Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Step 4 - Performing the Crack

Once a packet is successfully captured and the ARP replay starts, aireplay-ng will look something like Figure 8. Once again, the key is the "sent N packets", which now indicates the number of ARP packets injected by the spoofed STA.

aireplay with ARP replay running
Click to enlarge image

Figure 8: aireplay with ARP replay running

You can now switch back to your airodump window and you should see that the #/s column should have increased from about zero to somewhere in the hundreds, as shown in Figure 9.

airodump with ARP replay running
Click to enlarge image

Figure 9: airodump with ARP replay running

You need to leave this running until the number in the #Data column reaches at least 300,000 IVs for a WEP 64 key or around 1,500,000 for a WEP 128 key. The problem is, with a "zero knowledge" attack, you don't know the length of the key, since it is not contained in any packets.

Since we knew we had set a 128 bit key, we waited until we had more than the suggested 1,500,000 IVs, which took about an hour, with the target AP and all notebooks involved in the same room. Under normal conditions with an AP located some distance away, it would take longer. We then opened a third shell window and started aircrack-ng:

aircrack-ng -b [AP BSSID] [capture file(s) name]

Note that the command can take a wildcard so that it uses all capture files. For our example, the command was:

aircrack-ng -b 00:06:25:B2:D4:19 capturefile*.ivs

Aircrack will start to chug through the captured packets trying to find the WEP key. This may take some time, and in some cases aircrack-ng will quit without finding the key, but offer some suggestions for things you might try. But when it succeeds, the aircrack screen will look like Figure 10.

aircrack-ng with key found

Figure 10: aircrack-ng with key found

The 128 bit WEP key is in hexadecimal form and can be entered directly into a wireless client, omitting the ":".

More Wireless

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

...

Over In The Forums

Hi everyone,Just recently connected 2 AX86U via 2.5GBE backhaul as AiMesh, and the connection quality appears as "Great" according to the firmware.How...
Based on the RT-AX55, are there any sub-200.00 routers that have better ranges, in the AX class? I have to set up a network for my dad, who is long di...
Update again on 2021/1/21 We are patching DNSmasq vulnerability disclosed by JSOF and will start to put beta firmware on ASUS support site for this i...
I recently picked up a AC86U for a relatively good price. I bought it on the recommendation that it had DFS channels available (https://www.duckware.c...
Hi everyone,I suspect that the 2.4Ghz radio in my RT-AC66U has finally bit the dust. No complaints though - It has performed almost flawlessly for an ...

Don't Miss These

  • 1
  • 2
  • 3