WEP Cracking with Kali Linux 2018.1 [Tutorial]

Wireless technology has become increasingly popular as it allows you to easily access the Internet from all sorts of locations around the world without requiring a network cable. But a wireless network isn’t always secure if you don’t understand its dangers, and especially if precautions are not taken.

In today’s society, we see a lot more users getting compromised, especially in public Wi-Fi locations. There may be an open wireless network, weak encryption, or just plain trust issues. But before we begin, you’ll probably need some proper equipment to follow the demonstrations.

Also Read: Crack WPA2-PSK with Dictionary | Crack WPA2-PSK with Hashcat | Crack WPA2-PSK with Fluxion

Today we’ll demonstrate the wireless cracking of WEP which is obviously a weak encryption protocol and the time has come to talk about WEP cracking! It is exactly as it sounds – capturing data to recover a WEP key using passive or active methods. With today’s improving hardware and software, WEP encryption can be cracked easily in less than 5 minutes!

WEP encryption should only be used in cases where old hardware is still in use; otherwise you should be using WPA2 encryption. Tools such as Aircrack-ng, AirSnort, Airoway, chopchop and dwepcrack can perform these attacks.

Wired Equivalent Privacy (WEP) encryption is a standard Wi-Fi wireless network security algorithm used to protect personal and business networks. WEP keys are created by the network administrator to allow groups of devices on a local network to securely connect. When each packet is sent from the client to the wireless access point, it is encoded in a sequence of hexadecimal digits. These digits include numbers 0 to 9 and letters A to F.

This is purely for Educational Purposes. We’re not responsible for your actions. Keeping that in mind.

In this article, we’ll go through step by step instructions on how to crack WEP encryption.

Step 1 – The very first step is to check whether your Kali Linux machine has a wireless interface or not by typing “iwconfig“.

If it shows something related to wlan0, then it means you’ve wireless interface, otherwise you need to attach external USB Wi-Fi adapter (TP-LINK or Alfa Card) which supports packet injection capability.

Step 2 – Now you need to start this wireless interface (wlan0) by typing “airmon-ng start wlan0” into monitor mode (wlan0mon).

Monitor mode is a feature that allows your computer to listen to every wireless packet within range of your wireless card. This mode will allow us to inject packets into a wireless network.

Also you can change your mac address (optional) with macchanger tool which is an open source tool and is pre-installed in every Kali Linux machine.

Step 3 – Type the following command which enables monitor mode to search all near-by Wi-Fi devices.

Command: airodump-ng wlan0mon

After hitting, you’ll see the output something similar to below screenshot.

Here you can see that, the ESSID “Chandigarh” has WEP Encryption whose BSSID is “9C:D3:6D:FA:04:66” and is on channel 1.

Step 4 – Let’s capture the packets of Wi-Fi which you want to hack by typing the following command in your terminal.

Command: airodump-ng -c <channel> –bssid <target mac> -w <filename> <interface name>

The following are the components of above command:

-c: This is the channel
-w: This gives write access to a file
–bssid: This is the wireless access point MAC address

then you will see something like this on your screen after you hit the above command.

The first section here shows details about the router . The second section shows details about routers and connected devices to it.

The most important column in above step is to collect the Data Packets (collect at least 15000 packets), this is what helps us in understanding whether we have enough packets to crack the password. The column STATION in second section shows the list of all devices connected to the router. If you don’t have any device connected, it is very difficult to crack.

Though their are devices connected sometimes you wont get data packets quickly. you might have to wait for sometime . but here we will not wait for force to send packets. So you need to send data packets forcefully using fake authentication in same channel number.

Step 5 – Open a new terminal and type the following command to generate more data packets using Fake Authentication.

Command: aireplay-ng -1 0 -a <target mac> <interface name>


-1 means fake authentication (-0 in case if you want to deauthenticate)
0 means re-association timing in seconds
-a means target mac address

You can also use -h option with your fake mac address to get in association with your device.

The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client.

It should also be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.

Step 6 – In next step, you need to boost the data packets with ARP Request Replay Attack by typing the following command in your new terminal.

Command: aireplay-ng -3 -b <target mac> <interface name>


-3 means standard arp request replay,
-b is the target mac address

You can also use (optional) -h with your source mac address.

The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then re-transmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program re-transmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key.

Once this starts , go back to the terminal which captures data packets in step 4 and observe the packets in the Data column, it raises exponentially.

Step 7 – Now it’s time to crack the key by typing “aircrack-ng <filename-01.cap>

Here chetan-01.cap is the filename containing the data.

Here you can see the output, which shows Failed result which means we didn’t get the key because of less packets (as 4796 packets).

Now try to capture more data packets (at least 15000) and then try to repeat the same command which results 100% key (with 17181 packets):

The WEP key is only displayed if 100 percent of the hex key has been converted to ASCII. Once you have received the key, you can try connecting to the wireless network.

And at the end, you need to close all the terminals by pressing CTRL + C key and run the following command to clear out all the stuff.


airmon-ng stop wlan0mon
service networking restart
service network-manager restart


You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts