Updated on 10 Dec, 2005 on Windows XP

Aircrack-2.3 Windows (Wireless WEP crack)

Aircrack is a set of tools for auditing wireless networks:

airodump: 802.11 packet capture program

aireplay: 802.11 packet injection program

aircrack: static WEP and WPA-PSK key cracker

airdecap: decrypts WEP/WPA capture files

Wireless Card Installation

Download Aircrack from http://100h.org/wlan/aircrack/
Read the documentation (README.html) and follow. It has the most comprehensive explanation.
I have a CISCO Aironet 350 and PrismGT card (Corega WLCB-54GT) but only CISCO works fine on Windows. PrismGT does not work on Windows. Aironet 350 works for 11b network.

How to capture (airodump)

Search WLANs. 0 to hop between channels.

> airodump.exe
         airodump 2.3 - (C) 2004,2005 Christophe Devine

  usage: airodump     [ivs only flag]

  Known network adapters:

  18  Cisco Systems 350 Series PCMCIA Wireless LAN Adapter
   2  Intel(R) PRO/100 VE Network Connection
   3  1394 Net Adapter

  Network interface index number  -> 18

  Interface types:  'o' = HermesI/Realtek
                    'a' = Aironet/Atheros

  Network interface type (o/a)  -> a

  Channel(s): 1 to 14, 0 = all  -> 0

  (note: if you specify the same output prefix, airodump will resume
   the capture session by appending data to the existing capture file)

  Output filename prefix        -> out

  (note: to save space and only store the captured WEP IVs, press y.
   The resulting capture file will only be useful for WEP cracking)

  Only write WEP IVs (y/n)      -> y

From this screen, you select the channel

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:0D:0B:98:96:7F   48        2        0  11  54  WEP?  4B18E8C83ABD
 00:A0:B0:40:5C:84   87       13       16   1  54  WEP   HOGE

 BSSID              STATION            PWR  Packets  ESSID

 00:A0:B0:40:5C:84  00:04:23:52:80:41   86        4  HOGE

Press Ctl+c. Next we will capture only channel 1 (ESSID HOGE), and specify only caturing unique WEP IVs. It saves space.

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:A0:B0:40:5C:84   87       36       48   1  54  WEP   HOGE

 BSSID              STATION            PWR  Packets  ESSID

 00:A0:B0:40:5C:84   00:04:23:52:80:41   87       38  HOGE

How to crack (aircrack)

Open a new console, and type following command. Aircrack can read the updated file automatically so you can run airodump and aircrack at the same time.
```
# aircrack.exe -x -0 out.ivs
```
For 104bit WEP needs about one million IVs. You may need one day or more time to capture the packets. However if you use aireplay by airocrack on Linux and inject, you need only few hours.
This is the result. It needed only a quarter a million. Aircrack can also run on Windows but aireplay is not supported though.

Note: In my experience, using Aircrack is the best tool compare to others. Aircrack on Linux supports packet injection which means we can increase the traffic, so we need only few hours to capture sufficient packets. Otherwise you will need several days.

Here is other my reports.

Tool	OS	CPU usage	Encryption	802.	NIC Support	Packet injection	My recommendation
Airsnort (note)	Windows	High	WEP	11b?	Few	Not supported	Low
Airsnort (note)	Linux	High	WEP	11b?	Few	Not supported	Low
Aircrack	Windows	Low	WEP, WPA	11a/b/g	Many	Not supported	Mid
Aircrack (note)	Linux	Low	WEP, WPA	11a/b/g	Many	Supported!	Recommended!

Back - Support