Cracking WEP

Remember when we set the access point’s security mode to Disabled? Now let’s go to the same settings and change the Security Mode to WEP. There needs to be a key length set for the WEP Key. We chose 128bits for WEP key length – or when talking in a more simple way, it is 26 characters. We chose as the WEP Key to be babdebbabdebbabdebbabdeb23 as our key – this is the password that you would have to type in order to access the WEP protected Wi-Fi. You can type anything you want in the WEP Key – as long as it only consists of letters A-F and numbers 1-9.


After we have set our WEP key, lets start our attacker laptop and configure it.

Open up the terminal and bring up the wlan1 interface with the command:

ifconfig wlan1 up

Then let’s start the wlan1 in the monitor mode with the command:

airmon-ng start wlan1

This changes the wlan1 to wlan1mon, you can check with the ifconfig command that the wireless adapter is in monitor mode.


Now lets locate our access point from the local networks using the command:

airodump-ng wlan1mon

From the list of machines, find the one that has the SSID that you set for your Access Point.


Since we only want to find out what’s happening with our own network, we can filter the airodump to only show our router’s traffic with the following command:

airodump-ng wlan1mon --bssid D4:6E:0E:FC:AB:E4 --channel X --write testiwep wlan1mon


You can change the “testiwep” to be whatever name you wish, it’s the name of the pcap file generated on your computer. For our exercise, we set it to testiwep . The –write command saves the traffic into a pcap file, that we will use to crack into the network.

Remember when in the beginning we said that you need two laptops? The other one should have Kali with the adapter up and running, and the other one shouldn’t be doing anything at the moment.

Connect the laptop that is inactive into the wifi and sign in – use the WEP Key as the password for the wi-fi (for us it was babdebbabdebbabdebbabdeb23) to sign into the network.  The laptop that has airodump-ng up and running should show that the other laptop connected to the network.


If you type in ls in the terminal, you can see that the kali laptop has now files stored on the machine. It automatically generates traffic dump files from every authentication and connection that the router receives.


To break through WEP encryption, we will need numerous data packets that have the same encryption key to exploit the protocols weakness. Currently we have 27 (shown on the #Data column).


So to generate more data packets we will use the aireplay-ng tool.

With aireplay, we will capture ARP packets on the wireless network, and then replicate those same packets back into the network by injecting. By replaying these same packets some few thousand times, we will generate a lot of traffic on the network. By generating a large traffic on the network, Aireplay is able to identify the ARP packets by their size.

We will run the aireplay-ng with a few specified options. Firstly we will have the -3 option listed in the command, which stands for ARP replay, -b which is the router’s MAC address, -h which specifies the client MAC address that we will use to replay the ARP packets and lastly add the wireless adapter into the command, in our case it is wlan1mon.

Open a second Terminal window with CTRL + SHIFT + T and type the following command into the terminal:

aireplay-ng -3 -b *mac address of the router* -h *mac address of the client machine* wlan1mon

For us it looked like this:


Should you encounter any errors related to channels, include –ignore-negative-one to the end of the command. Whichever command worked for you, the result should look like this:


Now that the aireplay is up and running, airodump-ng should start showing more data packets. All of these sniffed packets will be saved in the testiwep-* files that we previously created on the home directory.


Now that the airodump has registered datapackets, and aireplay shows new ARP and ACK requests, it’s time to open a third terminal window.

We will use aircrack-ng. The airodump tool will collect all the packets and save them in the testiwep-* files, aireplay will generate traffic by injecting ARP packets into the network, and aircrack will use the files generated by airodump to break through WEP encryption.

To start the aircrack tool, type in the following command:

aircrack-ng testiwep-0*.cap

The result should look like this, aircrack-ng is working with the sniffed packets to try and crack the WEP key:


The aircrack tool will automatically try to break through the encryption. One of WEP encryption’s biggest weaknesses is that it recycles it’s IV values, and there is a 50% chance of four IV reuses every 5000 packets. This is why we have aireplay up and running, to increase the probability of IV reuse so that aircrack can recognize the packets and exploit this to gain access.


And success! As you can see on the bottom row, the aircrack now shows the password babdebbabdebbabdebbabdeb23 for our wi-fi.

Let’s try to log in to the wi-fi using this key that we found.


We can also see that we are now in the wi-fi network, and can use the internet normally.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s