Bruteforce WPA and decrypt pcap’s with aircrack

Pau Muñoz

Bruteforce WPA and decrypt pcap’s with aircrack


In this small and simple tutorial we are going to review the process of using aircrack for cracking and decrypting  a PCAP containing 802.11g traffic. In most of the cases, the aircrack suite is used to crack WEP/WPA passwords with accessing the network as a main goal however let’s explore another scenario: maybe you are monitoring a special network in a particular time-lapse, and your main goal isn’t getting permanent access to the network, let’s suppose that your goal is just obtaining relevant information about the traffic, so you don’t have time to crack the network and perform a man in the middle, or maybe you just want to stay under the radar, so you just move near to the wireless access point and start capturing all the traffic in 802.11g format, then you arrive at the office and have plenty of time to crack the keys and decrypt the traffic. In this post I want to explore this case of study.

You start a mon interface with: airmon-ng start  and start capturing traffic with airodump-ng –channel channel –write file.pcap mon0

Now let’s suppose we start with a pcap file containing encrypted wireless traffic:

As we know, if we try to guess what’s inside, we cannot see anything as it is encapsulated and crypted:

In some cases we can find some authentication data (the 4 way handshake) in the capture. In our example case, if we look closer we can see some deauth packets..

We can also use wireshark in the wireless tab to gather more information about the capture. Here we can see the BSSID and SSID… and we see that we have some deauths and a couple of auths! So we should be able to at least try to crack this pcap file to look for the password, and if we have the password, then we can de-encapsulate all the traffic and decrypt it.

We can use aircrack-ng to gather more data about the context of the pcap file.

In this case we see that the encryption is WPA and we have a handshake, also we can see the BSSID/SSID.

So now we can use aircrack-ng to launch a dict attack againts the file for finding the password (other tools such as reaver may provide more optimal cracking)

In this case after a a few minutes we found the pasword.

Now that we have the password, we can use airdecap to run the decryption and de-encapsulation of the capture file, so we can decrypt the whole capture.

Now we can see the LAYER7 content, including http, icmp, ftp data for example.

So if we have captured any plain text data related to authentication (ex: ftp or http logins) now we are able to see the passwords in plain..

In a brief, this was a different form to use the aircrack suite. In that case our main goal wasn’t to be able to find the WPA KEY and access the network, our main goal was to find some relevant data hidden inside a WPA crypted 802.11g capture file!