"We were able to
extend Klein's attack and optimize it for usage against WEP. Using our version,
it is possible to recover a 104 bit WEP key with probability 50% using just
40,000 captured packets. For 60,000 available data packets, the success
probability is about 80% and for 85,000 data packets about 95%. Using active
techniques like deauth and ARP re-injection, 40,000 packets can be captured in
less than one minute under good conditions." -www.cdc.informatik.tu-darmstadt.de
aircrack-ptw is a proof-of-concept tool to be used together with the
aircrack-ng tool suite (it replaces the aircrack-ng component to speed up
WEP cracking).
The following installation process assumes you have a build similar to the
one in the Auditing Laptop Build: HOWTO.
stable code (currently aircrack-ptw-1.0.0.tar.gz) from
Install libpcap0.8-dev: apt-get install libpcap0.8-dev
Fedora Core: edit the makefile and move the -lpcap switch to the end of both
gcc lines.
POINTS TO NOTE:
aircrack-ptw requires the Aircrack-ng suite of tools for ARP re-injection
(aireplay-ng) and data capture (airodump-ng).
When capturing with airodump-ng, do not use the --ivs parameter.
Aircrack-ptw currently only works
with ARP requests and ARP responses e.g. ARP re-injection carried out
with aireplay. It does not work with arbitrary data e.g. file
If no ARP requests are captured, it may be necessary to deauth a network
client, forcing the client to generate an ARP request.
Collect between the
recommended 40,000 and 85,000+ data packets.
Once 40,000 data packets have been collected, aircrack-ptw can be run against
the resultant data file (failed attempt below).
You can carry on collecting data packets whilst running aircrack-ptw against
the capture file. The aircrack-ptw crack took approximately 50,000 data
packets; however, the number of data packets required will vary.
It took less than
2 minutes to capture the 50,000 data packets and obtain the WEP key:
This scenario was conducted in a lab environment under ideal conditions;
expect the process to take a little longer in reality.
Receiving the error on compilation:
/tmp/ccOUnQRV.o: In function 'main':
undefined reference to 'pcap_open_offline'
undefined reference to 'pcap_datalink'
undefined reference to 'pcap_next_ex'
collect2: ld returned 1 exit status
make: *** [aircrack-ptw] Error 1
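Fix: move the -lpcap switch to the end of both gcc lines. The linker resolves
libraries in command-line order, so -lpcap has to come after the files that
call the pcap functions.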