This weekend I was house- (and dog-) sitting for a friend and had been told that I could use the internet while at their place. Sadly, however, the way this was configured was a guest account added my friend's laptop and she had not left the WEP key for their router. I was unable to obtain the WEP key as Windows 7 encrypts this data and the guest account cannot decrypt it. As I had permission (and really wanted wireless on my own laptop for ssh etc.), I decided to crack the WEP key and wanted to share my experience.
For this to work you need to have at least one other computer that can connect to the router.
My hardware setup is a Toshiba Satellite laptop and the first thing I did was to install the requisite packages:
sudo apt-get install aircrack-ng
I then determined the name of my wifi adapter by using:
and noting down the output (for example):
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
In this case, the adapter is called wlan0.
Now, if on standard Ubuntu 10.10, the next step is to disable wireless from network manager. Right click the network manager icon at the top right of the screen and deselect "Enable Wireless".
After that, you need to put the adapter into monitor mode and start airmon-ng:
sudo iwconfig wlan0 mode monitor
sudo airmon-ng start wlan0
When that's up and running, you can do your initial reconnaissance work with:
From here, note down the BSSID, Channel of the router you want to crack. Then, from the bottom, note the MAC address of the station that can connect to the router.
At this stage, we want to start collecting data:
airodump-ng --channel <channel> --bssid <bssid of accesspoint> -w ~/dump wlan0
The "data" column should start filling up (slowly) -- it needs to be at about 20,000 (preferably higher) before the key can be cracked. There are two ways to speed up this process. The first is to stge an ARP relay attack:
aireplay-ng --arpreplay -b <bssid of accesspoint> -h <MAC address of client> wlan0
although, note, I wasn't able to get this working.
The easier way, if you have access to the machine that can connect, is to just download a large (100mb+) file.
Once you've got 20,000 (or more) data values, you can use (in a separate terminal):
aircrack-ng -z -b <bssid of the accesspoint> ~/dump*.cap
to obtain the key. If it fails, collect more data and retry. Total time: 10 mins.
My original source for this howto was: http://www.brighthub.com/computing/smb-security/articles/17866.aspx