Here is my problem:
If I am connected to a network (so I know the WPA/WPA2-PSK), I'd like to be able to decrypt the traffic I capture from other devices in the network. (If WEP is used, tcpdump does this automatically.)
As far as I know, WPA uses something like a session key for each client in the WiFi - but I know this is possible - so I'm wondering HOW to do this. (If this is not possible with tcpdump, how do I do this "by hand"?)
Thanks for any help!
Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption works also since Wireshark 2.0, with some limitations. You can add decryption keys using Wireshark's 802.11 preferences or by using the wireless toolbar. Up to 64 keys are supported.
WPA2-PSK requires a router with a passphrase, with a length between 8 and 63 characters, to encrypt the data in the network. It uses a technology named TKIP, i.e., Temporal Key Integrity Protocol, that requires the network SSID and the passphrase to generate unique encryption keys for each wireless client.
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network).
I've written a small, open source, application that does exactly this.
If you capture the traffic with tcpdump and can save it to file you should be able to use Wireshark to decrypt it on a PC/Mac. You need to catch the association traffic and the four-way handshake and configure Wireshark with the PSK.
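The "by hand" version of what Wireshark does with the PSK and the captured four-way handshake, as an added example that is not from the original post or from any of the tools mentioned above: the passphrase and SSID give the PMK (PBKDF2-HMAC-SHA1, 4096 iterations), and the PMK plus the two MAC addresses and the two nonces from the handshake give the per-client PTK, whose KCK authenticates the EAPOL-Key messages and whose TK is the key that actually decrypts that client's data frames. This is why a single PSK is enough for every client: each client gets a different PTK, but all of them derive from the same PMK, so you only need to capture each client's handshake. The passphrase/SSID pair is the published IEEE 802.11 test vector ("password"/"IEEE"); the MAC addresses, nonces and the message-2 frame are constructed for the example and are not from a real capture.

```python
import hashlib
import hmac
import struct

# Passphrase/SSID test vector from IEEE Std 802.11 (Annex H). Everything else
# (MAC addresses, nonces, the EAPOL frame) below is constructed for this example.
PASSPHRASE = "password"
SSID = "IEEE"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Every client of a WPA/WPA2-PSK network shares this PMK, which is why knowing
    the passphrase (plus each client's handshake) is enough to decrypt its traffic.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Expand the PMK into the per-client PTK from both MACs and both nonces.

    aa = AP (authenticator) MAC, spa = client (supplicant) MAC, 6 bytes each.
    For CCMP the PTK is 48 bytes: KCK (EAPOL MIC key), KEK, TK (data encryption key).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]  # KCK, KEK, TK


# EAPOL-Key frame: 4-byte 802.1X header, then the key descriptor. The 16-byte
# Key MIC field starts at offset 77 of the descriptor, i.e. offset 81 of the frame.
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed.

    The key descriptor version (low 3 bits of Key Information) selects the MIC:
    1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1 truncated to 128 bits (CCMP).
    """
    version = struct.unpack(">H", frame[5:7])[0] & 0x7
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """True if the MIC carried in the frame matches the one computed with this KCK."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame))


def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes,
                    mic: bytes = b"\x00" * 16) -> bytes:
    """Assemble an EAPOL-Key frame (RSN descriptor type 2); used to construct sample message 2."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay)          # type, Key Info, Key Length, Replay Counter
    body += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key Nonce, Key IV, Key RSC, reserved
    body += mic + struct.pack(">H", len(key_data)) + key_data     # Key MIC, Key Data Length, Key Data
    return struct.pack(">BBH", 2, 3, len(body)) + body            # 802.1X v2, type 3 = EAPOL-Key


def demo() -> dict:
    """Derive PMK/PTK for a constructed handshake and check a constructed message 2 MIC."""
    pmk = derive_pmk(PASSPHRASE, SSID)
    aa = bytes.fromhex("001122334455")       # assumed AP MAC (not from a real capture)
    spa = bytes.fromhex("66778899aabb")      # assumed client MAC
    anonce = bytes(range(32))                # assumed nonces (fixed so the example is reproducible)
    snonce = bytes(range(32, 64))
    kck, kek, tk = derive_ptk(pmk, aa, spa, anonce, snonce)

    # Message 2: Key Info 0x010a = MIC (bit 8) | Pairwise (bit 3) | descriptor version 2 (bits 0-2).
    # Key Data is a constructed RSN IE: group/pairwise cipher CCMP, AKM PSK.
    key_info = 0x010A
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    unsigned = build_eapol_key(key_info, 1, snonce, rsn_ie)
    msg2 = build_eapol_key(key_info, 1, snonce, rsn_ie, eapol_key_mic(kck, unsigned))

    tampered = msg2[:-1] + bytes([msg2[-1] ^ 1])  # flip one bit of the key data
    return {
        "pmk": pmk.hex(),
        "tk": tk.hex(),
        "mic_ok": verify_eapol_key_mic(kck, msg2),
        "tampered_ok": verify_eapol_key_mic(kck, tampered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Checking the message-2 MIC with the derived KCK is the practical test that the capture really contains a complete handshake matching the PSK for that client; if it fails, Wireshark will not decrypt that client's frames either (wrong passphrase, wrong SSID, or a handshake belonging to a different association). Decrypting the data frames themselves with the TK is AES-CCM for CCMP, which needs an AES implementation outside the Python standard library and is not shown here.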