How to use Airodump (from WEP cracking tutorial)

Airodump usage: airodump [interface] [output file prefix] [channel no.] [IVs flag]

1. The [channel no.] can be set to a single channel (1 thru 14) or set to 0 to hop between all channels
2. The [IVs flag] can be set to 1 to only save the captured IVs

e.g. airodump eth1 testfile1 6 produced the in progress capture below:


Basics to be aware of from the above screen capture are:

- BSSID = MAC address of the access point (but not always!)

- Beacons = Number of captured beacon packets (of no use!)

- # Data = Number of IVs captured so far (this is the all important figure!)

- MB = Data Rate '48' mixed mode in the above example. A '.' appears after the figures if the Data Rate is dedicated e.g. '48.'

- WEP = Network is configured as WEP

- Number of IVs required to break WEP depends on the WEP key length
* Approximately 300.000 IVs for 40-bit WEP (AKA 64-bit WEP)
* Approximately 1.000.000 IVs for 104-bit WEP (AKA 128-bit WEP)


Examples:

airodump wlan0 capture1 10 (Interface=wlan0, filename=capture1, channel=10)

airodump eth1 testfile 6 1 (Interface=eth1, filename=testfile, channel=6, only captured IVs saved)

airodump ath0 alpha 0 (Interface=ath0, filename=alpha, channel hopping mode)




Output Files:


An airodump capture with produce the following output files .txt, .cap and .gps

The .txt file contains:

* BSSID and MAC addresses

* Time/Date info

* Channel Info

* Data rate

* Encryption method

* No. of beacons captured

* No. of IVs captured

* LAN IP

* ESSID


The .cap file contains the packet capture from your session. This is the file that is input into aircrack for WEP cracking.

The .gps file contains GPS related info if you have a GPS device enabled


Troubleshooting:

Be aware of the modes of your card and target network (802.11b or 802.11g). I have observed Airodump capture only around 2,000 IVs an hour (on a busy network) when the card is an 802.11b card and the network is working in 802.11g mode. Be sure your card and the target network are using the same mode.

On a saturated 802.11b network we captured around 23,000 IVs a minute.

On a saturated 802.11g network we captured around 140,000 IVs a minute.


Source:http://wirelessdefence.org/Contents/Aircrack_airodump.htm

Wep Cracking - The Fbi Way

WEP cracking usually takes hours. Lots of hours, depending on the amount of traffic on the access point. A few months ago, two FBI agents demonstrated how they were able to crack a WEP enabled access point within a couple of minutes. 3 minutes to be exact. This is unbelievable when compared to, say 3 days of work. Here is how they did it, and how you can do it. You may need to know your way with each and every of these tools to get this done. You can ask Google for that. Anyway, if you are familiar with them, just do as follows :

1. Run Kismet to find your target network. Get the SSID and the channel.
2. Run Airodump and start capturing data.
3. With Aireplay, start replaying a packet on the target network. (You can find a ‘good packet’ by looking at the BSSID MAC on Kismet and comparing it to the captured packet’s BSSID MAC).
4. Watch as Airodump goes crazy with new IVs. Thanks to Aireplay.
5. Stop Airodump when you have about 1,000 IVs.
6. Run Aircrack on the captured file.
7. You should see the WEP key infront of you now.

The software runs on Linux, they are all available on the Knoppix Linux Live CD. And finally, I think you should always use a combination of 2 or more security features. As for what you need, get Aircrack (Includes Airodump, Aireplay, Aircrack and optional Airdecap for decrypting WEP/WPA capture files) and get Kismet.

Update: Kismet for Windows (Kiswin32) is available now.

Download this tools:

Kismet:Win32 version
http://www.kismetwireless.net/code/setup_kismet_2007-10-R1.exe

Aircrack:
http://download.aircrack-ng.org/aircrack-ng-0.9.3-win.zip

Source:h++p://masc2279.no-ip.org/gadgets-toys/internet/wep-cracking-the-fbi-way/