DECRYPT(1) BSD General Commands Manual DECRYPT(1)

decrypt — 802.11b packet decryption tool

decrypt (-p key | -f dictfile) -m bssid -e infile -d outfile [-b]
[-o offset]

decrypt is a command line tool that takes 3 pieces of input, a pcap
format input file, a WEP key, and a bssid (access point MAC address). If
the provided WEP key is found to be the key for the indicated bssid,
associated packets are decrypted and copied to the output file. If the
key is not a valid key, all input packets are written unchanged to the
output file. The output is a pcap compatible dump file and can be
examined with tools such as tcpdump or ethereal to view the decrypted data.

This tool understands two link types, LINKTYPE_IEEE802_11 and
LINKTYPE_PRISM_HEADER. Other 802.11b capture formats can be decrypted by
specifying an optional offset command line argument with the -o switch to
indicate the number of header bytes that precede the actual 802.11b
packet. That is, the number of bytes that precede the first frame
control byte of each 802.11b packet.

An alternate dictionary mode utilizes an input word list of potential WEP
keys to attempt to find a valid key for the specified bssid. If a valid
key is found, packets are decrypted and copied to the specified output
file.

-p key       password whose length must be 5 or 13 bytes of ASCII data
             or 5 or 13 2 digit, colon separated hex values.

-f dictfile  the name of a file containing one password per line in the
             format specified above. All passwords in the file will be
             tried against the specified bssid.

-b           Discard beacon packets. Beacon packets will not be written
             in the output file.

-o offset    Optional integer number of bytes of header that precede the
             first frame control byte in the 802.11b packet. decrypt
             can recognize packets captured with no prefix bytes (pcap
             type DLT_IEEE802_11) as well as packets prefixed with
             prism2 style headers (pcap type DLT_PRISM_HEADER). In
             these two cases, no offset argument is required.

-m bssid     6 byte MAC address of the AP for which traffic is to be
             decrypted in the form xx:xx:xx:xx:xx:xx

-e infile    The name of the file containing encrypted packets. This
             file is expected to be in pcap dump file format.

-d outfile   The output file produced by decrypting all data packets
             associated with the named AP using the specified key. All
             other packets are copied from infile unchanged. This file
             will be in pcap dump file format. If the provided key is
             not a valid key for the specified bssid, all packets are
             copied unchanged to the output file.

Decrypt all traffic to/from the access point with bssid 01:02:34:56:78:9a
using ASCII key "MyKey", reading from input file "capture", writing the
results to a file named "decrypted"

decrypt -p MyKey -m 01:02:34:56:78:9a -e capture -d decrypted

Attempt to find a key for traffic to/from the access point with bssid
01:02:34:56:78:9a by trying all keys contained in the dictionary file
"words". Packets are read from the input file "packets" and contain 50
bytes of prefix data. Results are written to file "decrypted"

decrypt -f words -o 50 -m 01:02:34:56:78:9a -e packets -d decrypted

airsnort(1) gencases(1)

Jeremy Bruestle <melvin@melvin.net>
Blake Hegerle <blake@melvin.net>
Snax <snax@shmoo.com>

Linux August 18, 2002 Linux
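
Added example (not part of the original manual page or of the decrypt source): a Python helper that reads the link type of a pcap file to tell whether -o is needed at all. It goes beyond the page by also computing the prefix length for radiotap captures (link type 127); that -o accepts this value is an assumption drawn from the description of -o above, and sample_capture only builds constructed input.

```python
import struct

# Link types from the tcpdump.org LINKTYPE_ registry.
LINKTYPE_IEEE802_11 = 105           # frame control byte comes first
LINKTYPE_PRISM_HEADER = 119         # Prism header, recognized by decrypt
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap header, not named on the page

def read_capture(data):
    """Return (linktype, [packet bytes]) from a classic pcap file image."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number shows which byte order the capturing host used.
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        order = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(order + "I", data, 20)[0] & 0xFFFF
    packets, pos = [], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack_from(order + "I", data, pos + 8)[0]
        pos += 16
        if pos + caplen > len(data):
            raise ValueError("truncated packet record")
        packets.append(data[pos:pos + caplen])
        pos += caplen
    return linktype, packets

def offset_argument(data):
    """Return None if decrypt needs no -o, else the byte count to pass."""
    linktype, packets = read_capture(data)
    if linktype in (LINKTYPE_IEEE802_11, LINKTYPE_PRISM_HEADER):
        return None
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("link type %d: measure the prefix by hand" % linktype)
    # Radiotap stores its own length little-endian at bytes 2-3 of each packet.
    lengths = {struct.unpack_from("<H", p, 2)[0] for p in packets if len(p) >= 4}
    if len(lengths) != 1:
        raise ValueError("no single radiotap header length fits every packet")
    return lengths.pop()

def sample_capture(linktype, packets):
    """Build a constructed little-endian pcap image for the checks."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```

A radiotap capture whose header length changes between packets cannot be described by one -o value, which is why offset_argument raises instead of guessing.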