Project Homepage:

Local mirror: aircrack-ptw-1.0.0.tar.gz  MD5: 1d7d84d1e69189bc1397db3f565c183a









The Attack:


"We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions."


aircrack-ptw is a proof-of-concept tool to be utilised together with the aircrack-ng tool suite (essentially it replaces the aircrack-ng cracking component to speed up WEP key recovery).



Installing aircrack-ptw:


The following installation process assumes you have a build similar to the Auditing Laptop Build: HOWTO


Download latest stable code (currently aircrack-ptw-1.0.0.tar.gz) from to /tools/wifi



cd /tools/wifi


tar zxvf aircrack-ptw-[version].tar.gz


cd aircrack-ptw-[version]


Debian/Ubuntu only: install libpcap0.8-dev:

apt-get install libpcap0.8-dev


Fedora Core: edit the Makefile and move the -lpcap switch to the end of both gcc lines (see Troubleshooting Install below).





Running aircrack-ptw:





  1. Aircrack-ptw requires the Aircrack-ng suite of tools for ARP re-injection (aireplay-ng) and data capture (airodump-ng).

  2. When starting airodump-ng do not use the --ivs parameter (the attack needs the full captured packets, not just the IVs).

  3. Aircrack-ptw currently only works with ARP requests and ARP responses, i.e. the traffic produced by ARP re-injection with aireplay-ng. It does not work with arbitrary data, e.g. file downloads.

Step 1:


Start airodump-ng:



Step 2:


Start aireplay-ng:




Step 3:


If no ARP requests are captured it may be necessary to deauth a network client, forcing the client to generate an ARP request.




Step 4:


Collect between the recommended 40,000 and 85,000+ data packets.



Step 5:


Once 40,000 data packets have been collected, aircrack-ptw can be run against the resulting capture file (failed attempt below).



Step 6:


You can carry on collecting data packets whilst running aircrack-ptw against the capture file.



The successful aircrack-ptw crack took approximately 50,000 data packets; however, the number of data packets required will obviously vary.


It took less than 2 minutes to capture the 50,000 data packets and obtain the WEP key: 866578388517be0b4818a0db1


This scenario was conducted in a lab environment under ideal conditions; expect the process to take a little longer in reality.



Troubleshooting Install:


If you receive the following error on compilation:

/tmp/ccOUnQRV.o: In function 'main':
aircrack-ptw.c:(.text+0x9e): undefined reference to 'pcap_open_offline'
aircrack-ptw.c:(.text+0xb2): undefined reference to 'pcap_datalink'
aircrack-ptw.c:(.text+0xee): undefined reference to 'pcap_next_ex'
collect2: ld returned 1 exit status
make: *** [aircrack-ptw] Error 1

Fix: edit the Makefile and move the -lpcap switch to the end of both gcc lines. The linker resolves symbols from a static library (or from a shared library when linking with --as-needed) only for object files that precede it on the command line, so -lpcap must come after aircrack-ptw.c.


