I was playing around with my wireless network earlier today and realized I didn’t have the key written down nearby where I was working. Rather than expending the effort of getting up and moving, I decided I’d just crack it.
After starting up airodump-ng, I was looking at aircrack-ng’s man page, trying to decide which options would make it crack most effectively. After browsing the man page for half an hour or so, I decided that they should be run in a certain order for best effect. Still being lazy, I began to script this up. I added some ‘fluff’ and called it crackIt.
crackIt uses 20 different permutations of aircrack-ng. These configurations are run in order, from the fastest, most targeted, least reliable methods to the slow, broad, sure-fire ones. I chose to order it this way because in my experience, the targeted, least reliable method is effective in a large number of cases.
crackIt begins using aircrack’s standard configuration with the fudge factor lowered to 1. The fudge factor is used to determine how many votes should be required for a key to be ‘valid’. The largest number of votes for each key byte (the value in parentheses in the leftmost position) is divided by the fudge factor. The result is the minimum number of votes required to be ‘valid.’ By reducing this to one, we provide a very targeted, quick method of attack. This method is prone to false positives or to failing.
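The vote threshold described above, worked through as an added example (not code from crackIt or aircrack-ng). It is a simplified model: the vote tables and the key are constructed sample values, and treating a candidate as ‘valid’ when its votes are greater than or equal to the threshold is an assumption.

```python
from math import prod

# Constructed sample data: for each key byte position, candidate value -> votes.
VOTES = [
    {0xA1: 50, 0x3C: 30, 0x77: 24, 0x10: 12},
    {0x5F: 40, 0x22: 38, 0x9B: 21, 0x04: 5},
    {0xE0: 64, 0x11: 31, 0xC4: 15},
]

# Constructed "real" key: its second byte is only the runner-up in the votes.
TRUE_KEY = (0xA1, 0x22, 0xE0)


def candidates(votes, fudge):
    """Candidates whose votes reach (highest vote count / fudge), best first."""
    threshold = max(votes.values()) / fudge
    kept = [byte for byte, count in votes.items() if count >= threshold]
    return sorted(kept, key=lambda byte: -votes[byte])


def search_space(table, fudge):
    """Number of full keys to test: product of surviving candidates per byte."""
    return prod(len(candidates(votes, fudge)) for votes in table)


def covers(table, fudge, key):
    """True if every byte of `key` survives the threshold at its position."""
    return all(b in candidates(votes, fudge) for votes, b in zip(table, key))


if __name__ == "__main__":
    for fudge in (1, 2):
        print(
            f"fudge={fudge}: {search_space(VOTES, fudge)} key(s) to test, "
            f"true key reachable: {covers(VOTES, fudge, TRUE_KEY)}"
        )
```

With a fudge factor of 1 only the top-voted value of each byte survives, so the search is a single key and fails as soon as one byte of the real key is a runner-up; a fudge factor of 2 widens the search enough to include it.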
Next, crackIt uses the standard configuration of aircrack, raising the fudge factor back to the default 2. It then moves onward to try again with each of the 17 Korek attacks omitted. The Korek attacks are prone to large numbers of false positives. In the event both the fast-crack and default modes in aircrack fail, odds are good that one of these is to blame.
Finally, crackIt uses “an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.” aircrack won’t even let you run this method without 780,000 IVs. If you’ve left airodump-ng running, by the time it gets to this mode, we should have at least that.
Technical details, usage, and future plans can be found in the fully commented code here.