WEP is the most insecure encryption method today; it's full of holes and crap. If you're still using that shiz, get off it and switch to WPA2 or something. Much more secure.
Anyways, if your neighbor or something is still using WEP, or you're trying to get into a wifi hotspot at an airport and they're using WEP, punish them for their idiocy. >:D
Things you'll need:
Kismet - wireless network detector
airodump - captures packets from wireless router
aireplay - forges ARP requests
aircrack - decrypts the WEP key
1. You'll need a wireless access point with its bssid, essid, and channel number. Open up your terminal and type in kismet. You might need the appropriate adapter which in my case would be ath0. You can find that out by typing iwconfig.
2. Your wireless adapter needs to be put in monitor mode. Kismet automatically does this, so keep it open.
3. In kismet you will see the flags Y/N/0. Each stands for a different type of encryption. You're looking for ones with WEP, so look for ones with Y.
4. Once you find the access point, open a text document, paste in the essid (network broadcast name), bssid (mac address), and channel number. To get the above info, use the arrow keys to select an access point and hit <ENTER> to get more info about it.
5. Start collecting data from the access point with airodump. Open a new terminal and type
airodump-ng -c [channel number] -w [filename] --bssid [bssid] [device]
The information you collected obviously goes within the brackets. Leave out the brackets.
6. Leave the above running and open another terminal. Generate some fake packets to the access point so the data output will increase, allowing you to capture the key. :D
Put in the following:
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e [essid] [device]
7. Now we're forcing the access point to send out a huge number of packets. Check your airodump-ng terminal and monitor the ARP packet count increasing. The command is:
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:55 [device]
8. Once you have collected around 50k-100k packets, you can start trying to crack it.
aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs
-n 128 tells the program the WEP key length. If you don't know it, then leave it out.
THE MORE PACKETS YOU HAVE, THE GREATER CHANCE OF CRACKING. So wait longer if you can.
Good luck! If something doesn't work right, remember: Google's your best friend. There are multiple methods with other programs like Backtrack.
I think one should have very good CPUs (note CPU with 's'), gigabytes of WPA dictionaries and high patience to do this. I am not an expert on this, I just followed procedures found on the internet.