DECRYPT(1)                BSD General Commands Manual               DECRYPT(1)

NAME
     decrypt -- 802.11b packet decryption tool

SYNOPSIS
     decrypt (-p key | -f dictfile) -m bssid -e infile -d outfile [-b]
             [-o offset]

DESCRIPTION
     decrypt is a command line tool that takes 3 pieces of input: a pcap
     format input file, a WEP key, and a bssid (access point MAC address).
     If the provided WEP key is found to be the key for the indicated bssid,
     associated packets are decrypted and copied to the output file.  If the
     key is not a valid key, all input packets are written unchanged to the
     output file.  The output is a pcap compatible dump file and can be
     examined with tools such as tcpdump or ethereal to view the decrypted
     data.

     This tool understands two link types, LINKTYPE_IEEE802_11 and
     LINKTYPE_PRISM_HEADER.  Other 802.11b capture formats can be decrypted
     by specifying an optional offset command line argument with the -o
     switch to indicate the number of header bytes that precede the actual
     802.11b packet.  That is, the number of bytes that precede the first
     frame control byte of each 802.11b packet.

     An alternate dictionary mode utilizes an input word list of potential WEP
     keys to attempt to find a valid key for the specified bssid.  If a valid
     key is found, packets are decrypted and copied to the specified output
     file.
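     The following is an added illustration, not code from decrypt or
     AirSnort, of the behaviour the DESCRIPTION specifies: a WEP data frame
     is decrypted with RC4 seeded by IV || key, the key is considered valid
     for the bssid only when the decrypted CRC-32 ICV verifies, frames are
     associated with the bssid through the address field selected by the
     To/From DS bits, and if the key never verifies every frame is passed
     through unchanged.  The capture, key, station address and payload are
     constructed inline for the example; the frame layout assumes a plain
     24-byte data MAC header (no addr4 or QoS field).

```python
import struct
import zlib
from typing import List, Optional

PROTECTED = 0x40           # "protected frame" bit in the second frame-control byte
TO_DS, FROM_DS = 0x01, 0x02
MAC_HDR_LEN = 24           # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2); assumed, no addr4/QoS

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; WEP seeds it with the 3-byte IV followed by the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def frame_bssid(frame: bytes) -> Optional[bytes]:
    """The address field holding the BSSID depends on the To DS / From DS bits."""
    flags = frame[1] & (TO_DS | FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if flags == 0:
        return a3
    if flags == FROM_DS:
        return a2
    if flags == TO_DS:
        return a1
    return None  # both bits set (WDS): no BSSID field in the header

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_decrypt_frame(frame: bytes, key: bytes) -> Optional[bytes]:
    """Return the frame with WEP removed (IV/key-id/ICV stripped, protected bit cleared),
    or None if the ICV does not verify, i.e. the key is not the key for this frame."""
    if len(frame) < MAC_HDR_LEN + 8 or not frame[1] & PROTECTED:
        return None
    hdr = frame[:MAC_HDR_LEN]
    iv = frame[MAC_HDR_LEN:MAC_HDR_LEN + 3]          # followed by one key-id byte
    body = frame[MAC_HDR_LEN + 4:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        return None
    return bytes([hdr[0], hdr[1] & ~PROTECTED & 0xFF]) + hdr[2:] + data

def wep_encrypt_frame(hdr: bytes, data: bytes, key: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Inverse of wep_decrypt_frame; used here only to build the constructed sample capture."""
    body = rc4(iv + key, data + icv(data))
    return bytes([hdr[0], hdr[1] | PROTECTED]) + hdr[2:] + iv + bytes([key_id << 6]) + body

def decrypt_capture(frames: List[bytes], key: bytes, bssid: bytes) -> List[bytes]:
    """Decrypt protected data frames associated with bssid; if the key never verifies
    for that bssid, return every frame unchanged (the man page's stated behaviour)."""
    out, verified = [], False
    for f in frames:
        is_data = (f[0] & 0x0C) == 0x08
        if is_data and frame_bssid(f) == bssid and f[1] & PROTECTED:
            dec = wep_decrypt_frame(f, key)
            if dec is not None:
                verified = True
                out.append(dec)
                continue
        out.append(f)
    return out if verified else list(frames)

# Constructed sample data: the key and bssid are the ones used in EXAMPLES.
KEY = b"MyKey"
BSSID = bytes.fromhex("01023456789a")
STA = bytes.fromhex("0a0b0c0d0e0f")             # constructed client address
# Station-to-AP data frame: type data, To DS set, so addr1 carries the BSSID.
HDR = bytes([0x08, TO_DS, 0, 0]) + BSSID + STA + bytes.fromhex("ffffffffffff") + b"\x10\x00"
PAYLOAD = b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello"   # LLC/SNAP header plus dummy data
CAPTURE = [
    wep_encrypt_frame(HDR, PAYLOAD, KEY, b"\x01\x02\x03"),
    # an unencrypted beacon (mgmt type, subtype 8) from the same AP, addr3 = BSSID
    bytes([0x80, 0x00, 0, 0]) + bytes.fromhex("ffffffffffff") + BSSID + BSSID + b"\x00\x00" + b"beacon",
]

if __name__ == "__main__":
    for f in decrypt_capture(CAPTURE, KEY, BSSID):
        print(f.hex())
```

     The ICV comparison is what makes "the key for the indicated bssid"
     decidable from the capture alone: with the wrong key RC4 yields noise
     and the CRC-32 check fails, so nothing is altered.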

OPTIONS
     -p key        password whose length must be 5 or 13 bytes of ascii data
                   or 5 or 13 two-digit, colon separated hex values.

     -f dictfile   the name of a file containing one password per line in the
                   format specified above. All passwords in the file will be
                   tried against the specified bssid.

     -b            Discard beacon packets. Beacon packets will not be written
                   in the output file.

     -o offset     Optional integer number of bytes of header that precede the
                   first frame control byte in the 802.11b packet.  decrypt
                   can recognize packets captured with no prefix bytes (pcap
                   type DLT_IEEE802_11) as well as packets prefixed with
                   prism2 style headers (pcap type DLT_PRISM_HEADER).  In
                   these two cases, no offset argument is required.

     -m bssid      6 byte mac address of the AP for which traffic is to be
                   decrypted in the form xx:xx:xx:xx:xx:xx

     -e infile     The name of the file containing encrypted packets. This
                   file is expected to be in pcap dump file format.

     -d outfile    The output file produced by decrypting all data packets
                   associated with the named AP using the specified key.  All
                   other packets are copied from infile unchanged.  This file
                   will be in pcap dump file format. If the provided key is
                   not a valid key for the specified bssid, all packets are
                   copied unchanged to the output file.
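     As an added example (not decrypt's own code), the input validation the
     -p and -o options imply: a key parser that accepts exactly the two
     formats described above and rejects everything else, a reader for the
     pcap global header's link type in either byte order, and the rule that
     an explicit offset overrides the link-type default.  The DLT numbers
     are libpcap's; the 144-byte length assumed for the prism2 header and
     the constructed pcap headers are this example's own.

```python
import struct
from typing import Optional

# libpcap link-layer type values for the two formats named on the man page
DLT_IEEE802_11 = 105
DLT_PRISM_HEADER = 119
PRISM_HEADER_LEN = 144   # assumed fixed size of the wlan-ng prism2 monitor header

def parse_wep_key(text: str) -> bytes:
    """-p key: 5 or 13 bytes of ASCII, or 5 or 13 two-digit colon separated hex values.
    A colon anywhere selects the hex form; anything else must be plain ASCII."""
    if ":" in text:
        parts = text.split(":")
        if len(parts) not in (5, 13) or any(len(p) != 2 for p in parts):
            raise ValueError("hex key must be 5 or 13 two-digit colon separated values")
        try:
            return bytes(int(p, 16) for p in parts)
        except ValueError:
            raise ValueError("hex key contains a non-hex value") from None
    raw = text.encode("ascii")              # non-ASCII input raises UnicodeEncodeError
    if len(raw) not in (5, 13):
        raise ValueError("ascii key must be exactly 5 or 13 bytes")
    return raw

def pcap_linktype(header: bytes) -> int:
    """Read the 'network' field of a 24-byte pcap global header, honouring the
    byte order announced by the magic number."""
    magic = header[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a pcap file (bad magic)")
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    return struct.unpack(endian + "IHHiIII", header[:24])[6]

def frame_offset(linktype: int, override: Optional[int] = None) -> int:
    """Bytes preceding the first frame-control byte: -o wins when given,
    otherwise it is derived from the two link types the tool understands."""
    if override is not None:
        if override < 0:
            raise ValueError("offset must be non-negative")
        return override
    if linktype == DLT_IEEE802_11:
        return 0
    if linktype == DLT_PRISM_HEADER:
        return PRISM_HEADER_LEN
    raise ValueError(f"unsupported link type {linktype}; give the prefix length with -o")

def pcap_global_header(linktype: int, little_endian: bool = True) -> bytes:
    """Constructed pcap 2.4 global header, used only to exercise pcap_linktype."""
    endian = "<" if little_endian else ">"
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

if __name__ == "__main__":
    print(parse_wep_key("MyKey"), parse_wep_key("01:02:03:04:05"))
    hdr = pcap_global_header(DLT_PRISM_HEADER)
    print(frame_offset(pcap_linktype(hdr)))          # 144
    print(frame_offset(pcap_linktype(hdr), override=50))  # 50
```

     Validating the key format up front is what lets a run with a
     misspelled key fail immediately instead of silently producing an
     output file identical to the input.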

EXAMPLES
     Decrypt all traffic to/from the access point with bssid 01:02:34:56:78:9a
     using ascii key "MyKey", reading from input file "capture", writing the
     results to a file named "decrypted".

           decrypt -p MyKey -m 01:02:34:56:78:9a -e capture -d decrypted

     Attempt to find a key for traffic to/from the access point with bssid
     01:02:34:56:78:9a by trying all keys contained in the dictionary file
     "words".  Packets are read from the input file "packets" and contain 50
     bytes of prefix data.  Results are written to the file "decrypted".

           decrypt -f words -o 50 -m 01:02:34:56:78:9a -e packets -d decrypted

SEE ALSO
     airsnort(1) gencases(1)

AUTHORS
     Jeremy Bruestle <melvin@melvin.net>
     Blake Hegerle <blake@melvin.net>
     Snax <snax@shmoo.com>

Linux                           August 18, 2002                          Linux