Gentoo Wiki


This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc



802.11 WEP was the first attempt at securing Wifi communication since 802.11b, and it has been shown that it can be broken rather easily. The most recent PTW algorithm (2007) improved the speed of cracking WEP by "an order of magnitude" - in the neighborhood of 10-20 minutes for 104-bit keys. The process of finding WEP key is related to the weakness of WEP protocol/encryption. We'll present a gentoo-specific steps for cracking a WEP key.

I don't need to tell you that cracking WEP keys without permission may land you in trouble. Check aircrack website for their full-on disclaimer. (

Hardware Setup

See for a list of PCI/PCCARD/USB devices that support "injection". Injection is how aircrack suite of tools speed up generation of data packets that are useful for finding the WEP key, using a technique called "arp replay". Without it, cracking is still possible, but will often take several days to gather the needed data.

I have tested the following using a Linksys WUSB54G v4 and will use it as the example in the following HOWTO. (I use the enhanced driver from

If your card requires a firmware, be sure to install it in /lib/firmware directory before loading (modprobe) driver. If your kernel or udev can load drivers automatically when hardware is present, good for you.

Certain drivers don't play well with newer kernels (mine doesn't compile against rt-sources), or doesn't work on SMP enabled kernels. Check with your card prior to going out and buy one.

Hardware Testing

The following command can be issued to test whether your hardware is capable of packet injection. You can change rausb0 to whatever your wireless card may be, eg. wlan0.

 aireplay-ng -9 rausb0

If your card is capable of packet injection, you should see output which starts similar to this:

 16:29:41  rausb0 channel: 9
 16:29:41  Trying broadcast probe requests...
 16:29:41  Injection is working!

If you don't see that "Injection is working!", see the Troubleshooting section.

Software Installation

You'll need the main aircrack package: (replace x86 with your arch keyword)

   echo "net-wireless/aircrack-ng" >> /etc/portage/package.keywords
   echo "net-wireless/aircrack-ng wifi" >> /etc/portage/package.use
   emerge -avt aircrack-ng

If the target network doesn't have DHCP server, you will need to inspect the packets to get an idea of the subnet address space, for that please install wireshark

   emerge -avt wireshark

Scanning Access Points

First step is to locate the access point that you want to crack (with written permission of course). You'll need to know the name of your network card interface you plan to use for this exercise: (this tutorial uses iproute2 instead of ifconfig, you can "emerge iproute2" and gentoo would automatically use that to manage your network after a reboot or network restart)

 /sbin/ip link

For this example, the network interface we'll use is 'rausb0', thus to monitor local wifi air space:

 airodump-ng rausb0

This shows a list of observable access points and their BSSID in the upper section of the text ui. The lower section shows the list of observed clients e.g. laptops or pdas that's associated (connected to) with a particular access point. For this example, we'll test on one where at least one client has associated because other cases are beyond my scope.

Associating with Access Point

Associating with an AP means not being completely ignored by it. This is prerequisite to the arp replay step. Recall that arp replay is to stimulate specific kind of traffic useful for WEP key recovery.

Locate the ESSID and BSSID for the access point you are planning to test with. Use the following command and replace <apssid> and <apmacaddr> with the ESSID and BSSID you've selected. For <clientmacaddr>, use a MAC address of any one associated client shown to be connected to your target AP.

 aireplay-ng rausb0 --fakeauth 0 -e <apssid> -a <apmacaddr> -h <clientmacaddr>

If you successfully associated, you can move on to arp replay. If not, try lowering the speed of your connection, e.g. "iwconfig rausb0 rate 1M" and try again.

ARP Replay

Replay is used to stimulate the access point to generate necessary traffic for key analysis.

 aireplay-ng rausb0 --arpreplay -b <apmacaddr> -h <clientmacaddr>

If the number of found arp packets increases from 0, you may move onto the capturing phase.

Capturing Relevant Data for Analysis

Capturing to the <outputfile>, here we specify airodump to only capture packets from specific AP, by specifying <apmacaddr>, and scanning only on one channel. You can find this channel by looking at the output of "airodump rausb0" if you don't remember what it was.

 airodump-ng rausb0 -w <outputfile> --channel <apchannel> --bssid <apmacaddr>

According to the aircrack website, the data rate around 200/s is typical for successful injection. Otherwise, you may have to wait for longer (or shorter) depending on what you got.

Finding WEP Key

Airodump append the suffix ".cap" to the <outputfile> prefix you provided in the previous step. The command below analyzes the captured data and will spit out a WEP key if sufficient data has been gathered.

 aircrack-ng -z <outputfile>.cap

Once the WEP key is found, you can test it using iwconfig commands to manually set the key, or test it by putting it into your /etc/wpa_supplicant/wpa_supplicant.conf or /etc/conf.d/net and then restart the net interface, e.g. /etc/init.d/wlan0 restart


  (for the /etc/wpa_supplicant/wpa_supplicant.conf case)
  (for the /etc/conf.d/net case)
  # rausb0 (WIFI)
  modules_rausb0=( "iwconfig" )
  iwconfig_rausb0="mode managed"
  config_rausb0=( "dhcp" )
  preferred_aps=( "blackbrain" )
  key_blackbrain="[1] 4C517CF47320E0A28BA40A800C key [1] enc open"

Once you are connected, you may be given an IP by the subnet's DHCP server (if you use dhcpclient for example). If no DHCP server was present then you may use wireshark to get an idea of the subnet address space, e.g. packets with src or dest address of means the subnet is of 192.168.1.x, and so on. Without DHCP server you'll need to hand set your IP, mask, and gateway.

Once you are in, you may verify your new found connectivity with the friend who gave your authorization, and if you do it quickly enough you may be able to get them (or help them) to switch to the more secure WPA sometime this year.

Let's keep this document reasonable and about computer security (like the aircrack home page) so it won't be taken down.


Disabling NetworkManager

The aircrack-ng suite doesn't play nicely with NetworkManager. If your packet injection is failing and you have NetworkManager installed, then this is more than likely the cause.

To disable NetworkManager while your computer is booting, switch to the console display if you have a splash screen, and then press 'i' at the appropriate time for an interactive boot, load all other services as normal but skip loading the NetworkManager. Once logged in, you should try the Hardware Test above once more to see you can successfully inject packets.

See Also

Retrieved from ""

Last modified: Tue, 26 Aug 2008 15:47:00 +0000 Hits: 20,378