Now this isn't anything new, but I figured it's nice to have a quick easy reference on how to do it using Linux. This guide does not detail the steps involved with obtaining the proper software or driver configuration to exercise these methods. Sorry, but you're on your own there. I highly recommend using
Back|Track because it has all the tools we need built in, and it works great on my Toshiba laptop.
Step 1) Find your victim.
Use Kismet to sniff wireless beacons. Find a wireless network with reasonable signal strength and clients connected to it. You'll want to gather the following information:
- $BSSID (MAC ADDR of WirelessAccessPoint)
- $SSID (Network Name)
- $Channel# (Wireless Channel of WAP)
- $ClientAddr (MAC ADDR of Client connected to WAP)
- $NIC (Your wireless interface, Usually Ath0 or Wifi0)
Step 2) The Attack.
What we are going to do next is capture ARP requests between the Client and WAP. If you are attempting to crack a busy network (constant traffic) you can skip the first command below.
- aireplay-ng -a $BSSID --deauth 10 $NIC
- aireplay-ng -b $BSSID -h $ClientAddr -x 512 --arpreplay $NIC
- airodump-ng --ivs -w $SSID --channel $Channel# $NIC
Step 3) Cracking the code.
Once you have captured enough IVs (200,000 for 64 bit keys and at least 700,000 for 128 bit keys) use Aircrack-ng to get the WEP key. While Airodump-ng is still running, make a copy of the IVs output file and attempt to crack it periodically (every 20 minutes or so).
- aircrack-ng -a 1 $SSID.ivs
