WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack.
Our SourceForge development area is at http://sourceforge.net/projects/wepattack/.
The full documentation of our diploma thesis in german is available there too.
The network data has been captured by a WLAN card in monitor mode. A network sniffer captures the data to a dumpfile. The use of a Lucent Orinoco Gold Card in combination with Kismet seems to work without any problems.
A working WLAN card is required to work with WepAttack.
WepAttack accepts every dumpfile of pcap structure. Every Tool that can handle dumpfiles in pcap format, as Kismet, Tcpdump or Ethereal does, can be used for sniffing data. Kismet is highly recommended because it offers lots of convenience.
The Following libraries are required to install WepAttack:
ZLib - http://www.gzip.org/zlib/
ZLib is usually present in most Linux distributions. No installation is required.
LibPcap – http://www.tcpdump.org
Recent Release is proposed. PrismII Patch is required for WLAN Capturing.
# tar xvzf
–p0 < libpcap-0.7.1-prism.diff
libCrypto - http://www.openssl.org
libcrypto is part of OpenSSL project.
Kismet is available at http://www.kismetwireless.net. Full capturing is enabled by Kismet CRC Patch:
# cd kismet-2.6.1
Kismet is using a hopper function,
passing through all WLAN channels. Manually switching is not necessary. With „
–H“ the card will be put in monitor mode and
the hopper function will be activated.
If all installations are passed without any problems, WepAttack can be installed. With this the installation is finished.
Download it here.
# tar WepAttack-0.1.3.tar.gz
# cd WepAttack-0.1.3/src
# make install
WepAttack needs a dumpfile for attacking networks. If the network data is captured by kismet a dumpfile is generated automatically. This file is in format „Kismet-[date]-[no].dump“ and can be passed to WepAttack.
wepattack -f dumpfile
[-m mode] [-w wordlist] [-n network]
network dumpfile to read from
run WepAttack in different modes. If this option
is empty, all modes are executed sequentially (default)
WEP 64, ASCII mapping
WEP128, ASCII mapping
WEP64, KEYGEN function
WEP128, KEYGEN function
wordlist to use, without any wordlist stdin is
network number, can be passed to attack only one network. Default is attacking
all available networks (recommended)
–f Kismet-Oct-21-2002-3.dump –w wordlist.txt
The attack can be improved by using
John the Ripper (http://www.openwall.com/john).
John generates the words and writes them to the standard output. WepAttack
reads them back over standard input. In this case the wordfile is used by John
not WepAttack. For both John modes (see John documentation) wordfile and
incremental, two shell scripts are available. The scripts are using
A 30MB wordlist is used for the attack. The decryption of WEP keys is only possible if the key is contained in the dictionary (or at least part of).
Get a wordlist created by us at https://sourceforge.net/projects/wepattack/.
For comments and questions, please contact:
Dominik Blunk firstname.lastname@example.org
Alain Girardet email@example.com
CVS web interface:
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See http://www.fsf.org/copyleft/gpl.txt.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.