You might think that our test key made up of all 1's was simple and fast to crack, but you'd be wrong. We'll step you through what we had to do to finally get a successful crack in order to show some of the options that you may have to use if your cracking efforts come up short.
The first run used the command:
aircrack-ng -b 00:06:25:B2:D4:19 capturefile*.ivs
and yielded the surprising result shown in Figure 11.
Figure 11: aircrack first failed run
You can see that aircrack got the first eight keybytes (out of 13 for a 128-bit WEP key), but not the last five (note that keybyte 12 is not shown). Since we had collected over 2 million IVs, we didn't think that more would help. So we tried raising the "fudge factor" from its default of 2 to 4.
Aircrack uses a combination of statistics and brute force to crack WEP keys. This excerpt from the aircrack page explains:
The idea is to get into the ball park with statistics then use brute force to finish the job. Aircrack-ng uses brute force on likely keys to actually determine the secret WEP key.
This is where the fudge factor comes in. Basically the fudge factor tells aircrack-ng how broadly to brute force. It is like throwing a ball into a field then telling somebody the ball is somewhere between 0 and 10 meters (0 and 30 feet) away. Versus saying the ball is somewhere between 0 and 100 meters (0 and 300 feet) away. The 100 meter scenario will take a lot longer to search than the 10 meter one but you are more likely to find the ball with the broader search. It is a trade-off between the length of time and likelihood of finding the secret WEP key.
For example, if you tell aircrack-ng to use a fudge factor of 2, it takes the votes of the most possible byte, and checks all other possibilities which are at least half as possible as this one on a brute force basis. The larger the fudge factor, the more possibilities aircrack-ng will try on a brute force basis. Keep in mind that as the fudge factor gets larger, the number of secret keys to try goes up tremendously and consequently the elapsed time also increases. Therefore with more available data, the need to brute force, which is very CPU and time intensive, can be minimized.
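To make the fudge-factor trade-off concrete, here is an added illustration (not code from aircrack-ng or from the original article) that applies the candidate-selection rule from the excerpt to constructed vote tables and counts how many full keys the brute-force stage would have to try. The vote numbers, the 4-keybyte toy key and the simplified treatment of the -x option as an exhaustive 256-value search per keybyte are all assumptions, not aircrack-ng's exact internals.

```python
from math import prod

# Constructed vote tables (NOT real aircrack-ng output): one dict per keybyte,
# mapping a candidate byte value to the number of statistical "votes" it got.
# A 4-keybyte toy key stands in for the 13 keybytes of a 128-bit WEP key.
CONSTRUCTED_VOTES = [
    {0x01: 200, 0x7F: 90, 0x3A: 60, 0x10: 40, 0xC2: 20},
    {0x01: 150, 0x2B: 80, 0x99: 70, 0xEE: 30, 0x05: 15},
    {0x01: 120, 0x44: 110, 0x8D: 50, 0x12: 25},
    {0x01: 60, 0xAA: 58, 0x33: 55, 0x77: 40},
]


def candidates(votes, fudge):
    """Byte values with at least (top votes / fudge) votes, best first.

    This is the rule from the excerpt: with fudge factor 2, every byte that
    is at least half as likely as the leader is kept for the brute-force step.
    """
    top = max(votes.values())
    keep = [b for b, v in votes.items() if v * fudge >= top]
    return sorted(keep, key=lambda b: votes[b], reverse=True)


def search_space(all_votes, fudge, brute_last=1):
    """Number of full keys the brute-force stage would have to test.

    Simplified model (an assumption): each keybyte contributes its candidate
    count, except the last `brute_last` keybytes (the -x option), which are
    tried exhaustively, i.e. all 256 values each.
    """
    n = len(all_votes)
    counts = [
        256 if i >= n - brute_last else len(candidates(votes, fudge))
        for i, votes in enumerate(all_votes)
    ]
    return prod(counts)


if __name__ == "__main__":
    # Same progression as the article's runs: fudge 2, 4, 8, then 8 with -x2.
    for fudge, brute_last in [(2, 1), (4, 1), (8, 1), (8, 2)]:
        size = search_space(CONSTRUCTED_VOTES, fudge, brute_last)
        print(f"fudge={fudge} -x{brute_last}: {size:>9,} keys to try")
```

Even on this toy key, going from fudge factor 2 to 8 multiplies the search space sixteenfold, and adding -x2 multiplies it by a further 64; on a real 13-keybyte key the growth compounds across many more positions, which is why the runs in the article took so long.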
The good news was that it got us past the "attack failed" message. The bad news was that it didn't find the key after about 10 minutes.
The second run used the approach of "if a little is good, more is better", and doubled the fudge factor to 8, even though the suggested 30 minutes of aircrack run time hadn't elapsed. That, too, ran for a while, but also failed to nail the key.
The third run combined the fudge factor of 8 with the -x2 option to brute force the last two keybytes instead of just the default of the last keybyte. The command was:
We also tried the PTW attack, to see if it really was that much faster. Figure 12 shows that PTW really does perform as advertised!
Figure 12: aircrack 0.9.1 using the PTW attack
It took airodump-ng under a minute to capture the 38,721 IVs and aircrack-ng 0.9.1 under a minute more to find the key. Aircrack actually found the key almost instantly after startup once it had enough IVs. The 55 seconds shown in Figure 12 came from starting aircrack-ng after only around 5,000 IVs had been captured.
The lesson learned here is that even though it's a bit of a hassle (the whole process takes less than a minute) to download and install aircrack-ng 0.9.1 with the current BT2 release, it's well worth it!