WEP (Wired Equivalent Privacy) is the weakest, and now outdated, encryption mechanism used by routers (access points) to encrypt data packets passing through the router.

As we studied earlier, WEP uses 64-bit and 128-bit encryption as a standard, but security researchers discovered many flaws in WEP's encryption mechanism, like static key generation and the fast re-keying method. Many vulnerabilities were discovered and many attacks were designed accordingly, such as:

  • Korek’s Chop-Chop attack, by Korek
  • Caffe Latte attack, by Vivek Ramachandran
  • Fragmentation attack
  • Hirte attack, an extension to the Caffe Latte attack


WEP has been broken in so many different ways that, regardless of the encryption size (64-bit, 128-bit or 152-bit) or the complexity and length of your key, the password for a WEP-encrypted AP will be broken. All it takes is a significant number of IVs (Initialization Vectors), or in simple terms data packets, which are used to decrypt the captured traffic and recover the key.
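Why key size does not help, as an added illustration (not code from the original article): in WEP the per-packet RC4 key is a 24-bit IV, sent in clear, prepended to the static shared key, so a 64-bit key is really 40 secret bits and a 128-bit key 104. The sketch below omits the ICV and uses constructed keys, IV and frames; it shows that two frames sharing an IV leak the XOR of their plaintexts under either key size, and estimates how quickly randomly chosen 24-bit IVs repeat.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP payload encryption (ICV omitted): RC4 key is IV || shared key."""
    return xor(plaintext, rc4(iv + key, len(plaintext)))

def frames_for_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: random IVs needed before a repeat occurs with probability prob."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    iv = b"\x01\x02\x03"                       # constructed 24-bit IV, sent in clear
    p1, p2 = b"constructed frame A", b"constructed frame B"
    for key in (b"12345", b"0123456789abc"):   # constructed 40-bit and 104-bit keys
        c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
        # Same IV => same keystream, so the key cancels out of c1 XOR c2.
        print(len(key) * 8, "bit key:", xor(c1, c2) == xor(p1, p2))
    print("frames for a 50% IV repeat:", frames_for_collision())
```

The fix is not a longer WEP key but moving the AP to WPA2, since the IV space stays 24 bits whatever the key length.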

WEP is outdated now, and we have better fixes for it: WPA2 and WPS-enabled routers, which so far are unbroken in terms of encryption mechanism. Keys can still be recovered in the case of WPA2 and WPS, though; we will study that in the next chapter.

You might be thinking:

Why are we studying WEP cracking when it is outdated?

The answer is that it is necessary to learn and understand the WEP cracking mechanism, because:

  • It is necessary to learn where it all began.
  • It is easier to understand when you start small. The big picture will not be a mess anymore.
  • You can see many APs nearby using WEP as their encryption scheme.

This article is an excerpt from my WiFi Penetration testing and Security eBook for aspiring WiFi hackers and Wireless security enthusiasts.

Let’s Begin,

Step 1: Plug in your wireless card, fire up your Kali Sana terminal and type “airmon-ng” to check that your wireless interface is detected by the airmon-ng utility.

We will use wlan1, i.e. our Alfa card, in this tutorial.

In Kali Linux 2.0, users have faced a lot of issues during WiFi pentesting related to the monitor mode interface we create for intercepting traffic. You might have been facing the same. Here’s a quick fix for that using airmon-ng.

Step 2: Type “airmon-ng check” in the terminal to check for any programs that can cause trouble.

Run this command before putting the wireless card into monitor mode.

You might see a list of processes with their PIDs and corresponding names. These are the processes that can cause trouble for the aircrack-ng suite during a WiFi pentest, so we need to kill them before we move on to the next step.

Step 3: Simply type “airmon-ng check kill” and press [ENTER].

After completing the above 3 steps you should see a similar output on your terminal.


Apart from using airmon-ng, there is one more way to do the same; we will discuss that a bit later.

Step 4: Now let’s put the Alfa card (wlan1) into monitor mode. Type “airmon-ng start wlan1” and you should see a similar output.


Now that our Alfa card is in monitor mode, it is time to scan the air. For that we will use the airodump-ng utility from the aircrack-ng suite of tools.

Step 5: Type “airodump-ng [monitor mode interface]” in the terminal, i.e. “airodump-ng wlan1mon”. Identify the WEP-enabled AP.


After identifying the WEP-enabled AP, press CTRL-C and note the info.

Information we have:

BSSID (AP MAC): EC:1A:59:43:3F:FD

ESSID (AP Name): belkin.ffd

Channel (CH): 11

Station: 84:38:38:16:c6:b8

We are saving this information as it will be used according to the scenario, and also to reduce the .cap file size by limiting the data capture to this AP only. This can be done by passing some parameters to airodump-ng.

Step 6: To limit the data capture, we will tell airodump-ng which access point's data we need to capture and save to a file, so that we can use the dump file to crack the WEP passphrase.

Type “airodump-ng --bssid EC:1A:59:43:3F:FD -c 11 -w belkin wlan1mon”


--bssid : Access point MAC address

-c : Channel number on which the AP is operating, see above image

-w : Output filename, put any

After executing the above command, notice the #Data section of the output. This is the data captured from the AP. In the case of WEP, #Data counts the IVs that will be used to decrypt the key.

Remember: the more data packets, the easier it is to crack WEP.


Now here’s a catch. Notice the #Data packets: only 111. To start the cracking process you must have at least 5000 #Data, as the easiest 5-digit passwords like 11111 or 12345 can be cracked with such a low number of IVs or data packets.

But this is not an issue. Airodump-ng runs endlessly and will keep on capturing data while we start cracking in a new terminal.

Step 7: Type “aircrack-ng [airodump-ng output filename].cap”, i.e. “aircrack-ng belkin-01.cap”, and wait for the key to appear.


Fortunately, aircrack-ng also runs as an endless process, so there is no need to enter commands again and again.

As you can see in the above image, aircrack-ng got 5,017 IVs and didn’t succeed; it is waiting for more #Data to be written to the cap file and will try again at 10,000 IVs.

After a significant number of #Data packets are captured and dumped, aircrack-ng will display the password with a similar output.


This is the ideal way of cracking a WEP enabled network key.

Factors affecting fast #Data capture:

  1. User connecting/disconnecting, SLOW
  2. Data downloading across the network, FASTEST (takes seconds for 10-20K #Data)

It is called ideal because at any given point it is not certain that a user is downloading, connecting, browsing or even connected to the network.

So what then?

This is where the attacks listed above come in, pushing #Data to the limits and getting us the IVs quickly. We will learn about them later in the series. That’s all for now. Hope you found it helpful.
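For whoever administers the network, the same survey data from Steps 5 and 6 answers a different question: which of our own APs still advertise WEP and need to be moved to WPA2? The following is an added example, not part of the original article; it assumes the CSV layout that airodump-ng writes next to the .cap file when -w is used, and the sample rows and the second BSSID are constructed.

```python
import csv
import io

# Constructed sample in the layout of airodump-ng's <prefix>-01.csv.
# The first AP and the station reuse the lab values noted in Step 5.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
EC:1A:59:43:3F:FD, 2015-09-01 10:00:00, 2015-09-01 10:05:00, 11,  54, WEP , WEP, ,  -40,      120,      111,   0.  0.  0.  0,  10, belkin.ffd,
00:11:22:33:44:55, 2015-09-01 10:00:01, 2015-09-01 10:05:00,  6,  54, WPA2, CCMP, PSK,  -55,      300,        0,   0.  0.  0.  0,   6, office,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
84:38:38:16:C6:B8, 2015-09-01 10:01:00, 2015-09-01 10:05:00,  -30,       90, EC:1A:59:43:3F:FD,
"""

def audit_wep(csv_text, owned_bssids):
    """Return [(bssid, essid, privacy)] for APs in owned_bssids that advertise WEP."""
    owned = {b.upper() for b in owned_bssids}
    findings, col = [], None
    for row in csv.reader(io.StringIO(csv_text)):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue                      # blank separator line
        if row[0] == "BSSID":             # header of the access point section
            col = {name: i for i, name in enumerate(row)}
            continue
        if row[0] == "Station MAC":
            break                         # client section follows; only APs are audited
        if col is None or len(row) <= col["ESSID"]:
            continue                      # malformed or truncated row
        bssid, privacy = row[col["BSSID"]].upper(), row[col["Privacy"]]
        if bssid in owned and "WEP" in privacy.split():
            findings.append((bssid, row[col["ESSID"]], privacy))
    return findings

if __name__ == "__main__":
    inventory = ["ec:1a:59:43:3f:fd", "00:11:22:33:44:55"]   # APs we administer
    for bssid, essid, privacy in audit_wep(SAMPLE_CSV, inventory):
        print(f"{bssid} ({essid}) still uses {privacy}: migrate to WPA2")
```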


Another way to fix the “Monitor mode” error in Kali Linux 2.0

Kill the network manager:

  1. Open terminal
  2. Type “service network-manager stop”

After you are done with the pentesting and want to connect to a network, you’ll need to restart the network manager.

Start/Restart network manager

  1. Open terminal
  2. Type “service network-manager start”

Even if you killed the processes using the “airmon-ng check kill” command, you can still use the above command to start the network manager and connect to WiFi.
