
I have been working on decrypting a WEP .cap file using crunch. It has 1268 IVs. I am wondering:

  1. Can I get a clue from the captured file to speed the process of brute-forcing?

  2. If not, what other ways can I try to decrypt the packet?

It is a captured 802.11 file, consisting of data transmission and a part of de-authentication (not an attack). Needless to say, it has a large part of acknowledgment packets as well. I have used aircrack-ng without a dictionary and what it said was this: "Failed. Next, try with 5000 IVs." Since I do not have access to the source transmitter (it is just a .cap file), all I have is the captured file.

pyDeb
  • If you just want to decrypt the packet, you can try Chopchop, which decrypts a single packet, using CRC-32. – Azteca Aug 19 '19 at 22:57
  • @Azteca I would want to find the password. Is there any luck to find the password using Chopchop? – pyDeb Aug 20 '19 at 14:36
  • Nope, ChopChop only deciphers packets; AFAIK you can't get / generate the key out of clean packets. – Azteca Aug 20 '19 at 18:03

1 Answer


You don't have enough IVs

Plain and simple. Cracking WEP works by statistical analysis, and in order to do that reliably, you will need lots of data.

The aircrack-ng FAQ says:

How many IVs are required to crack WEP?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

What does that mean?

Aircrack actually gave you the correct message. It said that with just barely over 1000 IVs, it can't deduce any information about the WEP key, so it'll try again once you have 5000 IVs, then again when you have 10000 IVs, and so on.

How can I successfully crack the key?

One thing you can do is to generate a lot of traffic. Tools such as aireplay-ng are designed to do just that.

The tool has a number of different attacks, some very specialized, some generally useful. For cracking WEP, the ARP Request Replay Attack and the Cafe Latte Attack are quite useful. Both attacks aim to generate more IVs.

Keep in mind you can have aircrack-ng, airodump-ng and aireplay-ng running all at the same time.

  • Dear @MechMK1, thank you so much for your thorough answer. Unfortunately, I do not have access to the wifi transmitter. All I have is the .cap file. So, I guess I should go for brute-forcing and wait even more :D. – pyDeb Aug 19 '19 at 16:53
  • @pyDeb No, you misunderstand how WEP cracking works. It's a statistical attack, and requires a specific amount of data. Fewer IVs doesn't mean longer cracking time, it means you are fundamentally unable to crack the key. You really need more IVs, and if your capture file doesn't contain any more IVs, then you are out of luck. If you want, you can use [`makeivs-ng`](https://www.aircrack-ng.org/doku.php?id=tools#makeivs-ng) to generate artificial IVs to test the tools you have and get a feel for how much data you need. Play with the `-d` and `-e` parameters for more realistic data. –  Aug 20 '19 at 18:25
  • Thanks again. I'll try makeivs-ng. You've been a huge help! – pyDeb Aug 19 '19 at 20:20
  • @pyDeb You're welcome! Glad to be of help. Keep in mind that `makeivs-ng` creates synthetic data, meaning that they are completely fake and don't help you crack any real key at all. It's really just for test purposes. –  Aug 20 '19 at 12:39
  • Sorry to bother you once again. Without enough IVs, is brute-forcing also out of luck? – pyDeb Aug 20 '19 at 14:38
  • @pyDeb I think it's easier to discuss this in the [chat]. I'm available in the DMZ. –  Aug 20 '19 at 14:42
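
To put the answer's numbers side by side with a capture, the following added example (not part of the original posts and not aircrack-ng code) counts the distinct WEP IVs in a capture file and expresses a count as a fraction of the typical figures in the FAQ quote. It assumes a classic pcap file with link type 105 (raw 802.11, no radiotap header); the function names and the sample capture are constructed for illustration.

```python
import struct

# Typical IV counts from the aircrack-ng FAQ quoted in the answer.
FAQ_TYPICAL_IVS = {"40-bit WEP": 300_000, "104-bit WEP": 1_500_000}

def wep_iv(frame):
    """Return the 3-byte IV of a raw 802.11 WEP data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:  # need data type + Protected bit
        return None
    hdr = 24 + (6 if fc1 & 0x03 == 0x03 else 0)  # 4th address when ToDS+FromDS
    hdr += 2 if fc0 & 0x80 else 0                # QoS control field
    if len(frame) < hdr + 4 or frame[hdr + 3] & 0x20:  # ExtIV bit: TKIP/CCMP
        return None
    return bytes(frame[hdr:hdr + 3])

def unique_ivs(pcap):
    """Distinct WEP IVs in a classic pcap with link type 105 (raw 802.11)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 105:
        raise ValueError("this example only handles link type 105")
    ivs, off = set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        iv = wep_iv(pcap[off + 16:off + 16 + incl])
        if iv is not None:
            ivs.add(iv)
        off += 16 + incl
    return ivs

def coverage(count):
    """Fraction of each FAQ typical figure that `count` unique IVs represents."""
    return {name: count / need for name, need in FAQ_TYPICAL_IVS.items()}

def _frame(iv, protected=True, keyid=0x00):  # constructed test frame, ToDS data
    return bytes([0x08, 0x41 if protected else 0x01]) + bytes(22) + iv + bytes([keyid]) + bytes(8)

def _pcap(frames):  # constructed little-endian pcap, link type 105
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture: two distinct WEP IVs, one repeat, one cleartext, one ExtIV frame.
SAMPLE = _pcap([_frame(b"\x00\x00\x01"), _frame(b"\x00\x00\x02"), _frame(b"\x00\x00\x01"),
                _frame(b"\x00\x00\x03", protected=False), _frame(b"\x00\x00\x04", keyid=0x20)])
```

`coverage(1268)`, using the count from the question, comes to roughly 0.4% of the FAQ's typical figure for 40-bit WEP.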