Next we need to scout out our target using ‘airodump-ng rausb0‘. After a few seconds airodump should display all of the wireless access points in range.
At the top, all of the access points are listed. Write down the bssid (MAC address) of the AP you want to attack and the channel (listed under CH) that the access point is broadcasting on. The access point I want to attack has the essid ‘g47m60′, the bssid 00:11:F5:0F:7B:43 and is broadcasting on channel 11. At the bottom, are all the ’stations’. Stations are clients connected to the access points. Listed under bssid is the bssid of the access point the client is connected to, and listed under station is the MAC address of the client. You can tell what access point the client is trying to connect to by correlating the bssids at the bottom with the bssids at the top. I see that one client is connecting to the access point I want to attack. Write down the MAC address of a client that is connected to your device (if none are connected, wait until one is). My client’s MAC address is 00:1C:B3:BC:E9:2B.
Next we want to make a more specific call of airodump-ng so that it monitors only traffic from and to our chosen access point. We want to capture this traffic in a file that aircrack-ng will later use to crack the WEP key.
airodump-ng --channel <channel> --bssid <bssid of accesspoint> -w dumpfile rausb0
Be sure to replace rausb0 with the name of your wireless device. You should notice that the #data column has started to increase. We need to get this number to about 20 000. To speed up this process we are going to stage an ARP replay attack. Open a new Konsole window and run
aireplay-ng --arpreplay -b <bssid of accesspoint> -h <MAC address of client> rausb0
In my case the command would be: 'aireplay-ng –arpreplay -b 00:11:F5:0F:7B:43 -h 00:1C:B3:BC:E9:2B rausb0'
First aireplay-ng will capture ARP requests.
Then, once it has captured some ARP requests it will start sending packets to generate traffic. Switch back to your konsole window running airodump-ng. You should see that the #Data column is raising more quickly now and that the #/s number has increased to about 200 or more. Now wait until the #Data column reaches 20 000.
Now open a new konsole, we will now use the captured data to find the key. It’s finally time to run aircrack-ng.
aircrack-ng -z -b <bssid of the accesspoint> dumpfile*.cap We got it! For me it failed 5 times until I got 50 000 IVs, so if it fails the first time just wait a few minutes for more IVs.
This is only a very basic guide, and this was my first time using the program so my knowledge is somewhat limited. The aircrack-ng website has some great information if you want to know more. A page containing a basic description of how aircrack-ng works is of specific interest.
Happy Cracking! If you enjoyed this article, be sure to check out Bright Hub's Wireshark Sniffing, Ettercap DNS Redirection and Ettercap Wifi Sniffing tutorials!