How To Crack WEP Wireless Network

Reading Time: 4 minutes

What’s up, everyone! Today, I’ll talk about how to crack a WIFI network. More specifically, we will be focusing on wireless networks using WEP encryption.

After today’s post, you will be able to:

  • Identify WEP wireless networks around you
  • Understand the methodology to crack such networks
  • Be smart enough not to use WEP encryption for your home Wi-Fi 😉

Alright, let’s get started!

What you’ll need

In order to follow along this post, you’ll need to prepare a few things like below:

  • Kali Linux: you can use VirtualBox or VMWare to install it on your laptop/PC
  • A wireless access point: the wireless home router would be sufficient
  • A WiFi adapter: the wireless interface of your laptop or the tiny Wi-Fi dongle won’t cut it. You’ll want one with the ability to switch to monitor mode (I’m using an Alfa model called AWUS036NHA)

Disclaimer: this blog post is for educational purposes only. Do not use what you learn from this to hack into networks that you don’t have permissions to. It’s illegal.

Methodology

We’re ready to discuss the steps that we’re gonna take in order to crack a wireless network that uses WEP encryption. But first, we’re better off understanding a little bit of how wireless networks implement security features.

You may be surprised to know that a wireless access point does act like a hub, which means that apart from having a lower throughput, wireless networks are less secure than wired networks (which would normally involve switches).

That’s why methods to make wireless networks more secure was required. And WEP, which stands for Wired Equivalent Privacy, was one of the first attempts to achieve that.

As you might have guessed, it’s not uncommon for first attempts to have flaws, and so does WEP. I won’t go into details about how WEP works but in short, it is relatively easy to crack with just a few steps below:

  • Capture a significantly big amount of packets going through the network
  • Use the captured packets to decrypt the encryption key

Doesn’t that sound a little bit too simple? Yeah, because it really is that simple!

The first step sometimes does come with a challenge, but we’ll see about that.

So we’re clear about the methodology, let’s break that down into actionable steps.

Step 1: prepare the network

WEP is a relatively old encryption so it’s unlikely that your home network is using it. Hacking your neighbors (consider one of them is using WEP) is obviously off the table so I’ll show you how to create one.

Head over to your default gateway’s IP (your home router’s), which in my case is 192.168.100.1. Log in using the username/password under the router (or you can search Google for the account of a specific model).

Home router setting page

Then, find the setup page for WLAN and create a new wireless network, which you can specify the encryption to WEP without affecting other members of your family.

Create a new WEP Wi-Fi

As you can see, I have created a new wireless network named chun-test, with Authentication Mode set to Open and Encryption Mode set to WEP.

After that, fill in the Encryption Key. If you set the Encryption Key Length to 128 bits, the Encryption Key will have to contain 13 ASCII characters. I chose a pretty strong password: k0skp@n!do2d0. We’ll see whether I can crack it.

Finally, make sure that you can actually connect to that network and have access to the Internet.

Step 2: change wireless adapter mode to Monitor

Alright, first thing first, let’s connect the wireless adapter and change it to monitor mode.

Running the following command to check your adapter’s name and current mode:

iwconfig
iwconfig result

In my case, the wireless adapter’s name is wlan0 and its current mode is Managed. Before attempting to change its mode, we should kill all the network related process. Note that this will also cut the connection of other interfaces (e.g. eth0 etc).

airmon-ng check kill

Next, let’s bring the interface down, change its mode and bring it up again.

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig
change wlan0 mode to Monitor

Now the adapter’s mode is Monitor.

Step 3: capture packets going through the network

Now that we have a legit WEP network to hack and a ready wireless adapter, let’s follow the first step in the methodology above. We will capture as much as we can traffic that going in and out the network.

Think about it like this. Remember multivariable linear equations we learned in Algebra class? Packets that we’ll collect are like equations to find the variables, which are the characters in the encryption key. The more we have, the more likely we can solve the problem.

Let’s start with gathering information about the surrounding wireless networks with airodump-ng wlan0 command:

Surrounding wireless networks information

As you can see, we got back a lot of information regarding the wireless networks around your house. Take note of the BSSID and channel number of your WEP network, we will use the same command to capture all packets going through that network in order to crack its key:

airodump-ng --bssid 2E:AB:00:0F:EA:A9 --channel 10 --write my_wep_network wlan0

Above I use --bssid and --channel flags to specify the BSSID and channel, respectively. As for the --write flag, it’s used to set the output filename where we’ll save all the captured packets.

airodump-ng for a specific network

As you can see in the #Data column, the number of packets is slowly increasing. We need approximately 60k packets to be able to crack the encryption key.

If the target network is busy, we can achieve that in a few minutes. To demonstrate, I’ll connect to that network and play a random video on Youtube. After roughly 2 to 3 minutes, I already captured more than 60k packets.

airodump-ng in a busy network

What if the network is not busy? Do we have to wait for a day or two? No, we won’t. There’s a solution for that.

What we’re gonna do consists of two small steps:

  • Establish an association with the target network
  • Repeatedly send ARP requests to the target network

That way, even though we’re not connected to the network, we can still force it to response to our requests which in turns, generates more packets to for us to capture.

Okay, in order to establish an association with the target network, we will use a command called aireplay-ng with --fake-auth flag to indicate that we’re sending a fake authentication request. We need two more flags: -a for the target MAC address (BSSID) and -h for our adapter’s MAC address.

aireplay-ng --fakeauth 0 -a 2E:AB:00:0F:EA:A9 -h 00:C0:CA:99:06:C4 wlan0
fake authentication request with aireplay-ng

Then again, we will use aireplay-ng with --arprequest to continuously send ARP requests to the target network. Note that in this command, we use -b instead of -a for the target MAC address.

aireplay-ng --arpreplay -b 2E:AB:00:0F:EA:A9 -h 00:C0:CA:99:06:C4 wlan0
ARP request with aireplay-ng

Now, look at the window where airodump-ng is running, you’ll notice that the number at #Data column is increasing significantly fast. Give it a minute or two, it’ll soon reach 60k and be enough for what we need.

airodump-ng after sending a lot of ARP requests with aireplay-ng

Okay, we got enough packets, let’s move on.

Step 4: crack the password of the WEP network

As I mentioned above, the airodump-ng command will dump the result out to store the packets that it captured. In fact, it stores the data in not one but multiple files. We can verify that by ls:

results from airodump-ng

Don’t worry, we only need to worry about the .cap file. The final step is actually easy. We will use the aircrack-ng command to crack the password using the information in the .cap file above:

aircrack-ng my_wep_network-01.cap

And here comes the result:

password cracked by aircrack-ng

As you can see, aircrack-ng was able to hack my WEP wireless network even though it has a pretty strong encryption key. Pretty simple, wasn’t it?

One tip on aircrack-ng is that you can use that command on the fly. What it means is you don’t have to wait until you capture ~60k packets. You can just run the command while airodump-ng is capturing traffic. aircrack-ng will attempt to retry to crack the password every time when 5000 new packets are captured.

Conclusion

In today’s post, we’ve had a look at how to crack a WEP wireless network. That’s a relatively simple encryption method used to secure Wi-Fi, which is why it’s so easy to hack into.

But that also means that wireless networks nowadays are using other encryption method other than WEP, and you should never ever set up your Wi-Fi with WEP.

That’s it for today. Thank you for reading and I will see you next time!

Trung Tran is a software developer + AI engineer. He also works on networking & cybersecurity on the side. He loves blogging about new technologies and all posts are from his own experiences and opinions.

Leave a reply:

Your email address will not be published.