Massaging the Crack

You might think that our test key, consisting of all 1's, would be simple and fast to crack, but you'd be wrong. We'll step you through what we had to do to finally get a successful crack, in order to show some of the options you may have to use if your cracking efforts come up short.

The first run used the command:

aircrack-ng -b 00:06:25:B2:D4:19 capturefile*.ivs

and yielded the surprising result shown in Figure 11.


Figure 11: aircrack first failed run

You can see that aircrack got the first eight keybytes (out of 13 for a 128-bit WEP key), but not the last five (note that keybyte 12 is not shown). Since we had collected over 2 million IVs, we didn't think that more would help. So we tried raising the "fudge factor" from its default of 2 to 4.

Aircrack uses a combination of statistics and brute force to crack WEP keys. This excerpt from the aircrack page explains:

The idea is to get into the ball park with statistics then use brute force to finish the job. Aircrack-ng uses brute force on likely keys to actually determine the secret WEP key.

This is where the fudge factor comes in. Basically the fudge factor tells aircrack-ng how broadly to brute force. It is like throwing a ball into a field then telling somebody the ball is somewhere between 0 and 10 meters (0 and 30 feet) away. Versus saying the ball is somewhere between 0 and 100 meters (0 and 300 feet) away. The 100 meter scenario will take a lot longer to search than the 10 meter one but you are more likely to find the ball with the broader search. It is a trade off between the length of time and likelihood of finding the secret WEP key.

For example, if you tell aircrack-ng to use a fudge factor of 2, it takes the votes of the most possible byte, and checks all other possibilities which are at least half as possible as this one on a brute force basis. The larger the fudge factor, the more possibilities aircrack-ng will try on a brute force basis. Keep in mind that as the fudge factor gets larger, the number of secret keys to try goes up tremendously and consequently the elapsed time also increases. Therefore with more available data, the need to brute force, which is very CPU and time intensive, can be minimized.
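To make the quoted rule concrete, here is an added illustration (not aircrack-ng's own code) of how the fudge factor widens the candidate set for each keybyte and why the total number of keys to try grows so quickly. The vote tables are constructed for this example; in the real tool they come from the statistical analysis of captured IVs. The threshold rule follows the excerpt above (a candidate is kept if it has at least top_votes / fudge votes), which is a simplification of what aircrack-ng actually does internally.

```python
from itertools import product

# Constructed vote tables for three uncertain keybytes: candidate byte value -> votes.
# These numbers are made up for illustration; they are not from any real capture.
VOTE_TABLES = [
    {0x11: 100, 0x23: 60, 0x45: 40, 0x67: 20, 0x89: 10},
    {0x11: 80, 0xAA: 75, 0xBB: 30, 0xCC: 9},
    {0x11: 50, 0x01: 26, 0x02: 24, 0x03: 12, 0x04: 6},
]


def candidates_for_byte(votes: dict, fudge: int) -> list:
    """Return candidate values for one keybyte, most-voted first.

    A candidate survives if it has at least (top votes / fudge) votes, which is the
    "at least half as possible" rule from the excerpt when fudge == 2.
    """
    top = max(votes.values())
    threshold = top / fudge
    kept = [value for value, n in votes.items() if n >= threshold]
    return sorted(kept, key=lambda value: (-votes[value], value))


def search_space(vote_tables: list, fudge: int) -> int:
    """Number of key combinations the brute-force phase would have to test."""
    size = 1
    for votes in vote_tables:
        size *= len(candidates_for_byte(votes, fudge))
    return size


def candidate_keys(vote_tables: list, fudge: int) -> list:
    """Enumerate every combination of surviving candidates (the brute-force list)."""
    per_byte = [candidates_for_byte(votes, fudge) for votes in vote_tables]
    return list(product(*per_byte))


if __name__ == "__main__":
    for fudge in (2, 4, 8):
        print(f"fudge factor {fudge}: {search_space(VOTE_TABLES, fudge)} combinations")
```

Even with only three uncertain keybytes and tiny vote tables, going from the default fudge factor of 2 to 8 multiplies the brute-force work several times over; with the five uncertain keybytes from the failed run in Figure 11 the growth is correspondingly steeper, which is why the excerpt recommends collecting more IVs before reaching for a larger fudge factor.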

The command with fudge factor of 4 added was:

aircrack-ng -f 4 -b 00:06:25:B2:D4:19 capturefile*.ivs

The good news was that it got us past the "attack failed" message. The bad news was that it didn't find the key after about 10 minutes.

The second run used the approach of "if a little is good, more is better", and doubled the fudge factor to 8, even though the suggested 30 minutes of aircrack run time hadn't elapsed. That, too, ran for a while, but also failed to nail the key.

The third run combined the fudge factor of 8 with the -x2 option to brute force the last two keybytes instead of just the default of the last keybyte only. The command was:

aircrack-ng -f 8 -x2 -b 00:06:25:B2:D4:19 capturefile*.ivs

and was actually the command line used to get the successful run shown in Figure 10.

All of the above tricks came from the "General approach to cracking WEP keys" section of the aircrack-ng Usage Tips, which you definitely should visit if you find yourself unable to crack a key even with the suggested number of IVs.

We also tried the PTW attack, to see if it really was that much faster. Figure 12 shows that PTW really does perform as advertised!


Figure 12: aircrack 0.9.1 using the PTW attack

It took airodump-ng under a minute to capture the 38,721 IVs and aircrack-ng 0.9.1 under a minute more to find the key. Aircrack actually found the key almost instantly after startup once it had enough IVs. The 55 seconds shown in Figure 12 came from starting aircrack-ng after only around 5,000 IVs had been captured.

The lesson learned here is that even though it's a bit of a hassle (the whole process takes less than a minute) to download and install aircrack-ng 0.9.1 on top of the current BT2 release, it's well worth it!
