I've been trying out the new PTW attack and so far have had very good success - cracking 128-bit with as little as 45,000 keys.
Yesterday though I encountered a key that would not be cracked with as many as 550,000 IVs. I finally gave up, remembering that PTW had claims such as 99% success at something like 150,000 IVs.
Today I tried that same AP again, generating new IVs and appending them to my original cap and loading up aircrack again. Same problem, I got up to about 800,000 IVs and nothing was happening. Then, I ran aircrack-ng again on just the IVs I had gathered today instead of including the 550,000 from the other day, and boom, instant crack.
What could it be about those original IVs that prevent PTW from cracking the key when included with the new ones?
Another thing you need to mention is what version of Aircrack you are using.
Sure.
I am using the dev version of aircrack-ng 1.0.dev.svn.653 that I downloaded here: slax.org/modules.php?id=1015
Converted it to an LZM and loaded into backtrack using uselivemod
Capturing and injection went something like the following:
Code:
airodump-ng -w foo --bssid xx:xx:xx:xx:xx:xx --channel x ath0
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx ath0
Originally ran aircrack with both cap files (the one from the other day and the one I was currently gathering):
Code:
aircrack-ng foo*cap
No luck, then used it with just the latest cap, and it cracked instantly:
Code:
aircrack-ng foo-x-x-x.cap
Because I didn't install it, I'm running the live cd. One command to use the dev version seemed easier enough to me.
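The airodump/aireplay capture above is also what a defender's monitor-mode sensor would see during an ARP replay: one client frame repeated thousands of times with the same WEP IV, while the AP answers each one with a fresh IV. The parser below is an added example, not code from the thread or from aircrack-ng; it counts unique versus total IVs per transmitter and flags a heavily repeated IV as suspected replay. It assumes raw 802.11 data frames without a radiotap header and no 4-address (WDS) frames; the sample frames are constructed inline.

```python
from collections import Counter, defaultdict

def wep_iv(frame):
    """Return (transmitter, iv_hex) for a protected 802.11 data frame, else None.
    Assumes raw 802.11 frames (no radiotap) that are not 4-address WDS frames."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:   # not a data frame / Protected bit clear
        return None
    if fc1 & 0x03 == 0x03:                         # ToDS+FromDS: 4-address frame, skip
        return None
    transmitter = frame[10:16].hex(":")            # addr2 is always the transmitter
    iv = frame[24:27].hex()                        # the 24-bit WEP IV heads the body
    return transmitter, iv

def iv_stats(frames, replay_threshold=50):
    """Per-transmitter frame/IV counts; a single IV seen >= threshold times is flagged."""
    per_tx = defaultdict(Counter)
    for f in frames:
        parsed = wep_iv(f)
        if parsed:
            per_tx[parsed[0]][parsed[1]] += 1
    report = {}
    for tx, ivs in per_tx.items():
        top_iv, top_n = ivs.most_common(1)[0]
        report[tx] = {"frames": sum(ivs.values()), "unique_ivs": len(ivs),
                      "top_iv": top_iv, "top_iv_count": top_n,
                      "replay_suspected": top_n >= replay_threshold}
    return report

def make_frame(transmitter, bssid, iv, to_ds=True, body_len=36):
    """Constructed WEP data frame (header + IV + key-id byte + dummy body) for testing."""
    fc = bytes([0x08, 0x41 if to_ds else 0x42])    # data frame, Protected bit, ToDS/FromDS
    addrs = (bssid + transmitter + b"\xff" * 6) if to_ds else (b"\xff" * 6 + transmitter + bssid)
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + iv + b"\x00" + b"\x00" * body_len

CLIENT, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
# Constructed sample: one client frame replayed 200 times (same IV, as an ARP replay
# produces) and 200 AP frames that each carry a fresh IV.
SAMPLE = [make_frame(CLIENT, AP, b"\x01\x02\x03")] * 200 + \
         [make_frame(AP, AP, i.to_bytes(3, "big"), to_ds=False) for i in range(200)]

if __name__ == "__main__":
    for tx, s in iv_stats(SAMPLE).items():
        print(tx, s)
```

The unique-IV count is the figure that matters for key recovery statistics, so a capture padded with replayed duplicates looks much larger than it is in IV terms.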
I'm really not sure what you are trying to tell me. What other information should I provide? It really didn't take many more commands than that. I had the BSSID of the AP and the MAC of a client written down already. I used Kismet to find them earlier in the week. Other than that, not much else to the attack. Inject traffic, capture it with airodump, crack it. I'm just confused as to why PTW seemed thrown off by those other IVs, almost as if they were misleading it.
You are asking us our opinion on why something is happening.
If you only give us half of the information, you can only expect to get an assumption.
The point about the aircrack module stuff is that you have used as many commands, and the same amount of time, to get it from someone you don't know that has done it correctly, when you could have made it yourself, and know that it was done right.
In essence you are using an untrusted source, and a non-recommended method, when diagnosing a possible problem.
A simple "I don't know why that's happening" would have sufficed, rather than criticizing the way I chose to install aircrack and going off on a tangent.
No criticism there at all, except that you are not giving anyone anything to have a chance at seeing if there is a problem with what you did or not.
There are plenty of possible answers, but without information, they would only be speculation.
Or would you prefer me to say to work it out for yourself?
I gave you all the commands I ran, the exact version of aircrack I was running... you didn't ask specifically for anything else, just kept telling me how I'm not giving enough information.
What else is needed to diagnose the problem? It's on a Toshiba P105-9722 laptop with a Ubiquiti SRC card running BackTrack 2 Final as a live CD... I don't know what else I could provide..
Only difference between what I posted and what I actually did was specifics about the client that I'm not going to post on the forum (like the real MAC addresses and file prefixes), but those should be irrelevant.