#!/usr/bin/env python3 from Crypto.Cipher import AES from scapy.all import rdpcap from scapy.compat import raw DATA_FRAME_KEY = bytes.fromhex("0f8278e73cb3d132d33fb84bea24288f") def decrypt_data_frame(raw_frame: bytes, key: bytes) -> bytes: # Data payload starts at 0x45 same as advertisement payload = raw_frame[0x45:] # Same nonce layout: 4-byte nonce at offset 0x24, encrypted data after 0x28 nonce_bytes = payload[0x24:0x28] encrypted = payload[0x28:] ctr_nonce = nonce_bytes + b'\x00' * 8 cipher = AES.new(key, AES.MODE_CTR, nonce=ctr_nonce, initial_value=1) return cipher.decrypt(encrypted) packets = rdpcap("./capture.pcapng") for i, pkt in enumerate(packets): raw_bytes = raw(pkt) # Skip packets that are too short or look like advertisement frames # You may need to adjust this filter for your capture if len(raw_bytes) < 0x45 + 0x28: continue try: decrypted = decrypt_data_frame(raw_bytes, DATA_FRAME_KEY) print(f"[Packet {i}] Decrypted ({len(decrypted)} bytes):") print(f" type: {decrypted[0:2].hex()}") print(f" length: {int.from_bytes(decrypted[2:4], 'little')}") print(f" payload: {decrypted[4:].hex()}") print() except Exception as e: print(f"[Packet {i}] Failed: {e}")