
I'm attempting to replicate a 'wifi cafe' setup in a home lab environment. I'd like to demonstrate that unencrypted (non-HTTPS) network traffic on a wifi network can be viewed by other wireless devices. I've seen this in action (à la Firesheep) on a wired network.

I have wireshark configured properly to capture on the wireless interface. I am also able to see and capture 802.11 packets using monitor mode, but I cannot see their content.

(Screenshot: Monitor Mode)

(Screenshot: Data is seen)

What settings am I missing, or do I need to decode the WPA2 passphrase to view the data?

(Screenshot: Various settings options)

If I need the passphrase, I have it (given that this is my lab network). If this is the case, is there software to decrypt the data after it has been recorded?


Update for context and more information for @Leo:

When I started this process, I used promiscuous mode on the en0 interface (wireless) on a MacBook Air. I was able to detect network traffic from my local computer to the URL in question, but when viewing the same URL from a different device, I was not able to see that device's traffic.

This made sense, since I was monitoring the local interface, and the traffic from the target device wasn't flowing through my interface on the macbook. (This makes sense, even though I was in promiscuous mode, the traffic was between the AP (access point), and the target wireless client.)
I was also monitoring in 'ethernet' mode.

Then I switched to monitor mode for that interface (see screenshot #3), and all I could see was radio traffic, not the IP within that radio traffic. There was a warning that some network cards would disassociate during monitor mode, which does make sense.

However, if I can see the radio traffic, I would expect to see all of the radio traffic, which would thusly contain all of the IP, even if it were encrypted. So I would consider it possible I might be able to decrypt the radio packets between the target client and the AP, given the correct wireless passphrase (which again, I have). Perhaps I am missing something in my understanding of the data flow here?...

user3.1415927
  • What do you mean "if you need the passphrase"? If you are not connected to the WiFi network and it's a WPA2, the wireless traffic is encrypted. You are not going to see anything unless you are inside the encrypted network, and then monitor. – Leo May 22 '18 at 00:15
  • @Leo; I understand that. Let me update my question with a bit more background and steps I took to arrive where I am... – user3.1415927 May 22 '18 at 02:28
  • @Leo, question updated - I think I was thinking that if I can see the radio packets, then I should be able to see **all** of the radio-transmitted data, which would - by necessity - contain **all** of the IP traffic. My consideration was that I could then possibly decrypt the radio traffic with the passphrase. It sounds like I might be missing something in my understanding of this architecture... – user3.1415927 May 22 '18 at 02:43

1 Answer

Ok. After your comments and update, I will try to answer, even though I'm still not sure I'm getting the question right.

I guess you have 2 WiFi devices; let's call "host" the legitimate network device connected to the AP/Router and "sniffer" the one trying to capture the traffic.

If the WiFi network was open (as in, no encryption whatsoever), then you could simply "hear" with the sniffer in monitor/promiscuous mode.

Alas, the WiFi network is encrypted, so you usually would first need to monitor the traffic to crack that encryption (WEP or WPA2, the latter being the de facto standard these days and the former being absolutely useless; both are vulnerable). The sniffer would try to use one of the cracking methods to get the key.

So, once you have the key for the encrypted network, it's just a matter of entering it in the configuration for Wireshark, so it decrypts before processing:

Edit -> Preferences -> Protocols -> IEEE 802.11

Here you should enable the Enable Decryption checkbox for this, and enter your PSK by clicking New, selecting wpa-pwd if you wish to enter the PSK in plaintext, and wpa-psk if you want to enter the 256-bit key passphrase.

You should now be able to see the traffic that was encrypted due to WPA2. If there is any plain-HTTP traffic, you should see it too.

You could read more in this (very nice) tutorial, which also has screenshots.

Leo
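The answer distinguishes the wpa-pwd entry (passphrase in plaintext) from the wpa-psk entry (the derived 256-bit key). The script below, added here as an example and not part of the original post or of Wireshark, derives that key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes) and formats both values for the Wireshark key dialog. The lab passphrase and SSID in the `__main__` block are constructed values.

```python
import hashlib


def is_valid_wpa2_passphrase(passphrase: str) -> bool:
    """802.11i allows passphrases of 8-63 printable ASCII characters."""
    return (8 <= len(passphrase) <= 63
            and passphrase.isascii()
            and passphrase.isprintable())


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK (the PMK) from passphrase + SSID.

    The mapping is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Because the SSID is the salt, the same passphrase yields a different key on
    every network name, which is why Wireshark's wpa-pwd entry needs both.
    """
    if not is_valid_wpa2_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)


def wireshark_wpa_pwd(passphrase: str, ssid: str) -> str:
    """Value for a 'wpa-pwd' key entry: the plaintext passphrase, colon, SSID."""
    return f"{passphrase}:{ssid}"


def wireshark_wpa_psk(passphrase: str, ssid: str) -> str:
    """Value for a 'wpa-psk' key entry: the derived key as 64 hex characters."""
    return wpa2_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Constructed lab values, not from any real network.
    lab_passphrase = "labcafe-demo-2018"
    lab_ssid = "HomeLabCafe"
    print("wpa-pwd:", wireshark_wpa_pwd(lab_passphrase, lab_ssid))
    print("wpa-psk:", wireshark_wpa_psk(lab_passphrase, lab_ssid))
```

Either entry only gives Wireshark the PMK; it still needs the client's EAPOL 4-way handshake in the capture to derive the per-session keys, so start capturing before the host associates.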