If you’ve worked through Episode 2 and Episode 3, you can already crack WEP. The question this episode answers is: how do you do it faster?

IV generation rate is the bottleneck in every WEP attack. You need enough IVs for aircrack-ng to do its thing, and how quickly you collect them depends entirely on how much traffic you can force the AP to generate. A generic ARP broadcast attack gets you to around 400 IVs per second — workable, but not optimal.

ARP Amplification is the technique that changes that. Done right, you can push IV generation rates up to 1500 per second — more than four times faster. This episode covers two methods to get there.

Why IV generation rate matters

WEP’s encryption is based on RC4, and the weakness that makes it crackable lies in how IVs (Initialisation Vectors) are reused. The more IVs you can collect, the more statistical material aircrack-ng has to work with — and the faster it can recover the key. At 400 IVs per second, you’re waiting. At 1500, you’re done.

Method 1: Generic ARP broadcast attack

This is the baseline — the same technique from the previous episodes. A broadcast ARP request packet is crafted using packetforge-ng, targeting 255.255.255.255, and injected with aireplay-ng. The AP responds to each injected packet, generating new IVs each time.

At around 400 IVs per second, it works. But it’s leaving performance on the table.

Method 2: ARP Amplification with targeted injection

Here’s where it gets interesting.

During an active attack on a network, it’s common to passively collect subnet information from the traffic around you. One reliable source is the Korek Chop-Chop attack — a technique that can decrypt individual WEP packets without knowing the key, revealing the plaintext. When that plaintext is ARP traffic, it hands you something valuable: valid IP addresses of clients actually authenticated on the network.

That changes everything about how you craft your injection packets.

Instead of broadcasting to 255.255.255.255 from an arbitrary source, you use packetforge-ng to build a targeted ARP request packet — this time from a valid IP address on the subnet, directed at a specific authenticated client IP. The effect is a chain reaction: the AP responds, the client responds, the AP responds again. Each exchange generates IVs. That back-and-forth is what drives the rate up to 1500 per second.

The key difference between generic and targeted

With a generic broadcast, the AP is doing all the responding. With a targeted ARP request to a real client, both the AP and the client respond — and they respond to each other’s responses. You’ve essentially created a loop. The IV generation rate reflects that.
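Seen from the monitoring side, the frame rates discussed above are also a detection signal: an AP that suddenly emits hundreds of protected data frames per second, with IVs starting to repeat, looks nothing like organic client traffic. The following is an added example, not code from the episode: it parses WEP-protected 802.11 data frames out of a constructed capture, pulls the 24-bit IV from each, and reports per-BSSID peak frame rate and IV reuse. The BSSIDs, the 200 frames/s threshold and the simplified frame layout are my assumptions.

```python
from collections import Counter, defaultdict

def parse_wep_iv(frame: bytes):
    """Return (bssid, iv) for a WEP-protected 802.11 data frame, else None."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & 0x40):   # not a data frame, or Protected bit clear
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and from_ds:                            # 4-address WDS frames are skipped here
        return None
    bssid = frame[4:10] if to_ds else frame[10:16] if from_ds else frame[16:22]
    hdr_len = 24 + (2 if fc0 & 0x80 else 0)          # QoS data subtypes carry a 2-byte QoS field
    if len(frame) < hdr_len + 4:                     # need room for IV(3) + key index(1)
        return None
    return bssid, int.from_bytes(frame[hdr_len:hdr_len + 3], "big")

def iv_stats(capture, window_s=1.0):
    """capture: iterable of (timestamp_seconds, raw_frame). Per-BSSID IV metrics."""
    buckets = defaultdict(Counter)   # bssid -> time window -> protected frame count
    seen = defaultdict(Counter)      # bssid -> iv -> occurrences
    for ts, frame in capture:
        parsed = parse_wep_iv(frame) if len(frame) >= 2 else None
        if parsed:
            bssid, iv = parsed
            buckets[bssid][int(ts // window_s)] += 1
            seen[bssid][iv] += 1
    return {b: {"peak_per_window": max(buckets[b].values()),
                "distinct_ivs": len(seen[b]),
                "reused_ivs": sum(1 for c in seen[b].values() if c > 1)} for b in buckets}

def flag_injection(stats, rate_threshold=200):
    """Assumed threshold: hundreds of WEP frames per second from one BSSID matches
    replay/amplification traffic far more than organic client load."""
    return sorted(b.hex(":") for b, s in stats.items() if s["peak_per_window"] >= rate_threshold)

def wep_frame(bssid: bytes, iv: int) -> bytes:
    """Constructed FromDS WEP data frame: 24-byte MAC header, IV(3), key index(1), dummy body."""
    hdr = bytes([0x08, 0x42, 0, 0]) + b"\xff" * 6 + bssid + b"\x00" * 8
    return hdr + iv.to_bytes(3, "big") + b"\x00" * 41

QUIET_AP = bytes.fromhex("020000000001")   # constructed sample BSSIDs, not real devices
NOISY_AP = bytes.fromhex("020000000002")

def sample_capture():
    """Constructed capture: a quiet AP at ~2 frames/s, then a burst of 500 frames in one
    second from another AP, 50 of them reusing an earlier IV."""
    quiet = [(t * 0.5, wep_frame(QUIET_AP, 1000 + t)) for t in range(20)]
    burst = [(5 + i / 500.0, wep_frame(NOISY_AP, 5000 + i % 450)) for i in range(500)]
    return quiet + burst
```

Running `flag_injection(iv_stats(sample_capture()))` reports only the bursting BSSID; on a real capture, feed it the raw frames from a monitor-mode pcap and tune the threshold to the network's normal load.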

What to take away from this

Two things worth internalising here:

First, recon during an active attack isn’t just a nice-to-have. The IP information you pick up passively — via Chop-Chop or just watching traffic — directly improves your attack efficiency. Information compounds.

Second, understanding why the targeted packet generates more IVs than the broadcast packet is more useful than just knowing the commands. If you can explain the loop, you understand the attack. If you can only reproduce the commands, you’re going to struggle when something doesn’t behave as expected.

That understanding is the difference between following a tutorial and actually knowing wireless pentesting.