LinuxCommandLibrary

airdecap-ng

Decrypt WEP/WPA encrypted wireless capture files

TLDR

Remove wireless headers from an open network capture file and use the access point's MAC address to filter
$ airdecap-ng -b [ap_mac] [path/to/capture.cap]

Decrypt a [w]EP encrypted capture file using the key in hex format
$ airdecap-ng -w [hex_key] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file using the access point's [e]ssid and [p]assword
$ airdecap-ng -e [essid] -p [password] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file preserving the headers using the access point's [e]ssid and [p]assword
$ airdecap-ng -l -e [essid] -p [password] [path/to/capture.cap]

Decrypt a WPA/WPA2 encrypted capture file using the access point's [e]ssid and [p]assword and use its MAC address to filter
$ airdecap-ng -b [ap_mac] -e [essid] -p [password] [path/to/capture.cap]

SYNOPSIS

airdecap-ng [options] <capture file>
airdecap-ng [-l] [-e <essid>] [-b <bssid>] [-p <passphrase> | -w <wep key> | -k <pmk> | -r <raw key>] [-o <output file>] <input file>

PARAMETERS

<capture file>
    The input .cap or .pcap file containing encrypted wireless traffic.

-l
    Do not strip the 802.11 header from decrypted frames; the output keeps the wireless headers instead of being rewritten as Ethernet frames (as in the TLDR example above).

-e <essid>, --essid <essid>
    Specify the ESSID (network name) to filter and decrypt traffic for. Mandatory for WPA/WPA2 decryption.

-b <bssid>, --bssid <bssid>
    Specify the BSSID (AP MAC address) to filter and decrypt traffic for. Recommended for WPA/WPA2 decryption when the capture contains several networks.

-p <passphrase>, --key <passphrase>
    The WPA/WPA2 passphrase (WPA-PSK) for decryption.

-w <hex key>, --wep-key <hex key>
    The WEP key in hexadecimal format for decryption (as in the TLDR example above).

-k <pmk>, --wpa-key <pmk>
    The WPA/WPA2 PMK (Pairwise Master Key) in hexadecimal for decryption; an alternative to supplying -e and -p, since the PMK is derived from the ESSID and passphrase.

-r <raw key>, --raw-key <raw key>
    Specify a raw key format (typically for expert or specific scenarios).

-o <file>, --output <file>
    Specify the output file name for the decrypted capture. If not specified, it appends '-dec' to the input filename.

-u, --skip-wpa
    Skip decryption of WPA/WPA2 traffic.

-s, --skip-wep
    Skip decryption of WEP traffic.

-q, --quiet
    Suppress non-essential output during operation.

-v, --verbose
    Enable verbose output, showing more details about the decryption process.

-H, --help
    Display the help message and exit.

DESCRIPTION

airdecap-ng is a utility from the Aircrack-ng suite designed to decrypt wireless capture files (e.g., .cap, .pcap) that contain WEP, WPA, or WPA2 encrypted traffic. Unlike aircrack-ng, which focuses on cracking encryption keys, airdecap-ng assumes you already possess the correct key or passphrase. Its primary function is to transform an encrypted capture file into a decrypted one, so that tools like Wireshark can analyze the underlying network protocols (e.g., HTTP, DNS, FTP) that were previously obscured.

This is particularly useful for analyzing network traffic after successful key recovery or when analyzing your own encrypted wireless network. It requires the original capture file and the corresponding WEP key, WPA/WPA2 passphrase, or the Pairwise Master Key (PMK) to perform the decryption. The output is a standard pcap file, which can then be opened and inspected by any packet analyzer.

CAVEATS

airdecap-ng is not a cracking tool; it requires the correct encryption key or passphrase to function. If the key is incorrect or not present, decryption will fail or result in corrupted data. For WPA/WPA2 decryption, a complete 4-way handshake between the client and AP must be present in the capture file, along with sufficient data packets: the per-session keys are derived from nonces exchanged in that handshake, so the passphrase or PMK alone is not enough to decrypt a session. The tool decrypts only the wireless (802.11) layer; higher-layer encryption (e.g., VPN, SSL/TLS) remains encrypted. Fragmented packets or unusual network conditions may prevent some traffic from being decrypted.
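The two points above (that `-p <passphrase>` with `-e <essid>` and `-k <pmk>` describe the same secret, and that a session cannot be decrypted without the handshake) follow from the WPA/WPA2-PSK key derivation. The block below is an added example written for this page, not code from airdecap-ng or the Aircrack-ng project; it reproduces that derivation in Python. The ESSID/passphrase pair is the published IEEE 802.11 test vector, while the MAC addresses and nonces are constructed values standing in for what EAPOL messages 1 and 2 of a captured handshake would contain.

```python
"""Added example (not Aircrack-ng code): WPA/WPA2-PSK key derivation as a
defender's explanation of airdecap-ng's -p/-e vs -k options and of the
4-way handshake requirement."""
import hashlib
import hmac


def derive_pmk(essid: str, passphrase: str) -> bytes:
    """PMK (the PSK in personal mode) = PBKDF2-HMAC-SHA1(passphrase, essid,
    4096 iterations, 32 bytes). The ESSID is the salt, which is why -e is
    mandatory next to -p; -k simply takes this 32-byte value pre-computed."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), essid.encode("utf-8"), 4096, 32
    )


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter)
    concatenated for counter = 0..3, truncated to 64 bytes."""
    out = b""
    for counter in range(4):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    ANonce and SNonce exist only inside the captured EAPOL handshake frames,
    so a capture without the handshake cannot yield the session key."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK (16 B) authenticates handshake MICs, KEK (16 B) unwraps the group
    key, TK is the data-frame key: 16 B for CCMP (TKIP uses the remaining
    bytes for its MIC keys)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# IEEE 802.11 Annex test-vector inputs for the PMK; everything else is constructed.
SAMPLE_ESSID = "IEEE"
SAMPLE_PASSPHRASE = "password"
SAMPLE_AP_MAC = bytes.fromhex("02001122aa01")      # constructed, locally administered
SAMPLE_CLIENT_MAC = bytes.fromhex("02001122bb02")  # constructed
SAMPLE_ANONCE = bytes(range(32))                   # constructed ANonce (EAPOL msg 1)
SAMPLE_SNONCE = bytes(range(32, 64))               # constructed SNonce (EAPOL msg 2)

if __name__ == "__main__":
    pmk = derive_pmk(SAMPLE_ESSID, SAMPLE_PASSPHRASE)
    print("PMK (what -k would take):", pmk.hex())
    ptk = derive_ptk(pmk, SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC, SAMPLE_ANONCE, SAMPLE_SNONCE)
    for name, part in split_ptk(ptk).items():
        print(name.upper(), part.hex())
```

Running the block prints the PMK for the test vector, which is the hex string one would pass with `-k` instead of `-e IEEE -p password`; changing a single nonce byte changes every derived key, which is the concrete reason a capture missing the handshake cannot be decrypted even with the right passphrase.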

USAGE NOTES

After decryption, the output .pcap file can be opened with network protocol analyzers like Wireshark to inspect the original unencrypted network traffic. This allows for deep packet inspection, debugging network issues, or analyzing application-layer protocols. Ensure the capture file contains the necessary handshake (for WPA/WPA2) and a sufficient amount of data traffic for meaningful analysis.
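A quick way to confirm what a run produced before opening the file in Wireshark is to read the pcap header and count frame kinds: by default airdecap-ng writes Ethernet frames (link type 1), and with `-l` it keeps 802.11 frames (link type 105). The reader below is an added example written for this page, not part of airdecap-ng or the Aircrack-ng suite; it handles only the classic pcap container (not pcapng), and the two sample captures are constructed inline so it runs without any real capture file.

```python
"""Added example (not Aircrack-ng code): summarise a classic pcap file so the
output of airdecap-ng can be sanity-checked. Sample captures are constructed."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1       # airdecap-ng default output: 802.11 header replaced by Ethernet
LINKTYPE_IEEE802_11 = 105   # output when -l keeps the wireless headers
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
DOT11_TYPES = {0: "management", 1: "control", 2: "data"}


def parse_pcap(blob: bytes):
    """Return (linktype, [frame bytes, ...]) from a classic pcap file body."""
    magic = blob[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian (usec / nsec)
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian (usec / nsec)
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # global header after the magic: major, minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, _, linktype = struct.unpack(end + "HHiIII", blob[4:24])
    frames, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record at offset %d" % off)
        frames.append(blob[off:off + incl_len])
        off += incl_len
    return linktype, frames


def summarize(blob: bytes) -> dict:
    """Count frame kinds: EtherTypes for Ethernet output, 802.11 frame types
    (plus whether the Protected flag is still set) for -l output."""
    linktype, frames = parse_pcap(blob)
    kinds = Counter()
    if linktype == LINKTYPE_ETHERNET:
        for f in frames:
            if len(f) < 14:
                kinds["short"] += 1
                continue
            ethertype = struct.unpack("!H", f[12:14])[0]
            kinds[ETHERTYPES.get(ethertype, "0x%04x" % ethertype)] += 1
    elif linktype == LINKTYPE_IEEE802_11:
        for f in frames:
            if len(f) < 2:
                kinds["short"] += 1
                continue
            name = DOT11_TYPES.get((f[0] >> 2) & 0x3, "reserved")
            if f[1] & 0x40:          # Frame Control: Protected Frame bit
                name += "+protected"
            kinds[name] += 1
    else:
        kinds["linktype %d (not classified)" % linktype] = len(frames)
    return {"linktype": linktype, "frames": len(frames), "kinds": dict(kinds)}


def build_pcap(linktype: int, frames) -> bytes:
    """Write a little-endian classic pcap in memory (used only to construct samples)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def _eth(ethertype: int, payload: bytes) -> bytes:
    # constructed Ethernet frame: broadcast dst, locally administered src
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", ethertype) + payload)


# Constructed samples: what a default run and a -l run might look like.
SAMPLE_ETH = build_pcap(LINKTYPE_ETHERNET, [
    _eth(0x0806, b"\x00" * 28),            # ARP
    _eth(0x0800, b"\x45" + b"\x00" * 19),  # IPv4
    _eth(0x0800, b"\x45" + b"\x00" * 19),  # IPv4
])
SAMPLE_DOT11 = build_pcap(LINKTYPE_IEEE802_11, [
    b"\x08\x00" + b"\x00" * 22,  # data frame, Protected bit clear
    b"\x08\x41" + b"\x00" * 22,  # data frame, to-DS, Protected bit set
    b"\x80\x00" + b"\x00" * 22,  # beacon (management)
])

if __name__ == "__main__":
    print(summarize(SAMPLE_ETH))
    print(summarize(SAMPLE_DOT11))
```

Point `summarize()` at the bytes of a real `-dec` file to see whether the link type and protocol mix match what you expected from the options used; a classified EtherType breakdown is exactly the "previously obscured" protocol view the description refers to.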

HISTORY

airdecap-ng is an integral part of the Aircrack-ng suite, a comprehensive set of tools for auditing wireless networks. The suite itself originated from the older Aircrack and Airodump projects, which primarily focused on WEP. As wireless security evolved to WPA and WPA2, the tools were significantly expanded and refactored into the '-ng' (Next Generation) version. airdecap-ng was specifically developed to handle the post-capture decryption needs for these newer standards, complementing the key recovery capabilities of aircrack-ng and providing a crucial step for network analysis.

SEE ALSO

aircrack-ng(1): Wireless WEP/WPA/WPA2 key cracking program.
airodump-ng(1): Packet sniffer/data capture tool for wireless networks.
aireplay-ng(1): Packet injector/traffic generator for wireless networks.
wireshark(1): Network protocol analyzer for viewing decrypted traffic.
