Introduction
airdecap-ng is a powerful tool within the Aircrack-ng suite designed to decrypt wireless traffic capture files. Once you have successfully cracked the password for a WEP, WPA, or WPA2 network, you can use airdecap-ng to convert the encrypted traffic capture (.cap file) into a decrypted version. This new file allows you to analyze the contents of the network communication in plaintext using tools like Wireshark or tshark.
In this lab, you will simulate the final stage of a wireless penetration test. We will assume that you have already captured encrypted WEP traffic and successfully cracked the key. Your task is to use airdecap-ng with the known key to decrypt the capture file and verify the result.
Obtain the Cracked WEP Key in Hexadecimal
In this step, you will locate the WEP key that was previously "cracked". In a real-world scenario, this key would be the output of a tool like aircrack-ng. For this lab, we have simulated this output and saved it to a text file.
First, let's examine the file containing the key. It is located at ~/project/wep_scenario/crack_result.txt. Use the cat command to display its contents:
cat ~/project/wep_scenario/crack_result.txt
You will see the following output, which mimics the successful result from aircrack-ng:
KEY FOUND! [ 1A:2B:3C:4D:5E ]
The tool airdecap-ng requires the WEP key in plain hexadecimal, without colons or other separators. Based on the output above, the key is 1A:2B:3C:4D:5E, so you will pass it as 1A2B3C4D5E in the upcoming steps. A quick sanity check before moving on: a 40-bit WEP key like this one is exactly 10 hex digits, and a 104-bit key is 26; any other length usually means a separator was left in or a digit was dropped when copying.
Locate the Original .cap File with Encrypted Traffic
In this step, you will locate the capture file that contains the encrypted WEP traffic. This is the file we will feed into airdecap-ng for decryption.
The setup script for this lab has placed the necessary file in the ~/project/wep_scenario directory. Use the ls -l command to list the files in this directory and identify the capture file.
ls -l ~/project/wep_scenario
The output will show the files in the directory:
total 68
-rw-r--r-- 1 labex labex 44 Dec 01 12:00 crack_result.txt
-rw-r--r-- 1 labex labex 65879 Dec 01 12:00 wep_traffic.cap
As you can see, the capture file is named wep_traffic.cap. This is the input file for our decryption process.
Use airdecap-ng with the -w WEP Key Parameter
In this step, you will learn about the basic syntax of airdecap-ng and its most important parameter for WEP decryption. The general syntax is airdecap-ng [options] <capture file>.
For decrypting WEP-encrypted traffic, the crucial option is -w, which stands for "WEP key". This parameter is used to provide the hexadecimal key you identified in the first step.
To make the commands easier to type, first navigate into the working directory:
cd ~/project/wep_scenario
Now, let's look at the help menu for airdecap-ng to see the official description of the -w parameter.
airdecap-ng --help
You will see a list of all available options. Look for the -w option in the output:
...
Common options:
-l : don't remove 802.11 header
-b <bssid> : access point MAC address
-e <essid> : target network ESSID
WEP specific options:
-w <key> : target network WEP key in hex
...
This confirms that -w is the correct parameter for our WEP key. In the next step, we will combine this parameter with our key and the input file to perform the decryption.
Specify the Input Capture File to be Decrypted
In this step, you will combine all the pieces: the airdecap-ng command, the WEP key with the -w parameter, and the input capture file. This will execute the decryption process.
Make sure you are in the ~/project/wep_scenario directory. Now, run the airdecap-ng command with the key 1A2B3C4D5E and the input file wep_traffic.cap.
airdecap-ng -w 1A2B3C4D5E wep_traffic.cap
The tool will process the file and display a summary of its actions. The output will look similar to this:
Total number of packets read 1236
Total number of WEP data packets 254
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 254
Number of decrypted WPA packets 0
Number of packets written to file 254
The most important outcome is that airdecap-ng has created a new file. By default it names the output by inserting -dec before the extension of the input file, so wep_traffic.cap produces a new file named wep_traffic-dec.cap, which should now exist.
Verify this by listing the files in the current directory again:
ls
You should now see the newly created decrypted file in the listing:
crack_result.txt wep_traffic.cap wep_traffic-dec.cap
This new file contains the decrypted data packets (254 of the 1236 frames read, as the summary shows; management frames such as beacons and ACKs are not written), with their payloads now in plaintext.
Analyze the New Decrypted .cap File in Wireshark
In this step, you will inspect the contents of the new decrypted file to confirm that the traffic is now readable. While a graphical tool like Wireshark is ideal, we can use its command-line equivalent, tshark, to quickly check the file in the terminal.
First, let's use tshark to view the first 10 packets of the original encrypted file. The -r option tells tshark to read from a file.
tshark -r wep_traffic.cap | head -n 10
Notice that the protocol for most data packets is listed as 802.11 and the info column indicates they are protected.
1 0.000000 00:09:5b:89:a5:e9 -> ff:ff:ff:ff:ff:ff 802.11 60 Beacon frame, SN=3296, FN=0, Flags=........, BI=100, SSID=linksys
2 0.000013 00:14:a5:8d:fb:c8 -> 00:09:5b:89:a5:e9 802.11 114 Data, SN=2083, FN=0, Flags=...P...., WEP
3 0.000539 00:09:5b:89:a5:e9 -> 00:14:a5:8d:fb:c8 802.11 60 ACK, SN=2083, FN=0, Flags=........
4 0.102399 00:09:5b:89:a5:e9 -> ff:ff:ff:ff:ff:ff 802.11 60 Beacon frame, SN=3297, FN=0, Flags=........, BI=100, SSID=linksys
...
Now, let's do the same for our new decrypted file, wep_traffic-dec.cap.
tshark -r wep_traffic-dec.cap | head -n 10
Observe the output carefully. You can now see higher-level protocols like ARP and DHCP. This means the WEP encryption layer has been successfully removed, and the underlying data is visible.
1 0.000013 00:14:a5:8d:fb:c8 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.1? Tell 192.168.1.100
2 0.102938 00:14:a5:8d:fb:c8 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.1? Tell 192.168.1.100
3 0.205337 00:14:a5:8d:fb:c8 -> ff:ff:ff:ff:ff:ff DHCP 342 DHCP Request
4 0.307736 00:14:a5:8d:fb:c8 -> ff:ff:ff:ff:ff:ff DHCP 342 DHCP Request
...
By comparing the two outputs, you have confirmed that the decryption was successful. The file wep_traffic-dec.cap can now be used for detailed packet analysis.
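As an added example, not part of the lab's own files or of the Aircrack-ng suite, the following POSIX shell script strings the steps above together: it pulls the key out of a crack_result.txt-style "KEY FOUND!" line and strips the colons, checks that the result is a 40-bit (10 hex digit) or 104-bit (26 hex digit) WEP key before anything is run, derives the -dec.cap output name that airdecap-ng will use, runs the decryption only when the tool and the lab files are actually present, and tallies the protocol column of tshark's one-line summary so the encrypted and decrypted captures can be compared the way the two listings above are compared by eye. The function names, the sample input lines, and the guarded run at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this lab: helper functions around airdecap-ng and tshark.
# Function names and sample inputs are constructed for illustration; they are
# not part of the Aircrack-ng suite or of the lab's setup script.

# Pull the key out of an aircrack-ng style "KEY FOUND! [ 1A:2B:3C:4D:5E ]"
# line and drop the colon separators, since airdecap-ng -w wants plain hex.
extract_wep_key() {
    sed -n 's/.*KEY FOUND! *\[ *\([0-9A-Fa-f:]*\) *].*/\1/p' "$1" | head -n 1 | tr -d ':'
}

# A WEP key is 40-bit (10 hex digits) or 104-bit (26 hex digits); anything
# else means the key was copied wrongly or the separators were not removed.
validate_wep_key() {
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ] || [ "${#1}" -eq 26 ]
}

# airdecap-ng writes its output next to the input, inserting -dec before the
# extension (assumed here for a .cap input, as in the lab:
# wep_traffic.cap -> wep_traffic-dec.cap).
decrypted_name() {
    printf '%s\n' "${1%.cap}-dec.cap"
}

# Run the decryption and confirm the output file exists and is non-empty.
# Prints the output filename on success; reports the reason on stderr otherwise.
decrypt_capture() {
    cap=$1
    key=$2
    validate_wep_key "$key" || { echo "refusing to run: '$key' is not a 10- or 26-digit hex WEP key" >&2; return 1; }
    [ -f "$cap" ] || { echo "capture file not found: $cap" >&2; return 1; }
    out=$(decrypted_name "$cap")
    airdecap-ng -w "$key" "$cap" >/dev/null || { echo "airdecap-ng failed on $cap" >&2; return 1; }
    [ -s "$out" ] || { echo "expected output $out was not created" >&2; return 1; }
    printf '%s\n' "$out"
}

# Count frames per protocol in tshark's one-line-per-packet summary (read on
# stdin). In that format the protocol is the sixth field, for example:
#   1 0.000013 00:14:a5:8d:fb:c8 -> ff:ff:ff:ff:ff:ff ARP 42 Who has ...
# Before decryption every data frame shows as 802.11; afterwards ARP, DHCP
# and other higher-level protocols appear in the tally.
protocol_tally() {
    awk '$6 != "" { count[$6]++ } END { for (p in count) print p, count[p] }' | sort
}

# Whole workflow for the lab layout (paths taken from the lab text).
run_lab_workflow() {
    dir=${1:-"$HOME/project/wep_scenario"}
    key=$(extract_wep_key "$dir/crack_result.txt")
    out=$(decrypt_capture "$dir/wep_traffic.cap" "$key") || return 1
    echo "== $dir/wep_traffic.cap =="
    tshark -r "$dir/wep_traffic.cap" 2>/dev/null | protocol_tally
    echo "== $out =="
    tshark -r "$out" 2>/dev/null | protocol_tally
}

# Only touch the real tools when they and the lab files are actually present,
# so the helpers above can be sourced and exercised anywhere.
if command -v airdecap-ng >/dev/null 2>&1 && command -v tshark >/dev/null 2>&1 \
   && [ -f "$HOME/project/wep_scenario/wep_traffic.cap" ]; then
    run_lab_workflow
fi
```

Run it from the lab directory, or source it and call the individual functions; validate_wep_key rejecting a key that still contains colons is the check that catches the most common slip in this procedure, and protocol_tally gives a count you can compare across the two files instead of scanning the first ten lines of each.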
Summary
Congratulations on completing the lab! You have successfully decrypted a WEP-encrypted capture file using airdecap-ng.
In this lab, you learned how to:
- Locate a pre-cracked WEP key and format it for use with airdecap-ng.
- Identify the target encrypted capture file.
- Use the airdecap-ng -w <key> <file> command to perform the decryption.
- Verify the creation of the new decrypted .cap file.
- Use tshark to inspect and compare the encrypted and decrypted files, confirming the success of the operation.
This skill is a fundamental part of wireless network analysis and security auditing, allowing you to turn a captured stream of encrypted data into meaningful, readable information.
