Firstly, I am just posting this for Information only. I do not want people asking me how they can hack into their neighbours wireless and computers. I believe this setup gives an interesting view on the weaknesses of WEP and wireless in General.
There are many tools available to do this. However I used a Live Linux Distribution, Audior and Backrtrack. You can get these downloaded from:
In order to crack any WEP network. You will need to first find a network. This is the sniffing stage. You will use a program called Kismet. All the programs I have used are available on the live cd's, so you do not have to worry about installing them if you are a noob to Linux. For those who are familiar with linux you can download the software from,
Kismet will give you a list of networks available, with their SSIDs, it will tell you what encryption they are using and the power levels also. The good think about this software is that it will be able to find networks with Hidden SSID's also which is a very neat feature. You can further check in the software the MAC addresses of the Access Points and the clients associated with them. This is very important when you want to do a packet Injection in order to collect more amounts of IV's.
Well, this gives you an overview of what networks are available. You can collect data from this program itself. You can now use a program called Airodump to collect all the IV's in order for you to crack the wep. This is part of the aircrack suite of programs, which also includes aireplay for injection. This is also included in the live distributions. However if you want to install it on your version of Linux then you can get it at
You can choose to collect as much data as possible with the traffic in the network, this could take ages unless there is high amounts of data being transfered. In order to crack 64 bit WEP you probably need atleast 50000 IV's which is not very easy to get. 128 bit is worse, you would need atleast 800000 upto 2 million and sometimes you may need upto 5 million. However one important thing to know is that aircrack does not support all wireless cards, you need to go and check on their website what cards are supported. In order to capture packets you will need to have a card able to run in monitoring mode.
The concept of doing an Injection is straight forward. You are trying to capture an interesting packet (encrypted one which has some value) and then you will do a replay of this, continously throwing it back onto the network. WHy does this work? because the iplementation of WEP does not have anything to prevent this. This is the loophole that you can use to generate more IV's. This is done by the Aireplay program.
For this post I am not going to put any syntax for the softwares, It would be a good idea for you to have alook and mess around. It will better help you understand. Though it can be frustrating. But just be aware there are only some chipsets that support Injection, Including Ralink and Atheros. Intel Chipsets are very problemalistic and do not support this. And the other thing is that the chipsets supported mostly need to be patched, you need the MadWIFIdrivers for this. You can get more information on the aircrack website. However the Live cd's support some cards and you do not need to patch these. It can be quite difficult for Linux Noobs to try this out.
Once you collect enough IV's you can use the aircrack program to run the file and try and crack it, it would take seconds to do this for a 64 bit but it could take several minutes to crack a 128 bit key.
There are several other programs you can use for Injection, such as Void 11, or KisMAC (if you are using an Apple Machine). There are several live cd distributions also, Whax, Whoppix, so there is loads to explore.
Hope you guys have fun with this. Let us know how it works out for you.