
I want to decrypt my own network traffic.

I have Linux Mint on a Samsung laptop with an AR542x Wireless Network Adapter.

I open Wireshark, start a capture in promiscuous mode & monitor mode, and I receive all the packages around me.

The problem is that I can't decrypt it.

I added in Preferences -> Protocols -> IEEE 802.11 Decryption keys:

  • pwd in format pass:ESSID
  • PSK generated from pass + salt from Wireshark website

I found a lot of comments on this subject, tried everything out there:

  • play with "ignore protection bit" and "assume packets have FCS"
  • restarted Wireshark
  • connect a device to LAN after the capture has been started so the handshake can be captured.

What can I do?

EDIT:

I updated Wireshark to the latest stable version for Linux and it still doesn't work.

  • Have you verified that the handshake was captured? – multithr3at3d Apr 19 '17 at 23:06
  • Yes, there are 4 or 5 packages with EAPOL protocol that are caught as soon as I connect a device to the LAN. Do I need to do anything with them or are they automatically processed by Wireshark? –  Apr 20 '17 at 06:16
  • Decryption of WPA2 is not as trivial as it looks; you need to have a VERY good reception of the packets, if you miss packets it can be an issue. – Ricardo Reimao Apr 20 '17 at 09:15
  • What is the `salt from Wireshark website` you're talking about? – Azteca Apr 20 '17 at 16:28
  • You can also try decrypting with [airdecap-ng](http://www.aircrack-ng.org/doku.php?id=airdecap-ng) and open the output file with Wireshark. – Azteca Apr 20 '17 at 16:29
  • Salt is the ESSID of the Access Point. Thank you for the idea with airdecap-ng, didn't think of that. –  Apr 26 '17 at 08:56

1 Answer

OK, let's start with the basics: to decrypt the traffic you need the PTK (Pairwise Transient Key), which is dynamically generated on every connection (hence you need to capture the 4-way handshake) and is derived from the PMK (or PSK), which is generated by PBKDF2 and has two inputs (it has more, but they are hardcoded) that you already have.

For Wireshark to decrypt the traffic it needs to capture the four-way handshake (from here it takes the ANonce, SNonce and MIC to verify that the PTK matches the conversation) and it needs to be given the PMK.

To provide the PMK just add the passphrase to the 802.11 key list in Edit->Preferences->IEEE 802.11 with the right syntax:

wpa-pwd:passphrase:SSID
OR
wpa-pwd:passphrase

The SSID is optional, Wireshark can get it from the handshake when it sees it.

IF YOU USE wpa-psk: you need to manually compute the PMK (PSK) with the PBKDF2 function and write the output (256-bit key) after it, like this:

wpa-psk:47389...30413

Here's the guide from the wiki. Maybe you're just missing the wpa-pwd: in the key field.

  • pwd in format pass:ESSID

FINAL SOLUTION

In Wireshark select the channel which the AP is on. (Provided by doremifasolasido)

Azteca

  • Did work in the end. I realized afterwards that in Wireshark I need to select the channel the AP is on. –  Apr 26 '17 at 09:38
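To make the two derivation steps in the answer above concrete (PMK from passphrase and SSID via PBKDF2, then PTK from the PMK plus the handshake nonces and MAC addresses, checked against the MIC in the captured EAPOL-Key message), here is an added Python example; it is not code from the original answer or from Wireshark. The PMK test vector it uses (passphrase "password", SSID "IEEE") is the published IEEE 802.11 one; the MAC addresses, nonces and the EAPOL-Key message 2 frame are constructed for the example, and the MIC is computed the WPA2/CCMP way (key descriptor version 2, HMAC-SHA1 truncated to 16 bytes), not the older WPA/TKIP HMAC-MD5 variant.

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4 bytes 802.1X header + 1 descriptor type + 2 key info + 2 key length
# + 8 replay counter + 32 nonce + 16 IV + 8 RSC + 8 key ID = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK for WPA2-Personal): PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_psk_entry(passphrase: str, ssid: str) -> str:
    """Value for the 802.11 decryption key list when using the wpa-psk: form."""
    return "wpa-psk:" + pmk_from_passphrase(passphrase, ssid).hex()


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1 blocks over label||0x00||data||counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the whole
    EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def handshake_matches(passphrase, ssid, aa, spa, anonce, snonce, eapol_frame) -> bool:
    """What Wireshark effectively checks: does the PTK derived from this passphrase
    reproduce the MIC carried in the captured handshake message?"""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), eapol_frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_eapol_key_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 (no key data), used here as sample input."""
    body = bytes([2])                      # descriptor type: RSN (802.11i)
    body += b"\x01\x0a"                    # key info: MIC set, pairwise, descriptor version 2
    body += b"\x00\x10"                    # key length: 16 (CCMP)
    body += (1).to_bytes(8, "big")         # replay counter
    body += snonce                         # key nonce (SNonce in message 2)
    body += b"\x00" * 16                   # key IV
    body += b"\x00" * 8                    # key RSC
    body += b"\x00" * 8                    # key ID
    body += mic                            # key MIC
    body += b"\x00\x00"                    # key data length: 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type EAPOL-Key


def sample_handshake():
    """Constructed sample (not from any real capture): MACs, nonces and a message 2
    whose MIC was produced with the passphrase "password" on SSID "IEEE"."""
    aa = bytes.fromhex("001122334455")     # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("66778899aabb")    # supplicant (client) MAC, constructed
    anonce = bytes(range(32))              # constructed ANonce
    snonce = bytes(range(32, 64))          # constructed SNonce
    kck = derive_ptk(pmk_from_passphrase("password", "IEEE"), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_eapol_key_msg2(snonce))
    return aa, spa, anonce, snonce, build_eapol_key_msg2(snonce, mic)


if __name__ == "__main__":
    print(wireshark_psk_entry("password", "IEEE"))
    aa, spa, anonce, snonce, frame = sample_handshake()
    print("right passphrase:", handshake_matches("password", "IEEE", aa, spa, anonce, snonce, frame))
    print("wrong passphrase:", handshake_matches("wrong", "IEEE", aa, spa, anonce, snonce, frame))
```

Two things worth noticing when running it: the PMK depends on the SSID as well as the passphrase, so a wrong SSID fails the MIC check exactly like a wrong passphrase does (which is why the wpa-pwd:passphrase:SSID form exists), and the MIC check only has something to compare against if message 2 of the handshake was actually in the capture, which is the point of the "was the handshake captured?" question in the comments.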