WepBuster if something’s insecure in your wifihood…


This small utility was written for information security professionals to aid in conducting wireless security assessments. The program executes
various utilities included in the aircrack-ng suite, a set of tools for auditing wireless networks, in order to obtain the WEP encryption key of a wireless access point. aircrack-ng can be obtained from http://www.aircrack-ng.org

Features:

Cracks all access points within the range in one go!!
Supports:
– Mac address filtering bypass (via mac spoofing)
– Auto reveal hidden SSID
– Client-less Access Point injection (fragmentation, -p0841)
– Shared Key Authentication
– WEP Decloaking (future version)
– whitelist (crack only APs included in the list)
– blacklist (do not crack AP if it’s included in the list)

USAGE:

perl wepbuster [channel/s] (or any combination, space separated )
perl wepbuster (sort | connect) [HOST | IP]  (Defaults to: gateway)

Typically, one would invoke the program without any arguments. Doing this sets the mode to ‘crack’ and tries to crack all WEP-enabled access points within range on each of the non-overlapping channels for the country specified (1, 6, 11 for US; 1, 5, 9, 13 for EU).

Given one or more channel numbers as arguments, mode is set to ‘crack’ and only the APs on those particular channels are cracked.

If passed a ‘sort’ argument, followed by an optional IP address or hostname, the program sorts the list of cracked access points
(obtained after running ‘crack’ mode) in order of decreasing ping round-trip time to the gateway or to the IP address or hostname specified.

If passed a ‘connect’ argument, followed by an optional IP address or hostname, the program tries to connect to each access point in
the list of cracked access points. The program exits once a connection to an access point is made and verified, i.e., once it can successfully ping the
gateway or the IP address or hostname specified.

REQUIRED MODIFICATIONS (aircrack-ng):

Starting with beta_0.4, the first two modifications, to the source and header files of two aircrack-ng utilities (aircrack-ng, airodump-ng), are not required.
Those modifications only make recovery of the WEP key more efficient (in terms of the number of IVs needed to obtain the key). The third one, however, is needed for the fragmentation attack to work.

1.) Change PTW_TRY_STEP from 5000 to 100 to tell aircrack-ng to retry cracking the WEP key (after a previous failed attempt) as soon as it
has collected 100 new IVs.

Look for this line in "aircrack-ng.h":
#define PTW_TRY_STEP 5000

2.) The script relies heavily on reading and parsing the .csv output of airodump-ng. Instead of airodump-ng waiting 20 seconds before
writing the .csv text output, it is recommended that you make it 2 seconds.
If you do not change the line below, set $airodumpwait and $scan_duration to more than 20 to avoid errors; a value of 23 should be safe.

Look for this line in "airodump-ng.c":
if( time( NULL ) - tt1 >= 20 )
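Since the whole script hinges on reading that .csv file, the following is an added example (not WepBuster's own code) of parsing an airodump-ng CSV dump from the assessment-report side: it lists the access points that would become findings (WEP, shared-key authentication, open, hidden SSID) together with their IV counts, and it tolerates the partly written file that the 20-second write interval can produce. The column layout is assumed from airodump-ng's CSV output and is not given on this page; the rows are constructed sample data, and the hidden-SSID mapping (empty ESSID with a non-zero ID-length) is an assumption.

```python
import csv

# Constructed sample of an airodump-ng CSV dump (the real file is written by
# 'airodump-ng -w <prefix>'). The column layout is assumed from airodump-ng's
# output; the page itself only says the .csv is parsed. airodump-ng writes the
# access-point table first and a station table after a blank line.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-05-01 10:00:00, 2009-05-01 10:05:00,  6,  54, WEP , WEP, SKA, -40,  120,  850,   0.  0.  0.  0,   7, LabNet1, 
00:11:22:33:44:66, 2009-05-01 10:00:00, 2009-05-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   90,    0,   0.  0.  0.  0,   6, Office, 
00:11:22:33:44:77, 2009-05-01 10:00:00, 2009-05-01 10:05:00,  1,  54, WEP , WEP, OPN, -70,   30,   12,   0.  0.  0.  0,   5, , 
00:11:22:33:44:88, 2009-05-01 10:00:00, 2009-05-01 10:05:00,  1,  54, OPN , , , -60,   10,    0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2009-05-01 10:01:00, 2009-05-01 10:04:00, -50, 200, 00:11:22:33:44:55, LabNet1
"""


def parse_access_points(text):
    """Return the access-point rows of an airodump-ng CSV dump as dicts keyed
    by the stripped header names. Leading blank lines are skipped and parsing
    stops at the blank line that separates the AP table from the station table."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            if ap_lines:      # blank line after the table: station section starts
                break
            continue          # blank line before the table: skip it
        ap_lines.append(line)
    if not ap_lines:
        return []
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for record in reader:
        if len(record) < len(header):   # truncated row: airodump-ng was mid-write
            continue
        rows.append({h: v.strip() for h, v in zip(header, record)})
    return rows


def classify(ap):
    """Return the finding tags for one AP row: 'WEP', 'shared-key-auth',
    'open', 'hidden-ssid'. An empty list means nothing to report."""
    findings = []
    privacy = ap["Privacy"]
    if privacy.startswith("WEP"):
        findings.append("WEP")
        if ap["Authentication"] == "SKA":
            findings.append("shared-key-auth")
    elif privacy.startswith("OPN"):
        findings.append("open")
    # Assumed mapping: a hidden SSID appears as an empty ESSID with a
    # non-zero ID-length.
    if ap["ESSID"] == "" and ap["ID-length"] not in ("", "0"):
        findings.append("hidden-ssid")
    return findings


def report(text):
    """Map BSSID -> details for every AP that has at least one finding."""
    out = {}
    for ap in parse_access_points(text):
        findings = classify(ap)
        if findings:
            out[ap["BSSID"]] = {
                "essid": ap["ESSID"],
                "channel": int(ap["channel"]),
                "ivs": int(ap["# IV"]),
                "findings": findings,
            }
    return out


if __name__ == "__main__":
    for bssid, info in report(SAMPLE_CSV).items():
        print(f"{bssid} ch{info['channel']:>2} essid={info['essid'] or '<hidden>'!r} "
              f"ivs={info['ivs']} findings={','.join(info['findings'])}")
```

Reading the file while airodump-ng is still writing it is exactly the error the README warns about; the parser above drops a short last row instead of failing, which is the cheap alternative to raising $airodumpwait.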

3.) When the IV count has not gone beyond 300 after 40 sleeps, wepbuster tries aireplay-ng’s fragmentation attack (-5). By default this attack is interactive:
aireplay-ng will not try a data packet until you answer yes or no. For wepbuster to try all data packets collected so far, the following lines in
aireplay-ng’s source must be changed:

Look for these lines in "aireplay-ng.c" and comment out the two as shown below:

printf( "\n\nUse this packet ? " );
....
....
// while(!ret) ret = scanf( "%s", tmpbuf );
....
//  if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' )

Also, to reduce the number of retries when there is no answer from the AP, change "round > 10" to "round > 2":

PCT; printf("No answer, repeating...\n");
....
....
if (round > 10)

REQUIRED PERL MODULES:

The only module used in this script is “Term::ReadKey”. It is used to detect when the ‘Enter’ key is pressed, e.g., when the user wants
to skip injecting into a particular access point. The module can be obtained from http://search.cpan.org.

A typical installation procedure of any perl module consists of the following steps:

perl Makefile.PL
make
make install

On Debian systems, it can be installed with apt-get,
e.g., “apt-get install libterm-readkey-perl”.

REQUIRED APPLICATION:

–  macchanger (http://www.alobbs.com/macchanger)

This tool is used to spoof the MAC address when the AP uses MAC address filtering.

TESTING PLATFORM:

During development, this program was tested on an Ubuntu Linux installation, using an Alfa AWUS036H with the R8187 driver.
The access points tested were an Aztech DSL605EW and a Linksys WAG54G2.

WARNINGS:

Other Linux platforms were not tested. The wireless card mentioned above is the only card that was used; others are not guaranteed to work without
making changes. I don’t have all the necessary hardware to test.
I’m leaving this work to the community. Please contribute so that everyone
can benefit. =)

FINAL THOUGHTS:

This is the first program I have provided to the open-source community. I hope you’ll find it useful. Donations are welcome if you do =).
Send them to my PayPal account: markjayson.alvarez_AT_gmail.com

Please use this program in a good way and remember:

“Morality works best when chosen not when mandated”
– Larry Wall
