Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Decrypt WEP in Realtime

  1. #1
    Member Vagabond's Avatar
    Join Date
    Feb 2010
    Posts
    50

    Default Decrypt WEP in Realtime

    Hi folks !

    After looking through a lot of sniffing Forums, there remains still one question for me-
    Which Tool let me decrypt traffic in Realtime, once I know the WEP-Key. Given, I´m physically located between the AP and the Client.

    I know, that ARP Poisoning is the way to go, but I´m looking for something more direct. Like a technique that shows me realtime the Websites the person in navigating, filtering PW´s like Cain, but "on the fly".

    Can DSNIFF, URLSNARFER, WEBSPY etc. be used for this ? If so, how ?
    Since they only process capture files.

    Looking forward to any suggestion ::....Peace.

  2. #2
    Junior Member
    Join Date
    Feb 2007
    Posts
    86

    Default

    Wireshark.

  3. #3
    Member Vagabond's Avatar
    Join Date
    Feb 2010
    Posts
    50

    Default

    Just checked it out in win and BT, I requires me being part of the LAN, which I tried to avoid. I meant something like a receiver really, that just shows and caputers what flies by...like doing a realtime decryption.

    Same Idea like a RadioScanner does with audiosignals.

    I´d be cool, if someone had any ideas.

    Peace.

  4. #4
    Member Vagabond's Avatar
    Join Date
    Feb 2010
    Posts
    50

    Default

    I think it would work if I´d capture packets in monitor mode (Kismet, Airodump), decrypt ´em right away (aircap-ng) and pass ´em on to an analyzer like wireshark, right ?..
    Any ideas how to chainlink those ?

  5. #5
    Junior Member
    Join Date
    Feb 2007
    Posts
    86

    Default

    Spend more time with wireshark, not the Win wersion.
    check capture options and preferences/IEE 802.11
    you can read from the card or the file not as a part of LAN.

  6. #6
    Member Vagabond's Avatar
    Join Date
    Feb 2010
    Posts
    50

    Default

    thanx rumburak
    Yeah, you´re right...I can put my card in monitor mode, and it will show everything that comes by in wireshark!..But the data packets still remain crypted, and so far I haven´t found an option that decrypts packets IN wireshark.

    The ideal would be a tool which decrypts traffic in the background while my card is in monitor mode, and let me acess the decrypted stream over my WLAN0 Interface. This way, i could fire up driftnet, Dsniff & Co and could capture all the fun stuff. In REALTIME.

  7. #7
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by Vagabound View Post
    thanx rumburak
    Yeah, you´re right...I can put my card in monitor mode, and it will show everything that comes by in wireshark!..But the data packets still remain crypted, and so far I haven´t found an option that decrypts packets IN wireshark.

    The ideal would be a tool which decrypts traffic in the background while my card is in monitor mode, and let me acess the decrypted stream over my WLAN0 Interface. This way, i could fire up driftnet, Dsniff & Co and could capture all the fun stuff. In REALTIME.
    Driftnet, et al, are designed to work when you're associated with the AP, so why not use the key to connect and then just run the program. I think you are overcomplicating the problem.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  8. #8
    Member
    Join Date
    Jan 2007
    Posts
    242

    Default

    I think you are overcomplicating the problem.
    LOL

    Associate with the ap and run ettercap. Figure out what ettercap does and how it does it. Read the manual(s) for the dsniff tools. Understand what the tools are doing and how they do it.

    Since they only process capture files.
    Really? I wonder what the interface (-i) option is for? Ask intelligent, informed questions.

    wireshark>Edit>preferences>protocols>IEEE 802.11>wep key(s)

    It's amazing what wireshark will show in a live capture if you've already associated with the ap, btw.

    If you choose not to associate, you can decrypt pcap files with wireshark, ettercap, or airdecap-ng. You could possibly pipe the output of tshark, tcpdump, etc into airdecap-ng then pipe the decrpyted output into one of the dsniff tools, but why bother? If you choose not to associate for stealth reasons, work with capture files.

    http://www.brendangregg.com/chaosreader.html

    Have Fun

  9. #9
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by ghaze View Post
    LOL

    Associate with the ap and run ettercap. Figure out what ettercap does and how it does it. Read the manual(s) for the dsniff tools. Understand what the tools are doing and how they do it.



    Really? I wonder what the interface (-i) option is for? Ask intelligent, informed questions.

    wireshark>Edit>preferences>protocols>IEEE 802.11>wep key(s)

    It's amazing what wireshark will show in a live capture if you've already associated with the ap, btw.

    If you choose not to associate, you can decrypt pcap files with wireshark, ettercap, or airdecap-ng. You could possibly pipe the output of tshark, tcpdump, etc into airdecap-ng then pipe the decrpyted output into one of the dsniff tools, but why bother? If you choose not to associate for stealth reasons, work with capture files.

    http://www.brendangregg.com/chaosreader.html

    Have Fun
    Much better than I could have said.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  10. #10
    Junior Member
    Join Date
    Feb 2007
    Posts
    86

    Default

    By the way I've mentioned preferences/IEE...
    If you have to connect to AP to be able to decrypt traffic it is the problem of the card hardware that blocks some of the frames (it is rather not the driver ). In this case the solution is any card with atheros chipset that capture all the frames later selected by software (madwifi ). I have one and can see the traffic without being connected.
    Wireshark again
    and theprez98

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •