Finding WEP keys can be useful and/or fun.

First off, you have to have a card that can go into monitor mode. My card, a Intel 3945 (ipw3945 driver), can, if I compile the module with a config option enabled. (see the Makefile)

To test if your card can go into monitor mode, do this: {{{iwconfig eth1 mode Monitor iwconfig eth1 # check the listing for the mode }}} If you don't get an error, it probably worked. Don't forget to change it back into normal mode: {{{iwconfig eth1 mode Managed }}}


  1. Decide your goal. {{{iwlist scan



  1. Put the interface into monitor mode on this channel {{{iwconfig eth1 mode monitor channel 9


  1. You now have to capture lots of packets. to do this, I liked using wireshark (formerley Ethereal). Have it save the capture into a file. Any libpcap-enabled utility should be able to serve this purpose. You need about 300,000 packets to crack a 40-bit key and 800,000 packets to crack a 104-bit key. Not just any packet will do-- it must be wireless packets for that network (in particular, you are looking for initialization vectors (IVs)). The numbers reported by wireshark don't necessaraly correspond to IVs. What I do is tell ethereal to save the capture to a file as it's capturing, and then run aircrack on it while it is in-progress to determine how many IVs you have.

  2. Use aircrack-ng on it {{{aircrack-ng SSalant.pcap


ifup eth1 }}}

WirelessKeyFinding (last edited 2008-03-10 01:38:17 by localhost)