airdecap-ng

Decrypt WEP/WPA encrypted wireless capture files

TLDR

Remove wireless headers from an open network capture file and use the access point's MAC address to filter

$ airdecap-ng -b [ap_mac] [path/to/capture.cap]

Decrypt a [w]EP encrypted capture file using the key in hex format

$ airdecap-ng -w [hex_key] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file using the access point's [e]ssid and [p]assword

$ airdecap-ng -e [essid] -p [password] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file preserving the headers using the access point's [e]ssid and [p]assword

$ airdecap-ng -l -e [essid] -p [password] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file using the access point's [e]ssid and [p]assword and use its MAC address to filter

$ airdecap-ng -b [ap_mac] -e [essid] -p [password] [path/to/capture.cap]

-w
    WEP key in hexadecimal or ASCII format.

-p
    WPA passphrase (ASCII format).

-l
    Decrypt all WPA handshakes found in the capture file.

-e
    ESSID of the network. If not specified, the tool tries to detect it.

-b
    BSSID of the access point. If not specified, the tool tries to detect it.

    The input capture file (.cap, .pcap, .ivs) containing the encrypted traffic.

DESCRIPTION

airdecap-ng is a tool used to decrypt WEP or WPA encrypted wireless traffic.
It requires a captured .cap file containing the encrypted traffic, and either the WEP key or the WPA passphrase. The tool analyzes the capture file, decrypts the packets, and creates a new capture file containing only the decrypted traffic.
airdecap-ng can automatically detect the encryption type used in the capture file but it is best to provide this with command line parameter.

CAVEATS

Without the correct key or passphrase, decryption is impossible. The accuracy of the decryption depends on the completeness and quality of the captured traffic. WPA decryption requires a valid 4-way handshake.

OUTPUT FILE

airdecap-ng creates a new capture file with the same name as the input file but with the suffix '-dec.cap'. This file contains the decrypted traffic.

WEP KEY FORMAT

WEP keys can be specified in either hexadecimal or ASCII format. Hexadecimal keys must be prefixed with '0x' and must be the correct length (40 bits, 104 bits, or 128 bits) corresponding to the type of WEP used.

WPA HANDSHAKE IMPORTANCE

For WPA decryption, capturing a complete 4-way handshake is crucial. If a complete handshake is not available, the passphrase cannot be used to decrypt the traffic. Airodump-ng can be used to specifically target and capture the handshake.

HISTORY

airdecap-ng is part of the Aircrack-ng suite, which has been under active development since 2006. Its main goal is to provide a complete set of tools for auditing and cracking wireless networks. airdecap-ng's original purpose was focused on WEP decryption, but it later expanded to support WPA decryption as well.