Basic WiFi Hacking – Cracking WEP Security

The WEP WiFi hack is the oldest one around. Increasingly, it’s less and less likely to be an option in your security audits and penetration tests. This is because most people now use more robust encryption methods like WPA2 and WiFi routers come with WPA/WPA2 enabled as default.

However, some IoT (Internet of Things) devices that need the Internet, or simply a WiFi network, to work, like wireless security cameras, wireless printers, ‘smart’ thermostats, and even ‘smart’ refrigerators, still use WEP security.

Numerous security holes exist in WEP, which is why you’re less likely to encounter it on an engagement. WEP, or Wired Equivalent Privacy, was the first serious attempt to secure wireless networks.

WEP sought to give users the same amount of protection and confidentiality as wired networks provided. We can easily perform WEP-based WiFi hacks on those access points still dumb enough to use it. By exploiting a flaw in the way WEP uses the RC4 stream cipher, we can recover the key from traffic we collect from the access point over time.

We’ll need to capture a ton of packets (tens of thousands). The more packets we capture from the wireless access point, the more likely we are to have enough data to perform statistical cryptanalysis and recover the key. (But don’t worry, we’re going to drastically speed up the time it takes to collect enough packets.)
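To make the cipher flaw concrete, here is an added example (not code from the original post) that models WEP’s per-packet keying in plain Python: RC4 is keyed with a 3-byte IV, sent in the clear, prepended to the shared key. Because the IV is only 24 bits, it repeats after a few thousand frames, and any two frames that share an IV were encrypted with the identical keystream, so XORing their ciphertexts cancels the keystream and leaks the XOR of the two plaintexts. That is the property that statistical attacks on WEP build on, and it is why the advice at the end of this post is to retire WEP rather than tune it. The key, IV and plaintexts are constructed values; the CRC-32 ICV mirrors WEP’s framing and is included only for realism.

```python
import zlib
from math import exp

# Constructed example (not from the original post): a minimal model of WEP's
# per-packet RC4 keying, used only to show why the design leaks information.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: body = plaintext || CRC-32 ICV, encrypted with
    RC4(IV || shared_key). Returns the 3-byte IV in the clear followed by the
    ciphertext, which is exactly what WEP puts on the air."""
    assert len(iv) == 3 and len(shared_key) in (5, 13), "40- or 104-bit key, 24-bit IV"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    keystream = rc4_keystream(iv + shared_key, len(body))
    return iv + xor_bytes(body, keystream)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """If two frames carry the same IV they were encrypted under the same RC4
    keystream, so ciphertext_a XOR ciphertext_b == plaintext_a XOR plaintext_b.
    Returns that XOR (the leaked relation), or None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate of the chance that at least one IV repeats after
    `packets` frames, assuming IVs are drawn uniformly at random. Real WEP cards
    often used simple counters, which repeat even sooner after a reset."""
    space = 2 ** iv_bits
    return 1.0 - exp(-packets * (packets - 1) / (2.0 * space))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"           # constructed IV reused by two frames
    frame_a = wep_encrypt(key, iv, b"GET / HTTP/1.0  ")
    frame_b = wep_encrypt(key, iv, b"PUT /x HTTP/1.0 ")
    print("leaked plaintext XOR:", keystream_reuse_leak(frame_a, frame_b).hex())
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The birthday estimate is the point to remember: with a 24-bit IV the odds of a repeat pass 50% after roughly five thousand frames, which a busy access point produces in minutes, so the shared key is exposed to keystream reuse no matter how long or random it is.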

If you haven’t read my original post on the basics of a WiFi hack, you really should, because it gives you a general understanding of WiFi security. There are, of course, videos and hacking tutorials on more advanced wireless attacks. But stay here for right now, because as long as you’ve already read the overview, you can move straight on.

The easiest WiFi hack – Cracking WEP Wireless Encryption

Let’s get started. Boot into your BackTrack or Kali Linux live CD. Make sure you are connected to the Internet, then run updates:

apt-get update

Then run:

apt-get upgrade

Connect your wireless network adapter. We need to discover the name BackTrack (or Kali) has assigned to the adapter. Run the following command and hit Enter:

Before we can do this WiFi hack, we need to enable packet injection on our wireless adapter.

Now run:

airodump-ng mon0

Airodump will literally dump the WiFi networks it detects in the air, as seen below:

As we can see above, only one network that airodump picks up uses WEP encryption, so we will focus our WiFi hack on this particular network. Once we make note of the BSSID and CH (channel) fields, we are almost ready to perform our WiFi hack. We’ll run airodump again, but instead of a broad sweep of the WiFi spectrum, we will focus only on the access point we picked out above.
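Reading the Privacy column by eye works for one screen of results, but on an audit of a whole site you want the same check done over the file airodump writes. Here is an added example (my code, not part of the original post or of the aircrack-ng project) that parses the CSV airodump-ng saves alongside the capture (`<prefix>-01.csv` when you use `-w <prefix>`) and lists every access point still advertising WEP, so the owner can track down and retire those devices. The sample CSV is constructed to match the column layout I know airodump-ng to write (an access-point table, a blank line, then a station table); check the header names against your version before relying on the column lookups.

```python
import csv
import io

# Constructed sample (not from the original post) in the layout airodump-ng
# writes to <prefix>-01.csv. Column names follow airodump-ng's CSV header as
# I know it; verify them against the file your version produces.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    3, 0.0.0.0,  9, HomeNet-5, 
66:77:88:99:AA:BB, 2024-01-01 10:00:01, 2024-01-01 10:05:00, 11,  11, WEP , WEP, , -55,   98,   17, 0.0.0.0,  6, OldCam, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:02, 2024-01-01 10:05:00,  1,  54, OPN, , , -70,   40,    0, 0.0.0.0, 10, CoffeeShop, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -60, 12, 66:77:88:99:AA:BB, OldCam
"""


def parse_access_points(csv_text: str) -> list[dict]:
    """Return one dict per row of the access-point table, i.e. everything before
    the blank line that separates it from the station table. Real files use
    CRLF line endings and may start with an empty line, so normalise first."""
    text = csv_text.replace("\r\n", "\n").strip()
    ap_block = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_block), skipinitialspace=True)
    rows = [[cell.strip() for cell in row] for row in reader if row]
    header, body = rows[0], rows[1:]
    # Skip short rows so a truncated last line (capture still running) cannot
    # shift columns and mislabel a network.
    return [dict(zip(header, row)) for row in body if len(row) >= len(header)]


def find_wep_networks(csv_text: str) -> list[dict]:
    """Flag every access point whose Privacy column reports WEP. airodump-ng
    prints 'WEP?' before it has identified the cipher, so match the prefix."""
    hits = []
    for ap in parse_access_points(csv_text):
        if ap.get("Privacy", "").upper().startswith("WEP"):
            hits.append({
                "bssid": ap["BSSID"],
                "channel": int(ap["channel"]),
                "essid": ap["ESSID"],
                "ivs": int(ap["# IV"]),  # the 'Data' column of the live display
            })
    # Most-active WEP networks first: these leak keystream fastest.
    return sorted(hits, key=lambda h: h["ivs"], reverse=True)


if __name__ == "__main__":
    for hit in find_wep_networks(SAMPLE_CSV):
        print(f"WEP still in use: {hit['essid']!r} {hit['bssid']} ch{hit['channel']} "
              f"({hit['ivs']} data frames seen)")
```

To run it against a real capture, read the `-01.csv` file into a string and pass it to `find_wep_networks`; the output is a ready-made list of devices to replace or move onto a WPA2 network.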

Our command syntax is:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

We just need to plug in the channel, BSSID, our packet-injecting interface, and supply a file name to save the packets to. To see the file (because you will need it soon), browse your Home directory and it should be there.

Hit Enter and let the packet capturing begin.

Now, we could simply wait to capture enough packets, but remember we need tens of thousands, and that could take way too long to reasonably wait. Wireless security consultants don’t have to wait around. If time is short for a WiFi hack, you can use the aireplay tool to inject packets at the access point. These packets trick the access point into tossing out even more of its own packets. This can happen very fast!

(This particular WiFi hack may only take a matter of seconds, depending on the number of packets you capture and how close you are to the access point.)

Open a new terminal window.

Remember to plug in your target’s BSSID and ESSID into the correct fields, and be sure to specify the name of your monitoring interface. It’s usually mon0, but yours may be different, so check. Also, you need to specify your spoofed MAC address after the -h switch.

aireplay-ng -1 0 -a (bssid) -h (your spoofed MAC address) -e (essid) (interface)


You should get an Association successful message. Now you can begin flooding the access point in order to capture more packets. Plug in the target’s BSSID, your spoofed MAC address, and your interface again. Hit Enter.

aireplay-ng -3 -b (bssid) -h (your spoofed MAC address) (interface)

Plan on hanging around until enough packets are harvested to run your WiFi hack.

Go back to your second airodump window, where you are capturing packets to file. Keep an eye on the number in the Data column. It needs to be between 10,000 and 20,000. When you’ve captured 10,000 to 20,000, you can hit Control-C to stop the capture.

Now you can attempt the actual WiFi hack by running the aircrack tool. Plug in the target’s BSSID and the name of the capture file you started with the airodump command. (The capture file should be located in your Home directory.)

aircrack-ng -b (bssid) (yourcapturefilename)


If you captured enough packets, the WEP key will appear next to the triumphant message Key Found. Use that key without the colons to log into the target’s wireless network.

Read up on Aircrack’s website. You can do much more than crack WEP (as we’ll see later), and any security consultant worth their salt should be familiar with the ins and outs of aircrack. Congratulations on your first successful WiFi hack! Keep going!