decrypt (1)
    NAME

    decrypt - 802.11b packet decryption tool


    SYNOPSIS

    decrypt (-p key | -f dictfile ) -m bssid -e infile -d outfile [-b ] [-o offset ]  

    DESCRIPTION

    decrypt is a command line tool that takes 3 pieces of input, a pcap format input file, a WEP key, and a bssid (access point MAC address). If the provided WEP key is found to be the key for the indicated bssid, associated packets are decrypted and copied to the output file. If the key is not a valid key, all input packets are written unchanged to the output file. The output is a pcap compatible dump file and can be examined with tools such as tcpdump or ethereal to view the decrypted data.

    This tool understands two link types, LINKTYPE_IEEE802_11 and LINKTYPE_PRISM_HEADER. Other 802.11b capture formats can be decrypted by specifying an optional offset command line argument with the -o switch to indicate the number of header bytes that precede the actual 802.11b packet. That is, the number of bytes that precede the first frame control byte of each 802.11b packet.

    An alternate dictionary mode uses an input word list of potential WEP keys to attempt to find a valid key for the specified bssid. If a valid key is found, packets are decrypted and copied to the specified output file.

    OPTIONS

    -p key
    Password whose length must be 5 or 13 bytes of ASCII data, or 5 or 13 two-digit, colon-separated hex values.
    -f dictfile
    The name of a file containing one password per line in the format specified above. All passwords in the file will be tried against the specified bssid.
    -b
    Discard beacon packets. Beacon packets will not be written in the output file.
    -o offset
    Optional integer number of header bytes that precede the first frame control byte in the 802.11b packet. decrypt can recognize packets captured with no prefix bytes (pcap type DLT_IEEE802_11) as well as packets prefixed with prism2 style headers (pcap type DLT_PRISM_HEADER). In these two cases, no offset argument is required.
    -m bssid
    6-byte MAC address of the AP for which traffic is to be decrypted, in the form xx:xx:xx:xx:xx:xx
    -e infile
    The name of the file containing encrypted packets. This file is expected to be in pcap dump file format.
    -d outfile
    The output file produced by decrypting all data packets associated with the named AP using the specified key. All other packets are copied from infile unchanged. This file will be in pcap dump file format. If the provided key is not a valid key for the specified bssid, all packets are copied unchanged to the output file.

     

    EXAMPLES

    Decrypt all traffic to/from the access point with bssid 01:02:34:56:78:9a using ASCII key "MyKey", reading from input file "capture" and writing the results to a file named "decrypted".
    decrypt -p MyKey -m 01:02:34:56:78:9a -e capture -d decrypted
    

    Attempt to find a key for traffic to/from the access point with bssid 01:02:34:56:78:9a by trying all keys contained in the dictionary file "words". Packets are read from the input file "packets" and contain 50 bytes of prefix data. Results are written to the file "decrypted".

    decrypt -f words -o 50 -m 01:02:34:56:78:9a -e packets -d decrypted
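
An added example, not part of the original manual or of the airsnort code: a Python check of a capture's pcap link type that reports whether decrypt needs -o, following the DESCRIPTION and the -o option above. The link type numbers come from the tcpdump.org registry; the radiotap case (a format the manual does not name), the helper names and the sample captures are assumptions constructed for illustration.

```python
import struct

# Link-layer type numbers from the tcpdump.org LINKTYPE registry.
LINKTYPE_IEEE802_11 = 105            # bare 802.11 frames
LINKTYPE_PRISM_HEADER = 119          # Prism header, then the 802.11 frame
LINKTYPE_IEEE802_11_RADIOTAP = 127   # radiotap header, then the 802.11 frame

# pcap magic as stored on disk -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # usec stamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nsec stamps

def needed_offset(data):
    """Return None when no -o is needed, else the fixed prefix length."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a pcap dump file")
    order = MAGICS[data[:4]]
    # Low 16 bits of the last global-header field carry the link type.
    linktype = struct.unpack(order + "I", data[20:24])[0] & 0xFFFF
    if linktype in (LINKTYPE_IEEE802_11, LINKTYPE_PRISM_HEADER):
        return None
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("linktype %d: measure the prefix by hand" % linktype)
    lengths, pos = set(), 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        packet = data[pos + 16:pos + 16 + incl_len]
        if len(packet) >= 4:
            # radiotap it_len: little-endian u16 at byte 2, in any pcap order
            lengths.add(struct.unpack("<H", packet[2:4])[0])
        pos += 16 + incl_len
    if len(lengths) != 1:
        raise ValueError("no single radiotap length; one -o value cannot fit")
    return lengths.pop()

def sample_pcap(linktype, prefixes):
    """Constructed test capture: one packet per prefix, little-endian."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for prefix in prefixes:
        frame = prefix + b"\x08\x00" + bytes(22)   # dummy 802.11 data header
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def radiotap(length):
    """Constructed radiotap header of `length` bytes with no fields set."""
    return struct.pack("<BBHI", 0, 0, length, 0) + bytes(length - 8)

if __name__ == "__main__":
    print(needed_offset(sample_pcap(127, [radiotap(8), radiotap(8)])))
```

A capture whose radiotap headers differ in length from packet to packet raises an error, because a single -o value can only describe a fixed-size prefix.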
    
     

    SEE ALSO

    airsnort(1) gencases(1)  

    AUTHORS

    Jeremy Bruestle <melvin@melvin.net>, Blake Hegerle <blake@melvin.net>, Snax <snax@shmoo.com>
     
