How to Hack Wireless WEP Connections in 10 Minutes or Less
Nowadays, many people tend to use wireless connections since utp cables are sometimes not acceptable. When their routers become access points, too few of them are properly protected. Most of them tend to use WEP as a means to protect their internet connection. Well, this is surely better than leaving the connection without any key, but it’s still not enough. From now on you’re highly adviced to use WPA2 for your internet connection security and you’ll shortly see why 
For starters, for such tasks it’s a whole lot easier to use a linux system. I suspect that most of you have one if you’re looking at that tutorial or at least can easily get to one. We’ll be using aircrack-ng for this task, so go ahead and install it to your system.
At first open a root shell and issue the command:
iwconfig
This will show your your wireless connection adapter name and information. Remember what its name is, most probably it would be something like wlan0 or wifi.
If you need to be totally anonymous while doing this, you can also masquarade your mac number with the command:
macchanger --mac 00:11:22:33:44:66 [wireless interface name]
(don’t forget that you need to install macchanger if you do that, since it’s not an aircrack tool)
The first thing to do is put your wireless card in monitor mode. If you use a packet sniffer on your network, you’ll have probably heard of promiscuous mode. This is the mode in which ethernet cards work when a sniffer is fired. At this mode, when a network card gets associated to a network, the root user can capture every packet from every connection of the network. Monitor mode is something like that, but for wireless networks, with the important difference that one does not need to associate with the access point to monitor the traffic(which is great of course 
).
In order to put our card into that mode and start sniffing around, we need to issue the command :
airmon-ng stop [wireless interface name]
Now our wireless connection gets lost if we are connected to some router and we can now sniff freely. First of all, let’s see what wireless access points are out there.
airodump-ng [wireless interface name]
This command dumps all the wireless access points along with any clients that are probably connected to them. Just pick a wireless access point and see if it uses WEP. If it does, note its BSSID(which is in fact the mac address), its ESSID, which is its appearing name and channel(column CH).
Let me now tell you what the attack will be like. WEP used to be the standard for protecting a wireless network. WEP uses an RC family encryption algorithm, RC4 particularly. However, since RC4 is a stream cipher, statistical analysis is a real threat and it so happens that it’s devastating to WEP. At the process to follow, you will see that IVs are the important information to collect. If you need to know why WEP is not a good idea, read this great analysis at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html and especially the part i paste below :
WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext.
This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.
The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
The initialization vector in WEP is a 24-bit field, which is sent in the cleartext part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. (The amount of time may be even smaller, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)
Ok, since we now know that if we capture enough packets we can crack this, let’s go on and try it. Ok , so now you noticed the BSSID, ESSID and CHANNEL and we can go on and issue the command :
airodump-ng -c [channel] -w [packets.out] --bssid [bssid] [wireless interface name]
After you issue this command, packets.out will be capturing packets from that access point in order to be used for the statistical hack. However, it’s most certain that somebody is not downloading a new movie and so packets around the network will be scarce if any. So, what we need to do is inject our own packets to that connection. At that point, you need to have a network card that can inject packets, just do an “lspci | grep Wireless” and take a look at your model, or just go on and see if it goes on with injecting, if you encounter an error you’ll need to purchase a card that is able to do such a thing.
Mine, whi shows as Network controller: Intel Corporation Wireless WiFi Link 5100 is doing well
Now that you have your sniffer capturing packets, open another root shell and let’s try to cause some traffic. Issue the command :
aireplay-ng -1 0 -a [bssid] -e [essid] [wireless interface name]
This creates the connection to the AP, if it fails on the channel number, try again. When it connects, we now try to inject packets with :
airplay-ng -3 -b [bssid] [wireless interface name]
If things go well, your shell will go crazy with newlines saying that it injects more and more packets. In my case this worked but for some reason, after around 10.000IVs for some reason the connection was hanged and those IVs were not enough. So if this happens at your case, use this command:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] [wireless interface name]
It will ask you if you want to use a certain packet, answer yes and watch it injecting loads of packets.
Now, open a new shell and issue the command :
aircrack-ng -n 128 -b [bssid] [filename]-01.cap
Remember to try both with -n 128 and -n 64 for 64-bit keys. From my experience, you’ll need about 20,000 IVs to hack a wep key. Once you have enough IVs the key will be presented to you. Just remove the “:” characters and you can now use these digits as your wep key
![dynamite[11]](http://www.codercaste.com/wp-content/uploads/2009/10/dynamite11.jpg)
Loading ...
Very interesting article. I am especially interested in Internet/computer related posts as my website is on Internet security and privacy. I actually just went through the process of configuring my wireless router to be WEP encryption today. Before that I believe it was WPA2, but my room mate was having problems logging on. The ISP technician said that WEP tends to work better for older computers, which is what my room mate has. Now that I’ve changed the encryption to WEP he has no problems logging on. I had no problems logging on with WPA2 encryption. You sound like you are very knowledgable about computers and computer programming. I look forward to reading more posts in your blog. Keep up the good work.
Chris H.
Hey Chris,
thank you for the nice words, hope that you find interesting information here and if you feel like having any questions, please don’t hesitate to leave a comment or contact me in person.
WEP is actually a not secure algorithm since it depends on the RC encryption family. I’ve heard of situations where WPA2 wouldn’t just work correctly and have also heard of the opposite. One thing to notice that is sometimes important is using MAC address filtering. If you use that, there is a case that you may be having wifi connection problems as well (for the price of what is not real security since mac filtering can easily be bypassed). Other than that, most problems depend on the actual router and the operating system (make sure that you obtain latest fixes especially if you’re using windows).
Thanx again for the comments, see you around
Have you ever thought about including videos to your web site posts to keep the readers more entertained? What i’m saying is I just went through the whole post of yours and it was very good but because I’m alot more of a visual learner, I found that way to be much more useful. well, let me know what you think.
That is a pretty good idea Hank. Videos are a great way to do, but the drawback is that they require lots of time to be made. Maybe in the future i will give it a try, thanx for bringing it up
I want to know that,what website or application should i ues to hack the wireless key? Where can i download it?
I havent seen any wireless connection that cannot be “hacked”. In 15 years of security, I have yet to see anything completely invulnerable, and today, all you really have to do is download utilities especially made for hacking/cracking etc…not like the good old days when you actually had to code something…sad really…
Hi Spyros
i wanted 2 ask u 4 something
i have access point TP-link 54 MG and its macc address isn’t changable
could u plz tell me how 2 hack the other Wlan using it ??!??
Hello Moussa,
the mac address of the access point does not need to change at any point. You may just want to change the client machine (the attacker) mac address for the sake of total anonymity.
.WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.
The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
Very interesting article. I am especially interested in Internet/computer related posts as my website is on Internet security and privacy. I actually just went through the process of configuring my wireless router to be WEP encryption today. Before that I believe it was WPA2, but my room mate was having problems logging on. The ISP technician said that WEP tends to work better for older computers, which is what my room mate has. Now that I’ve changed the encryption to WEP he has no problems logging on. I had no problems logging on with WPA2 encryption. You sound like you are very knowledgable about computers and computer programming. I look forward to reading more posts in your blog. Keep up the good work.
@dinesh, thank you for the nice comments, you are right on spot. I’m glad you found this interesting to read and also wrote some very nice comments there.
Sorry this does not work. At least I cant make it work.
It does work, i have done it many times. You are most probably doing something wrong.
How can I hack wifi, I don’t have an internet connection to download any programmes is there any codes worth trying?
hi plz tell me how to hack a wep with samsung galaxy y s5360.plz.plz.pllz
hello bro
i am abhijeet i want to ask to you as where i live there comes wifi network (strenth) but i am not able to connect from that have any trick to connect to it .. detail about wifi (unsecure)
why most of this sort of programs are made for Linux, any for windows pls, I am using windows 8
in my college wi fi i cant able to download any video, is there any technique to download video?
@Chandru : Please don’t ask such questions here, they are a bit irrelevant. Instead use http://www.codercaste.com/questions and make your question there with a few more details of the error messages that you get so that we will be able to help
Thanks !
I still can’t hack the wifi plz give few tips more
Sorry this does not work. At least I cant make it work.
I can assure you that it works, i’ve done it multiple times. You’re most probably doing something wrong.
in my college wi fi i cant able to download any video, is there any technique to download video?
I would suggest all of you to A) learn how to Program because it allows for you to get the Gist of command line syntax & Argument passing B) learn how to use the Aircrack-ng suite !! There are about 15 + tools to use and learn from (in the suite)& you are begging for advise; No Hackers can get by without knowledge of Programming & Scripting, and if you happen to get one off by chance.. good for you… you’re still a skript kiddie and no real hacker likes skript kiddies! take your time and learn what it is you’re doing and what is being done in the scripts & why!!
does it work on windows 7 ?? How ?? Steps !! PLEASE
Peace!
Brother in my universit they have set timings for accessing the internet like 9 am to 5:00 pm and we can only access the University website that is on the local network and we cannot connect to the internet. We used to connect hotspot sheild before the university would set the limited access and used to access the internet but then they even turned down the hotspot to get connected. Could you please help us and tell how to connect to internet anytime? any technique software available, we cannot even open proxy tutorial website or any fishy website.
Please Help.
wooow
iam very angrey
this not work!!!!
LOL .. sometimes we can take the silent treatment as our answer.
Some of these guys have study their AZz’s off to learn how to program, just too be able to reverse and hack. It’s difficult for me to understand how some expect jump on their bill-boards and get it handed to you.
It’s like teach a dude to twist a duby and teach him how to get a buzz. But teach him how to plant and grow and he learns how to get a buzz for a life time.
If you ever get someone to do tedeus technical tasks for you … conciser your self lucky or it’s not going to be free. They might have some other idea for compensation … LOL look out.
Sabotauge
In my area the is an unsecured network. When I connect it is fine, there only problem it display the message “NO INTERNET ACCESS”. What can I do to get internet access.
PLEASE HELP.
Hello There. I discovered your blog the use of msn.
That is an extremely neatly written article. I’ll make sure
to bookmark it and return to read extra of your useful information.
Thanks for the post. I’ll certainly comeback.
Its like you read my mind! You appear to know a lot about this, like you wrote the book in it or something.
I think that you could do with some pics to drive the message home a
bit, but instead of that, this is fantastic blog. A fantastic read.
I’ll certainly be back.
Hi there excellent website! Does running a blog like this
require a massive amount work? I have virtually no knowledge of computer programming however
I was hoping to start my own blog in the near future.
Anyways, should you have any ideas or tips for new blog owners please share.
I know this is off subject however I just needed to ask.
Many thanks!
I blog quite often and I genuinely thank you for your
content. This great article has truly peaked my interest.
I’m going to bookmark your site and keep checking for new details about once a week.
I opted in for your Feed too.
I’m really enjoying the design and layout of your website.
It’s a very easy on the eyes which makes it much more enjoyable for me to come here and
visit more often. Did you hire out a developer to create your theme?
Outstanding work!
Spot on with this write-up, I honestly believe
that this amazing site needs far more attention. I’ll probably be returning
to read more, thanks for the info!
whpah this blog is greaat i like reading your articles. Keep upp the great work!
You already know, a lott of persokns aare hunting
around for this info, you can aid them greatly.
Naturally, none of such outdoor activities would be possible in
case you couldn’t stay on course in the first place.
The sailing experience will probably be enjoyable in case you know
a little more about it. You can enjoy the perfect cool breeze and splash some sea water.
Hello! I understand this is kind of off-topic but I needed to ask.
Does operating a well-established website such as yours require a large amount of
work? I am brand new to running a blog but I do write in my diary on a daily basis.
I’d like to start a blog so I will be able to
share my experience and feelings online. Please let
me know if you have any suggestions or tips
for new aspiring blog owners. Thankyou!