1. Retrieve key for WEP networks (by passive means)

    It's quite simple really.

    Just follow these steps and you should be fine.

    Also, this only works on a computer with a wireless card or a USB WiFi dongle.

    Step 1
    Get yourself Backtrack and write the .iso file to a thumbdrive using UNetbootin.

    Step 2
    After all that is done, boot the thumbdrive on your computer.

    Tip
    To boot from a USB storage device such as a thumbdrive, use the 'boot list menu', which is usually reached by repeatedly pressing F12 (or another F key) during the boot screen, or change the boot sequence in your computer's BIOS so that it boots the USB device first.


    Step 3
    You will then be presented with a list of UNetbootin boot options; choose the default option, which is the first one. After all the gibberish has finished rolling past, type

    startx

    and wait until it settles on the desktop.

    Step 4
    Open up 'konsole', which is a program similar to CMD in Windows, or just click the little black square on the taskbar.

    Step 5
    To check whether your wireless card is compatible, type in

    airmon-ng

    and see if it lists any wireless interface. If it does, Linux will usually name the interface 'wlan0' or, in rare cases, 'eth0'. In this guide we will use the interface 'wlan0'.

    Step 6
    Now it's time to determine your prey, or rather to sniff and capture packets. To do this, type

    airodump-ng wlan0

    This will list the WiFi networks that the computer can see. Here we will only work on WEP networks, so under the 'security' column look for networks that use 'WEP'; anything other than 'WEP' should not be used. Let airodump-ng run for a while and note the networks that have the highest number of packets captured, or the highest packets/s value. Note down the BSSID (the name of the access point), the MAC address (in the AB:CD:EF:GH:IJ:KL format) and the channel that the access point is on. Then press ctrl+c in airodump to stop the sniffing.

    Step 7
    Now we will try to capture the packets going to and from the chosen access point (AP). Type

    airodump-ng --channel [the channel of the AP] --bssid [name of AP] -w [a random name for the captured packets file] wlan0

    Let it run for as long as it takes. If there is a lot of network activity, you should see the number of captured packets (from clients and from the AP) rise very rapidly; if the network is quite idle, be patient.

    Step 8
    Open up another 'konsole'; here we will try to retrieve the key from the captured packets. The captured packets are dumped into a file called [random name that you entered earlier].cap, which you can see on your desktop. So type in
    aircrack-ng -b [name of AP] -m [MAC address of the AP] -n 128 [name of the cap file].cap

    Aircrack-ng will run while the packets are still being captured. The key should be found when the number of captured packets reaches around 100,000 or more, though this can vary a lot. You can also try rerunning aircrack-ng with a WEP key length of 64, 256 or 512 instead of 128 if you feel it is taking too many packets and still hasn't found the key.

    Lastly
    If all goes well, aircrack-ng should happily print out the WEP key. There, you have retrieved the key of the WEP network.
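    As an added defender-side example (not part of the original post), the same airodump-ng scan from step 6 can be used to inventory your own wireless estate for access points still running WEP so they can be migrated to WPA2/WPA3. It assumes airodump-ng -w also writes a CSV beside the .cap file with the header names used below; the sample CSV is constructed, not a real capture.

```python
import csv
import io

# Constructed sample of the CSV that airodump-ng -w <name> writes alongside the
# .cap file (assumption about the default output formats and header names).
# Every MAC, ESSID and timestamp here is made up.
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-01-01 10:00:00, 2010-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,      120,     8000,   0.  0.  0.  0,   9, LegacyLab, 
66:77:88:99:AA:BB, 2010-01-01 10:00:00, 2010-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,       90,        0,   0.  0.  0.  0,   7, Office1, 
CC:DD:EE:FF:00:11, 2010-01-01 10:00:00, 2010-01-01 10:05:00,  1,  54, OPN ,    ,    , -70,       30,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2010-01-01 10:01:00, 2010-01-01 10:04:00, -50,      300, 00:11:22:33:44:55, LegacyLab
"""


def parse_access_points(text):
    """Return the access-point rows (first CSV section) as dicts keyed by header."""
    ap_section = text.split("\n\n", 1)[0]  # the station table follows a blank line
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        rows.append({k: v.strip() for k, v in zip(header, row)})
    return rows


def find_wep_networks(text):
    """List (BSSID, ESSID, channel) for every access point whose Privacy column lists WEP."""
    hits = []
    for ap in parse_access_points(text):
        # The Privacy field can hold several tokens (e.g. "WPA2 WPA"); match whole tokens.
        if "WEP" in ap["Privacy"].split():
            hits.append((ap["BSSID"], ap["ESSID"], int(ap["channel"])))
    return hits


if __name__ == "__main__":
    for bssid, essid, channel in find_wep_networks(SAMPLE_AIRODUMP_CSV):
        print(f"WEP still in use: {essid} ({bssid}) on channel {channel}; migrate to WPA2/WPA3")
```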