Hi all,
I encountered a problem with performing the WEP SKA (Shared Key Authentication) attack using the aircrack-ng suite. Every time I try to capture the SKA, the header of airodump-ng shows me:
Code:
CH 1 ][ Elapsed: 32 s ][ 2010-06-30 11:59 ][ Broken SKA: 00:0E:XX:XX:XX:XX
And no .xor file is generated, which airodump-ng should do after capturing a successful SKA.
The de-authentication of the client works fine, the client gets disconnected and reconnects successfully after it. Also all of the other attacks with aireplay-ng work fine as well as WPA handshake capturing and aireplay -9 does not show any problems.
Here is the list of the things I tried to resolve this problem:
Tried different access points:
- WRT54G v2
- ASUS WL300G
Tried different network cards to capture:
- Comfast CWUSB-500HG USB - Realtek 8187 Chipset
- Acer Aspire One internal card - Atheros chipset
Tried different network card drivers:
- rtl8187/mac80211
- r8187
- ath5k
Tried different client hardware and network cards:
- Apple MacBook Pro - OUI 00:22:41 - Apple, Inc
- Acer Aspire One - OUI 00:22:69 - Hon Hai Precision Ind. Co., Ltd.
Tried different client OS:
- Windows XP
- Windows 7
Tried different BackTrack versions:
- BackTrack 4 Final VMware - Fresh install
- BackTrack 4 Final VMware - Fully upgraded (apt-get update && apt-get update && apt-get dist-upgrade)
- BackTrack 4 Final HDD install
Tried different aircrack-ng versions:
- 1.0 (included in BackTrack 4)
- 1.1 (downloaded from aircrack website)
Tried active and passive attacks on capturing the SKA.
None of the approaches above changed anything; the message is always "Broken SKA".
I have been searching quite a lot on this problem and I found some people encountering the same problems, but no solution is provided anywhere.
One of the most useful links I found is someone else with the same problem: Wifu Aireplay-ng SKA attack problem with Linksys WAP54G
And a ticket on the aircrack site: #703 (Airodump-ng reports broken SKA even if the AP accept it and does not create a xor file)
However, both of them also do not solve anything. So, my question is, does anyone have any idea why this attack fails and what a possible solution would be?
Just to make it clear: Yes, I own all the hardware myself, and I am currently doing the WiFu course.