Cracking WEP with BackTrack 3 – Step by Step instructions

This tutorial will show you, in explanatory detail, how to Break or crack WEP encryption using a simple linux-based security suite titled BackTrack 3. You don’t even need linux! A free, downloadable CD ISO image will do all the work for you! The steps outlined here have been tested for clarity in a controlled, legal home networking environment, and work great.

What you need:

  1. A Computer (laptop) with a CD-ROM Drive and a wireless adapter (Preferrably not USB)
  2. The ability to burn ISO images to CD or DVDThe ability to burn ISO images to CD or DVD
  3. A copy of BackTrack 3 Security Suite from

Brief Background:

BackTrack 3 is a legal and mostly open-source security suite designed by security experts in the computer and software Industry. It’s creation is intended as both an educational tool, and as a toolbox for network adminstrators who wish to secure a private or corporate network, or used in testing a ‘secured’ network. When searching for it, you’ll often see it titled as BackTrack3 or Backtrack 3. 3 is the version number, and will change with time.

As I’m sure you’re now well aware, WEP is a first generation wireless encrpytion technology that was used to provide basic security to users utilizing 802.11 wireless on their portable computers or devices. It was soon found to be extremely vulnerable to hack attemptions, and has since been replaced by the much more robust WPA technologies.


Common Shortcut terminiology (Important):

Throughout this post, I’ll be referring to ID’s, names, and addresses unique to your configuration. Look for these in italics and replace them with values you’ve collected throughout the tutorial. Although I will always show the # in front of the values, never include it in the actual command.

  • #SSID – Target SSID (ex: linksys)
  • #BSSID - Target BSSID (ex: 2D:3F:33:45:56:53)
  • #Channel - Target Channel (ex: 8 )
  • #adapter – Your adapter (ex: ath0 or eth1)

 Step 1 – Get BT3 and Burn the Image:

Download Backtrack 3 from You’ll need to download the bt3-final.iso image. You can also use the USB version, bt3final_usb.iso which includes some extra tools, but we won’t be using them here.

Burn the ISO images to a CD or DVD. You won’t need to make any changes. I won’t go into specifics of how to burn an ISO here. If you don’t have the vaguest idea how to do this, then it’s highly likely that “cracking WEP” is definitely not for you. However for those of you know think you can figure it out on your own, I have used CDBurnerXP. It’s open-source and simple to use, so that’s good.

Alternatively, you can image a thumbdrive with the ISO. That’ll be MUCH faster than the optical drive at any rate.

 Step 2 – Boot BackTrack 3:

Throw the Backtrack 3 disc into your laptop or desktop (I haven’t tested this on a desktop, but I’m sure the steps are the same), set your BIOS to boot from your optical drive, and BOOT! You’ll get a prompt asking how to boot into Backtrack 3. You should boot using the KDE method. If you have weird display issues, you can try the VESA boot method. At any rate, one of these should work. Once you’ve become an elite hackmaster, and have memorized this process, you can use the command console.

Step 3 – Obtain your target:

Now is were we get to the fun part. We need to know which router, or Access Point, we intend on attacking.

First we’re going to use KISMET. Kismet is graphic 802.11 locator. It will show detailed information about all the wireless networks  and devices  that are being picked up by your wireless router.

To use kismet, head to your KDE Menu (Where a Windows Startmenu would be). Then navigate to:

Backtrack 3 > Radio Network Analysis > 80211 > Analyser > Kismet

Wireless Networks will begin to appear in Kismet as it begins to gather and analyze radio packets. These are all the wireless networks in your neighborhood or general area. You can see there is a wealth of information here. From this point, we’ll need to use the keyboard, so get rid of your mouse.

We need to sort our data, so while in the kismet window, hit the “s” key and then “w” for WEP. This will sort all of the wireless networks by their WEP encrpytion. You’ll see everythng is reordered and sorted via the ‘w’ column.

Once you’ve determined your target, you can use your keyboard arrow keys to navigate to your target, and hit enter.  You’ll need some of the information on the new screen. You can write it down, or you can use kedit by going to IDE > Editors > Kedit. This works like Windows Notepad, so you can cut and past at your leisure.

You’ll ned the following information:

  • SSID
  • Channel

The SSID is essentially the friendly wireless name you see all the time. the BSSID is the MAC address, or unique-hardware address of the AP or router.

Exit Kismet with “CNTRL-Q”. Note the Capital Q.

Step 4 – Get system ready to record:

Now the fun part. We need to get your computer ready to record all the radio packets you want to capture, so you can analyze them later. Down by the KDE start menu, you’ll see a little Black Monitor which will bring up a command console. We’ll be using these a lot, so just remember where it is.

Launch a new command window and enter the following:


This will tell us how many adapters we have running. Stop everything that is running:

airmon-ng stop #adapter

Repeat the above command for every adapter listed from the airmon-ng command.

Now we have no running adapters, or virtual adapters. essentially, anything Kismet started to capture radio packets has been turned off. On some laptops the above steps were absolutely essential, on other laptops, not so much.

Start your adapter, capture only the channel that your target AP is broadcast on. We got this information above:

airmon-ng start #adapter #channel

run airmon-ng one more time to see what your new adapter is named. You’ll want to keep this in mind as your adapter from here on out.

Step 5 – Recording packets:

We’re going to be gathering radio packets from you target router (AP) but we haven’t started recording them yet. Obviously if we don’t record, we won’t be able to analyze them, so let’s start recording them now:

airodump-ng adapter  -w /hackme channel #channel –ivs

We’ve now begun recording all data packets on your channel  and started writing them to a hackme file located in the linux root, or /. For those of you really curious, the –ivs tells it to record only authentication data packets, which is the heart of WEP exploitation.

Leave this recording in this console Window. it will remain open for the remainder of this insane adventure.

Step 6 – AP assocation:

Now that we’re recording data, we need to do kind of a handshake with your target WEP router. You see, when WEP computers and routers talk to one another, they initation their conversation with a little handshake or hello. this comes before authentication ever happens. If you try to do some authentication (step 7) without this hello, your target AP will simply ignore the authentication, because, like most people, there’s no sense in talking to some jerk who won’t even say hello.

To associate your laptop with your access point, run the following command:

 aireplay-ng -1 0 -e ssid -a #bssid  #adapter

This is absolutely critical. Your return should try a couple of authentication requests, and then return “Assocation successful :-) ”. If it does not, you’re not going to be able to do packet injection (step 7). If you don’t get a friendly return, you can try this:

aireplay-ng –test

If you get a return indicating that Packet Injection should be possible, try another AP. You can also try getting physically closer to your target. Assocation and injection are difficult from distances, and may not work at all. I won’t go into deep troubleshooting of assocation at this point.

If for some terrible reason, your computer is not capable of assocation, don’t fret. You won’t be able to do packet injection though. Which means the process of collecting packets will take MUCH longer. Skip step 7 & 8 if you can’t associate, but be advised it will likely take you hours if not days to collect enough packets to crack WEP. That’s why injection is so useful.

Once you’ve associated successfully, continue on to the next step!

Step 7 – Packet Injection:

In step 6, we said hello to the AP. The target AP or router is now aware of us. It knows we exist, and won’t be surprised when we try to shake hands and authenticate with the network (Send a WEP key, authenticate, and get online to surf the web). This is where a major exploit becomes possible.

With every IVS packet we receive (The packets sent from the AP when we try to authenticate) we become closer to cracking WEP. The best way to get hundreds of thousands of packets, is to repeatedly try to authenticate with the AP or router. This process is knowing as packet injection. We’re injecting authentication packets repeatedly into the target AP, and forcing it to send us data back telling us “OMG! You’re sending me the wrong AUTH DATA! NOOB!”. What’s funny about it, is that with every “wrong WEP Key. Try again!” message it sends, we’re getting closer to the packets needed to mathetmically break down WEP and help ourselves to the target AP.

To begin injection, do this (You can reuse the window created in step 6 if Authentication was successful):

aireplay-ng -3 -b #bssid #adapter

This will send thousands of fake authentication requests. This process doesn’t end, and will continue to send until you’ve manually stopped it using CNTRL-C or close the window. Keep in mind, there is no reason to stop it until we’ve received the WEP key.

You’ll see your IVS packet count going higher and higher, likely incredibly quickly. Meaning, hundreds every few minutes.

After you’ve collected between 300,000 (300k) and 500,000 (500k) IVS data packets, you can move on to the next step.

If you’re not collecting IVS packets, you can open a new command console and rerun step 6 while step 7 is still running in another window. If you do this, you’ll notice that your ARP packet count begins to go up with every connection attempt in the other window.

If you can’t collect IVS packets, you’ll never get a WEP key. If your IVS count isn’t going up, your whole process is hosed. Figure out where the kink is, and try again.

Step 8 – Breaking the WEP key:

Okay, you’ve made it! You’ve collected at least 300k IVS keys. If you haven’t, but you have at least 100, you can try this step anyway. It’ll be fun.

Now that we have all this recorded IVS packet information, we can crack the WEP key in a matter of moments. Run this command:

aircrack-ng -s /hackme-01.ivs

Now select the number that corrresponds to your target Access Point, or ssid. The screen will flash with a bunch of crazy, matrix looking numbers, and in 5 seconds or less will actually give you your Broken WEP key.

If it doesn’t return a WEP practically immediately, just exit (CNTRL-C) and wait a few more minutes. Eventually, you’ll have enough iVS packets to break the WEP key in literally just a few seconds.

Congratulations! You’re done!

I was one of the poor saps who couldn’t associate, or do packet injection. Do I still have a chance?

Yes! IVS packets are the whole key to successfully using airecrack to break a WEP key. If your attempts at packet injection have failed, or you can’t associate (which forces injection to fail by default) then obviously, it becomes much harder to crack WEP. But you can still do it. Just record (Step 5) IVS information until you’ve built up enough packets by watching OTHER  computers connecting to the AP. The more legitimate devices connecting to the AP, the better chance you have at getting enough IVS data without waiting for a lifetime. If your AP has 2 or 3 laptops connecting to it every few hours, you can leave your computer capturing IVS information for a couple of days, and still break the WEP key using Step 8.

Why can’t I crack WEP in Windows? I’ve looked everywhere, and there just isn’t a tutorial!

You can thank most Windows Hardware Vendors for that. The ability to snoop IVS packets comes from a wireless card’s ability to enter Promiscious mode, Monitor mode, or rfmon mode. This allows a wireless card to captures all data packets, headers and all. Unfortunately, most windows drivers, with the exception of a few custom hardware solutions (AirPcap), don’t allow you to put your wireless card into this kind of mode. It’s not necessarily intentional. The likely explanation is that they simply didn’t realize Windows users would like this functionality. Heaven forbid someone desire to use Windows hardware for something other than it was intended for.

So the linux community, like in many situations, simply wrote custom drivers to work with hardware, and put it into promiscuous mode. No one has yet done this with Windows.

There are some, very limited wireless cards out there that will go into rfmon mode without much effort, but my friend, I have to tell you, you probably don’t have one of those cards.

So for now, just continue to boot off of BackTrack 3 and have it do all the work for you!