The standard was introduced in 1997 and its goal was to provide the same level of privacy to wireless networks that wired ones had. Unfortunately, a series of severe flaws quickly made it obsolete and it was superseded by WPA and WPA2. While rare, it is still possible to find networks today which use WEP.

As a corollary of the IV's small size - only 24 bits - IVs will have to eventually be repeated. On average, this occurs every 6 000 frames. Due to the inner structure of WEP, once an attacker gets their hands on two ciphertexts (encrypted packets), and , which were encrypted with the same IV (the key is already the same for both of them), then they know . Now, the adversary can begin brute-forcing the corresponding plaintexts, and . Typically, there would be a large number of possible s and s, but it is known that they must look like packets which greatly reduces the possibilities. This is narrowed down even further when performing a fake authentication attack since the packets captured with identical IVs are likely ARP responses from the AP which have an even easier form to predict!
Since , with the correct and brute-forced, the keystream used to encrypt them can be calculated: . Through the use of a few more techniques such as Fluhrer, Mantin, and Shamir (FMS) attacks or PWT, the original key can be retrieved.

The only thing that's really required for this attack is enough captured packets with as many IVs as possible. The higher the number of frames, the better the odds that a pair of them was encrypted with the same IV.

airodump-ng can be used to listen for WEP networks with the following syntax.

sudo airodump-ng --encrypt WEP <dev>
Copy

Once the network to be attacked has been identified, it can be specifically monitored with airodump-ng. You should now also specify a capture file:

sudo airodump-ng --encrypt WEP --bssid <BSSID> -c <channel> -w <filename> <dev>
Copy

Now, you will need to be patient in order to gather a large amount of frames, typically in the range of 50K - 200K depending on whether the key is 64 or 128 bits in length. On a calm network, however, this process may take a very long time. Luckily, it can be sped up using a fake authentication attack and ARP packet replay.

The ultimate goal of this attack is to enable an adversary to force the AP to send out more and more packets, typically through ARP replay, so that more IVs can be captured. However, in order to elicit any proper response with an IV from the access point, the attacker must be authenticated and and their MAC address needs to be associated with it. Otherwise, the AP simply replies with a deauth frame in cleartext to any packets sent by the adversary, which generates no IVs.

WEP supports two types of authentication - Open System Authentication (OSA) and Shared Key Authentication.

On the other hand, now that they are associated with the network, they can elicit responses with IVs from the AP.

When OSA is enabled, you can use the following command to authenticate with the AP:

sudo aireplay-ng -1 <rate> -e <ESSID> -a <access point MAC> -h <MAC of your wireless adapter> <dev>
Copy

• -1 denotes fake authentication.
• <rate> - is the rate at which to attempt reassociation. 0 means a continuous stream of attempts until success.
• -e - the ESSID of the target network.
• -a - the BSSID of the target network.
• -h - the MAC address of your wireless adapter.

Note, airodump-ng should be locked to the target network and its channel, so as to prevent channel hopping.

Now that the client is associated with the network, they can elicit responses with IVs from the AP and can proceed to ARP relaying.

If OSA is not allowed by the target network, then the process is a bit more complicated, but still not secure.

If you are able to sniff on the network, you can just capture the shared key handshake when another client authenticates to the AP (either naturally or by dint of a deauth attack. Since you captured the plaintext challenge, from the AP and the correctly encrypted response challenge from the legitimate client, , you can obtain the keystream and use it to correctly encrypt the challenge you receive when attempting to connect to the AP yourself.

Faking shared key authentication requires a PRGA file containing the SKA (shared key authentication) handshake. To acquire it, all you need to do is sniff on the network and either wait for a client to connect to it or deauthenticate an existing one to force them to reconnect. When the handshake has been captured, SKA will appear beneath the AUTH column in airodump-ng.

sudo airodump-ng --encrypt WEP --bssid <BSSID> -c <channel> -w <filename> <dev>
Copy

The .xor file is the required PRGA file which can now be used with aireplay-ng to do fake authentication:

sudo aireplay-ng -1 <rate> -e <ESSID> -a <access point MAC> -h <MAC of your wireless adapter> -y <PRGA file> <dev>
Copy

You can now proceed with ARP replaying in order to generate IVs.

Once you have a sufficient number of IVs, you can use the .cap file generated by airodump to crack the key:

aircrack-ng <filename>
Copy

If the key isn't found, then that means that no identical IVs were captured and the process needs to be repeated.