Wireshark.
Hi folks!
After looking through a lot of sniffing forums, there still remains one question for me:
Which tool lets me decrypt traffic in real time, once I know the WEP key? Given, I'm physically located between the AP and the client.
I know that ARP poisoning is the way to go, but I'm looking for something more direct. Like a technique that shows me in real time the websites the person is navigating, filtering PWs like Cain, but "on the fly".
Can DSNIFF, URLSNARFER, WEBSPY etc. be used for this? If so, how?
Since they only process capture files.
Looking forward to any suggestions... Peace.
Wireshark.
Just checked it out in Win and BT. It requires me being part of the LAN, which I tried to avoid. I meant something like a receiver really, that just shows and captures what flies by... like doing a real-time decryption.
Same idea as a radio scanner does with audio signals.
It'd be cool if someone had any ideas.
Peace.
I think it would work if I'd capture packets in monitor mode (Kismet, Airodump), decrypt 'em right away (aircap-ng) and pass 'em on to an analyzer like Wireshark, right?
Any ideas how to chainlink those?
Spend more time with Wireshark, not the Win version.
Check capture options and preferences/IEEE 802.11.
You can read from the card or the file, not as a part of the LAN.
thanx rumburak
Yeah, you're right... I can put my card in monitor mode, and it will show everything that comes by in Wireshark! But the data packets still remain encrypted, and so far I haven't found an option that decrypts packets IN Wireshark.
The ideal would be a tool which decrypts traffic in the background while my card is in monitor mode, and lets me access the decrypted stream over my WLAN0 interface. This way, I could fire up driftnet, Dsniff & Co and could capture all the fun stuff. In REAL TIME.
LOL. I think you are overcomplicating the problem.
Associate with the ap and run ettercap. Figure out what ettercap does and how it does it. Read the manual(s) for the dsniff tools. Understand what the tools are doing and how they do it.
"Since they only process capture files."
Really? I wonder what the interface (-i) option is for? Ask intelligent, informed questions.
wireshark>Edit>preferences>protocols>IEEE 802.11>wep key(s)
It's amazing what wireshark will show in a live capture if you've already associated with the ap, btw.
If you choose not to associate, you can decrypt pcap files with wireshark, ettercap, or airdecap-ng. You could possibly pipe the output of tshark, tcpdump, etc. into airdecap-ng, then pipe the decrypted output into one of the dsniff tools, but why bother? If you choose not to associate for stealth reasons, work with capture files.
http://www.brendangregg.com/chaosreader.html
Have Fun
By the way I've mentioned preferences/IEE...
If you have to connect to the AP to be able to decrypt traffic, it is a problem of the card hardware that blocks some of the frames (it is rather not the driver). In this case the solution is any card with an Atheros chipset that captures all the frames, later selected by software (madwifi). I have one and can see the traffic without being connected.
Wireshark again
and theprez98