
I wonder how a utility like Wireshark produces the PTK for decrypting packets given the 4 EAPOL packets. The way I understand it is that the PTK is generated by concatenating the PMK, ANonce, SNonce, AP MAC address and STA MAC address. ANonce and SNonce can be extracted from packets 1 and 2. AP MAC and STA MAC are open information. But how is PMK generated? PMK isn't exposed during the handshake. Is the PMK exactly the hash of the passphrase (provided by the user in Wireshark)? Perhaps several rounds of SHA1?

In fact, the PTK is the result of some pseudo-random function of the concatenation of the 5 components - what is this function?

John M.
  • does this help: https://security.stackexchange.com/questions/6602/how-do-wpa-wpa2-cracking-programs-know-when-the-pmk-ptk-is-correct?rq=1 – schroeder Jun 20 '17 at 14:48
  • or this? https://security.stackexchange.com/questions/152999/pmk-is-what-prevent-to-generate-the-ptk-and-decrypt-the-traffic?rq=1 – schroeder Jun 20 '17 at 14:50
  • @schroeder Yeah, I've read that answer. But how are PMK and passphrase related? – John M. Jun 20 '17 at 14:53
  • PMK is generated by concatenating your passphrase and SSID. It is the first thing that is generated when you enter your password. Then handshake starts. – defalt Jun 20 '17 at 15:49
  • @defalt Just a concatenation of the plaintext? [Wikipedia](http://www.wikiwand.com/en/IEEE_802.11i-2004) suggests a pseudo-random function applied to it. – John M. Jun 20 '17 at 15:50
  • @JohnMunroe You are reading it wrong. Pseudo random function is used in generating PTK. *The PMK is derived from a password that is put through PBKDF2-SHA1 as the cryptographic hash function.* It is a hash of your password and SSID. – defalt Jun 20 '17 at 16:03
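The derivation the question and comments are circling around, written out end to end as an added example (this is not code from the question, from any answer, or from Wireshark itself): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits); PTK = PRF-n(PMK, "Pairwise key expansion", Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce)), where PRF-n is a counter-mode HMAC-SHA1 construction; the KCK (first 128 bits of the PTK) is then used to check the Key MIC of handshake message 2, which is how a decryptor confirms that the passphrase it was given matches the capture before it tries to decrypt data frames. The MAC addresses, nonces and the EAPOL-Key frame below are constructed sample values, not from a real capture; the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i Annex H PBKDF2 test vector.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 4096
PTK_LEN_CCMP = 48   # KCK(16) || KEK(16) || TK(16); TKIP uses 64 (two extra 8-byte Michael keys)
MIC_OFFSET = 81     # byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to out_len bytes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def derive_ptk(pmk, aa, spa, anonce, snonce, ptk_len=PTK_LEN_CCMP):
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Min/Max make the result independent of which side's values are listed first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk):
    """KCK signs EAPOL-Key frames, KEK wraps the GTK in message 3, TK encrypts data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_frame(key_info, replay_counter, nonce, key_data=b""):
    """Constructed EAPOL-Key frame (RSN descriptor type 2) with the MIC field zeroed."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)   # type, info, key len, replay ctr
    body += nonce + bytes(16) + bytes(8) + bytes(8)                 # nonce, key IV, RSC, reserved
    body += bytes(MIC_LEN) + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body              # EAPOL v2, type 3 (Key), length


def compute_eapol_mic(kck, frame, descriptor_version):
    """MIC over the whole EAPOL frame with the MIC field zeroed; algorithm set by key info bits 0-2."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    if descriptor_version == 1:     # WPA / TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if descriptor_version == 2:     # WPA2 / CCMP
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError("unsupported key descriptor version")


def sign_eapol_frame(kck, frame, descriptor_version):
    mic = compute_eapol_mic(kck, frame, descriptor_version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_mic(kck, frame, descriptor_version):
    """True when the KCK (and hence the passphrase it was derived from) matches the frame."""
    expected = compute_eapol_mic(kck, frame, descriptor_version)
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN], expected)


if __name__ == "__main__":
    # Constructed sample addresses and nonces (not from a real capture).
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = derive_pmk("password", "IEEE")
    keys = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    # key_info 0x010a = descriptor version 2 | pairwise | MIC present (message 2 style)
    msg2 = sign_eapol_frame(keys["kck"], build_eapol_key_frame(0x010a, 1, snonce), 2)
    print("PMK:", pmk.hex())
    print("message 2 MIC valid:", verify_eapol_mic(keys["kck"], msg2, 2))
```

The PBKDF2 step is the only place the passphrase enters; everything after it is a keyed hash over values that are visible in the capture, which is why the PMK (or the passphrase plus SSID) is all a decryptor needs. The TK returned by `split_ptk` is the key Wireshark then feeds to CCMP for the data frames.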

0 Answers