wepwn

wepwn is an automated WEP-cracking workflow written in Python. It is built on top of the aircrack-ng suite and intended to be run on Backtrack Linux 4, although it may work on other Linux distributions. It's easy to use and seems pretty reliable if the target has a decent signal.

wepwn is released under the BSD License.

Download wepwn (beta)

News

20100515

First release of wepwn.

Usage

There are usually two stages using wepwn: target selection and attack.

Target Selection

Target selection involves listing targets and deciding which to attack. This is done with the -w or -a options. The -w option lists only nearby access points using WEP, while the -a option lists all nearby access points. NOTE: Not all access points will show up in a given scan. This seems to be a limitation of the iwlist command used by wepwn and may be fixed in a future release of either tool. In the meantime it may take multiple scans to find a specific target:

FIXME: Screenshot

Attack

Attacking an access point is accomplished with the -e or -b options. The -e option allows the user to specify the target by name (ESSID). The -b option allows the user to specify the target by hardware address (BSSID). These options are not mutually exclusive, but specifying the BSSID makes the ESSID redundant: multiple access points may share the same ESSID, but no two access points should have the same BSSID.

wepwn needs more information about the target than the ESSID or BSSID alone, so it scans for nearby access points. As mentioned above, not all access points show up in a single scan, so wepwn may fail to extract the information for a target that the user knows is valid. Trying again may be necessary.
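Both the target list and the ESSID/BSSID distinction above come down to parsing the output of an iwlist scan. The following Python example is added here and is not part of wepwn: it parses a constructed scan in the layout iwlist prints, classifies each cell as open, WEP or WPA, lists the BSSIDs still on WEP (the ones a site audit should flag for migration), and reports ESSIDs shared by more than one BSSID. The sample scan text and the WEP rule (encryption key on, no WPA/RSN information element) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `iwlist <iface> scan` prints; not a real capture.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    Encryption key:on
                    ESSID:"office"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 00:11:22:AA:BB:02
                    Encryption key:on
                    ESSID:"office"
          Cell 03 - Address: 00:11:22:AA:BB:03
                    Encryption key:off
                    ESSID:"guest"
"""
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")

def parse_iwlist(text):
    """One dict per cell: bssid, essid, security in {open, wep, wpa}."""
    cells = []
    for line in (l.strip() for l in text.splitlines()):
        m = CELL_RE.match(line)
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": "",
                          "key_on": False, "wpa_ie": False})
        elif cells and line.startswith("ESSID:"):
            cells[-1]["essid"] = line[len("ESSID:"):].strip('"')
        elif cells and line.startswith("Encryption key:"):
            cells[-1]["key_on"] = line.endswith("on")
        elif cells and line.startswith("IE:") and ("WPA" in line or "802.11i" in line):
            cells[-1]["wpa_ie"] = True
    for c in cells:
        # Encryption on but no WPA/RSN information element: legacy WEP (assumed rule).
        c["security"] = "open" if not c["key_on"] else "wpa" if c["wpa_ie"] else "wep"
    return cells

def legacy_wep_bssids(cells):
    """BSSIDs still running WEP, i.e. the ones an audit should flag for migration."""
    return [c["bssid"] for c in cells if c["security"] == "wep"]

def ambiguous_essids(cells):
    """ESSIDs advertised by more than one BSSID; only the BSSID identifies an AP."""
    by_essid = defaultdict(list)
    for c in cells:
        by_essid[c["essid"]].append(c["bssid"])
    return {e: sorted(b) for e, b in by_essid.items() if len(b) > 1}
```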

FIXME: Screenshot

If all goes well, wepwn will proceed on to aircrack-ng and run until the key is recovered. The “IV” count in aircrack-ng should be increasing by at least a few hundred every few minutes. If it increases more slowly, range or the stability of the hardware may be a factor. If it doesn't increase at all, one of the commands wepwn launched may have failed.

If aircrack-ng succeeds in recovering the key it will be displayed on the screen by aircrack-ng, printed on the screen by wepwn, and saved to a text file named key.<BSSID>.

Documentation

FAQ

  • Does it do WPA? - No. Just WEP.
  • How long does it take to recover a key? - This depends on signal strength, processing speed, range, and quality of hardware. Under optimal conditions on a 1.6 GHz Atom netbook with an ALFA AWUS036H adapter, 64/40 bit would usually take about five minutes and 128/104 bit would take about 10-20 minutes. The process is statistical in nature and will give different results every time. There are adjustments that could be made to the commands to speed things up but I found settings that worked reliably for me and stuck with them.
  • Why do I have to specify my wireless driver? - I haven't figured out how to properly reset the wireless device after scanning, before starting the attack. My workaround is to unload the driver then reload it to reset the device. This is suboptimal and I've been told that rmmod is or is going to be deprecated. I haven't figured out a way of detecting the driver in use that works on all platforms. Hence, “Intended for Backtrack 4”.
  • Why does this look like it was written by a perl programmer? - Because it was. This was my first python project.

Command Line Usage

Python Module Usage

Known Issues

  • When wepwn completes successfully, command line keystrokes are not echoed. This can be remedied by the user running the reset shell command.

Changelog

projects/wepwn/start.txt · Last modified: 2010/05/15 21:37 by jason
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported