Cracking WEP

BackTrack is Linux  network security audit tool for security professionals. This tool is used for testing and penetrating networks. That being said This tutorial is for educational use only. This is meant only to teach that WEP is an insecure option, and is recommend to use a harder encryption. Using this tutorial on a network that you do not have permission to access or is not yours, could be illegal! 

This was tested on BackTrack version 4 and the steps outlined in this tutorial were successful.
(this tutorial is assuming that you have BackTrack 4 installed and are ready with a shell prompt)

 The first thing you want to do is start your wireless interface in most cases this is wlan0

airmon-ng start wlan0

In the output look for the monitor interface in most cases this is mon0
The next thing you want to do is copy down the target AP’s ESSID, the MAC address of the AP,  also copy down the channel of the target AP. 

airodump-ng mon0

There must be a client or clients using the AP if not you can’t crack it. Match the MAC address of the AP to the available clients you have listed.
Next only output what you want (for example I have an AP on channel 8 and that MAC address of the AP is 00:dd:aa:cc:88:33 and it’s out monitor 0) the command would be:

airodump-ng --channel 8 --write output --bssid 00:dd:aa:cc:88:33 mon0

(Open a new shell prompt) The next step is you want to associate your wireless card with the AP(for example I have the AP’s MAC and ESSID (which is test) and my wireless MAC address (which is aa:00:55:bb:DD:FF) the command would look like:

aireplay-ng -1 0 -e test -a 00:dd:aa:cc:88:33 -h aa:00:55:bb:DD:FF

(Open a new shell prompt) The next step is start the packet injection (for example you will need the target AP’s MAC address (which is 00:dd:aa:cc:88:33 and my(yours) wireless MAC address (which is 00:55:bb:DD:FF) the command would look like:

aireplay-ng -3 -b 00:dd:aa:cc:88:33 -h 00:55:bb:DD:FF mon0

(Open a new shell prompt) The final step depends were the outputs are saved and the name of the output (for this example they were on /root and the name of the file was output-01.cap) so the command would look like:

aircrack-ng output-01.cap

Again this depends were the file was saved it could be in a different location. But after that command aircrack will attempt to crack the WEP key it will tell you that it either failed or if it was able to find it. (If it does fail wait for more packets and try again.)
The way aircrack works is that it reads the packet injection file, (this file is continues to update as packets move across the network) aircrack then finds the common key because that key is sent back and forth in the network. Depending on how active the network is aircrack is able to find the key in less than a minute!
Keep in mind when I was setting this up on a test AP I did run into some difficulties, although cracking a WEP key is relatively easy it still took me some time in troubleshooting. I hope this tutorial is helpful, you can find more information at Also check my tutorial on Installing BackTrack