WEP is dead. Has been for years. The cryptography is fundamentally broken — not “weak with a long enough password” broken, but mathematically impossible to secure broken. No configuration, no complexity, no passphrase length fixes it.

And yet. It still shows up.

Embedded devices, legacy industrial equipment, older access points that haven’t been touched in a decade — WEP is out there in the real world. So yes, it’s worth knowing how to crack it. Not because it’s a common target, but because when it does appear on scope, you want to understand exactly what you’re doing and why it works.

This episode also covers the scenario that trips most people up: cracking a WEP network when there are no authenticated clients. The standard ARP Request Replay attack relies on replaying traffic from existing clients to generate IVs. No clients means no traffic to replay. This video shows you how to get around that.

Quick note on the setup

This was recorded on BackTrack 4 R1. The default drivers weren’t playing nicely with the Alfa AWUS036H, so the more stable BackTrack 3 drivers were swapped in. Driver issues with wireless adapters are a rite of passage — you’ll encounter this. It’s not fun, but sorting it out is part of knowing your kit.

The attack, step by step

1. Monitor mode and initial scan

As always, the starting point is monitor mode via airmon-ng, followed by airodump-ng on channel 6 to survey what’s in range. Once the target network is identified, airodump-ng is relaunched inside a screen session to capture data to a file — in this case, named linksys — while the rest of the attack plays out in parallel.

2. Fake authentication

Here’s where the clientless scenario gets interesting. Without a legitimate associated client, the network isn’t generating the traffic you’d normally replay. So the first move is a fake authentication attack using aireplay-ng — essentially convincing the access point that you’re an associated client. You’re not actually getting network access. You’re just getting the AP to acknowledge you so you can interact with it.

3. Capturing a PRGA

WiFi routers periodically send out broadcast ARP requests to check for client connectivity — even when no clients are connected. With fake authentication in place, you can listen for these and extract a PRGA file, a fragment of the WEP keystream (named after RC4's Pseudo-Random Generation Algorithm, the phase that produces it). Because the headers of a broadcast ARP frame are predictable, a single captured frame gives away the keystream for its IV, and that fragment is enough to craft your own packets for later injection.

This is the clever bit that makes the clientless attack work.

4. Forging a packet with packetforge-ng

With the PRGA in hand, packetforge-ng is used to craft a generic ARP request packet targeting the broadcast address 255.255.255.255. Most wireless access points respond to broadcast ARPs, which means injecting this packet should prompt the AP to generate new IVs — and that’s exactly what you need.

5. Injection and IV collection

The forged packet is injected using aireplay-ng. The access point responds, generating new IVs with each response. Rinse and repeat until you have enough.

6. Cracking with aircrack-ng

Once enough IVs are captured — and with WEP, “enough” is very achievable — aircrack-ng does the maths and recovers the hex encryption key.
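To see why the keystream fragment from step 3 is as good as the key for that IV, here is an added illustration in Python, not code from the video or from the aircrack-ng project: a minimal model of WEP's per-packet RC4 encryption with a constructed key, IV and payloads. The fixed LLC/SNAP and ARP header bytes of a broadcast ARP request make its plaintext known, so one captured frame yields the keystream, and anything else the AP sends under the same IV is then readable without ever recovering the key.

```python
# Added illustration (not from the original post or aircrack-ng): WEP's RC4
# keystream for one IV is recovered from a known-plaintext frame and reused.
from zlib import crc32

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream; WEP's per-packet key is the 24-bit IV || root key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP body: IV in the clear || RC4(IV || key, payload || CRC-32 ICV)."""
    plain = payload + crc32(payload).to_bytes(4, "little")
    ks = rc4(iv + root_key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))

def recover_keystream(wep_body: bytes, known_payload: bytes) -> bytes:
    """Known plaintext XOR ciphertext = keystream for this IV (no key needed)."""
    plain = known_payload + crc32(known_payload).to_bytes(4, "little")
    return bytes(c ^ p for c, p in zip(wep_body[3:], plain))

def decrypt_with_keystream(wep_body: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame sent under the same IV and strip its 4-byte ICV."""
    plain = bytes(c ^ k for c, k in zip(wep_body[3:], keystream))
    return plain[:-4]

ROOT_KEY = bytes.fromhex("0123456789")   # constructed 40-bit WEP key
IV = bytes.fromhex("0a0b0c")             # one of only 2**24 possible IVs
# Broadcast ARP request: LLC/SNAP and ARP headers are fixed, so the plaintext
# is predictable; the MAC and IP addresses below are constructed.
ARP_REQUEST = bytes.fromhex("aaaa030000000806" "0001080006040001"
                            "001122334455" "c0a80101" "000000000000" "c0a801fe")

def demo() -> bool:
    frame = wep_encrypt(ROOT_KEY, IV, ARP_REQUEST)
    ks = recover_keystream(frame, ARP_REQUEST)
    other = bytes.fromhex("aaaa030000000800") + b"IV reuse leaks this".ljust(28, b"\0")
    frame2 = wep_encrypt(ROOT_KEY, IV, other)   # same IV reused (constructed)
    return decrypt_with_keystream(frame2, ks) == other
```

With only 2**24 IVs and no replay protection, IV reuse is guaranteed on a busy network, which is why no key length or passphrase policy can repair WEP.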

Why this matters beyond WEP

The techniques here — fake authentication, packet forging, keystream extraction — build intuition for how wireless protocols handle identity and trust at a low level. That intuition carries forward when you get into more modern attacks. Understanding how the AP is fooled by fake authentication helps you think more clearly about rogue AP attacks later on.

WEP is the floor. Everything above it builds on understanding why this works.