NAME
decrypt - 802.11b packet decryption tool
SYNOPSIS
decrypt (-p key | -f dictfile) -m bssid -e infile -d outfile [-b] [-o offset]
DESCRIPTION
decrypt is a command line tool that takes three pieces of input: a
pcap format input file, a WEP key, and a bssid (access point MAC
address). If the provided WEP key is found to be the key for the
indicated bssid, associated packets are decrypted and copied to the
output file. If the key is not a valid key, all input packets are
written unchanged to the output file. The output is a pcap compatible
dump file and can be examined with tools such as tcpdump or ethereal
to view the decrypted data.
This tool understands two link types, LINKTYPE_IEEE802_11 and
LINKTYPE_PRISM_HEADER. Other 802.11b capture formats can be
decrypted by specifying an optional offset command line argument
with the -o switch to indicate the number of header bytes that
precede the actual 802.11b packet. That is, the number of bytes
that precede the first frame control byte of each 802.11b packet.
An alternate dictionary mode uses an input word list of potential WEP
keys to attempt to find a valid key for the specified bssid. If a
valid key is found, packets are decrypted and copied to the specified
output file.
OPTIONS
- -p key
- password whose length must be 5 or 13 bytes of ASCII data, or 5
or 13 two-digit, colon-separated hex values.
- -f dictfile
- the name of a file containing one password per line in the
format specified above. All passwords in the file will be tried
against the specified bssid.
- -b
- Discard beacon packets. Beacon packets will not be written in
the output file.
- -o offset
- Optional integer number of bytes of header that precede the
first frame control byte in the 802.11b packet. decrypt can
recognize packets captured with no prefix bytes (pcap type
DLT_IEEE802_11) as well as packets prefixed with prism2 style
headers (pcap type DLT_PRISM_HEADER). In these two cases, no offset
argument is required.
- -m bssid
- 6-byte MAC address of the AP for which traffic is to be
decrypted, in the form xx:xx:xx:xx:xx:xx
- -e infile
- The name of the file containing encrypted packets. This file is
expected to be in pcap dump file format.
- -d outfile
- The output file produced by decrypting all data packets
associated with the named AP using the specified key. All other
packets are copied from infile unchanged. This file will be in pcap
dump file format. If the provided key is not a valid key for the
specified bssid, all packets are copied unchanged to the output
file.
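The processing the DESCRIPTION and the -p, -m and -o options describe, shown as an added example in Python; this is not AirSnort's own code. It assumes standard WEP (RC4 seeded with IV || key, a little-endian CRC-32 ICV appended to the plaintext); the page does not say how decrypt itself decides that a key is valid, so the ICV comparison here is the WEP mechanism, not a claim about the tool's internals. The frames, BSSID, key and 50-byte prefix are constructed test data taken from this page's EXAMPLES, and the only link-type constants used are DLT_IEEE802_11 (105) and DLT_PRISM_HEADER (119) with its fixed 144-byte header. Dictionary mode is the same per-frame check applied once per candidate key.

```python
import struct
import zlib

# Constructed demo values; the BSSID and key are the ones used in this page's EXAMPLES.
DEMO_BSSID = bytes.fromhex("01023456789a")
DEMO_KEY_TEXT = "MyKey"

PROTECTED = 0x40          # frame-control byte 1: Protected Frame (WEP) bit
TO_DS, FROM_DS = 0x01, 0x02
DLT_IEEE802_11, DLT_PRISM_HEADER = 105, 119
PRISM_HEADER_LEN = 144    # fixed-size Prism monitor header that precedes the 802.11 frame


def parse_wep_key(text):
    """Accept the -p formats: 5 or 13 ASCII characters, or 5 or 13 colon-separated hex bytes."""
    if ":" in text:
        key = bytes(int(h, 16) for h in text.split(":"))
    else:
        key = text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 5 or 13 bytes (40- or 104-bit WEP)")
    return key


def default_offset(linktype):
    """Header bytes before the frame control field for the two link types the tool knows."""
    return {DLT_IEEE802_11: 0, DLT_PRISM_HEADER: PRISM_HEADER_LEN}[linktype]


def rc4(key, data):
    """RC4 key scheduling plus keystream XOR; WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame_bssid(frame):
    """Pick the BSSID address slot from the To-DS/From-DS bits of a three-address frame."""
    ds = frame[1] & (TO_DS | FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    return {0: a3, TO_DS: a1, FROM_DS: a2}.get(ds)  # four-address WDS frames: no single BSSID


def wep_decrypt_frame(pkt, key, bssid, offset=0):
    """Return (header, payload) when pkt is a WEP data frame for bssid and the key verifies,
    else None. Verification is WEP's own ICV: the last 4 plaintext bytes must equal the
    little-endian CRC-32 of the bytes before them."""
    frame = pkt[offset:]
    if len(frame) < 24 + 4 + 4:
        return None
    if (frame[0] & 0x0C) != 0x08 or not (frame[1] & PROTECTED):  # type 2 = data, WEP bit set
        return None
    if frame_bssid(frame) != bssid:
        return None
    header, iv, body = frame[:24], frame[24:27], frame[28:]  # byte 27 = key id / pad
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        return None
    return header, payload


def process_capture(packets, key, bssid, offset=0):
    """Mirror the tool's output rule: frames whose key verifies are written decrypted with the
    WEP bit cleared; every other packet is copied unchanged (prefix bytes included)."""
    out = []
    for pkt in packets:
        result = wep_decrypt_frame(pkt, key, bssid, offset)
        if result is None:
            out.append(pkt)
        else:
            header, payload = result
            cleared = bytes([header[0], header[1] & ~PROTECTED]) + header[2:]
            out.append(pkt[:offset] + cleared + payload)
    return out


def build_wep_frame(bssid, src, dst, payload, key, iv, prefix=b""):
    """Constructed test input: a To-DS data frame encrypted under key with IV iv (key id 0)."""
    header = bytes([0x08, TO_DS | PROTECTED]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return prefix + header + iv + b"\x00" + rc4(iv + key, payload + icv)


if __name__ == "__main__":
    key = parse_wep_key(DEMO_KEY_TEXT)
    frame = build_wep_frame(DEMO_BSSID, bytes(6), b"\xff" * 6,
                            b"constructed plaintext", key, b"\x01\x02\x03")
    print(wep_decrypt_frame(frame, key, DEMO_BSSID))                      # (header, payload)
    print(wep_decrypt_frame(frame, parse_wep_key("wrong"), DEMO_BSSID))  # None: ICV mismatch
```

The `offset` parameter plays the role of -o: a capture with 50 prefix bytes decrypts only when the same 50 is passed, because the type check then lands on the real frame control byte rather than on prefix data. Note that this sketch assumes a 24-byte header, so QoS and four-address frames are left unchanged, which is also the safe failure mode for a tool that must never corrupt packets it does not understand.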
EXAMPLES
Decrypt all traffic to/from the access point with
bssid 01:02:34:56:78:9a using ASCII key "MyKey", reading from input
file "capture", writing the results to a file named "decrypted":
decrypt -p MyKey -m 01:02:34:56:78:9a -e capture -d decrypted
Attempt to find a key for traffic to/from the access point with
bssid 01:02:34:56:78:9a by trying all keys contained in the
dictionary file "words". Packets are read from the input file
"packets" and contain 50 bytes of prefix data. Results are written
to file "decrypted":
decrypt -f words -o 50 -m 01:02:34:56:78:9a -e packets -d decrypted
SEE ALSO
airsnort(1)
gencases(1)
AUTHORS
Jeremy Bruestle <melvin@melvin.net>
Blake Hegerle <blake@melvin.net>
Snax <snax@shmoo.com>