Topic: airdecap-ng + wpa problems (Read 3397 times)
Morlock
Newbie

Posts: 8
Hey there. Seems like nobody reads "Help" topics, so I'll post my problem here... I've got a strange problem with decrypting a wpa.cap file with airdecap-ng. So the thing is: when I'm trying to decrypt wep packets, it works ok and all packets are decrypted. But with wpa, nothing happens; airdecap just returns:
[root@localhost]# airdecap-ng -p titannnn -e wlan wpa-04.cap
Total number of packets read 793
Total number of WEP data packets 0
Total number of WPA data packets 331
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of decrypted WPA packets 0
The passphrase is really "titannnn", so I just don't realize why no packets are decrypted. Both wep and wpa packets are saved with airodump-ng, on the same wifi card (dlink g-520), and the same AP. Please help me solve this little problem.
Mister_X
Can you send me that file? See the AUTHORS file for the email address. Next time, don't double post.
Morlock
Newbie

Posts: 8
I sent it to you today. Sorry for the double post.
akf
Newbie

Posts: 2
Hi,
I've been having the same problem. I catch as many handshakes as you like but airdecap-ng (0.6.2) won't decrypt them. It generates an unreadable file of 24 bytes but nothing more. I've tried with captures from airodump-ng & kismet, in vain. aircrack-ng finds the passwd though and mentions the found handshake. Google isn't any help...
Card: atheros, madwifi-ng driver, injection works perfectly.
Any suggestions?
« Last Edit: November 02, 2006, 07:55:55 pm by akf »
akf
Newbie

Posts: 2
Downloaded aircrack 2.4 (old version, pre-aircrack-ng) from the following site: http://www.tuto-fr.com/tutoriaux/crack-wep/fichiers/wlan/aircrack/archives/
Ran the old airdecap on my cap file. Behold! It worked. Conclusion: Something must be broken in the airdecap-ng.
Note: No need to install the whole old package. Just compile and replace airdecap.
Anyway, thanks to the developers for the great tool!
afk
reverend carlos
Newbie

Posts: 3
Hello, I have exactly the same problem with airdecap-ng. It will not decrypt dump files from airodump-ng or kismet. I tried both because I found a post that said the problem is kismet. But it does not work with airodump-ng either. I found a post that said the problem is in the code for airdecap-ng: http://www.netstumbler.org/showthread.php?t=17045
The problem is I am not quite up to compiling a new version and building it into my backtrack live cd that I am playing with. Since akf had success with the v2.4 and I assume that the bug only applies to -ng, I tried an old slax live cd with airdecap v2.3 but again no luck. I am sniffing my own network so I am sure I have the right essid and WPA passphrase. I'm out of ideas. Can someone help or suggest a solution?
Thanks in advance,
R. carlos
darkAudax
Try the svn development version. It decrypted files which v0.6.2 would not.
d.
lostinux
Guest
I had this problem too. The following change to crc.c fixed it:
Change:
unsigned long crc;
crc = calc_crc(buf, len);
To:
unsigned long crc = 0xFFFFFFFF;
for ( ; len > 0; len--, buf++) crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 );
crc = ~crc;
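The CRC-32 loop from lostinux's post above, put to the use it has in a WEP/TKIP decryptor: checking the 4-byte ICV at the end of a decrypted payload. This is an added example, not part of the thread and not aircrack-ng's source; `crc32_init`, `icv_crc32` and `icv_ok` are hypothetical names, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t crc_tbl[256];            /* plays the role of crc_tbl in the post */
static int crc_tbl_ready;
/* Build the reflected CRC-32 table (polynomial 0xEDB88320). */
static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        crc_tbl[i] = c;
    }
    crc_tbl_ready = 1;
}

/* Same loop as the posted change; uint32_t keeps ~crc at 32 bits
 * even where unsigned long is 64 bits wide. */
uint32_t icv_crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    if (!crc_tbl_ready) crc32_init();
    for (; len > 0; len--, buf++)
        crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ (crc >> 8);
    return ~crc;
}

/* 1 if the last 4 bytes of a decrypted payload are the little-endian
 * CRC-32 of the bytes before them (the ICV check), else 0. */
int icv_ok(const uint8_t *plain, size_t len)
{
    if (len < 4)
        return 0;
    uint32_t crc = icv_crc32(plain, len - 4);
    const uint8_t *icv = plain + len - 4;
    return icv[0] == (crc & 0xFF) && icv[1] == ((crc >> 8) & 0xFF) &&
           icv[2] == ((crc >> 16) & 0xFF) && icv[3] == ((crc >> 24) & 0xFF);
}

int main(void)
{
    /* Constructed sample: "123456789" followed by its CRC-32, LSB first. */
    uint8_t pkt[] = { '1','2','3','4','5','6','7','8','9', 0x26,0x39,0xF4,0xCB };
    printf("intact: %d\n", icv_ok(pkt, sizeof pkt));
    pkt[0] ^= 0x01;                      /* corrupt one bit of the payload */
    printf("damaged: %d\n", icv_ok(pkt, sizeof pkt));
}
```

A frame whose ICV check fails is not counted as decrypted, so a wrong CRC value alone produces "Number of decrypted WPA packets 0" even with the correct passphrase.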
reverend carlos
Newbie

Posts: 3
Thanks for the quick replies.
Just got up and got to leave the country for a couple of days. I'll try these things when I get back.
I assume that crc.c is a source file? Looks like I need to learn how to compile a new version. Nothing worthwhile is easy I guess.
Thanks gentlemen.
reverend carlos
Newbie

Posts: 3
Hello again, I'm back but unfortunately not much wiser. I found what appears to be a modified version of the crc.c source file at this location: http://trac.aircrack-ng.org/svn/trunk/src/crc.c
I have very little experience in compiling source code (actually only once, apache server) and am not sure where to begin with the source in the svn directory. I don't know which files I need to create a complete version of the latest version of aircrack-ng. Any help to start me off would be appreciated.
Then my next problem is how to create a module for my backtrack security cd. I have been able to load a module with slax but the module was for a program that was not on the cd. When I try to load a different version of aircrack I still get the original version. I get the idea that I need to remove the other one before the new module can be loaded. The problem is that the original is not a module but is in the installation itself. I'm going to post this question on the backtrack and slax sites also but maybe those guys hang out here too.
The last question is: can this problem have something to do with the pcap files made with madwifi-ng drivers? I found a post where someone solved this by using madwifi-old. This is not an option for me as I need madwifi-ng for my card.
Sorry for all the questions but I'm willing to listen and learn.
r.carlos
S.Shiota
Newbie

Posts: 8
Hi.
I have a question about the IEEE 802.11 header in a capture. I tried airdecap-ng but it does not work, using:
1) Atheros chip wireless MiniPCI card
2) madwifi-ng driver from svn with patch
3) aircrack-0.7 or svn version
results:
# (captured wireless packet from STA association using airodump-ng)
# airdecap-ng -p passphrase -b 00:03:2f:77:73:14 -e 'E02SA-WPA' tkip_micerr-03.cap
Total number of packets read 2512
Total number of WEP data packets 0
Total number of WPA data packets 20
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of decrypted WPA packets 16
I checked the output file: only the group key exchange was decrypted successfully, and 'Total number of WPA data packets 20' tells me airdecap does not detect the WPA packets in the capture file.
So I modified the IEEE 802.11 header offset airdecap uses to get the bssid from each frame. It worked well. Is something wrong with the capture or the decryption?
diff -cr aircrack-ng-0.7/src/airdecap-ng.c aircrack-ng-0.7-00/src/airdecap-ng.c *** aircrack-ng-0.7/src/airdecap-ng.c 2007-01-04 06:50:40.000000000 +0900 --- aircrack-ng-0.7-00/src/airdecap-ng.c 2007-04-02 01:19:04.000000000 +0900 *************** *** 941,947 ****
/* check the BSSID */
! switch( h80211[0] & 3 ) { case 0: memcpy( bssid, h80211 + 16, 6 ); break; case 1: memcpy( bssid, h80211 + 4, 6 ); break; --- 941,947 ----
/* check the BSSID */
! switch( h80211[1] & 3 ) { case 0: memcpy( bssid, h80211 + 16, 6 ); break; case 1: memcpy( bssid, h80211 + 4, 6 ); break; results: # airdecap-ng -p passphrase -b 00:03:2f:77:73:14 -e 'E02SA-WPA' tkip_micerr-03.cap Total number of packets read 2512 Total number of WEP data packets 0 Total number of WPA data packets 799 Number of plaintext data packets 0 Number of decrypted WEP packets 0 Number of decrypted WPA packets 494
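Review bot: in the `/* check the BSSID */` switch, `h80211[1] & 3` should carry a comment or a named mask saying that it reads the To DS / From DS bits of the second frame-control byte; with bare constants, the original `h80211[0] & 3` (which reads the protocol-version bits of the first byte, so case 0 is taken and the BSSID is copied from offset 16 for every frame) is easy to reintroduce. Only cases 0 and 1 are visible in this hunk, so it is worth confirming that the remaining cases use the address offsets for the other two DS combinations, that the frame length is checked before these `memcpy` calls, and that no other `h80211[0] & 3` test is left elsewhere in airdecap-ng.c.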
S.Shiota
Newbie

Posts: 8
I posted file and pre-shared key. Thanks.