.

We also tried the PTW attack, to see if it really was that much faster. Figure 12 shows that PTW really does perform as advertised!

aircrack first failed run
Click to enlarge image

Figure 12: aircrack 0.9.1 using the PTW attack

It took airodump-ng under a minute to capture the 38,721 IVs and aircrack-ng 0.9.1 under a minute more to find the key. Aircrack actually found the key almost instantly after startup once it had enough IVs. The 55 seconds shown in Figure 12 came from starting aircrack-ng after only around 5,000 IVs had been captured.

The lesson learned here is that even though it's a bit of a hassle (the whole process takes less than a minute) to download and install aircrack-ng 0.9.1 with the current BT2 release, it's well worth it!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2