A Comprehensive Guide to Hacking WEP

Amir Gholizadeh
5 min read · Aug 11, 2021


I know WEP is old and not used much nowadays, but there are still people out there who use WEP! WEP is really easy to crack because of flaws in its design, flaws that were fixed in WPA/WPA2.

The flaw?

So, about the flaw: WEP uses an old stream cipher called RC4. The way WEP uses RC4 is flawed, and that is the reason WEP can be cracked.

The data WEP sends over the air is encrypted with a keystream. That keystream is produced by RC4 from an IV (Initialization Vector), which is generated randomly for each packet, combined with the password of the access point. The data is encrypted with that keystream. The IV itself is sent in plaintext with every packet, and collecting those IVs is what cracking a WEP network is based on: we need a busy network so we can gather a lot of traffic and recover the key.
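To make the flaw concrete, here is an added Python example (not from the original post) that models WEP's per-packet RC4 keystream, RC4(IV || key), and shows what a defender should take from it: the IV is only 24 bits and travels in the clear, so IVs repeat quickly on a busy network, and two frames sharing an IV leak the XOR of their plaintexts without any knowledge of the key. The key and frames are constructed for the demo; the code does not recover keys.

```python
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR (data || CRC-32 ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the CRC-32 integrity value does not match."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return data


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """If two frames carry the same (plaintext) IV, XORing their ciphertexts cancels
    the shared keystream and yields p1 XOR p2, with no key involved at all."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    n, space = packets, 2 ** iv_bits
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))
```

With a 24-bit IV, `iv_collision_probability(5000)` is already above one half, which is why the post's "busy network" is all an attacker needs.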

Let's put it into practice now.

Hacking WEP

I hope you are familiar with aircrack-ng suite!

Let's assume we have a busy network with a lot of traffic we can capture. To check which access points are available and which encryption they use, we run airodump-ng, which requires our adapter to be in monitor mode.

Note: not all wireless adapters support monitor mode, so make sure that your adapter supports it or buy a new one.

Changing adapter mode

To enable monitor mode manually:

ifconfig interface-name down
iwconfig interface-name mode monitor
ifconfig interface-name up

To reverse it:

ifconfig interface-name down
iwconfig interface-name mode managed
ifconfig interface-name up

Or using airmon-ng:

airmon-ng check kill
airmon-ng start interface-name

To reverse it:

airmon-ng stop interfacemon
sudo systemctl restart NetworkManager

Note that I added mon after the interface name because airmon-ng creates a new interface with that naming convention: if the adapter is wlan0, it will be wlan0mon.

Checking for networks

Now, to check for networks around us, we use airodump-ng:

We will get a screen like the following:

Some columns you need to know the meaning of:

  • BSSID is the MAC address of the router.
  • data counts the data packets captured from that network.
  • ch is the channel the router operates on.
  • enc is the encryption used: WPA, WPA2 or WEP. In this case my AP uses WPA2, but I will still show you how to crack WEP.
  • ESSID is the name of the access point.
  • Under STATION is the MAC address of a client connected to the corresponding BSSID.

capturing packets

Now that we know the BSSID of the target AP, we can tell airodump-ng to only show information about that AP. For this we need its channel (ch) and its BSSID, and then we use the following command to target it:

We will get a screen similar to the previous one, except that it now only shows this specific AP.

In order to capture the packets we need to pass yet another option to this command which is --write to save the packets in a file:

This will create several files:

The one we are interested in is the one that ends in .cap.
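From the defender's side, the same capture is an inventory: here is an added Python example (not from the post) that reads the .csv file airodump-ng writes next to the .cap and flags the two things this post shows are not safe, WEP encryption and a hidden ESSID. The sample rows are constructed; their layout follows the column header airodump-ng prints in its CSV, which is an assumption about the format, and the MACs and names are made up.

```python
import csv
import io

# Constructed sample in the shape of airodump-ng's .csv output: an access-point
# table, a blank line, then a station table. Values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2021-08-11 10:00:00, 2021-08-11 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  3000,   0.  0.  0.  0,   6, OldCam, 
AA:BB:CC:00:00:02, 2021-08-11 10:00:00, 2021-08-11 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   90,     0,   0.  0.  0.  0,   4, Home, 
AA:BB:CC:00:00:03, 2021-08-11 10:00:00, 2021-08-11 10:05:00,  1,  54, WEP , WEP, SKA, -70,   30,    12,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DD:EE:FF:00:00:09, 2021-08-11 10:01:00, 2021-08-11 10:04:00, -60,  400, AA:BB:CC:00:00:01,
"""


def parse_access_points(text: str) -> list:
    """Return the access-point rows as dicts keyed by the header names."""
    ap_section = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        rows.append({h: v.strip() for h, v in zip(header, row)})
    return rows


def audit(text: str) -> list:
    """Flag WEP networks (crackable from captured IVs, see the # IV column)
    and hidden ESSIDs (hiding is not a protection: the name is revealed as
    soon as a client reconnects)."""
    findings = []
    for ap in parse_access_points(text):
        reasons = []
        if "WEP" in ap["Privacy"]:
            reasons.append(f"WEP in use ({ap['# IV']} IVs already captured)")
        if not ap["ESSID"]:
            reasons.append("hidden ESSID (not a protection)")
        if reasons:
            findings.append({"bssid": ap["BSSID"], "channel": ap["channel"],
                             "essid": ap["ESSID"] or "<hidden>", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f["bssid"], "ch", f["channel"], f["essid"], "->", "; ".join(f["reasons"]))
```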

hacking our way in

We pass test-01.cap to aircrack-ng, and it will crack it and give us the password. As easy as that!

How to secure yourself?

That's precisely why WPA/WPA2 were created. Seriously, just get a new router that supports WPA/WPA2 and there, you are protected (maybe :)).

Bonus

You may face some difficulties, which I'm going to cover in this section.

discovering hidden networks

Some APs hide their ESSID, and that is really easy to bypass. All we need to do is run airodump-ng against that particular AP and then either wait, or use aireplay-ng in deauth mode to disconnect one of the clients and wait for it to reconnect; the ESSID is sent over the air in the packets during reconnection, so airodump-ng captures it and shows it on screen. You already know how to run airodump-ng against a specific network, so let me show you how to disconnect one of the clients and get the ESSID. The command is as follows:

We use --deauth to disconnect a client with aireplay-ng. After that option we pass a number, which is how many packets we want to send to the router so that it disconnects the client; here it is 4, to make sure the client really disconnects. -a specifies the AP's BSSID and -c the client's MAC address. And that's it! The hidden network's ESSID will appear on the airodump-ng screen.

generating packets

Another difficulty you may face is a network that is not busy, so you can't capture many packets. In that case, use airodump-ng as before to capture the packets, and then use aireplay-ng to retransmit ARP packets. The command is as follows:

Almost the same as before, except we pass --arpreplay, then -b for the AP's BSSID and -h for the source MAC address of the client we want to retransmit ARP packets as. Note that the source MAC address must belong to a client connected to the network; if there is none, we first have to associate with the network using aireplay-ng --fakeauth.

And that's it! Happy hacking and securing your stuff! I'm always up for feedback. Thanks for reading, and I wish you a great journey ahead.
