Decrypt a WPA Capture File using airdecap-ng

Beginner

Introduction

Welcome to this lab on decrypting WPA capture files. airdecap-ng is a powerful tool within the Aircrack-ng suite designed to decrypt wireless traffic. After capturing wireless packets and successfully cracking the WPA/WPA2 passphrase, the next logical step is to decrypt the captured data to analyze its contents. This is where airdecap-ng comes in.

In this lab, you will walk through the process of using airdecap-ng to decrypt a pre-existing capture file (.cap) using a known network SSID and passphrase. This will allow you to understand the workflow of turning encrypted, unreadable network data into a clear, analyzable format.

Obtain the Cracked WPA Passphrase

In this step, we will start with the most critical piece of information needed for decryption: the WPA passphrase. In a real-world scenario, you would obtain this by using a tool like aircrack-ng to perform a dictionary or brute-force attack on a captured WPA 4-way handshake.

For the purpose of this lab, we will assume this process has already been completed successfully. The cracked password has been saved to a file named cracked_password.txt in your current directory, ~/project.

Let's view the contents of this file to get the passphrase. Use the cat command to display the file's content in the terminal.

cat cracked_password.txt

You should see the following output, which is the passphrase we will use for decryption:

password123

Keep this passphrase in mind, as we will need it in a later step to run the airdecap-ng command.

Locate the .cap File Containing the WPA Handshake

In this step, we need to identify the capture file that contains the encrypted wireless traffic. These files typically have a .cap or .pcap extension and are generated by packet sniffing tools like airodump-ng or Wireshark.

For this lab, a sample capture file named wpa_handshake.cap has been placed in your ~/project directory. To confirm that the file is present, you can list the contents of the current directory using the ls -l command. This command provides a detailed list of files and directories.

Execute the following command in your terminal:

ls -l

Your output should look similar to this, confirming the existence of wpa_handshake.cap:

total 12
-rw-r--r-- 1 labex labex   12 Mar 18 10:00 cracked_password.txt
-rw-r--r-- 1 labex labex    9 Mar 18 10:00 ssid.txt
-rw-r--r-- 1 labex labex    0 Mar 18 10:00 wpa_handshake.cap

Now that we have confirmed the location of our passphrase and our capture file, we are ready to prepare the decryption command.

Use airdecap-ng with the -e SSID and -p Passphrase

In this step, we will construct the airdecap-ng command. To decrypt a WPA/WPA2 capture, airdecap-ng requires two essential pieces of information: the network's name (SSID) and its passphrase.

The command uses specific flags (options) to accept this information:

  • -e <essid>: This flag is used to specify the ESSID (Extended Service Set Identifier) of the target network.
  • -p <passphrase>: This flag is used to provide the WPA/WPA2 passphrase.

For our lab, the SSID is stored in the ssid.txt file. Let's view it first:

cat ssid.txt

The output will be:

MyTestAP

Combining this with the passphrase "password123" from Step 1, the first part of our command will look like this:

airdecap-ng -e MyTestAP -p password123

This command structure tells airdecap-ng which network's traffic to look for and what key to use for decryption. In the next step, we will complete the command by adding the input capture file.

Specify the Input Capture File to be Decrypted

In this step, we will finalize and execute the airdecap-ng command. We have the SSID (MyTestAP), the passphrase (password123), and the input file (wpa_handshake.cap). Now, we just need to put them all together in a single command.

The final argument for the airdecap-ng command is the path to the capture file you want to decrypt.

Run the following complete command in your terminal. This will instruct airdecap-ng to read wpa_handshake.cap, find packets matching the "MyTestAP" SSID, and attempt to decrypt them using "password123".

airdecap-ng -e MyTestAP -p password123 wpa_handshake.cap

After running the command, you will see output similar to the following. Note that since our sample .cap file is empty, the packet counts will be zero. The most important line is the last one, which confirms the creation of a new, decrypted file.

Total number of packets read         1
Total number of WPA packets          0
Total number of WPA handshakes       0
Number of plaintext data packets     0
Number of decrypted WPA packets      0
Number of decrypted WEP packets      0
File wpa_handshake-dec.cap created.

The message "File wpa_handshake-dec.cap created." indicates that the operation was successful. airdecap-ng has generated a new file containing the decrypted version of the traffic.

Examine the Newly Created Decrypted Capture File

In this final step, we will verify that the decrypted file has been created and learn how to inspect it. airdecap-ng does not modify the original capture file. Instead, it writes the decrypted packets to a new file, named by inserting -dec before the extension of the original filename (so wpa_handshake.cap becomes wpa_handshake-dec.cap).

First, use the ls -l command again to see the new file in your directory.

ls -l

You will now see the decrypted file, wpa_handshake-dec.cap, listed alongside the original files:

total 16
-rw-r--r-- 1 labex labex   12 Mar 18 10:00 cracked_password.txt
-rw-r--r-- 1 labex labex    9 Mar 18 10:00 ssid.txt
-rw-r--r-- 1 labex labex    0 Mar 18 10:00 wpa_handshake-dec.cap
-rw-r--r-- 1 labex labex    0 Mar 18 10:00 wpa_handshake.cap

This new file, wpa_handshake-dec.cap, contains the plaintext version of the captured data. You can now analyze it with network analysis tools like Wireshark or tcpdump. To demonstrate, let's use tcpdump with the -r flag to read from our new file.

tcpdump -r wpa_handshake-dec.cap

Because our source file was empty, tcpdump will not show any packets. However, it will confirm that it can read the file, which is the goal of this step.

reading from file wpa_handshake-dec.cap, link-type EN10MB (Ethernet)

In a real-world situation with a populated capture file, this command would display the decrypted packet contents, such as HTTP requests, DNS queries, and other plaintext traffic.
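The following added example (written for this page, not code from the lab or from the Aircrack-ng project) reproduces the key derivation that airdecap-ng performs from the -e SSID and -p passphrase. It shows why both values must match the network exactly (the SSID is the PBKDF2 salt, so it is case-sensitive) and why the capture must contain the 4-way handshake of each client whose traffic is to be decrypted: the temporal key depends on the two nonces exchanged in that handshake. The MAC addresses and nonces below are constructed for illustration; the SSID and passphrase are the lab's own values.

```python
import hashlib
import hmac

# Added example, not part of the lab or of the Aircrack-ng sources: the key
# derivation airdecap-ng performs from the -e SSID and -p passphrase.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, so 'MyTestAP' and 'mytestap' give unrelated keys."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (CCMP, 48 bytes) from the PMK plus the two MAC addresses and two nonces
    seen in the 4-way handshake. Without that handshake in the .cap file there are
    no nonces, so airdecap-ng cannot derive the TK and decrypts nothing."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def split_ptk(ptk: bytes) -> dict:
    """KCK verifies the handshake MICs, KEK unwraps the GTK, TK decrypts data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Constructed sample handshake parameters (hypothetical MACs and nonces, chosen
# only for illustration); the SSID and passphrase below are the lab's own values.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def lab_tk() -> bytes:
    """Temporal key airdecap-ng would use for MyTestAP/password123 with the sample handshake."""
    pmk = derive_pmk("password123", "MyTestAP")
    return split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))["tk"]

if __name__ == "__main__":
    print("PMK:", derive_pmk("password123", "MyTestAP").hex())
    print("TK :", lab_tk().hex())
```

On a real capture, if airdecap-ng's summary reports "Total number of WPA handshakes 0", no PTK could be derived and the -dec.cap file will contain no decrypted data frames, even when the SSID and passphrase are correct.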

Summary

In this lab, you have successfully learned how to use airdecap-ng to decrypt a WPA-encrypted capture file.

You practiced the complete workflow:

  1. Identifying the required passphrase and SSID.
  2. Locating the target .cap file.
  3. Constructing the airdecap-ng command using the -e (SSID) and -p (passphrase) flags.
  4. Executing the command to generate a new, decrypted capture file (-dec.cap).
  5. Verifying the creation of the decrypted file and learning how it can be analyzed with tools like tcpdump.

This skill is fundamental in network security analysis, as it bridges the gap between cracking a network's password and actually understanding the traffic flowing within it.