Nice tute, Biosphear. I have a few notes to add:

First of all, in order to crack wifi, your wireless adapter must be capable of these two functions: monitor mode and packet injection. You can think of monitor mode as sort of like "hyper-promiscuous mode for wireless cards." In monitor mode you can listen to all traffic on the air from any AP or other 802.11 device within range. "Packet injection" means crafting custom packets and sending them out on the air through your wireless adapter. If your wireless adapter's chipset does not support monitor mode and packet injection, or if there's no driver or patch available that supports these features, then sorry; you're not going to be cracking wifi networks with that adapter. There's a limited number of chipsets with available drivers to support monitor mode and injection, but luckily most of them are extremely popular, so finding one is not too difficult. All the Atheros, most Realtek and Ralink, and some Broadcom chipsets are supported. In some cases a special driver is required, and sometimes it might even be necessary to apply a kernel patch to enable these features. If your adapter just won't work or will require a lot of trouble to get working, you can always buy an external USB wifi adapter. They're pretty cheap these days.

If you do need a replacement adapter, I strongly recommend the Alfa AWUS036H. Retailing at $30-45, it's a freaking bargain considering its performance over similarly-priced adapters by Linksys and Netgear. It may be ugly, but this adapter is the wardriver's best friend. It's built on a well-supported Realtek chipset, and its 500mW transceiver provides perhaps the best range of any USB wifi adapter. The best part is, you can plug in a high-gain replacement antenna which will take full advantage of the Alfa's performance. With a 7dBi antenna and optimum conditions, this thing can pick up networks a quarter-mile away.

Regarding step 4 in Biosphear's tutorial: The device ID that Linux gives to your wireless adapter may vary from device to device and from distro to distro. Sometimes you'll see "wlan0," sometimes "ath0" or "eth1." The Alfa AWUS036H (which I pimped in the paragraph above) shows up on my netbook as "wlan0" until I use airmon-ng to put it into monitor mode, whereupon a new device ID is created with the name "mon0". When you run ifconfig, it's really not too difficult to figure out which device is your ethernet and which is your wireless. Just be aware that the device IDs may not be consistent with tutorials you find on the Internets.

Before you start any cracking, type "sudo cd /root" and sudo mkdir a new directory called .ac-ng in your /root directory. If you do all your cracking from this directory you can keep all your stuff organized. All aircrack-ng tools must be run as root, so either sudo them or else type "sudo -s" at the start of every cracking operation to get a root prompt. (If you choose the second option, be sure to close the terminal after you're done working as root!)

Regarding step 7 in Biosphear's tutorial: When using airodump-ng to choose a target network to crack, look for a network with a high power (PWR) and preferably one with at least a few nodes connected. Of course, you'll want one with "WEP" specified in the encoding (ENC) column. Another good thing to look for is any network with an SSID containing "2WIRE". (More about this later.) Once you've selected your target network, mkdir a new subdirectory inside /root/.ac-ng, name it after the target network's SSID, and cd into there before pointing airodump-ng at the target AP. This method will keep all your data organized by network and avoid having a crap-ton of .cap files piling up all over the place. Make a note of the network's BSSID and also the channel it's operating on.

It's a good idea to open up a text editor and copy/paste all this info into a text document, along with the MAC addresses of any hosts connected to the target network. Name this text document after the network SSID and save it in the /root/.ac-ng/<target network SSID> directory. Go back to the terminal and hit Ctrl-C to quit airodump-ng. When you restart it, make sure to specify both the BSSID ("-b") and the channel ("-c") of the target AP, and don't forget to add "-w" followed by the filename you want to write the file to (you might want to use the target network's SSID for this as well).

Between steps 9 and 10, it's important to recognize whether the target AP is filtering clients by MAC address. If the target is set up for MAC filtering, then you'll need to use a slightly different approach to crack the network. When you run your fakeauth, if you're able to connect OK, then you know MAC filtering is not enabled and you can proceed as described in Biosphear's tutorial. If, however, you start receiving deauth packets, then that's a good sign that MAC filtering is enabled on the AP. If you're getting filtered out by MAC address, then you'll need to see some connected hosts in order to attack the network. If another host is connected to the network, you can run a deauth attack against that host (specify its MAC address) and then fakeauth using its MAC address in place of your own. It's important to remember that deauth attacks against a connected host will bump that host offline. Because deauth attacks tend to be 'noisy,' you should keep them to a minimum. If people on the target network keep getting repeatedly knocked offline, they'll probably realize there's something wrong with the router and you might gain the attention of a network admin. A stealthier approach in the case of MAC addy filtering is to bide your time: make a log of all the client MAC addresses connected to the target AP, then try again at a time of day when there's little or no traffic. Find a MAC address on your list which is not connected, then carry out your disassociation/ARP replay attacks under the guise of that trusted client.

Finally, a (hopefully) useful bit of information: Due to a ridiculously stupid "ease-of-use" feature, many 2WIRE routers have a vulnerability that allows anyone who cracks the WEP key to easily gain full administrative access to the router (2WIRE wifi routers are standard equipment on AT&T, Bellsouth and Qwest home DSL networks, BTW). After cracking the WEP key of a 2WIRE router, you can easily gain admin access by the following method:

1. Connect to the network using the cracked WEP key you acquired from aircrack-ng.
2. Open a browser window and type the IP address of the 2WIRE router in the address bar. This should not be too hard to guess. For routers on AT&T service it will most likely be 192.168.1.254, but other companies might use different numbers. As usual, Google is your friend here.
3. When you get to the router setup login page, click the link for "I forgot my password."
4. The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).
5. You're in. Now you can change any admin settings you please. If the router is filtering by MAC address, this would be a prime opportunity to add your own MAC address (spoofed, of course!) to the whitelist.

I don't know if this works on all 2WIRE routers, but it seems to work on quite a lot of them. As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?
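The post notes that deauth attacks are 'noisy' and tend to get an admin's attention. As an added example (not from the original post or Biosphear's tutorial), here is the defender's side of that: a small Python detector that parses raw 802.11 management frames and flags bursts of deauthentication/disassociation frames between one sender and one receiver. The frames, MAC addresses, window and threshold are constructed assumptions.

```python
# Added example: flag deauth/disassoc bursts in captured 802.11 management frames.
# Assumes raw frames with the standard 24-byte header (FC, duration, addr1-3, seq).
from collections import defaultdict, deque

MGMT_TYPE = 0
DEAUTH, DISASSOC = 0xC, 0xA          # management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                    # bits 2-3: type, bits 4-7: subtype
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    return (fc0 >> 4) & 0xF, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])

def find_deauth_bursts(capture, window=5.0, threshold=5):
    """capture: iterable of (timestamp, frame_bytes). Returns alerts
    (src, dst, count, t) whenever one (src, dst) pair reaches `threshold`
    deauth/disassoc frames inside a sliding `window` of seconds."""
    recent = defaultdict(deque)
    alerts = []
    for t, frame in sorted(capture, key=lambda e: e[0]):
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, dst, src, _ = parsed
        q = recent[(src, dst)]
        q.append(t)
        while q and t - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) == threshold:         # fire once when the burst is reached
            alerts.append((src, dst, len(q), t))
    return alerts

def make_mgmt_frame(subtype, dst, src, bssid, body=b"\x00\x07"):
    """Constructed test frame: FC, duration, 3 addresses, seq ctrl, reason code."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    addr = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return fc + b"\x00\x00" + addr(dst) + addr(src) + addr(bssid) + b"\x00\x00" + body

AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
# Constructed capture: one benign disconnect, a beacon, then 6 deauths in 2.5 s.
SAMPLE = [(0.0, make_mgmt_frame(DISASSOC, AP, CLIENT, AP)),
          (101.0, make_mgmt_frame(0x8, BROADCAST, AP, AP))]
SAMPLE += [(100.0 + i * 0.5, make_mgmt_frame(DEAUTH, CLIENT, AP, AP)) for i in range(6)]

if __name__ == "__main__":
    for src, dst, n, t in find_deauth_bursts(SAMPLE):
        print(f"t={t:.1f}s: {n} deauth/disassoc frames from {src} to {dst}")
```

A real monitor would read frames from a monitor-mode capture and also weight deauths sent to the broadcast address, which no legitimate client ever needs.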