If you’ve watched Episode 2, you know how to crack a WEP network using the clientless ARP replay attack. Good. Now let’s talk about what happens when you run into a WEP network that doesn’t behave the same way.
WEP networks can be configured with one of two authentication methods: Open Authentication or Shared Key Authentication (SKA). Most tutorials — and most targets — use Open Authentication. But Shared Key Authentication does show up, and if you try the standard fake authentication attack against it, aireplay-ng will tell you pretty quickly that something’s different.
This episode is about what you do next.
Open vs Shared Key Authentication — what’s actually different?
With Open Authentication, the access point lets anyone associate. There’s no challenge. The encryption happens at the data layer, not the association layer — which is why the fake auth attack in Episode 2 works so cleanly.
Shared Key Authentication adds a challenge-response step to association. The AP sends a plaintext challenge, the client encrypts it with the WEP key and sends it back, and the AP verifies that the response decrypts to the challenge it sent. If you’re trying to fake authenticate without the key, you’re stuck.
Unless you can get the challenge-response exchange from somewhere else. Which you can.
The attack, step by step
1. Detect SKA and set up capture
When aireplay-ng attempts fake authentication against an SKA-protected network, it recognises the authentication type and switches to shared-key mode automatically. Once you know you’re dealing with SKA, airodump-ng is launched on channel 6 with output saved to a file — same as before — so everything happening on the network gets captured.
2. Force a client to reauthenticate
Here’s the key move: a deauthentication packet is sent to an already-associated client using aireplay-ng. This boots the client off the network and forces it to go through the full Shared Key Authentication handshake again to reconnect.
That handshake — the AP’s challenge and the client’s encrypted response — gets captured by airodump-ng. That’s your SKA material. You now have everything you need to impersonate an authenticated client.
3. Replay the captured SKA for fake authentication
Given the captured SKA exchange, aireplay-ng uses it to complete the challenge-response on your behalf when associating with the target network. The AP sees a valid encrypted response to its challenge and lets you associate. You’re in — at least as far as the AP is concerned.
From here, the attack follows the exact same path as Episode 2.
4. PRGA extraction, packet forging, and IV collection
With fake authentication established, the same technique from the previous episode applies: wait for broadcast ARP traffic, extract the PRGA keystream, use packetforge-ng to craft a broadcast ARP request packet, and inject it with aireplay-ng to prompt the AP into generating new IVs.
5. Crack the key with aircrack-ng
Once enough IVs have been collected, aircrack-ng recovers the WEP encryption key. Same as before — WEP’s fundamental weakness hasn’t changed just because SKA is in the way.
The takeaway
Shared Key Authentication sounds like it should be more secure. In practice, it’s arguably worse than Open Authentication — because the challenge-response exchange that’s supposed to prove the client knows the key actually leaks keystream material that an attacker can capture and reuse.
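As an added illustration of the keystream leak described in step 2 and in the takeaway above (this is not code from the episode or from the aircrack-ng project), here is a toy model of the SKA handshake with a constructed key, IV and challenges. It shows that challenge XOR response is exactly the RC4 keystream for that IV, and that the same keystream reused under the same IV answers a fresh challenge, which is why SKA ends up weaker than Open Authentication.

```python
# Toy model of WEP Shared Key Authentication showing why the handshake
# leaks keystream. RC4 is implemented inline; the key, IV and challenges
# are constructed values for illustration, not from any real network.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

WEP_KEY = bytes.fromhex("0123456789")  # constructed 40-bit WEP key (toy)
CHALLENGE_LEN = 128                    # SKA challenge text is 128 bytes

def wep_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the ICV is omitted in this toy."""
    return xor_bytes(plaintext, rc4_keystream(iv + WEP_KEY, len(plaintext)))

def ap_accepts(iv: bytes, challenge: bytes, response: bytes) -> bool:
    """The AP recomputes the expected ciphertext and compares."""
    return wep_encrypt(iv, challenge) == response

def keystream_from_handshake(challenge: bytes, response: bytes) -> bytes:
    """Anyone who saw both frames gets keystream without the key:
    challenge XOR response == RC4(IV || key) for that IV."""
    return xor_bytes(challenge, response)

def demo() -> tuple:
    """Returns (accepted with same IV, accepted with a different IV)."""
    iv = bytes([1, 2, 3])                              # constructed IV
    challenge = bytes(range(CHALLENGE_LEN))            # constructed challenge
    response = wep_encrypt(iv, challenge)              # legitimate client's reply
    ks = keystream_from_handshake(challenge, response) # observer's keystream
    new_challenge = bytes(255 - b for b in range(CHALLENGE_LEN))
    forged = xor_bytes(new_challenge, ks)              # same IV, reused keystream
    return ap_accepts(iv, new_challenge, forged), ap_accepts(bytes([9, 9, 9]), new_challenge, forged)
```

The second value in demo() is False because the keystream is bound to the IV, which is why the replay only works when the original IV is presented along with it.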
This is a recurring theme in wireless security: mechanisms designed to add security can introduce new weaknesses when they’re bolted onto a broken foundation. WEP is the broken foundation here. SKA is the bolt-on. Neither saves the other.
Keep that pattern in mind. You’ll see it again with more modern protocols.