Make your 2026 legendary, the HTB way — 25% off our HTB Academy Annual Plans for a limited time. Learn More

Wired Equivalent Privacy (WEP) Attacks

In this module, we delve into Wired Equivalent Privacy (WEP) and the various attacks that can compromise it. We'll explore how to identify access points configured with WEP and demonstrate different methods to exploit its vulnerabilities. As WEP is an outdated and insecure protocol, understanding its weaknesses is crucial for recognizing the need to upgrade to more secure protocols. This module aims to provide insights into WEP’s vulnerabilities and practical techniques for testing its security.

4.71

Created by Sentinal
Co-Authors: N1tr0x

Medium Offensive

Summary

Wired Equivalent Privacy (WEP) is an older Wi-Fi standard that is actively being phased out due to numerous security issues. However, it still sees use in some legacy environments, allowing attackers to take advantage and compromise a network's security more easily. This module specifically focuses on the WEP algorithm, the reasons it's insecure, and the various methods to exploit this once ubiquitous technology.

In this module, we will cover:

  • Wired Equivalent Privacy Overview
  • WEP Encryption
    • Seed Generation and the RC4 Algorithm
    • CRC32 Generation aka WEP's ICV Algorithm
    • Finding the Initialization Vector (IV) using Wireshark
  • WEP Attacks
    • ARP Request Replay Attack
    • Fragmentation Attack
    • Korek Chop Chop Attack
    • The Cafe Latte Attack
    • Attacking WEP Access Points without Clients
  • WEP Cracking
    • Advanced WEP Bruteforce with custom Python Script
  • Skills Assessment

Upon completion of this module, you should be ready to compromise almost all types of networks utilizing Wired Equivalent Privacy (WEP).

This module is broken into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas. There are no specific Wi-Fi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the target host provided in the interactive sections or your virtual machine.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Medium" but assumes a working knowledge of Linux systems and network fundamentals.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

Wired Equivalent Privacy Overview

Open networks are vulnerable to eavesdropping because their traffic is not encrypted. To address this, Wired Equivalent Privacy (WEP) was introduced in 1997 as part of the IEEE 802.11 standard. It aimed to provide a level of privacy for data transmitted over wireless networks.

WEP, being an older standard, offers valuable lessons for us when dealing with communication ciphers. It has since been replaced by Wi-Fi Protected Access, but can still be found in some business environments. WEP makes use of initialization vectors (IVs), a 40-bit or 104-bit shared key (also referred to as the WEP key), the Rivest Cipher 4 (RC4) algorithm, and cyclic redundancy checks (CRC32) to provide encryption for wireless communications. When WEP was developed, it originally incorporated a 24-bit initialization vector due to U.S. government export restrictions on cryptographic technologies, which limited key sizes. After these restrictions were lifted, WEP was updated to support a 128-bit encryption key, but incidentally it continued to use the same 24-bit initialization vector.

Although WEP held firm as a standard for a while, the discovery of different attacks led to multiple ways of compromising the shared key. This is due to the initialization vectors and cyclic redundancy checks used in the overall cipher. Regardless of whether WEP uses a 64-bit or 128-bit encryption key, the IV remains 24 bits. As a result, the algorithm is prone to repeated IVs during transmission. This has since enabled adversaries to construct decryption tables and retrieve the key with a high degree of statistical certainty, typically through packet building and replay attacks.

RC4 Algorithm

In cryptography, RC4 (Rivest Cipher 4), also known as ARC4 or ARCFOUR (Alleged RC4), is a stream cipher. It was designed by Ron Rivest of RSA Security in 1987 and became part of several commonly used encryption protocols and standards (including WEP) due to its simplicity and high speed.

RC4 is a symmetric cipher, which means the same key is used for both encryption and decryption. It generates a stream of bits that are XORed with the plaintext to produce the ciphertext. To decrypt the data, the ciphertext is XORed with the same key stream to recover the plaintext.

RC4 consists of two key components:

  1. Key Scheduling Algorithm (KSA)
  2. Pseudo Random Generation Algorithm (PRGA)

The Key Scheduling Algorithm initializes the state table using the WEP key and the initialization vector (IV). The Pseudo Random Generation Algorithm produces the keystream used for the encryption and decryption process. In the upcoming section, we will delve deeper into the RC4 algorithm, exploring its mechanisms and functionality in greater detail.

WEP Authentication

WEP supports two types of authentication systems: Open and Shared. In open authentication, a client does not provide any credentials when connecting to the access point (AP). However, to encrypt and decrypt data frames, the client must have the correct key.

In shared authentication, a challenge text is sent to the client during the authentication process. The client must encrypt this challenge text with the WEP key and send it back to the AP for verification. This process allows the client to prove that it knows the key. Upon receiving the encrypted challenge text, the AP attempts to decrypt it. If the decryption is successful and the decrypted text matches the original challenge text, the client is permitted to associate with the access point.

Diagram showing a four-step authentication process between Client and AP: 1. Client sends Authentication Request to AP. 2. AP sends Challenge to Client. 3. Client sends Challenge Response to AP. 4. AP confirms Success or Failure to Client.

Below is a step-by-step description of the shared WEP authentication process, which can be visualized in the diagram above:

  1. Authentication Request: The process begins with the client sending an authentication request to the access point.
  2. Challenge: The access point responds with a custom authentication response that includes challenge text for the client.
  3. Challenge Response: The client then replies with the encrypted challenge, which is encrypted using the WEP key.
  4. Verification: The AP decrypts the challenge, and sends back an indication of success or failure.

The use of WEP is less common in modern environments, but can still be encountered in older systems with compatibility issues. As such, WEP attacks are a valuable addition to a wireless pentester's arsenal.

Note: After spawning, please wait 3-4 minutes before connecting to the target(s).

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Sections

Relevant Paths

This module progresses you towards the following Paths

Wi-Fi Penetration Tester

Wi-Fi Penetration Tester

The Wi-Fi Penetration Tester Job Role Path is designed for professionals and aspiring security practitioners who want to build expertise in assessing and securing corporate wireless networks. The course provides hands-on training in evaluating the security of Wi-Fi environments, from attacking modern authentication and encryption protocols to simulating real-world attack scenarios such as rogue access points, man-in-the-middle attacks, and credential harvesting. Students will gain practical experience with industry-standard tools and methodologies, learning how to identify vulnerabilities, exploit misconfigurations, and recommend effective countermeasures. By the end of this Path the participants will be equipped with the knowledge and skills required to perform authorized Wi-Fi penetration tests and strengthen the wireless security posture of enterprise corporate environments.

Hard Path Sections 170 Sections
Required: 3400
Reward: +680
Path Modules
Wi-Fi Penetration Testing Basics
Medium
Path Sections 16 Sections
Reward: +20
In today's digital age, wireless networks are ubiquitous, connecting countless devices in homes, businesses, and public spaces. With this widespread connectivity comes an increased risk of security vulnerabilities that can be exploited by malicious actors. As such, understanding and securing Wi-Fi networks has become a crucial aspect of cybersecurity. Whether you are an aspiring ethical hacker, a network administrator, or simply a tech enthusiast, gaining a solid foundation in Wi-Fi penetration testing is essential for safeguarding your digital environment.
Attacking Wi-Fi Protected Setup (WPS)
Medium
Path Sections 13 Sections
Reward: +20
In this module, we delve into the intricacies of WPS, uncovering the common vulnerabilities that plague this technology. From brute-force attacks to more sophisticated exploitation techniques, we will explore how attackers compromise WPS-enabled networks. By understanding these vulnerabilities and their related attacks, you will gain the knowledge necessary to protect your networks and mitigate the risks associated with WPS.
Wired Equivalent Privacy (WEP) Attacks
Medium
Path Sections 13 Sections
Reward: +20
In this module, we delve into Wired Equivalent Privacy (WEP) and the various attacks that can compromise it. We'll explore how to identify access points configured with WEP and demonstrate different methods to exploit its vulnerabilities. As WEP is an outdated and insecure protocol, understanding its weaknesses is crucial for recognizing the need to upgrade to more secure protocols. This module aims to provide insights into WEP’s vulnerabilities and practical techniques for testing its security.
Attacking WPA/WPA2 Wi-Fi Networks
Medium
Path Sections 15 Sections
Reward: +100
This module explores the security challenges of WPA and WPA2 Wi-Fi networks, focusing on WPA/WPA2-Personal and WPA/WPA2-Enterprise. Although these protocols aim to secure wireless communication, attackers can exploit various weaknesses in home and enterprise environments. This module will delve deeper into WPA-Personal and WPA-Enterprise, demonstrating multiple attack vectors to compromise each. Understanding these attack vectors will give you insight into the vulnerabilities that could compromise WPA/WPA2 networks and how to secure them.
Wi-Fi Evil Twin Attacks
Medium
Path Sections 16 Sections
Reward: +100
This module explores the concept of evil twin attacks on Wi-Fi networks, focusing on WPA2, WPA3, and WPA-Enterprise. Despite these protocols being designed with strong security measures, they remain vulnerable to social engineering and rogue access point attacks. We will delve into both manual and automated methods for executing evil twin attacks, demonstrating practical approaches for each network type. Additionally, we will cover advanced MiTM techniques, including DNS spoofing and SSL interception, to highlight how attackers can exploit compromised connections for data interception.
Attacking WPA3 Wi-Fi Networks
Medium
Path Sections 16 Sections
Reward: +100
Wi-Fi Protected Access 3 improves upon WPA2 by offering stronger encryption, SAE for personal networks, OWE for open networks, and mandatory Protected Management Frames. However, it is not immune to compromise. In this module, we’ll explore practical attack techniques against WPA3 implementations, including OWE, SAE, and Enterprise networks (EAP-PWD), highlighting how vulnerabilities and misconfigurations can be exploited in real-world scenarios.
Bypassing Wi-Fi Captive Portals
Medium
Path Sections 17 Sections
Reward: +100
In this module, we delve into a range of methods for identifying and bypassing captive portals, employing both indirect and direct exploitation techniques. We cover tactics such as MAC spoofing, ARP poisoning, DNS tunneling, and credential interception, alongside direct attack vectors like Cross-Site Scripting (XSS), file upload vulnerabilities, file inclusion, and brute force attacks. Additionally, we will examine client hijacking strategies to extract credentials and circumvent portal restrictions. By understanding these attack methods, we can evaluate and enhance the security of captive portal implementations.
Wi-Fi Password Cracking Techniques
Medium
Path Sections 16 Sections
Reward: +20
Password cracking is a cornerstone of wireless penetration testing, as many real-world assessments hinge on the strength of the Wi-Fi password and our ability to break it. Despite its importance, many testers continue to rely solely on dictionary attacks with basic tools and minimal customization. In this module, we’ll go beyond the basics and explore the full spectrum of practical techniques, targeted strategies, and performance-driven optimizations for cracking Wi-Fi passwords.
Wi-Fi Penetration Testing Tools and Techniques
Medium
Path Sections 30 Sections
Reward: +100 NEW
Wireless network penetration testing presents a unique challenge due to the wide variety of technologies, protocols, and security configurations encountered in the field. This module introduces learners to a range of Wi-Fi pentesting tools, each selected to demonstrate techniques suited for different environments and stages of an engagement. By working through practical examples, learners will gain hands-on experience in choosing and applying the right tool for the task.
Attacking Corporate Wi-Fi Networks
Medium
Path Sections 18 Sections
Reward: +100 NEW
This module incorporates a simulated Wi-Fi penetration test from start to finish, emphasizing hands-on techniques that reflect real-world engagements. It involves conducting scoped reconnaissance, assessing wireless configurations, and evaluating common attack surfaces across WPA2, WPA3, and Enterprise deployments. The environment culminates in a demonstration of internal network pivoting, including Active Directory access, all performed within a controlled, simulated environment and in adherence to strict legal and ethical boundaries.