How To Crack A Wi-Fi Network’s WEP Password

How To Crack A Wi-Fi Network’s WEP Password

You already know that if you want to lock down your Wi-Fi network, you should opt for WPA encryption because WEP is easy to crack. But did you know how easy? Take a look.

Today we’re going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: Knowledge is power, but power doesn’t mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn’t make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise.

Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously—Google it. This ain’t what you’d call “news”. But what is surprising is that someone like me, with minimal networking experience, can get this done with free software and a cheap Wi-Fi adaptor. Here’s how it goes.

What You’ll Need

Unless you’re a computer security and networking ninja, chances are you don’t have all the tools on hand to get this job done. Here’s what you’ll need:

  • A compatible wireless adaptor—This is the biggest requirement. You’ll need a wireless adaptor that’s capable of packet injection, and chances are the one in your computer is not. After consulting with my friendly neighbourhood security expert, I purchased an Alfa AWUS050NH USB adaptor, pictured here, and it set me back about $US50 on Amazon. The guy in this video below is using a $US12 model he bought on Ebay (and is even selling his router of choice). You won’t go wrong with the Alfa, but do your research. There are plenty of resources on getting aircrack-compatible adapters out there.
  • A BackTrack 3 Live CD. We already took you on a full screenshot tour of how to install and use BackTrack 3, the Linux Live CD that lets you do all sorts of security testing and tasks. Download yourself a copy of the CD and burn it, or load it up in VMware to get started. (I tried the BackTrack 4 pre-release, and it didn’t work as well as BT3. Do yourself a favour and stick with BackTrack 3 for now.)
  • A nearby WEP-enabled Wi-Fi network. The signal should be strong and ideally people are using it, connecting and disconnecting their devices from it. The more use it gets while you collect the data you need to run your crack, the better your chances of success.
  • Patience with the command line. This is an ten-step process that requires typing in long, arcane commands and waiting around for your Wi-Fi card to collect data in order to crack the password. Like the doctor said to the short person, be a little patient.

Crack that WEP

To crack WEP, you’ll need to launch Konsole, BackTrack’s built-in command line. It’s right there on the taskbar in the lower left corner, second button to the right. Now, the commands.

First run the following to get a list of your network interfaces:


The only one I’ve got there is labelled ra0. Yours may be different; take note of the label and write it down. From here on in, substitute it in everywhere a command includes (interface).

Now, run the following four commands. See the output that I got for them in the screenshot below.

airmon-ng stop (interface)
ifconfig (interface) down
macchanger –mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

If you don’t get the same results from these commands as pictured here, most likely your network adaptor won’t work with this particular crack. If you do, you’ve successfully “faked” a new MAC address on your network interface, 00:11:22:33:44:55.

Now it’s time to pick your network. Run:

airodump-ng (interface)

To see a list of wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the column labelled CH), as pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC) column, not WPA or anything else.

Like I said, hit Ctrl+C to stop this listing. (I had to do this once or twice to find the network I was looking for.) Once you’ve got it, highlight the BSSID and copy it to your clipboard for reuse in the upcoming commands.

Now we’re going to watch what’s going on with that network you chose and capture that information to a file. Run:

airodump-ng -c (channel) -w (file name) –bssid (bssid) (interface)

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

Here the ESSID is the access point’s SSID name, which in my case is yoyo. What you want to get after this command is the reassuring “Association successful” message with that smiley face.

You’re almost there. Now it’s time for:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

Here we’re creating router traffic to capture more throughput faster to speed up our crack. After a few minutes, that front window will start going crazy with read/write packets. (Also, I was unable to surf the web with the yoyo network on a separate computer while this was going on.) Here’s the part where you might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to run your crack. Watch the number in the “#Data” column—you want it to go above 10,000. (Pictured below it’s only at 854.)

Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo AP was in the same room as my adaptor), this process could take some time. Wait until that #Data goes over 10k, though—because the crack won’t work if it doesn’t. In fact, you may need more than 10k, though that seems to be a working threshold for many.

Once you’ve collected enough data, it’s the moment of truth. Launch a third Konsole window and run the following to crack that data you’ve collected:

aircrack-ng -b (bssid) (file name-01.cap)

Here the filename should be whatever you entered above for (file name). You can browse to your Home directory to see it; it’s the one with .cap as the extension.

If you didn’t get enough data, aircrack will fail and tell you to try again with more. If it succeeds, it will look like this:

The WEP key appears next to “KEY FOUND.” Drop the colons and enter it to log onto the network.

Problems Along the Way

With this article I set out to prove that cracking WEP is a relatively “easy” process for someone determined and willing to get the hardware and software going. I still think that’s true, but unlike the guy in the video below, I had several difficulties along the way. In fact, you’ll notice that the last screenshot up there doesn’t look like the others—it’s because it’s not mine. Even though the AP which I was cracking was my own and in the same room as my Alfa, the power reading on the signal was always around -30, and so the data collection was very slow, and BackTrack would consistently crash before it was complete. After about half a dozen attempts (and trying BackTrack on both my Mac and PC, as a live CD and a virtual machine), I still haven’t captured enough data for aircrack to decrypt the key.

So while this process is easy in theory, your mileage may vary depending on your hardware, proximity to the AP point, and the way the planets are aligned. Oh yeah, and if you’re on deadline—Murphy’s Law almost guarantees it won’t work if you’re on deadline.

To see the video version of these exact instructions, check out this dude’s YouTube video.

Got any experience with the WEP cracking courtesy of BackTrack? What do you have to say about it? Give it up in the comments.

Gina Trapani, Lifehacker’s founding editor, is tired of typing commands that start with “air”. Her feature Smarterware appears every week on Lifehacker.


  • I’d never realised these things could be cracked with that kind of $$ outlay! I think I’ve got WEP 2 (or maybe WPA 2, I’m not confident), anyone know if this would this offer much more protection?

    • WEP is flawed because of the way it handles its IV’s (Initialisation Vectors)

      WPA1 and WPA2 also include what is called the MIC(Message Integrity Check) which prevents packet replay (the reason so many packets can be actively injected..)

      WPA2 (with AES) has no published flaws as of yet..

      WPA1 however has a really small replay flaw that takes advantage of the WMM Services..

      Otherwise, the brief: You are fine, for now, but nothing is 100%.

    • Yes, all the WPA variants are much much more secure than WEP. Following the steps given in the article with a good connection to the AP will yield the WEP key in a few minutes.

      Some of the weaker WPA variants (ie. TKIP/RC4) are vulnerable to an attack where short packets (none that contain sensitive information) can be decrypted and injected a few times. The stronger variants (CCMP/AES) are really only vulnerable to guessing the key.

      I think the TKIP/RC4 variant is marketed as “WPA” and the CCMP/AES variant is marketed as “WPA2”, but I could be off on those. AFAIK, there is no such thing as “WEP2”.

  • Hey, very interesting read, a friend of mine leaves his wi-fi unsecured and instead locks it down to mac addresses, how secure is this compared to the WEP/WPA security?

  • @Luke – Since the communication is unencrypted, his mac-address will be rather simple to intercept. And thus by spoofing his address, anyone can easily use his connection. (To connect to the web, as well to his computer…)

  • Great tutorial =) You did a very good job of going through step by step what to do.

    One thing I did notice was you seemed to have a wrong impression about wireless signal power. A wireless signal’s strength is measured in decibels(dB) and ranges from -100(no signal) to 0(impossibly full signal). So your signal of -30dB is actually very good and makes sense since your in the same room as the router.

    Why your #data rate was low is beyond me though.

  • just a note to the writer -> your result of -32 for your signal strength is actually ridiculously high. the scale you’re seeing doesn’t go from 0 to negative 100, with a larger negative value being better… imagine it more like 10^(signal strength), so 10^-50 is a lot smaller value than 10^-30. with my router in the same room, i get about -45… neighbors give me -50 through walls, which makes me wonder what they have… and signal strengths down to -75 are still strong enough for me to crack.

    great article! i do this every few months to keep in practice and usually i have to hope i’ve saved a text file with instructions, or i have to teach myself again. now i have this page all nice and bookmarked.

  • Whoa, this thing really works! but anyway i tried to hack into a wep encryted network with wesside but it doesnt work out well. I’m so happy that my atheros AR9285 works well with this one. anyone know how to hack into a WPA/WPA2 without using some kind of wordlist? I still can’t figured it out.

  • Pragyaa, WPA/WPA2 cracks must be down with a wordlist, you are essentially brute forcing your way into the network after aquiring the handshake. Everything after that is luck (and a solid wordlist).
    In conclusion, WPA is only as strong as its password, and you are only as strong as your wordlist when cracking.

    And dont worry Mike, the amount of people who ‘encrypt’ their network with a crappy password like “password1234” is bewildering…

  • Hello guys. I should start with Thanks, because the article was really helpful.
    But i’m rather stuck. I get the message:
    Waiting for beacon frame (BSSID: ??:??:??:??:??:??) on channel -1
    mon0 is on channel -1, but the AP uses channel 11
    so if anyone can tell me how to set the “mon0” to the specific channel, i’d be very thankful.

    Thanks in advance : ))

Show more comments

Log in to comment on this story!