How to Crack Your Own WEP Network to Find Out Just How Insecure It Really Is

James Bruce 19-08-2011

We’re constantly telling you that using WEP to ‘secure’ your wireless network is really a fool’s game, yet people still do it. Today I’d like to show you exactly how insecure WEP really is, by showing you how to crack a WEP-secured network password in less than 5 minutes.


Disclaimer: This is for educational purposes only to show you why you should seriously upgrade your router or change your wireless security. To break into a wireless network that doesn’t belong to you is a criminal offence, and we don’t accept any legal responsibility if you decide to use this tutorial maliciously.


Download & Boot Up Backtrack

Once you’ve got your Backtrack live-CD burned and ready, boot off it. You should get a screen similar to this.


Press enter to start the Backtrack boot menu, and choose the first option.



Eventually, you’ll boot into a command line Linux. Type


to load a graphical interface (not needed really, but makes some of us feel more comfortable).


Once you’ve booted into the graphical interface, open a terminal so we can begin. It’s the >_ icon at the top of the screen. Yes, we’re going to use the command line, but don’t worry, I’ll be here to hold your hand through the whole process.



Check Your Wireless Card

Start by typing


This will list all the network interfaces on your computer. We’re looking for a wlan0, ath0 or wifi0 entry, which means it has found a wireless card.



Next, we’ll attempt to put that card into “monitor mode”. This means that instead of joining a single network and ignoring everything not addressed to itself, the card records every frame we tell it to, literally grabbing everything it can possibly see. Type:

airmon-ng start wlan0

If all goes well, you should see something that says: monitor mode enabled on mon0. This means it’s managed to successfully switch your device into monitor mode.


Now, let’s scan the airwaves to figure out some more information about our wifi networks. Type:

airodump-ng mon0

This command is going to give you a screen full of information about every single wireless network and every client connected to them.


Find your Wifi network in the list, and copy the long hexadecimal number from the column labelled BSSID (this is actually the physical MAC address of the router in question). In this case my network is called wep-network, and I can see from the security column that it’s been secured with WEP. The next step is to focus the wifi card so it listens only to the packets relating to this network, and to lock it to the correct channel (as seen in the CH column). By default it’s hopping across every channel, so you’re only seeing a small percentage of the traffic you want. We can lock it down by first copying the BSSID down, then pressing CTRL-C to end the current command, and typing this:

airodump-ng -c <channel> -w <output filename> --bssid <bssid including :'s> mon0

For example, for the network with BSSID 22:22:22:22:22:22 on channel 11, saving to a file set named “crackme”, I’d type this:

airodump-ng -c 11 -w crackme --bssid 22:22:22:22:22:22 mon0

When you’ve done this, the same display will appear again, but this time it will actually be recording the data packets to a file, and it’ll be locked into your target network (so you won’t see any unrelated clients).


Two things I want you to take notice of here. First is the bottom half of the screen, which shows connected clients: you need at least one client connected to the network for this to work. Second is the column labelled #Data in the top half. This is how many useful data packets we’ve captured so far. With any luck, it should be rising, albeit slowly. I’ll tell you now that we need around 5,000 – 25,000 to be able to crack the password. Don’t worry if it’s rising really slowly though; the next command will forcibly inject a bunch of data packets until we have enough.

Open up a new terminal tab by hitting SHIFT-CTRL-T and enter the following command, replacing where appropriate. The client station address is shown on the airodump tab, in the bottom half where it says STATION. Copy and paste it at the appropriate place into the command:

aireplay-ng --arpreplay -b <bssid> -h <client STATION address> mon0

For example

aireplay-ng --arpreplay -b 22:22:22:22:22:22 -h 33:33:33:33:33:33 mon0

After about a minute or so, you should start to see the number of data packets reported in the airodump window rise dramatically, depending on how good your connection to the network is.


Once the number of packets collected has reached about 5,000, we are ready to start cracking those packets. Open up yet another new console window, and type:

aircrack-ng -z -b <bssid> <output filename from earlier>*.cap

The output filename is the one you specified earlier when we narrowed down the airodump utility to a particular network. In my example, I used the name “crackme”. Don’t forget to add a “*.cap” to the end of your chosen filename. In my case, it would be:

aircrack-ng -z -b 22:22:22:22:22:22 crackme*.cap

If you have enough packets, the screen will tell you the key within a few seconds. If not, it will wait until there are another 5,000 packets to work with, then try again. Now you can go make coffee. In my case, it found the password instantly with 35,000 packets; the entire process took about 3 minutes.


If it gives you a password in hexadecimal form, like 34:f2:a3:d4:e4, then just take the punctuation out and type in the password as a string of numbers and letters, in this case 34f2a3d4e4. That’s it – that’s how easy it is to hack a WEP-secured network.
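As a defender’s check to go with the steps above, here is an added example (not from the original article) that parses the CSV summary airodump-ng writes next to its capture file (crackme-01.csv for the -w crackme run above) and flags any network still on WEP, together with the associated clients and the IV count the article says an attacker needs. The sample CSV and its values are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample in the CSV layout airodump-ng writes beside the .cap file:
# an access-point table, a blank line, then a station (client) table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
22:22:22:22:22:22, 2011-08-19 10:00:00, 2011-08-19 10:05:00, 11, 54, WEP, WEP, OPN, -40, 120, 35000, 0. 0. 0. 0, 11, wep-network,
44:44:44:44:44:44, 2011-08-19 10:00:00, 2011-08-19 10:05:00, 6, 54, WPA2, CCMP, PSK, -60, 80, 0, 0. 0. 0. 0, 7, home-ap,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
33:33:33:33:33:33, 2011-08-19 10:00:00, 2011-08-19 10:05:00, -50, 900, 22:22:22:22:22:22, wep-network
55:55:55:55:55:55, 2011-08-19 10:01:00, 2011-08-19 10:04:00, -70, 12, (not associated), home-ap
"""

@dataclass
class WepFinding:
    bssid: str
    essid: str
    channel: int
    ivs: int                         # "# IV": the #Data counter of the live view
    clients: list = field(default_factory=list)

def parse_airodump_csv(text):
    """Split the CSV into (aps, stations), each a list of dicts keyed by header name."""
    aps, stations, header = [], [], None
    for line in text.splitlines():
        if not line.strip():
            header = None            # a blank line separates the two tables
            continue
        cells = [c.strip() for c in line.split(",")]
        if header is None:
            header = cells           # first line of each table is its header
            continue
        row = dict(zip(header, cells))
        (stations if "Station MAC" in header else aps).append(row)
    return aps, stations

def find_wep_networks(text):
    """Return a WepFinding for every AP whose Privacy column lists WEP."""
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        if "WEP" not in ap["Privacy"].split():
            continue
        f = WepFinding(ap["BSSID"], ap["ESSID"], int(ap["channel"]), int(ap["# IV"]))
        # Associated stations: the article notes at least one must be present.
        f.clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        findings.append(f)
    return findings
```

Running find_wep_networks over your own capture lists every WEP access point that should be moved to WPA2, and the client list shows which devices (a Nintendo DS, say) are keeping it on WEP.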


I hope you agree – friends don’t let friends use WEP! There really is no excuse for using WEP in this day and age, and if your router truly doesn’t support any other form of security then either buy a new one or contact your ISP quickly to give you a free replacement. Aibek actually showed you how to change your wireless security back in 2008 in 7 Simple Tips to Secure Your Router and Wi-Fi Network in Minutes. Unfortunately, Nintendo DS devices will only work with WEP networks, so perhaps it’s about time to switch your portable gaming to the iPhone.

If you’re still not convinced, next time I’ll show you some of the devious things a hacker can do once they’ve obtained access to your network – think along the lines of stealing all your passwords, and seeing everything you browse on the Internet!


  1. akash saha
    May 19, 2015 at 10:07 am

    I like it

  2. Ankur
    August 20, 2011 at 5:55 am

    Useful. Would definitely try this.
    Also I have a laptop with Wifi. I am confused whether it will work, as you mentioned that it should be capable of packet injection. How do I check that?

    • James Bruce
      August 20, 2011 at 1:52 pm

      Difficult to check, just try. Atheros chipsets are the best I believe.

  3. LectricKoolAid
    August 19, 2011 at 10:22 pm

    WPA and WPA2 are not foolproof. These are only effective if you use a SECURE password. Use the FULL amount of alpha/numeric characters that you can (if I'm correct WPA2 allows passwords up to 62 characters). Throw in uppercase and lowercase, special characters (symbols), and DO NOT use real words, as these can be cracked using a brute force dictionary crack. Gigabytes worth of rainbow tables have already been computed and can be downloaded for this. And as for Rpaul9578, if you had actually read the article, this is for testing YOUR OWN NETWORK. If you know and understand what dangers are lurking out there, you might actually be able to thwart them yourself. 

    • James Bruce
      August 20, 2011 at 1:53 pm

      Very good point lectric, in the end it pretty much comes down to password complexity. No amount of technology can fix dumb humans. 

      • Joe
        August 21, 2011 at 5:13 am

        Very valuable information, thanks! Definitively the best way to prevent is by first knowing how it could be hacked! It's obvious what a hacker can do after gaining access, but it would be great to see another article on this, so in case it DOES happen (hopefully not after this article) the victim will know how to spot and correct those areas that are being monitored or what kind of information is missing or exposed. I look forward to it, thanks again!

    • Akash Bartlett
      January 14, 2016 at 11:43 pm

      I must say, the information about having a long password is correct. What you said about uppercase, lowercase, symbols etc. is wrong. An uppercase letter is treated as a different letter. To the eye, a password full of symbols may seem complex, but to computers it might as well be all lowercase letters, it makes no difference. Instead, the length of the password is the determining factor in strength. XKCD has a good comic on this, see below.

  4. Rpaul9578
    August 19, 2011 at 8:36 pm

    Instead of showing people exactly how to do something criminal, how about showing people exactly how to fix it instead? I think this is irresponsible.

    • Bart
      August 19, 2011 at 8:52 pm

      In order to fix something you have to understand how it is made. I'm a carpenter by trade and I had to be taught how to hang a door. This now allows me to fix it correctly when the hinge fails.

      • Aibek
        August 20, 2011 at 10:52 am

        I agree with Bart. In order to be able to secure a wireless connection someone should see and understand how it can be hacked first. That's what this article does.

    • Hunterminator
      August 19, 2011 at 9:25 pm

      Just change the security protocol from WEP to WPA2. All will be well.

    • Jagdish Bhandarkar
      August 20, 2011 at 5:28 am

      To know what is irresponsible, we must first know what is responsibility. So there is nothing wrong in showing what is criminal first and making us responsible for the mistakes we do.
      As a CISSP, I have always advised clients and friends on the shortcomings from our side, and "Ignorance is not always Bliss". All said, there is nothing safe in this world, but we are responsible for our acts till we are on this earth.
      It's a great article by James Bruce and I am sure we can expect another write-up from him regarding the various ways in which we can safeguard ourselves...
      Hope James is hearing... :)

      • James Bruce
        August 20, 2011 at 1:44 pm

        Thanks Jagdish, you and the other commenters have covered what I wanted to say here I think. 

        As for safeguarding ourselves, Hunterminator seems to have the best answer there - just switch to WPA2 with a long password. The article was really meant to just be a push for people who hadn't got around to it yet! 

  5. LectricKoolAid
    August 19, 2011 at 8:29 pm

    Not only should your wireless card be able to support monitor mode, but it should be capable of packet injection, which will speed up the process of capturing data IVs if the wireless AP isn't currently being used by the network. The ALFA AWUS036H IS capable of packet injection. If you use the AWUS036H DO NOT install the drivers that come with the card. Backtrack5 comes with its own drivers that can operate the card STRAIGHT OUT OF THE BOX for these purposes. Also, since the card utilizes an external antenna, you can also look into a cantenna (Google it if you've never heard of it), and then couple that with an old parabolic dish antenna (DishTV, Primestar, etc.); theoretically you can get about 25 dBi of gain from the wireless card that already operates at 1000 mW of power. This should make it so you can test YOUR OWN NETWORK from a considerable distance.

    As for MAC filtering, the bottom half of the Airodump-ng screen shows you stations (which are wireless devices, e.g. printers, laptops, etc.) and the BSSID they are associated with. If this is the BSSID of your network that you are testing, Backtrack5 comes with an application called MAC Changer. Change the MAC address of your wireless card to the same as a device associated with your target AP, and the AP thinks you're just the device that has an association to it. MAC filtering defeated.

    P.S. This is just what I've heard........ 

    • James Bruce
      August 20, 2011 at 1:39 pm

      Thanks Mr Kool Aid, good point indeed that I neglected. I think the best way to find out if it supports injection is just to try it though ;)

  6. Faunce Cynthia Marie Zepeda
    August 19, 2011 at 8:14 pm

    Well, I'm glad no one in my neighborhood is smart enough to hack into things.

    • James Bruce
      August 20, 2011 at 1:39 pm

      Better make sure they can't afford one of these either:

  7. Ruben Dario Hiciano
    August 19, 2011 at 5:46 pm

    There's always MAC filtering, which does not tax data throughput on routers as security standards such as WEP and WPA do.