Comments on Average coder: Decrypting WEP/WPA2 traffic on the fly
(Comment feed, Average Coder, last updated 2023-11-02; newest comments first)

philas (2023-04-09 13:16):
Hi, I'm new, just want to ask you about the picture of WPA2: can you explain for me your output and how to get it (3 last packets)?

Azo (2021-01-09 04:43):
Hello Matias, hello guys,
Happy New Year to all to begin :)

Thanks a lot for the job you did here, really nice!
I am getting a last problem using it (only have some ICMPv6 traffic) and could not solve it even searching deep into all the internet (and this thread) :'(
I will appreciate any help because I spent hours on that!

My steps:
Setting monitor mode: all good
 > sudo airmon-ng check kill
 > sudo airmon-ng start wlxe84e06340e4e 11 [My Wifi is on channel 11]

PHY Interface Driver Chipset
phy2 wlxe84e06340e4e rt2800usb Ralink Technology, Corp. RT5370
Interface wlxe84e06340e4emon is too long for linux so it will be renamed to the old style (wlan#) name.
 (mac80211 monitor mode vif enabled on [phy2]wlan0mon
 (mac80211 station mode vif disabled for [phy2]wlxe84e06340e4e)

 > sudo ./dot11decrypt wlan0mon wpa:MyWifi:MyWPAPassPhrase
Using device: tap0
Device is up.
AP found: MyWifi: xx:xx:xx:xx:xx:xx
Captured handshake for VirtualGate (xx:xx:xx:xx:xx:xx): yy:yy:yy:yy:yy:yy

My iPhone is "yy:yy:yy:yy:yy:yy" and connected to the wifi.
All seems good!

But a tcpdump on tap0 shows only some ICMPv6 traffic like this; nothing about my iPhone traffic:
 > sudo tcpdump -i tap0 -c 5 -n
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:21:53.564804 IP6 fe80::3447:a9ff:fe39:4fbf > ff04::2: ICMP6, router solicitation, length 16

While I have a lot of traffic shown on wlan0mon (here an extract):
 > sudo tcpdump -i wlan0mon -c 50 -n
08:26:19.820176 1.0 Mb/s 2462 MHz 11b -61dBm signal antenna 1 Beacon (MyWifi) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 11, PRIVACY
08:26:19.841203 1.0 Mb/s 2462 MHz 11b -83dBm signal antenna 1 Beacon (AnyName1) [1.0* 2.0* 5.5* 11.0* 9.0 18.0 36.0 54.0 Mbit] ESS CH: 11, PRIVACY
08:26:20.128360 1.0 Mb/s 2462 MHz 11b -63dBm signal antenna 1 Data IV:1e88 Pad 20 KeyID 1
08:26:20.768044 6.0 Mb/s 2462 MHz 11g -81dBm signal antenna 1 BAR RA:28:9f:fd:a5:5e:b0 TA:63:53:c4:c1:ab:0f CTL(4) SEQ(23104)
08:26:21.497037 24.0 Mb/s 2462 MHz 11g -75dBm signal antenna 1 Acknowledgment RA:3b:5a:f0:0d:dc:81
08:26:21.500892 1.0 Mb/s 2462 MHz 11b -79dBm signal antenna 1 Probe Response (AnyName1) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] CH: 11, PRIVACY

How could I get correctly decrypted traffic on tap0?

I open an idea (not sure this is linked):
Trying to use a capture file and airdecap-ng fails as well
 > sudo airodump-ng wlan0mon --essid MyWifi -c 11 -w ./wifi_capture
 CH 11 ][ Elapsed: 24 s ][ 2021-01-09 23:38 ][ WPA handshake: xx:xx:xx:xx:xx:xx
 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

 xx:xx:xx:xx:xx:xx -58 89 239 68 1 11 195 WPA2 CCMP PSK MyWifi

 BSSID STATION PWR Rate Lost Frames Notes Probes

 (not associated) zz:zz:zz:zz:zz:zz -86 0 - 1 0 6 AnyName
 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy -46 1e-24 0 71 EAPOL MyWifi

 > sudo airdecap-ng -e MyWifi -p MyWPAPassPhrase ./wifi_capture-01.cap
Total number of stations seen 10
Total number of packets read 15920
Total number of WPA data packets 65
Number of decrypted WPA packets 0
Number of bad TKIP (WPA) packets 0
Number of bad CCMP (WPA) packets 0

My main goal is to make dot11decrypt work.
I will appreciate any help!
Thanks :)

Data Design Systems (2019-10-07 21:25):
Honestly for what little it does the install is too much of a pain in the ass

Data Design Systems (2019-10-07 21:22):
Try using target-"" in your links PLEASE!!!!! FFS

Anonymous (2017-07-04 09:53):
I'm having the same issue here. I'm getting only (decrypted) outbound traffic.

Young (2017-05-24 00:13):
Hi, it works very well, but I don't get the HTTP response data. What can I do to get it?
Thx a lot.

Anonymous (2017-05-09 11:40):
Hi, it works very well, but from time to time the program breaks with this error:
terminate called after throwing an instance of 'Tins::malformed_packet'
 what(): Malformed packet

and captured handshakes are lost :(
Any idea??
Thx a lot.

malco95 (2017-03-15 22:34):
Guys, I have a problem: Kali for Raspberry Pi shuts down this program. Temp resolve: modify source.

malco95 (2016-11-09 07:27):
Thanks! You're a great programmer!

Gator42 (2015-07-07 16:07):
Neil and Matias, I am looking to do the same thing with an rPi2b I just purchased and kismet running. I'd like to monitor specific MACs and decrypt the websites being visited. I recognize this is an older post (1 year+) but if either of you are interested, I'd like to know how this project turned out and, Neil, if you were able to get it up and running and was it successful?

Anonymous (2015-06-05 15:08):
I have the same issue as Jerry and Joe. Running Kali Linux on Raspberry.

Anonymous (2015-02-04 15:26):
I have the same problem.

Anonymous (2015-01-17 02:37):
Every time a handshake occurs tap0 shuts down and the message "segmentation fault" appears. Any suggestions on how to fix this would be very much appreciated.

lagranvaca (2014-07-06 18:54):
Thanks for the response. I forgot to mention that effectively the adapter is on the same channel as the AP. In fact, otherwise I cannot capture absolutely anything. I've been reading the link. I have to do some tests, but the most feasible option is that the adaptor is too close to the AP. I also would like to ask you if it's possible to tell dot11decrypt to read the handshake from a pcap (tcpdump) file (I can do it with the laptop) and start the capture immediately. Is it possible to modify the program to allow this? Is it a good idea?

lagranvaca (2014-07-05 17:16):
Hi,

I've tried this software on my laptop, and it works perfectly. However, I've tried exactly the same steps (installation and usage) on my server, and it does not work. I can compile, install and use it, but it only captures a few IPv6 packets. There is no difference regarding libtins version between the laptop and server. It is almost the same Linux distro (Mint). I'm also using the same wifi adaptor (USB) in both computers. I'm running out of ideas. Any help please?

Thanks!

Mike (2014-05-16 16:07):
I also seem to have reproduced the same behavior with CentOS 6.4.

Mike (2014-05-16 02:19):
I've got a similar problem on the Raspberry Pi. I've got tap0 set up, but it never receives any packets, even though wlan0 can be monitored with Wireshark, and the packets can be decrypted. I've simultaneously been capturing from my MacBook wifi in monitor mode with Wireshark and can decrypt the traffic and see everything as well. I'm happy to provide whatever you need to get it fixed.

Anonymous (2014-04-04 12:13):
You're right, I'm using 4.4.5. I'll see if I can get gcc updated and give it another try.

Thanks for your help

Average Coder (2014-04-04 09:45):
I forgot that dot11decrypt uses C++11 features. In fact, the requirements (https://github.com/mfontanini/dot11decrypt#requirements) state that you need at least gcc 4.6. So that's actually the problem.

Average Coder (2014-04-04 09:42):
Which gcc version are you using? It seems like it doesn't have support for C++11's noexcept keyword, which was added in gcc 4.6, so the compilation errors on the examples are caused by that. I don't know if it's the cause of the other problem though.

Anonymous (2014-04-04 06:20):
That compiles OK using g++ -c capturetest.cpp -o capturetest -ltins. Then I run ldconfig and ./capturetest. It returns without any errors.

Running make against the libtins examples I'm getting:

[root@localhost examples]# make
g++ arpspoofing.cpp -o arpspoofing -Wall -g -O2 -ltins
g++ arpmonitor.cpp -o arpmonitor -std=c++0x -Wall -g -O2 -ltins
In file included from /usr/local/include/tins/dns.h:40,
 from /usr/local/include/tins/tins.h:33,
 from arpmonitor.cpp:1:
/usr/local/include/tins/pdu.h:152: error: expected ‘;’ before ‘noexcept’
/usr/local/include/tins/pdu.h:163: error: expected ‘;’ before ‘PDU’
/usr/local/include/tins/pdu.h:163: error: expected ‘;’ before ‘noexcept’
/usr/local/include/tins/pdu.h:175: error: expected ‘;’ before ‘virtual’
In file included from /usr/local/include/tins/tins.h:48,
 from arpmonitor.cpp:1:
/usr/local/include/tins/packet_sender.h:90: error: expected ‘;’ before ‘noexcept’
/usr/local/include/tins/packet_sender.h:98: error: expected ‘;’ before ‘PacketSender’
/usr/local/include/tins/packet_sender.h:98: error: expected ‘;’ before ‘noexcept’
/usr/local/include/tins/packet_sender.h:122: error: expected ‘;’ before ‘~’ token
In file included from /usr/local/include/tins/tins.h:49,
 from arpmonitor.cpp:1:
/usr/local/include/tins/packet_writer.h:79: error: expected ‘;’ before ‘noexcept’
...

Not sure if this is related

Average Coder (2014-04-03 21:12):
Can you try compiling this short snippet?

https://gist.github.com/mfontanini/9965429

Remember to link it with libtins using -ltins.

The problem you're facing is described here: http://www.gnu.org/software/autoconf/manual/autoconf-2.68/html_node/Present-But-Cannot-Be-Compiled.html. But I don't think that situation is occurring in handshake_capturer.h, so I don't really know what the problem is.

Anonymous (2014-04-03 16:34):
The version of libtins I downloaded was 2.0.0. It installed OK when I ran ./configure, make and make install.

Library is present under /usr/local/lib and headers (including dot11 headers) are all under /usr/local/include/tins.

Incidentally I get errors when I try to run make against the tins example apps, e.g. arpmonitor. Getting errors about expecting semi-colons in the header files by the looks of things.

This is on RHEL6.1 32bit btw and there were no other versions of libtins installed previously.

Many thanks

Average Coder (2014-04-03 13:43):
Have you downloaded the latest libtins source code, and you don't have any other previous version installed in your system?