Introduction
WEP (Wired Equivalent Privacy) is an outdated and insecure Wi-Fi security protocol, superseded by WPA and deprecated by the IEEE in 2004. Its best-known weakness is the way it uses Initialization Vectors (IVs): a short, cleartext IV is prepended to the secret key to seed the RC4 stream cipher for every packet. By capturing a large number of packets, and with them their IVs, an attacker can statistically recover the WEP key.
In this lab, you will learn the first and most critical phase of a WEP attack: capturing network packets that contain these valuable IVs. You will use airodump-ng, a powerful tool from the Aircrack-ng suite, to monitor a target WEP network and collect the necessary data. This lab provides the foundation for understanding how WEP vulnerabilities are exploited in practice.
Start airodump-ng Targeting a WEP Encrypted Network
In this step, you will begin the process by putting your wireless interface into "monitor mode." This mode allows the network card to listen to all Wi-Fi traffic in the air, not just traffic addressed to it. Then, you will use airodump-ng to start capturing packets from a specific target network.
First, let's enable monitor mode on the wlan0 interface. The airmon-ng command is used for this purpose. It may create a new virtual interface, typically named wlan0mon; some drivers keep the original name instead, so read the command's output (or run iw dev) to see which interface is now in monitor mode. On a real system, NetworkManager and wpa_supplicant can pull the interface back out of monitor mode or change its channel; sudo airmon-ng check kill lists and stops those processes first.
Execute the following command in your terminal:
sudo airmon-ng start wlan0
The output will confirm that monitor mode has been enabled. Now, you can use airodump-ng to target a specific network. For this lab, we will pretend our target network has a BSSID of 00:11:22:33:44:55 and is operating on channel 6.
Run the command below. This will start the capture process, and your terminal will be filled with information about the target network.
Note: This command will take over your current terminal window. You will need to open a new terminal for the subsequent steps by clicking the "+" icon in the terminal tab bar. Please leave this command running.
sudo airodump-ng --bssid 00:11:22:33:44:55 --channel 6 wlan0mon
- --bssid 00:11:22:33:44:55: This option tells airodump-ng to only capture packets from the access point with this specific MAC address.
- --channel 6: This specifies the channel that the target network is on. Locking the channel matters: without it airodump-ng hops across channels and spends only a fraction of its time on the target, so most of its data frames are missed.
- wlan0mon: This is the name of our interface in monitor mode.
Observe the airodump-ng Output
In this step, you will analyze the information displayed by airodump-ng. With the command from the previous step still running in your first terminal, let's examine its output.
The airodump-ng screen is divided into two main parts. The top part lists the access points it detects, and the bottom part lists the clients connected to them.
Here is an example of what the top section looks like:
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:22:33:44:55 -30 10 0 0 6 54 WEP WEP MyWEPNetwork
Let's break down the most important columns for our task:
- BSSID: The MAC address of the Access Point.
- PWR: The signal power level. A higher number (closer to 0) means a stronger signal.
- Beacons: These are management frames sent out by the access point to announce its presence. They are not encrypted and carry no IVs.
- #Data: This is the most critical column for a WEP attack. It counts the captured data frames from this network; on a WEP network every data frame carries an IV in the clear, so this is effectively your IV counter.
- #/s: The rate of data frames per second, a quick indication of how busy the network is.
- CH: The channel the network is operating on.
- ENC / CIPHER / AUTH: The security in use. WEP here marks a target for this attack; WPA or WPA2 (with TKIP or CCMP) is a different protocol, and nothing in this lab applies to it.
- ESSID: The human-readable name of the Wi-Fi network.
In a live environment with active clients, you would see the #Data count climb steadily. Each data frame carries one IV, so every increment brings you one step closer to cracking the key (aircrack-ng recounts the IVs itself when it loads the capture). For this lab, the number may stay at 0 because nothing is sending traffic on the target network.
Understand the Importance of IVs in WEP Cracking
In this step, we will take a moment to understand why collecting data packets is so important for breaking WEP encryption. This is a conceptual step with no commands to run.
WEP encrypts each data packet with the RC4 stream cipher. The per-packet RC4 key is the concatenation of a 24-bit Initialization Vector (IV) chosen by the sender and the shared secret key (40 or 104 bits). The IV is transmitted in the clear in front of the ciphertext; that on its own is normal for an IV, but WEP's IVs are short and sit directly at the front of the RC4 key, and that combination is what breaks the cipher.
Here's why this is a problem:
- Small IV Size: A 24-bit IV means there are only about 16.7 million possible IVs, and some implementations restart the IV from zero after a reset. On a busy network IVs repeat within hours; even with uniformly random IVs a repeat is expected after only about 5,000 packets (the birthday bound).
- IV Reuse: RC4 is a stream cipher, so two packets encrypted with the same IV and key are XORed with the same keystream. XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; an attacker who knows one plaintext (the fixed headers of an ARP packet, for example) recovers the other without ever learning the key.
- Weak IVs: For certain IV values (the classes found by Fluhrer, Mantin and Shamir, later extended by KoreK) the first byte of RC4 keystream is correlated with a byte of the secret key. Because the first plaintext byte of a WEP data frame is predictable (the 0xAA that starts the SNAP header), the first keystream byte is known, and each such packet gives a statistical vote for one key byte.
The core principle of a WEP attack is to collect a large number of packets, take the IV and the first keystream bytes from each, and combine the statistics across the whole collection to deduce the key. The original FMS/KoreK attacks use only the weak IVs; the PTW attack (Tews, Weinmann and Pyshkin, 2007), which aircrack-ng uses by default, extracts a little information from every packet whose plaintext prefix is known (ARP packets in particular) and therefore needs far fewer. The #Data column you observed in airodump-ng is a direct counter of how many of these crucial packets you have collected. Without enough of them, a cracking tool like aircrack-ng has nothing to work with and will fail.
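To make these points concrete, here is an added example (not part of the original lab) in Python that implements WEP's RC4 framing, shows that two frames sharing an IV leak each other's plaintext without the key, and computes the birthday estimate for an IV collision. The 40-bit key, the IV and the two sample payloads (an ARP-like and an IP-like SNAP frame) are constructed for the demonstration and are not from any real capture.

```python
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) then the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as WEP sends it: IV(3) | key-id byte | RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")       # ICV = CRC-32 of the plaintext, little-endian
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + 4)  # the IV is the first 3 bytes of the RC4 key
    return iv + bytes([key_id << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(wep_key: bytes, body: bytes) -> bytes:
    """Inverse of wep_encrypt; raises ValueError when the ICV does not verify (wrong key or damaged frame)."""
    iv, ciphertext = body[:3], body[4:]
    data = xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(body_a: bytes, body_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    Knowing P_a therefore yields P_b without the key; returns as many bytes as P_a covers."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs, different keystreams; nothing cancels")
    n = min(len(body_a) - 4, len(body_b) - 4, len(known_plaintext_a))
    return xor(xor(body_a[4:4 + n], body_b[4:4 + n]), known_plaintext_a[:n])


def expected_packets_until_iv_collision(iv_bits: int = 24) -> int:
    """Birthday estimate: with uniformly random IVs the first repeat is expected
    after roughly sqrt(pi * 2^bits / 2) packets."""
    return int(math.sqrt(math.pi * 2 ** iv_bits / 2))


if __name__ == "__main__":
    # Constructed sample data: a 40-bit key and two 802.2 SNAP payloads (ARP and IP) that share one IV.
    key = bytes.fromhex("0123456789")
    iv = b"\x01\x02\x03"
    arp_like = b"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01"
    ip_like = b"\xaa\xaa\x03\x00\x00\x00\x08\x00\x45\x00\x00\x54\x00\x00\x40\x00"
    frame_a = wep_encrypt(key, iv, arp_like)
    frame_b = wep_encrypt(key, iv, ip_like)
    print("IV on the wire:", frame_a[:3].hex(), "(identical in both frames)")
    recovered = recover_from_iv_reuse(frame_a, frame_b, arp_like)
    print("recovered without the key:", recovered.hex())
    print("matches the second plaintext:", recovered == ip_like)
    print("packets before an IV repeat is likely:", expected_packets_until_iv_collision())
```

The ICV check in wep_decrypt is what aircrack-ng uses to confirm a key candidate: a wrong key produces random bytes whose CRC-32 almost never matches. Note that recover_from_iv_reuse never touches the key at all; the SNAP header that every WEP data frame starts with is exactly the kind of known plaintext that makes this practical.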
Wait for Sufficient Data Packets to Accumulate
In this step, you would normally wait for the #Data count in airodump-ng to reach a high enough number. This is the most time-consuming part of a real-world WEP attack.
How many IVs are "sufficient"?
- For a 64-bit WEP key (often called 40-bit), the PTW attack that aircrack-ng uses by default typically succeeds with on the order of 20,000 IVs.
- For a 128-bit WEP key (often called 104-bit), PTW usually needs roughly 40,000 to 85,000 IVs.
- The older FMS/KoreK statistical attack (aircrack-ng -K) needs far more, from hundreds of thousands to over a million, because it can only use the weak IVs.
These are rough figures: cracking is probabilistic, and the mix of packet types matters because PTW works on packets whose plaintext prefix is known, chiefly ARP. The more IVs you collect, the higher the probability of a successful crack. In a real scenario, you would keep the airodump-ng process running while waiting for this number to grow. To speed things up, an attacker would use aireplay-ng to capture an ARP request and inject it back at the access point over and over (the "ARP replay attack"), forcing the AP to answer each copy with a fresh IV, but that is beyond the scope of this lab.
For the purpose of this lab, we will assume that enough time has passed and a sufficient number of data packets have been collected. You can now proceed to the final step to save the captured data.
Save the Capture Containing IVs to a File
In this final step, you will stop the capture process and save all the collected data to a file. This file can then be used by other tools, like aircrack-ng, to perform the actual key-cracking.
First, go back to the terminal where airodump-ng is running and press Ctrl+C to stop it.
Now, we will run the command again, but this time we'll add the --write (or -w) option to save the output. This tells airodump-ng to write every captured packet into a file. In a real engagement you would use --write from the very first run, because everything captured without it is gone when airodump-ng exits; the frames counted in the earlier step were not saved.
In your terminal, run the following command. We'll name our capture file wep_capture.
sudo airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write wep_capture wlan0mon
Let this command run for a few seconds, then press Ctrl+C to stop it.
Now, use the ls command to see the files that were created in your ~/project directory.
ls -l
You should see several files starting with wep_capture, including wep_capture-01.cap.
-rw-r--r-- 1 root root 1234 Jan 01 12:00 wep_capture-01.cap
-rw-r--r-- 1 root root 5678 Jan 01 12:00 wep_capture-01.csv
...
The most important file is wep_capture-01.cap. This .cap file contains the raw packet data, including all the IVs you have collected, and is the primary input for the WEP cracking process. The numeric suffix increments each time airodump-ng is started with the same prefix, so a later run in the same directory produces wep_capture-02.cap rather than overwriting the first file; aircrack-ng accepts several capture files at once, so nothing is lost by restarting.
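The first thing aircrack-ng does with that file is walk every record, keep only WEP-protected data frames for the target BSSID, and pull out the 3-byte IV. The following added example (not from the lab or the Aircrack-ng project) does that with nothing but the Python standard library: it reads the classic pcap container, handles both raw 802.11 and radiotap link types, decodes the 802.11 header far enough to find the BSSID and the encrypted body, skips frames whose Extended IV bit marks them as TKIP/CCMP rather than WEP, and counts frames and distinct IVs the way the #Data column does. Since no real capture ships with the lab, the block builds a small pcap in memory from constructed frames that use the lab's pretend BSSID; pass the bytes of wep_capture-01.cap to count_wep_ivs to run it on a real file.

```python
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames, what airodump-ng writes by default
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames preceded by a radiotap header


def read_pcap(data: bytes):
    """Yield (linktype, packet_bytes) for every record of a classic (non-pcapng) pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def wep_iv_from_frame(frame: bytes):
    """Return (bssid, iv, key_id) if `frame` is a WEP-protected 802.11 data frame, else None."""
    if len(frame) < 24 + 8:                       # header + IV/key-id + at least the 4-byte ICV
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or not (fc1 & 0x40):            # data frame with the Protected Frame bit set
        return None
    if subtype & 0x4:                             # Null-data subtypes carry no body, hence no IV
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)  # WDS 4th addr, QoS
    if len(frame) < hdr_len + 8:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        bssid = addr1
    elif from_ds and not to_ds:
        bssid = addr2
    elif not to_ds and not from_ds:
        bssid = addr3
    else:
        bssid = addr2                             # 4-address WDS frame has no BSSID field; use the transmitter
    body = frame[hdr_len:]
    if body[3] & 0x20:                            # Extended IV bit: TKIP/CCMP, not WEP
        return None
    return bssid, body[:3], body[3] >> 6


def count_wep_ivs(pcap: bytes, target_bssid: bytes):
    """(data frames seen, Counter of IVs) for one BSSID, mirroring airodump-ng's #Data column."""
    seen, ivs = 0, Counter()
    for linktype, pkt in read_pcap(pcap):
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]   # radiotap it_len at offset 2, little-endian
        elif linktype != LINKTYPE_IEEE802_11:
            continue
        hit = wep_iv_from_frame(pkt)
        if hit and hit[0] == target_bssid:
            seen += 1
            ivs[hit[1]] += 1
    return seen, ivs


def is_fms_weak_iv(iv: bytes, key_bytes: int) -> bool:
    """Original FMS 'resolved' class (A+3, 0xFF, X) that leaks key byte A. KoreK and PTW use many more classes."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


# ---- constructed sample data (not a real capture) ----------------------------------------
def make_wep_frame(bssid, src, dst, iv, body, key_id=0, protected=True):
    """Minimal FromDS data frame: addr1=DA, addr2=BSSID, addr3=SA, then IV, key-id byte, body."""
    fc1 = 0x02 | (0x40 if protected else 0)
    hdr = bytes([0x08, fc1]) + b"\x00\x00" + dst + bssid + src + b"\x00\x00"
    return hdr + (iv + bytes([key_id << 6]) if protected else b"") + body


def make_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, n, len(f), len(f)) + f
    return bytes(out)


TARGET = bytes.fromhex("001122334455")   # the lab's pretend BSSID
OTHER = bytes.fromhex("66778899aabb")    # a neighbouring AP, filtered out like --bssid does
STA = bytes.fromhex("c0ffeec0ffee")
SAMPLE_PCAP = make_pcap([
    make_wep_frame(TARGET, TARGET, STA, b"\x05\xff\x10", b"\x11" * 40),   # FMS-weak IV
    make_wep_frame(TARGET, TARGET, STA, b"\x05\xff\x10", b"\x22" * 40),   # same IV reused
    make_wep_frame(TARGET, TARGET, STA, b"\x00\x01\x02", b"\x33" * 40),
    make_wep_frame(OTHER, OTHER, STA, b"\x00\x01\x02", b"\x44" * 40),     # other AP
    make_wep_frame(TARGET, TARGET, STA, b"", b"\x55" * 40, protected=False),  # unencrypted: no IV
])

if __name__ == "__main__":
    seen, ivs = count_wep_ivs(SAMPLE_PCAP, TARGET)
    weak = sum(1 for iv in ivs if is_fms_weak_iv(iv, 5))
    print(f"data frames: {seen}, unique IVs: {len(ivs)}, FMS-weak IVs: {weak}")
```

The distinction between frames seen and unique IVs is the one to keep in mind when reading #Data: a client that recycles IVs inflates the counter without giving the cracker anything new, which is one reason aircrack-ng reports its own IV count when it loads the file.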
Summary
In this lab, you successfully completed the first and most fundamental stage of a WEP attack. You learned how to use tools from the Aircrack-ng suite to capture the data necessary for cracking a WEP key.
Specifically, you learned to:
- Enable monitor mode on a wireless interface using airmon-ng.
- Use airodump-ng to target a specific WEP-encrypted network by its BSSID and channel.
- Understand the airodump-ng output, particularly the importance of the #Data column, which counts captured Initialization Vectors (IVs).
- Recognize why a large number of IVs are required to exploit the weaknesses in the WEP protocol.
- Save the captured packet data to a .cap file, which is now ready for analysis.
The wep_capture-01.cap file you created is the key artifact from this process. In a subsequent lab, you would feed this file into aircrack-ng to perform the final step: cracking the WEP key.
