WEP and WPA are two common encryption protocols meant to protect wireless communications. Both require you to know a key (or passphrase) in order to read or send packets on the protected wireless network. There are various weaknesses in the WEP encryption algorithms that allow you to recover the key just by sniffing enough encrypted packets (see Aircrack). Because WEP is very common, and recovering WEP keys is not difficult, Airpwn has the ability to decode WEP traffic and inject WEP-encrypted responses.
To use Airpwn with a WEP-protected network, simply add the network's key to the Airpwn command line using the -k keystring option. Since Airpwn can work on multiple networks simultaneously, you can add multiple keys by using the -k option multiple times. The keystring is a colon-separated sequence of hex-encoded bytes that make up the WEP key. 40-bit WEP (sometimes referred to as 64-bit, counting the 24-bit IV) requires 5 key bytes, and 104-bit WEP (sometimes referred to as 128-bit) requires 13 key bytes. Here is an example of using Airpwn on 2 wireless networks, one with a 40-bit key and one with a 104-bit key:
airpwn -c conf -d madwifi -k 11:22:33:44:55 -k 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
Using the -v flag three times provides WEP decryption logs on the console. A log line is printed for each WEP packet found, and another reports whether the decryption of that packet was successful.
If decryption is failing even though you are sure you are using the correct key, try adding the -F flag (or removing it if you are already using it). Some wireless drivers leave the 4-byte Frame Check Sequence (FCS) on the end of captured packets, and those trailing bytes prevent the packets from decrypting properly. The -F flag tells Airpwn to treat the end of the packet as an FCS value and not to try to decrypt those bytes.
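To make the two checks above concrete, here is an added example (not Airpwn's code) that models WEP decryption with the ICV verdict that corresponds to the "decryption successful" log, and a check for a trailing FCS that tells you whether -F is needed. The frame header, key, IV and payload are constructed sample values, not a real capture.

```python
"""Added example (not Airpwn's source): WEP body decryption with the ICV
check that decides "decryption successful", plus detection of a trailing
802.11 FCS, the situation the -F flag exists for."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + keystream XOR, exactly as WEP applies it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Produce a WEP frame body: IV(3) | key-id byte | RC4(IV||key, plaintext||ICV).
    The ICV is CRC-32 over the plaintext, little-endian, and is encrypted too."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    icv = struct.pack("<I", zlib.crc32(plaintext))
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Return (plaintext, icv_ok). A False icv_ok is the 'decryption failed'
    verdict: wrong key, or trailing bytes (an FCS) mistaken for ciphertext."""
    if len(body) < 8:                       # IV + key-id + at least the ICV
        return b"", False
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    return plaintext, struct.unpack("<I", icv)[0] == zlib.crc32(plaintext)


def append_fcs(frame: bytes) -> bytes:
    """Mimic a driver that leaves the FCS on: CRC-32 over the frame, little-endian."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def has_trailing_fcs(frame: bytes) -> bool:
    """True when the last 4 bytes are a valid FCS over everything before them.
    If this is True for your captures, run Airpwn with -F."""
    if len(frame) < 4:
        return False
    return struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])


def strip_fcs_if_present(frame: bytes) -> bytes:
    return frame[:-4] if has_trailing_fcs(frame) else frame


# Constructed sample data, not a real capture.
KEY40 = bytes.fromhex("1122334455")                      # the 40-bit key from the -k example
IV = b"\x01\x02\x03"
HDR_LEN = 24                                             # 802.11 data frame header length
SAMPLE_HDR = bytes.fromhex("08410000") + b"\xaa" * 20    # data frame, ToDS + Protected, dummy addresses
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def demo():
    """Decrypt with and without stripping the FCS, and with a wrong key."""
    frame = SAMPLE_HDR + wep_encrypt(KEY40, IV, SAMPLE_PAYLOAD)
    captured = append_fcs(frame)                          # what an FCS-leaving driver hands you
    _, ok_naive = wep_decrypt(KEY40, captured[HDR_LEN:])  # FCS treated as ciphertext: ICV fails
    pt, ok = wep_decrypt(KEY40, strip_fcs_if_present(captured)[HDR_LEN:])
    _, ok_wrong = wep_decrypt(bytes.fromhex("0102030405"), frame[HDR_LEN:])
    return pt, ok, ok_naive, ok_wrong


if __name__ == "__main__":
    pt, ok, ok_naive, ok_wrong = demo()
    print("FCS left on, not stripped ->", ok_naive)
    print("FCS stripped              ->", ok, pt)
    print("wrong key                 ->", ok_wrong)
```

Run has_trailing_fcs over a few frames from your own capture before blaming the key: if it returns True the driver is leaving the FCS on and -F is the fix; if it returns False on every frame and the ICV still fails, the key bytes are wrong.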
If you happen to know the passphrase for a WEP network but are not sure of the key bytes, you can use the wep_keygen utility that comes with Airpwn to generate them. wep_keygen creates four 40-bit keys and one 104-bit key to pass to Airpwn with the -k option. If the passphrase you provide is 5 or 13 characters long, wep_keygen also prints an ASCII key, which is a direct mapping of the passphrase characters to key bytes, as this is another common way of creating keys from passphrases. Here is an example of wep_keygen with a 5-character passphrase:
$ wep_keygen "hugs!"
40-bit keys:
0: f2:4c:3d:9f:4b
1: 84:0d:00:ef:7d
2: ad:c0:10:38:69
3: 09:ff:4c:cb:4d
104-bit key: 92:55:07:70:95:8a:0b:ba:72:c5:ab:33:81
40-bit ASCII key: 68:75:67:73:21
If you are unsure which key provided by wep_keygen is the correct one, you can pass all of them to Airpwn simultaneously with multiple -k options to quickly determine whether your passphrase is correct.
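As an added example (not wep_keygen's source), the following re-implements the two de-facto passphrase-to-key algorithms that tools of this kind use, the ASCII mapping, and the multi -k argument list the previous paragraph suggests. The 40-bit routine reproduces key 0 from the "hugs!" run above (f2:4c:3d:9f:4b); the 104-bit routine is the MD5-over-64-bytes method commonly used for 13-byte keys and is assumed here to be what wep_keygen implements.

```python
"""Added example (not wep_keygen's source): the two de-facto
passphrase-to-WEP-key algorithms, the ASCII mapping, and the -k argument
list for trying every candidate in one Airpwn run."""
import hashlib


def wep40_keys(passphrase: str) -> list:
    """40-bit generator (the Neesus Datacom scheme used by most vendors):
    XOR the passphrase bytes into a 32-bit seed, then pull 20 bytes from an
    LCG, one key byte per step, giving four 5-byte keys."""
    data = passphrase.encode("ascii")       # the scheme is defined over ASCII input
    if not data:
        raise ValueError("empty passphrase")
    seed = 0
    for i, b in enumerate(data):
        seed ^= b << ((i & 3) * 8)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep104_key(passphrase: str) -> bytes:
    """104-bit generator: repeat the passphrase to fill 64 bytes, MD5 it,
    keep the first 13 digest bytes (assumed to match wep_keygen's output)."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    buf = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def ascii_key(passphrase: str):
    """Direct character-to-byte mapping; only a valid key at 5 or 13 chars."""
    data = passphrase.encode("ascii")
    return data if len(data) in (5, 13) else None


def hexkey(key: bytes) -> str:
    """Airpwn's -k format: colon-separated hex bytes."""
    return ":".join(f"{b:02x}" for b in key)


def candidate_keys(passphrase: str) -> list:
    """Every key wep_keygen would print for this passphrase."""
    keys = wep40_keys(passphrase) + [wep104_key(passphrase)]
    direct = ascii_key(passphrase)
    if direct is not None:
        keys.append(direct)
    return keys


def airpwn_key_args(passphrase: str) -> list:
    """One -k per candidate, so a single Airpwn run tests them all."""
    return [arg for key in candidate_keys(passphrase) for arg in ("-k", hexkey(key))]


if __name__ == "__main__":
    phrase = "hugs!"
    for n, k in enumerate(wep40_keys(phrase)):
        print(f"40-bit key {n}: {hexkey(k)}")
    print("104-bit key:", hexkey(wep104_key(phrase)))
    print("ASCII key:  ", hexkey(ascii_key(phrase)))
    print("airpwn -c conf -d madwifi", " ".join(airpwn_key_args(phrase)))
```

Two things worth knowing when you rely on passphrase-derived keys. First, vendors disagree on the generator, so a passphrase that works on one access point's firmware may not reproduce the key on another; that is why feeding every candidate to Airpwn at once is the pragmatic approach. Second, the 40-bit scheme has far less than 40 bits of entropy: all passphrase bytes are XORed into a single 32-bit seed, printable ASCII never sets the high bit of any seed byte, and Newsham's analysis of this generator showed the reachable key space is roughly 2^21, so such keys fall to brute force in seconds even without the statistical attacks used by Aircrack.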