28 May 2018

How to Crack WEP Wireless with BackTrack 4 running on Windows

Cracking a wireless network protected with WEP security is very easy as described in How to Protect Your Wireless Network and takes around 5min to achieve. Here you will learn step by step instructions how to crack the WEP key of the wireless network.

Before you begin

  1. You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
  2. Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
  3. I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is plugged into your virtual machine. In VMWare goto the menu “Virtual Machine” -> “Removable Devices” -> “YOUR ADAPTER MUST BE TICKED”

Start Cracking the WEP Password

Launch the Konsole, which is the BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar as showing in the image below.

BackTrack Konsole

Run the following command to get a list of your network interfaces:


You may get something like “ath1″, “wlan0″, “wifi0″, or “ra0″…. This is called your interface and you need to substitute it everywhere you see (interface) in the coming commands.

In my case: (interface)=wlan0 (see image below)

Now run the following commands to change the MAC address of your wireless adapter.

airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

In my case

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0

Don’t forget to change (interface) with its value. Now your MAC address is changed to the fake new address 00:11:22:33:44:55

BackTrack WEP Commands 1

Now it is time to view the list of available networks and pick one for cracking. Run:

airodump-ng (interface)

In my case

airodump-ng wlan0

Wait for some time for all the networks to load then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack which has “WEP” encryption in the “ENC” column. “OPN” means that the network is open and you can connect to it without a key, WPA & WPA2 will not work here but you can check How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows if you wish to crack a WPA or WPA2 wireless network.

After selecting the network that you want to crack take note of the BSSID, the channel (CH), and ESSID values. In my case: (bssid)=00:1F:9F:4B:B3:DF, (channel)=1, and (essid)=barQ

BackTrack List of Networks

Now we are going to monitor and record the data passing through that network to a file. Run:

airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)

In my case

airodump-ng -c 1 -w barQ --bssid 00:1F:9F:4B:B3:DF wlan0

Replace (channel), (bssid), and (interface) with their respective values noted before. (filename) can be any name. I usually use the same name of the network which is “barQ” in this case.

BackTrack WEP Commands 2

The data now is being collected and recorded and you should get an output similar to the window in the background shown in the picture below. Leave that window running.

We now need to create traffic on that network to capture more data faster to speed up the cracking process. Launch a second Konsole window and run:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

In my case

aireplay-ng -1 0 -a 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 -e barQ wlan0

BackTrack WEP Command 3

You should get the message “Association successful :-)” which means that you are authenticated and ready to start generating traffic on that network to speed up the process. Run:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

In my case

aireplay-ng -3 -b 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 wlan0

BackTrack WEP Command 4

Now it is time to WAIT. We are creating router traffic to capture more data which will help us speed up our cracking process. After few minutes, the window might start showing “Read XXXXX packets” and might not, but the important thing to keep an eye on is the “#Data” value in the first window. We need it to go above “10,000”.

Wait until the “#Data” reaches a value above 10,000 which should take less than 2 minutes. you might need more than 10,000 depending on the security of the network but most of the time 10,000 should be enough.

Displaying the Key

Once you have collected more than 10,000 Data launch a third Konsole window and enter:

aircrack-ng -b (bssid) (filename-01.cap)

In my case

aircrack-ng -b 00:1F:9F:4B:B3:DF barQ-01.cap

The filename should be what you used in (filename) + “-01.cap”, if you are not sure about the (filename) enter “ls” to see list of all the files.

If you don’t have enough data then aircrack will ask you to collect more data. If you do then you should see something like:

BackTrack WEP Crack Successful

The WEP key is what you see besides “KEY FOUND!” inside the brackets without the colons “:” which is of the format “XXXXXXXXXX”

Note: The WEP key is the hex equivalent of the pass phrase that you type to connect to the wireless network. Entering the WEP key is more than enough to get you connected. The WEP ASCII password might be displayed if you collect more packets.


We have seen how easy it is to crack a WEP wireless network. This should give you the alert to change the security of your wireless network if it is still WEP.

Feel free to ask questions or let me know if I have missed something by leaving a comment below.


  • Thanks for the post

  • Really nice post,thank you

  • Great work keep it coming

  • my 2 cents. I was doing a research and found your site. Thanks.

  • Do you people have a facebook fan page? I looked for one on twitter but could not discover one, I would really like to become a fan!

  • Emil

    Ive tried this for fun on a home network but altough slightly above 10 000 data# it fails and says it will try again att 15 000. The encryption shouldn’t be anything out of the ordinary, its a regular wep encryption. How can I tell what complexity it has? 64bit or 128bit etc.

    Yes, I am a noob.

    • Usually it takes up to 10,000 data (IVs) to crack the password, but it’s not always the case; sometimes it might take 50,000 IVs, so your best bet is to try on 10,000, then 20,000, then 30,000 … until it gets cracked.

      BTW, there will be a new article which uses a much easier way (GUI) to crack the wireless network than theses steps so make sure to visit us soon

  • Coise.

    Hi, first of all congratz for the post :)

    you said: “We are creating router traffic to capture more data which will help us speed up our cracking process.” and my question is how do you create router traffic with other pc if you don’t have the pass yet??

    Thanks for your attention :)

    • The amount of IVs (data) that needs to be captured is 10,000, you do not need to attack the router from another pc since it is already being massively attacked by the pc that you are running. It should take you around 3min to collect the 10,000.
      Let me also suggest that you follow the easier way of cracking it using WiFite r68 or GRIM WEPA

  • fazeerul

    Make sure that your wireless adapter is plugged into your virtual machine. In VMWare goto the menu “Virtual Machine” -> “Removable Devices” -> “YOUR ADAPTER MUST BE TICKED”

    already done that but still the backtrack 4 r2 can’t detect my wireless adapter..i’m using Alfa AWUS036NHR.. please help me coz i’m new at this..

  • dang

    yeah nice!!!:D

  • Pingback: How to Install VMWare & Backtrack 4 R2 | HackedIn()

  • Pingback: How to Protect Your Wireless Network | HackedIn()

  • Muhammad Asif

    Dear Thanks its Working 100% i have cracked …

  • sootedel

    windows??or linux?
    iam working windows7

    • rabrabber

      Backtrack on Windows using VMWare

  • Markus

    hey guys, fisrt of all, thanks for this tutorial!

    i am using win7 and installed vmware player & backtrack4 rs2 on my machine and the login was working fine… but now i tried to run airmon-ng to get the name of my network interface. but the console´s output is only one line with the words “Interface Chipset Driver”. i guess this is supposed to be the headline of the list of my network interfaces, but the list seems to be empty…

    My wireless adapter should work with backtrack and also it seems to be connected.

    My Adapter is: braodcom 43225 802.11 b/g/n

    I saw on some websites that it should work with backtrack…

    My VMware player version is 5.0.1

    I checked the menu: Player -> removable devices -> network adapter -> settings.

    There by default “NAT” was checked. How do i configure this in the right way? I tried to check “bridge” and then “configure adapters” and it showed me the name of my adapter (i attached screenshots of the menu) so i guess that the adapter is working with backtrack. of course i tried the options and rebooted the virtual machine but still i don´t get any results. do u have any advice for me? thanks a lot in advance!


    • rabrabber

      Download the latest Backtrack version, which is 5 R3 at this time.

      • Markus

        thanks, i´ll try… but with my connection it will take a while :-)

      • does 5 R3 need VMWARE ? and after u got the hex key u sjould convert it or what ?

        • Basil Banbouk

          VMWare is used to run Backtrack inside windows. You can still format your computer and install Backtrack if you want. You don’t need to convert the key, just type it without the colons and spaces.

    • Markus

      i tried to get further information concerning my Wifi adapter… maybe i have to update my driver… but i´m completely new to linux. how can i install a driver (or anything else …) in BT? Or is it enough to update the driver on windows??

  • Jason

    Hey I had a question my friend installed backtrack 5 on my laptop and so I currently getting used to it, every time I try and crack a wep or wpa I get a message at the end saying…
    “Failed.Next try with 5000 IVS.”
    If anyone has a answer that can help me please.
    Write on here or an email would be appreciated
    [email protected]

    • rabrabber

      You need to collect more IVs, usually 10,000 is a decent number, but if it fails collect more. BTW you are getting this message comes when cracking a WEP, not WPA.

      • valapsp

        i dont get the Association successful message. help.

      • valapsp

        also after 10 mins I roughly get 23 datas. Is it because I’m far away from the network? what are some factors?

        • Basil Banbouk

          You are not getting enough IVs (data) because you are waiting for the normal traffic to be collected. You need to do a successful association and generate traffic so that you can collect IVs more quickly. One common reason for unsuccessful association is typing the wrong mac address, or misspelled essid, etc..

          • valapsp

            Im entering the correct values but still get the “Got a deauthentication packet!” error.

          • valapsp

            even after getting the association successful message the data capture sped is extremely low.

  • BillyBoon

    Hey on bt4 it says waiting for beackn frame on channel 1 and wlan0 is on channel 1, but the AP uses channel 11…… any help