Cracking WEP with AirPcap and Cain and Abel

This video tutorial demonstrates how to crack WEP in Windows using AirPcap and Cain and Abel.


You’ll need:

Note: It is possible to get this working by using the cheaper “Classic” AirPcap, in conjunction with the old 2.0 Beta Tx Drivers for AirPcap, to enable packet injection capability, but this is entirely unsupported, and is not guaranteed to work. YMMV.


  • To begin ARP injections, AirPcap must capture at least 1 ARP request from a system on the target AP. You can usually force this by sending a Deauth to a connected client.
  • Make sure you have over 250,000 IVs before attempting to crack the WEP key.
  • In my tests, the old AirPcap (silver-grey) appears to perform significantly faster than the new AirPcap (dark-grey). I think it’s about 10x faster.

The Video

Get the Flash Player to see the wordTube Media Player.

Click Play to get things started.


Download the full resolution video (Thanks to TAz00 from the forums for the hosting!)

View the video on Youtube

By Phil Wiffen

Phil is an IT Professional working in Cambridge, England. He generally blogs about useful solutions that he comes across in his work/play.

42 replies on “Cracking WEP with AirPcap and Cain and Abel”

Any chance the new version of the AirPcap is one-tenth as fast because one-tenth of the IVs are occurring in response to something other than arp request injection? (ie. the attempted injection with the new AirPcap just isn’t resulting in any additional IVs?)

Hello Phil, i have been watching your work, very impressive stuff. i am in scotland. i am just finishing up my networking degree and am going onto my masters in “Ethical hacking and penetration testing”. Have bin mucking about with the aircrack stuff, very fun and enjoyable. Have to admit i dont have an airpcap adapter which is a bit of a bum, is there any way to set up a cisco aironet a/b/g to do the same thing do you think?

I suppose its all about the arps, and requests…hmm, wonder if i could generate the traffic needed for dump another way apart from airpcap….

anyway, would love any thoughts or insights, and chat in general is muchly welcomed, we network security guys need to hang together, lol



Hey phil i have a quik question for u, when i start up my program caine i noticed in ur video demo Cracking WEP with AirPcap and Cain and Abel that the caine program has a AirPcap driver info on the left hand side of the screen now is that supposed to be there when u start up the program, or do u have to buy the adapter and then u will get the screen to pop up, any help at all would be greatly appreciated.


there is two different versions of getting a wep key , in one u say that one needs over 250,000 IVs if someone just uses cain and able alone. to me this way is less confusing but then i guess the othe way were you use aircrack, is faster. how long does it take to get the requred packets. both in the easyer way and in the more complicated version.

the other question relates to the type of adapter, i believe u talk about some different versions the adapter came in. i believe one is (silver-grey), a (dark-grey), but i also believe there is one which is (black-orange) do you know anything about these. i think it came out pretty recently, but how faster or slower is it compared to there other ones.
esau munoz

Esau: Usually between 5 and 10 minutes, but sometimes longer. It can take me that long to explain to my clients what I’m performing!

There are 3 adapter “releases” so far. In my experience (I tested all three thoroughly whilst at Crownhill), the latest Black-Orange adapter was faster than the previous two.

I bought an aircap adapter but I made a mistake and I choose the simple one instead of the aircap tx.
Can I still use it to do what you did in the video or I need to buy the Tx version?

Thanks for you help!


Dominik: I just replied to you without realising you’d also sent this comment! You can try using the Beta 2.0 drivers and see if it works, but you’re probably better off exchanging your Classic for a Tx.

hi man,well a have a laptap, easy note mz350, whit windows xp and i need know if a can use the cain and abel to crack de wep password, to this program i need a special adaptor ????????????????????????

Anyone can tell me how to modify/convert packets captured by Wireshark possibly could be cracked using aircrack-ng? I’m using Windows XP as platform. Thanks in advance.

Sunda, I’m pretty certain that Wireshark and aircrack-ng packet capture formats are inter-operable. You just need to point aircrack-ng at the Wireshark capture file. Have you tried it?

Hey Phil, awesome site. My question is about Monitor Mode. Is there any way to bypass the SSID filter and passively scan an entire channel that’s in range on the Windows platform? I’ve read that WinPcap doesn’t support it, but I wasn’t sure that if that was the end. This question partially arises from my decision on whether to buy an AirPcap and run Windows, or get a Atheros chipset and run Linux.


are there any drivers for the airpcaptx to make it usable in backtrack linux
or do you know of anyway i could write my own

Alex: AirPcap allows you to passively scan the Wi-Fi channels. To do so you’ll need the Kismet release for AirPcap, or Cain (I prefer Kismet).

Anthony: Yes, AirPcap works in Vista. I’ve not yet tested Cain in Vista, but I’m sure if you asked at Cain’s forums they’d be able to tell you.

Lee: Not that I know of no, but seeing as most Linux-compatible Wi-Fi cards are cheaper than AirPcap, I’m not sure why you’d want to buy it for Linux (besides for the hell of it!). Might be worth contacting CACE to discuss a Linux driver 🙂

When I try to run 2.0 Beta Tx Drivers for AirPcap, I am informed that no AirPcap Adapters found in the system. Yet I have an AirPcap-Ex plugged in.

hello im max , my problem is i nead to get a wep code . i just downloaded cain ; what els do i nead to hack a wep and how becous i dont now how to use this program atol

Phil, you are doing some realy good work here. It’s nice to see someone dedicating some to time and effort to helping others understand a subject. Also the way you answer questions, to some the answer may seem simple, but you still answer in a very unpatronising way.

Thanks for support and advice.


After putting a comment in i realised that i do actualy have a question.

I was looking at the Airpcap Classic and TX, from what i have read i understand that you can only realy crack WEP and WPA through the ‘TX’ adapter.

What are the main differences between the TX and Classic?

I’ve also been struggling a little from reading various bits on the net. Can you crack WPA aswell as WEP with one TX adapter. From what i can gather cain will reveal the WEP code but you have to brute force for the WPA – is this correct?


hey phil, i’ve been using the AirPcap Tx USB(black and orange) for a while now with cain, but injecting packets doesnt work for me like it does for you in your video: that is, even when injecting, i dont get nearly as much traffic. this happens even when ARP requests have been sniffed on the target(if they havent, deauth doesnt usually do the trick for me either). any ideas?

Sorry for the above comment, after a search on the forums it appears that this is a bug, possibly(but hopefully not) with the black/oj Tx adapter. hopefully its just the software and i didnt waste my $300.

notharry: As you have an AirPcap-Ex, you should be able to use the latest (non-beta) driver to use the transmit capabilities. I just checked, and the support matrix confirms this. FYI: the Beta driver was only intended for use with the USB AirPcap Classic.

Max: You need everything I listed in this post, particularly the AirPcap Tx adapter!

Hey Jon,

Thanks for your kind words! 🙂

Yeah, CACE neutered the original AirPcap by renaming it the Classic, and launching the Tx separately (…which is exactly the same, apart from a small change in firmware which enables injection!).

Regarding cracking… Both Cain and aircrack-ng will passively sniff WEP traffic and crack any WEP key after collecting x number of packets. They will both also passively sniff WPA EAPOL handshakes which can then be cracked, via brute force, “offline” – away from the Audit site. This takes way longer than the offset methods used in WEP cracking, and becomes pretty much unfeasible if the password isn’t in a dictionary, or is longer than 8 characters. I always recommend that WPA-PSK is deployed with at least a 20-character passphrase, and includes things like spaces and other non-alphanumeric characters.

Hi Phil,

1st, thanx for your great site and videos… it’s nice for tutorials and learning..
I have buy a AirPcapTX recently and try it with last drivers from Cace.
Packet Injection is really slow, with Cain but with aircrack-ng 0.9.2 for TX too…
from both method, i only Inject around 10 packets by seconds and capture only 1 IVs every 2 seconds… 🙁
So it seems the problem don’t come only from Cain but from the TX (or the driver) too…
I will try Kismet for Windows later see it’s working better…

hi phil i was wondering if there was any other program that will allow me to do this without the airpcap adapter and i was wondering also if there was any special place i have to go to get this adapter

hi Phil,
i can not run the cain & abel properly, i installed the airpcap, but if i scan for the “wireless”. The AirPcap column, staing that driver version: not installed. and the lock on channel is inactive, as so as the other like the “analyze” button, it is not scanning for any WEP IV’s. i’m running under vista home premium. pls help me make the program works. thanks a lot.

hey phil whats up?? i have air p cap ex the one with the attachable external antenna i was wondering if i can also use it as a wireless network card???? because it has lots of range…. is there any way to make it a wireless network card??? thanks

airpcap tx and packet injection

i have used airpcap and cain to successfully crack my network in wep and wpa modes

what baffles me is how to generate traffic on the network to produce more wep ivs faster

i assume that packet injection is just the feature ive been looking for but im not sure how it works… i can deauth a client on a wpa network and collect wpa 4 way handshake but if its a wep clientless network then i cant generate traffic

with linux and aireplay you simply use packetforge to increase the traffic rate but packet injection in cain with airpcap doesnt seem to work..

what am i not doing or what am i doing wrong????

“but if its a wep clientless network then i cant generate traffic”

Hey Slayer, unless Cain has changed in the last few months (possible), you can’t generate traffic against a clientless AP.