Hirte is an attack that recovers the WEP key of a wireless network that is out of the attacker's reach, as long as a client device (laptop, mobile, etc.) of that network is within range of the attacker. This is possible because the WEP key and the network's configuration details are still stored on the client device.

The only requirement for this attack is to set up a fake access point with the same SSID as the WEP network. When the client device tries to connect automatically, ARP packets are exchanged between the fake access point (the attacker's machine) and the device, and these packets contain part of the keystream.

Breakdown of the Hirte Attack

  1. Set up a fake WEP AP and wait for a client to connect
  2. When a client connects, wait for it to auto-configure an IP address
  3. Client sends an ARP packet
  4. Obtain the ARP packet and convert it into an ARP request for the same client
  5. Client replies
  6. Collect these packets
  7. Crack the WEP key

Deployment of Hirte Attack

The first step is to create the WEP access point with the tool airbase-ng. The -c option defines the channel, -W sets the encryption bit, mon0 is the interface and -N enables the Hirte attack mode.

Creation of Fake Access Point

The next step is to configure airodump-ng to capture packets and write them to a file called Hirte.

Initiate Packet Capturing

As we can see, the fake access point appears in the list of available wireless networks.

Rogue Wireless Network

The same network will also appear on the victim device.

Victim - Fake Wireless Network Available

The victim device will connect automatically to Wireless Pentest Lab, as it is a network it was previously connected to when the genuine Wireless Pentest Lab was in range. The Hirte attack will start and ARP packets will be sent as the device tries to obtain an IP address. This will not succeed, as there is no DHCP server running, but the collection of IVs will start.

Hirte Attack Running

The final step is to start aircrack-ng in order to crack the WEP key from the packets that have been captured in the file called Hirte.

Read the packets

As we can see from the image below, the WEP key has been cracked for a wireless network that was not even in range of the attacker.

WEP Key Found


As we saw, with the Hirte attack someone is able to crack the WEP key of a wireless network just by exploiting a roaming client, without attacking the access point at all. This happened because the wireless configuration, including the WEP key, was stored on the device and the client was set to connect automatically to this wireless network whenever it was found in range. In summary, this attack uses the following principles:

  • It is a fragmentation attack
  • Targets isolated clients
  • Collects the client's WEP-encrypted ARP packets, which are used to recover the key
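
Because the attack depends on a saved WEP profile that the client joins automatically, the matching defensive check is to find such profiles on client machines. The following is an added example, not part of the original post: it audits NetworkManager keyfiles, assuming Linux clients, and the sample profiles and the names make_keyfile, audit_keyfile, audit_all and SAMPLES are constructed for illustration.

```python
import configparser

def make_keyfile(ssid, key_mgmt=None, autoconnect=None):
    """Build a constructed sample keyfile; secrets are placeholders."""
    lines = ["[connection]", f"id={ssid}", "type=wifi"]
    if autoconnect is not None:
        lines.append(f"autoconnect={str(autoconnect).lower()}")
    lines += ["", "[wifi]", f"ssid={ssid}", "mode=infrastructure", ""]
    if key_mgmt == "none":  # NetworkManager stores static WEP as key-mgmt=none
        lines += ["[wifi-security]", "key-mgmt=none", "wep-key0=PLACEHOLDER"]
    elif key_mgmt:
        lines += ["[wifi-security]", f"key-mgmt={key_mgmt}", "psk=PLACEHOLDER"]
    return "\n".join(lines) + "\n"

# Constructed samples, not taken from the original post's lab.
SAMPLES = {
    "lab.nmconnection": make_keyfile("Wireless Pentest Lab", "none"),
    "old-printer.nmconnection": make_keyfile("PrinterNet", "none", autoconnect=False),
    "home.nmconnection": make_keyfile("HomeWPA2", "wpa-psk"),
    "cafe.nmconnection": make_keyfile("CafeOpen"),
}

def audit_keyfile(name, text):
    """Return a finding for a saved static-WEP Wi-Fi profile, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Newer keyfiles use [wifi-security]; older ones use the long section name.
    sec = next((s for s in ("wifi-security", "802-11-wireless-security")
                if cp.has_section(s)), None)
    if sec is None or cp.get(sec, "key-mgmt", fallback="") != "none":
        return None  # open network, or WPA/WPA2/WPA3
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    # A missing autoconnect key means true, which is the exposed case.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    # With autoconnect off the key is still stored, but the client will not
    # join a same-SSID access point on its own.
    return {"file": name, "ssid": cp.get(wifi, "ssid", fallback="?"),
            "autoconnect": auto, "risk": "high" if auto else "medium"}

def audit_all(profiles):
    """Audit a {filename: keyfile text} mapping; return only the findings."""
    return [f for f in (audit_keyfile(n, t) for n, t in profiles.items()) if f]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

On a real client the keyfiles live in /etc/NetworkManager/system-connections/ and need root to read; any profile reported here should be deleted once the network has moved off WEP.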

