Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Packet capture and cracking

At this point Auditor-A is running a replay attack and producing plenty of IVs. Now it's finally time to do the actual WEP cracking. Stop void11 on AUDITOR-B, if you haven't done so already. Type in the following commands to set up airodump to capture packets for cracking.

Starting up airodump after stopping void11
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN
- If there are many wireless access points in range, append the MAC address of your target AP to the end of the airodump command, i.e.
airodump wlan0 cap1 MACADDRESSOFAP

After airodump starts, you should now see the IV count rise to about 200 per second, thanks to the aireplay replay attack running on Auditor-A

After ten minutes of aireplay

Figure 14: After ten minutes of aireplay
(click image to enlarge)

With airodump writing IVs into a capture file, we can run aircrack at the same time to find the WEP key. Keep airodump running and open another shell window. Type the following commands into the new window to start aircrack:

Starting aircrack
cd /ramdisk

- FUDGEFACTOR is an integer (default is 2)
- MACADDRESSOFAP is the MAC address of the Target AP
- WEPKEYLENGTH is the length of the WEP key you are trying to crack (64, 128, 256 or 512)

Figure 15 shows an example of a complete command.

aircrack usage

Figure 15: aircrack usage
(click image to enlarge)

Aircrack will read in unique IVs from all the capture files and then perform a statistical attack on those IVs. A lower "fudge factor" (-f parameter) has less chance of succeeding, but is very fast. A high fudge factor is slower, but has a higher chance of finding the WEP key. A fudge factor of 2 is the default starting point.

You can stop aircrack by typing control-C or just let it run to completion (it will give up after awhile if it doesn't find the WEP key, at least for 64 bit WEP keys). If you followed our syntax above, you can simply hit the up arrow then enter. You can then restart aircrack by hitting the up arrow then enter keys, and aircrack will automatically include the updated contents of the airodump capture file. At some point, you should be rewarded with the screen shown in Figure 16.

Gotcha, Key Found!

Figure 16: Gotcha, Key Found!
(click image to enlarge)

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2