Capture Beacon frames using wlan0mon (which is already in monitor mode) to identify the target network:

Note: Damn Vulnerable Drone is configured to use the mac80211_hwsim kernel module. This module creates virtual wireless interfaces that can be used to simulate a wireless network. The virtual wireless interface used in this scenario is wlan0mon. However, in real-world scenarios, you may need to use the appropriate wireless hardware interfaces capable of monitoring-mode, here is a list of possible devices.

sudo airodump-ng wlan0mon

You should see a network SSID called Drone_Wifi, using WEP encryption, running on channel number 6 and has a BSSID of 02:00:00:00:01:00. Let's make a note of these parameters as they will be used in the next steps.

Note: If your network card is not in monitor mode, you can use the following commands to enable it.

sudo ip link set wlan0 down
sudo iw wlan0 set type monitor
sudo ip link set wlan0 up

Alternatively, you can use the airmon-ng tool to enable monitor mode on your network card. This, however, may break your Damn Vulnerable Drone simulation network as it requires processes like wpa_supplicant and other network tools to be terminated. You may be required to restart Damn Vulnerable Drone as a result.

sudo airmon-ng start wlan0

Begin capturing packets on channel 6, focusing on the target BSSID, and save the capture to a file:

sudo airodump-ng -c 6 --bssid 02:00:00:00:01:00 -w capture wlan0mon

Note that we can now click on the "Initial Boot" flight stage to simulate the drone booting up and connecting to the network. This will generate some traffic that can be captured and analyzed. These data packets contain IVs (Initialization Vectors) that can be used to crack the WEP key. Our goal is to capture as many of these packets as possible to increase our chances of cracking the WEP key.

As we can see, there is now a couple of Data packets being captured. This is a good sign that the drone is now connected. We can also see a STATION address of 02:00:00:00:02:00 which is a wifi client that is connected to the Drone_Wifi network. Let's take a note of this other client address as well.

Before we can use the captured data to crack the WEP key, we need to generate more traffic. We can do this by initiating ARP replay attacks using the aireplay-ng tool.

Note: We will need roughly 50,000 packets to crack the WEP key. This can be achieved by either waiting a couple of minutes or we can speed up the process by running the following command for a few minutes.

Open a new terminal window. Next, perform an ARP replay attack to increase the number of IVs (Initialization Vectors) for cracking:

sudo aireplay-ng --arpreplay -b 02:00:00:00:01:00 -h 02:00:00:00:02:00 wlan0mon

After we collect enough IVs, we can cancel our aireplay and airodump processes and proceed to crack the WEP key using the aircrack-ng tool and our new capture-01.cap file.

Use the captured packets to crack the Wi-Fi password:

 sudo aircrack-ng capture-01.cap

Let's make a note of the WEP key 1234567890 as we will need it to connect to the Drone_Wifi network.

Use the following command to use the wlan3 interface to connect to the Drone_Wifi network:

nmcli dev wifi connect "Drone_Wifi" password "1234567890"

If everything went well, you should now be connected to the Drone_Wifi network. You can use the command below to verify that your wlan3 interface is connected to the network.

ifconfig wlan3

Congratulations! You have successfully cracked the WEP key and connected to the Drone_Wifi network. Our wlan3 interface has been assigned an IP address of 192.168.13.10 and is now ready to interact with the drone network.

Another way to get the Wi-Fi password to the Drone_Wifi network is to find the sticky note on the Ground Control Station laptop. This sticky note contains the password to the network.