WEP

Manual WEP Cracking

First understand the goal: we are exploiting a mathematical weakness of WEP (a static key combined with a 24-bit Initialization Vector) by capturing and re-injecting packets to force the Access Point (AP) to generate a high volume of Initialization Vectors (IVs). Once enough IVs have been captured, the key can be recovered statistically.

Phase 1: Environment Setup

  1. Put wlan2 into Monitor Mode:

airmon-ng start wlan6

Note: This usually creates an interface named wlan6mon.


Phase 2: The Attack Walkthrough (Multi-Tab)

Tab A: Targeted Capture

First, list the networks currently in range.

This tab stays open to collect the "votes" (IVs) needed to crack the key.

  • Monitor: Watch the #Data column. You need this number to climb quickly.

Tab B: Fake Authentication (essential if no clients are actively connected to the AP)

We use wlan6mon to "introduce" ourselves to the AP. Without this, the AP will ignore our injected traffic.

Command Breakdown

  • aireplay-ng: The core tool used for 802.11 packet injection and generation.

  • -1 6000: Specifies Fake Authentication mode. The 6000 tells the tool to re-authenticate every 6,000 seconds to keep the association alive.

  • -o 1: Sends only one set of authentication/association packets at a time (standard for most APs).

  • -q 10: Sends "keep-alive" packets every 10 seconds to ensure the AP doesn't drop your connection due to inactivity.

  • -e SweetB-WEP: The ESSID (name) of the target network.

  • -a 02:00:00:00:00:00: The BSSID (MAC address) of the target Access Point.

  • -h 02:00:00:00:06:00: Your Source MAC address. This is the MAC of the interface you are using to attack (e.g., wlan2mon).

  • wlan2mon: The specific wireless interface you are using in monitor mode.

  • Success: Look for Association successful :-) (AID: 1).

The same command with fewer parameters:

Tab C: ARP Replay Attack

This is the engine of the attack. It listens for an ARP request on the network and re-injects it roughly 500 times per second; every reply the AP encrypts carries a fresh IV, which is what drives the #Data count up.

Command Breakdown

  • aireplay-ng: The tool used for 802.11 packet injection.

  • -3: Specifies the ARP Request Replay attack mode.

  • -b 02:00:00:00:00:00: Sets the BSSID (MAC address) of the target Access Point.

  • -h 02:00:00:00:01:00: Sets the Source MAC address (usually your own interface's MAC or a successfully associated client).

  • wlan6mon: The specific wireless interface you are using in monitor mode.

  • Troubleshooting: If the #Data count isn't rising, go to another tab and run ping 192.168.8.5 to generate the initial ARP packets the attack needs.

Or use the following:

Tab D: Cracking the Key

You can run this while the other tabs are still working. It will update as more IVs are captured.


Expected Results

  • IV Count: The cracking attempt restarts after every 5,000 newly captured IVs until the key is found.

  • Key Found: When successful, you will see KEY FOUND! [ EA:BC:DE:F1:23 ] (example key).

  • Decryption: It should report Decrypted correctly: 100%.
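A defender-side check for the replay pattern described in Tab C, written as an added example (it is not from the original page or from the aircrack-ng project): a legitimate WEP client never re-sends the same IV hundreds of times a second, so a wireless IDS can flag a source MAC that does. The frame records, the second client MAC and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One captured 802.11 data frame (fields a WIDS would already parse)."""
    ts: float      # capture timestamp in seconds
    bssid: str     # AP the frame was sent to
    src: str       # transmitter MAC
    iv: int        # 24-bit WEP IV from the frame header
    length: int    # frame length in bytes


def detect_replay(frames, rate_threshold=100, window=1.0):
    """Flag sources that re-send the same (IV, length) frame to one BSSID more
    than rate_threshold times inside any window of `window` seconds. The ARP
    replay attack re-injects one captured frame hundreds of times per second.
    Returns {(bssid, src): peak identical frames seen in one window}."""
    buckets = defaultdict(list)
    for f in frames:
        buckets[(f.bssid, f.src, f.iv, f.length)].append(f.ts)
    alerts = {}
    for (bssid, src, _iv, _length), stamps in buckets.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over timestamps
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > rate_threshold:
            alerts[(bssid, src)] = max(alerts.get((bssid, src), 0), peak)
    return alerts


def sample_frames():
    """Constructed sample capture (not real traffic): one normal client sending
    fresh IVs at 10 frames/s, then one source replaying a single 68-byte frame
    300 times in 0.6 s. MACs are placeholders matching the page's walkthrough."""
    ap = "02:00:00:00:00:00"
    normal = [Frame(i * 0.1, ap, "02:00:00:00:02:00", 0x100000 + i, 98 + i % 5)
              for i in range(50)]
    replay = [Frame(10.0 + i * 0.002, ap, "02:00:00:00:01:00", 0x0A0B0C, 68)
              for i in range(300)]
    return normal + replay


if __name__ == "__main__":
    for (bssid, src), rate in detect_replay(sample_frames()).items():
        print(f"replay suspected: {src} -> {bssid}, {rate} identical frames/s")
```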

Automated WEP cracking with besside-ng

1. besside-ng (Automated WEP/WPA Attack Tool)

  • A tool that automatically captures handshakes for WPA/WPA2 networks and cracks WEP encryption.

2. -c 3 (Target Channel 3)

  • This forces besside-ng to scan and attack only Wi-Fi networks on channel 3.

  • Useful for faster attack execution instead of scanning all channels.

3. -b F0:9F:C2:71:22:11 (Target Specific BSSID)

  • F0:9F:C2:71:22:11 is the BSSID (the MAC address of the target router/AP).

  • Ensures besside-ng attacks only this specific access point rather than scanning for all available networks.

4. wlan2 (Wireless Interface)

  • Specifies that wlan2 is the wireless adapter being used.

5. -v (Verbose Mode)

  • Enables detailed output for better tracking of the attack progress.

Connecting to the cracked WEP Wi-Fi Network

Once we have the password, we can connect to the WEP network:

Create a configuration file to connect to the WEP network.

The content should look like this.

Now we can connect to the WEP network with our configuration file.

We should try to retrieve an IP address from the DHCP server.
