To give some background, I have successfully cracked WEP Open, WPA, and WPS, but I seem to be a noob when it comes to WEP SKA.
The problem I am encountering is when I capture the auth packet.
In airodump-ng, once the client authenticates I receive "Broken SKA" instead of "handshake captured".
I looked it up and it said that to prevent broken SKA packets you should spoof the client MAC address.
I have done that and am still receiving "Broken SKA". I'm including output from airodump-ng and ifconfig.
airodump-ng -c 1 --bssid 00:21:2F:39:C4:0C -w keyfile mon0:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="airodump-ng-1.0" start-time="Sun Apr 1 18:48:38 2012">
<wireless-network number="1" type="infrastructure" first-time="Sun Apr 1 18:48:38 2012" last-time="Sun Apr 1 18:53:17 2012">
<SSID first-time="Sun Apr 1 18:48:38 2012" last-time="Sun Apr 1 18:53:17 2012">
<type>Beacon</type>
<max-rate>54.000000</max-rate>
<packets>2498</packets>
<beaconrate>10</beaconrate>
<encryption>WEP </encryption>
<essid cloaked="false">airlink101</essid>
</SSID>
<BSSID>00:21:2F:39:C4:0C</BSSID>
<manuf>Phoebe Micro Inc.</manuf>
<channel>1</channel>
<freqmhz>2412 6034</freqmhz>
<maxseenrate>54000</maxseenrate>
<packets>
<LLC>2498</LLC>
<data>760</data>
<crypt>0</crypt>
<total>6034</total>
<fragments>0</fragments>
<retries>0</retries>
</packets>
<datasize>0</datasize>
<wireless-client number="1" type="established" first-time="Sun Apr 1 18:48:42 2012" last-time="Sun Apr 1 18:53:11 2012">
<client-mac>E0:B9:BA:5B:44:E0</client-mac>
<client-manuf>Apple, Inc.</client-manuf>
<channel>1</channel>
<maxseenrate>54.000000</maxseenrate>
<packets>
<LLC>0</LLC>
<data>0</data>
<crypt>0</crypt>
<total>821</total>
<fragments>0</fragments>
<retries>0</retries>
</packets>
<snr-info>
<last_signal_dbm>-23</last_signal_dbm>
<last_noise_dbm>0</last_noise_dbm>
<last_signal_rssi>-23</last_signal_rssi>
<last_noise_rssi>0</last_noise_rssi>
<min_signal_dbm>-23</min_signal_dbm>
<min_noise_dbm>0</min_noise_dbm>
<min_signal_rssi>1024</min_signal_rssi>
<min_noise_rssi>1024</min_noise_rssi>
<max_signal_dbm>-23</max_signal_dbm>
<max_noise_dbm>0</max_noise_dbm>
<max_signal_rssi>-23</max_signal_rssi>
<max_noise_rssi>0</max_noise_rssi>
</snr-info>
<cdp-device></cdp-device>
<cdp-portid></cdp-portid>
</wireless-client>
<snr-info>
<last_signal_dbm>-3</last_signal_dbm>
<last_noise_dbm>0</last_noise_dbm>
<last_signal_rssi>-3</last_signal_rssi>
<last_noise_rssi>0</last_noise_rssi>
<min_signal_dbm>-3</min_signal_dbm>
<min_noise_dbm>0</min_noise_dbm>
<min_signal_rssi>1024</min_signal_rssi>
<min_noise_rssi>1024</min_noise_rssi>
<max_signal_dbm>-3</max_signal_dbm>
<max_noise_dbm>0</max_noise_dbm>
<max_signal_rssi>-3</max_signal_rssi>
<max_noise_rssi>0</max_noise_rssi>
</snr-info>
<bsstimestamp>0</bsstimestamp>
<cdp-device></cdp-device>
<cdp-portid></cdp-portid>
</wireless-network>
</detection-run>
ifconfig mon0:
mon0 Link encap:UNSPEC HWaddr E0-B9-BA-5B-44-E0-00-00-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1500 Metric:1
RX packets:294562 errors:0 dropped:23075 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18673664 (18.6 MB) TX bytes:0 (0.0 B)
Any help would be greatly appreciated!
Thanks
PS
One thing I have just noticed is that I neglected to run the ARP replay attack before de-authing the client.
Would not performing the ARP replay first affect my ability to capture the handshake?
Any input is greatly appreciated!
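The airodump-ng output pasted above is Kismet netxml, which is easy to read programmatically. The following is an added example, not code from the original post or from the aircrack-ng project, that parses a .netxml capture from a defender's inventory stance: it lists each network's ESSID, BSSID, channel and advertised encryption, and flags any network still running WEP together with the clients associated to it. The embedded sample is constructed to match the shape of the output in the post (trimmed, with a second constructed WPA2 network added for contrast); function names are this example's own.

```python
"""Parse airodump-ng / Kismet netxml output and flag networks still using WEP.

Added example, not part of the original post. Walks the <wireless-network>
records of a .netxml file and reports which networks advertise WEP and which
clients are associated to them, so they can be scheduled for migration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: same structure as the airodump-ng netxml in the post,
# trimmed to the elements this parser uses, plus a constructed WPA2 network.
SAMPLE_NETXML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="airodump-ng-1.0" start-time="Sun Apr 1 18:48:38 2012">
<wireless-network number="1" type="infrastructure">
<SSID>
<type>Beacon</type>
<encryption>WEP </encryption>
<essid cloaked="false">airlink101</essid>
</SSID>
<BSSID>00:21:2F:39:C4:0C</BSSID>
<channel>1</channel>
<wireless-client number="1" type="established">
<client-mac>E0:B9:BA:5B:44:E0</client-mac>
<client-manuf>Apple, Inc.</client-manuf>
</wireless-client>
</wireless-network>
<wireless-network number="2" type="infrastructure">
<SSID>
<type>Beacon</type>
<encryption>WPA2</encryption>
<encryption>CCMP</encryption>
<essid cloaked="false">example-corp</essid>
</SSID>
<BSSID>00:11:22:33:44:55</BSSID>
<channel>6</channel>
</wireless-network>
</detection-run>
"""


def parse_netxml(data: bytes) -> list:
    """Return one dict per <wireless-network> with the fields an audit needs.

    ElementTree does not fetch the external DTD named in the DOCTYPE, so the
    file parses offline. Encryption strings are stripped because airodump-ng
    writes trailing whitespace (e.g. "WEP ").
    """
    root = ET.fromstring(data)
    networks = []
    for net in root.iter("wireless-network"):
        ssid = net.find("SSID")
        essid = ssid.findtext("essid", default="") if ssid is not None else ""
        encryption = (
            [e.text.strip() for e in ssid.iter("encryption") if e.text]
            if ssid is not None else []
        )
        clients = [
            c.findtext("client-mac", default="")
            for c in net.iter("wireless-client")
        ]
        networks.append({
            "essid": essid,
            "bssid": net.findtext("BSSID", default=""),
            "channel": int(net.findtext("channel", default="0")),
            "encryption": encryption,
            "clients": clients,
        })
    return networks


def audit_networks(networks: list) -> list:
    """Flag every network whose advertised encryption is any WEP variant."""
    findings = []
    for n in networks:
        if any(e.upper().startswith("WEP") for e in n["encryption"]):
            findings.append({
                "bssid": n["bssid"],
                "essid": n["essid"],
                "channel": n["channel"],
                "issue": "WEP in use: deprecated cipher, key is recoverable from captured traffic",
                "clients": list(n["clients"]),
            })
    return findings


if __name__ == "__main__":
    nets = parse_netxml(SAMPLE_NETXML)
    for n in nets:
        print(f"{n['bssid']}  ch{n['channel']:<3} {','.join(n['encryption']):<12} {n['essid']}")
    for f in audit_networks(nets):
        print(f"FINDING {f['bssid']} ({f['essid']}): {f['issue']}; clients: {f['clients']}")
```

Point `parse_netxml` at the bytes of a real `keyfile-01.kismet.netxml` produced by the `-w keyfile` option shown in the post to run the same audit over a live capture; the WPA2 entry in the sample only demonstrates that non-WEP networks pass through without a finding.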