In this post we will see how to decrypt WPA2-PSK traffic using Wireshark. This is useful when you study the different security protocols used in wireless (in my case, for CWSP studies). Here is the basic topology for this post.
Before you start capturing, you should know which channel your AP is operating on. Since my AP is managed by a WLC 4400, I can simply get that information from the CLI. Otherwise you can use an application like InSSIDer to see which channel a given SSID is operating on. I am using 5GHz, so I get the 802.11a summary here (if you want to sniff 2.4GHz, issue the command with 802.11b instead).
(4402-3) >show ap config 802.11a summary
AP Name              SubBand RadioMAC           Status   Channel PwLvl  SlotId
-------------------- ------- ------------------ -------- ------- ------ ------
LAP1                 -       64:a0:e7:af:47:40  ENABLED  36      1      1
All you have to do is take a “wireless packet capture” on CH 36, as my AP operates on that channel. I have used BackTrack with a USB adapter to take this packet capture (Refer this youtube video for how to do it). Only a simple 2-3 line configuration is required to set up a USB adapter as a monitor interface for Wireshark.
root@bt:~# ifconfig
eth0      Link encap:Ethernet HWaddr 00:21:9b:62:d0:4a
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
          Interrupt:21 Memory:fe9e0000-fea00000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4665 (4.6 KB) TX bytes:4665 (4.6 KB)
root@bt:~# ifconfig wlan2 up
root@bt:~# ifconfig
eth0      Link encap:Ethernet HWaddr 00:21:9b:62:d0:4a
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
          Interrupt:21 Memory:fe9e0000-fea00000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4665 (4.6 KB) TX bytes:4665 (4.6 KB)
wlan2     Link encap:Ethernet HWaddr 00:20:a6:ca:6b:b4
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@bt:~# iwconfig wlan2 channel 36
root@bt:~# iwconfig
wlan2     IEEE 802.11abgn ESSID:off/any
          Mode:Managed Frequency:5.18 GHz Access Point: Not-Associated
          Tx-Power=20 dBm
          Retry long limit:7 RTS thr:off Fragment thr:off
          Encryption key:off
          Power Management:off
lo        no wireless extensions.
eth0      no wireless extensions.
root@bt:~# airmon-ng start wlan2
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID     Name
1158    dhclient3
Interface       Chipset         Driver
wlan2           Atheros AR9170  carl9170 - [phy2]
                                (monitor mode enabled on mon0)
Once you do this, you can open Wireshark & select the interface named “mon0” for wireless packet capturing.
Here is my packet capture (WPA2-PSK-Final). You can open this in Wireshark to test this out yourself. If you analyze it, you will see the “4-way handshake (EAPOL-Messages 1 to 4)” messages exchanged after the Open Authentication phase has finished (Auth Request, Auth Response, Association Request, Association Response). Once the 4-way handshake is completed, both the client & the AP have the required keys for data encryption. From that point onwards all your data frames (not management frames, null frames) are encrypted using CCMP/AES. As you can see below, data frames are encrypted & you cannot see what traffic it is. I have taken frame 103 as an example.
Before we go & decrypt these messages, it is very important to understand that you have to properly capture the “4-way handshake messages” in your sniffer in order to decrypt using Wireshark. If you do not capture the M1-M4 messages successfully, Wireshark will not be able to derive all the keys needed to decrypt the rest of the data. Here is one example where not all the frames in the 4-way handshake process were captured properly (this happened when I was using the same USB adapter with Fluke WiFi Analyzer).
Now you have to go to “Edit -> Preferences -> Protocols -> IEEE 802.11” & tick the “Enable Decryption” checkbox. Then click Edit in the “Decryption Keys” section & add your PSK by clicking “New“. You have to select the Key-type “wpa-pwd” when you enter the PSK in plaintext.
If you enter the 256-bit key instead, you have to select the Key-type “wpa-psk“. If you want to get the 256-bit key (PSK) from your passphrase, you can use this page. It uses the following formula to do this conversion:
PSK = PBKDF2(PassPhrase, SSID, SSIDLength, 4096, 256)
Here is the 256-bit PSK derived from the above.
I have used a simple plaintext password (i.e. the wpa-pwd key type) below. You can enter the plaintext password only (without the SSID name); in this case Wireshark tries to use the last seen SSID. It is always good practice to use <password:SSID>.
I have used my configured PSK “Cisco123Cisco123” & specified my SSID as “TEST1“. Refer this document for more details of this settings.
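As an added example (not code from the original post), the following Python code carries out the PBKDF2 conversion given above and then the 802.11i pairwise key expansion, which shows why Wireshark needs the nonces from the 4-way handshake as well as the PSK. The MAC addresses, nonces and the passphrase containing a colon are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: bytes) -> bytes:
    """256-bit PSK (PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    pw = passphrase.encode("ascii")  # passphrases are 8..63 ASCII characters
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid, 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF over both MACs and both nonces; 48 bytes = KCK | KEK | TK for CCMP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def demo() -> dict:
    # Passphrase and SSID are the ones used in the post.
    psk = wpa_psk("Cisco123Cisco123", b"TEST1")
    # A passphrase containing ':' (constructed) is ambiguous in the
    # password:SSID form; its hex PSK can be entered as a wpa-psk key instead.
    colon_psk = wpa_psk("lab:pass:2024", b"TEST1")
    # Constructed handshake values: ANonce is carried in M1, SNonce in M2.
    ap_mac = bytes.fromhex("02aabbccdd01")
    sta_mac = bytes.fromhex("02aabbccdd02")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(psk, ap_mac, sta_mac, anonce, snonce)
    # Same PSK, later association with a fresh SNonce: a different PTK.
    other = derive_ptk(psk, ap_mac, sta_mac, anonce, bytes(range(64, 96)))
    return {"wpa_psk_key": psk.hex(), "colon_key": colon_psk.hex(),
            "tk": ptk[32:48].hex(), "tk_other_session": other[32:48].hex()}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The temporal key (TK) changes with every association even though the PSK stays the same, which is why a capture that misses the handshake of a given session cannot be decrypted from the PSK alone.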
As you can see below, you are now able to see the traffic inside these data frames. Here is the same frame (103) which you saw earlier in encrypted format, but now Wireshark is able to decrypt it.
If you look further, you will see the client getting an IP address through DHCP (DORA – Discover, Offer, Request, ACK), then registering to a CME (SKINNY protocol) & then establishing a voice call (RTP). Now you can analyse these packets in detail.
This trick may be useful to you when you do wireless troubleshooting on your PSK networks.
Hi Rasika;
Thanks again for this useful post. I find this post really helpful for studying towards a CWSP exam. I like the inSSIDer tool but I’ve been having a problem to download and backtrack to a USB drive. I find the installation instruction very confusing, I have a Windows 7 machine but I have not been successful at downloading backtrack.
Thanks anyway and look forward to your other posts.
Juan
Is it possible to decode PEAP-MSCHAPv2 or another authentication method?
Wireshark does not seem to support it. Do you know a tool to do it?
Thanks for your posts
No, I do not think 802.1X/EAP can be decrypted at the moment.
HTH
Rasika
Rasika;
Your method will only work for wpa/wpa2 personal not Enterprise mode, correct?
Also I was wondering if you have a post that lists the hardware/software to set up for a home lab to practice.
Thanks;
Juan
Yes, this will decrypt WPA/WPA2-Personal (also known as WPA/WPA2-PSK).
My home lab setup is explained here, but this is targeted at CCIE preparation.
https://mrncciew.com/2012/10/20/my-home-lab-i-am-getting-there/
Even if you have a single switch, a single WLC & a couple of APs, that should be more than enough for CCNP-W or CWNP studies.
HTH
Rasika
Thank you Rasika.
Hello, firstly congratulations on this post.
I am trying to study 802.11i.
I would like to capture and see encrypted frames, especially DHCP request frames.
Unfortunately I can only capture beacon, CTS, RTS and QoS. This post taught me that QoS is an encrypted frame.
But what can I do to capture and see other encrypted frames?
Thank you very much!
All data frames go as “QoS Data” & if you decrypt those you will see them as different types of data frame.
See this post for the different data frame types.
https://mrncciew.com/2014/10/13/cwap-802-11-data-frame-types/
HTH
Rasika
Hello, Rasika Nayanajith!
After your answer about the QoS data, I suspected a packet was a DHCP discover. After following your post, I used Wireshark, decrypted the QoS frames and can see the DHCP discover. “Edit -> Preferences -> Protocols -> IEEE 802.11 -> Ignore the Protection bit: (*) yes – with IV -> (*)Enable decryption -> Decryption keys: Edit -> New -> key type: wpa-pwd -> key = 12345678:myssid -> ok -> Apply -> Apply.”
I’m happy to be able to identify the encrypted DHCP discover and to decrypt it. I’m trying to use a known-plaintext attack.
Thank you very much!
Thanks a great deal for the clear description…It has really helped me…But I was given a task by my boss to do this same thing on our wlan network because we are implementing secondary authentication….
just to verify if the implementation works as it should……
but we use WPA2 enterprise and it seems impossible…..any suggestions….
I do not think WPA2-Enterprise traffic can be decrypted like this, it is the most secure method as of today.
Rasika
Hello, does this method work on other APs or other WiFi?
Yes, this should work anywhere that uses WPA2/PSK (it is standards based & not proprietary).
HTH
Rasika
Hello, Rasika Nayanajith!
Your blog is useful, thanks for sharing information. I want to know basic information about the WPA2 authentication method and protocol.
WPA2 is the WiFi alliance accreditation
http://www.wi-fi.org/discover-wi-fi/security
HTH
Rasika
I find it difficult to understand this. Can you give me an advice where to start? I’m planning to take a career on cisco security.
If you are working on Cisco security products, that is a good starting point.
If not, try to find some opportunity (even volunteer work) to get some hands on experience.
Then with that try to enhance your knowledge about different security domains.
Along the way, think about doing some certs as well (CCNA-Sec, CCNP-Sec, etc.); this learning should give you confidence, rather than passing these exams without such confidence.
HTH
Rasika
The most useful article ever!
Wireshark 2.2.0
Edit > Preferences > Protocol > IEEE 802.11 > Enable Decryption > edit > select WPA-PSK
Then there is no way to enter or select the 256bit PSK value
Hello, my PSK has a : inside so I can’t use it in plaintext. But if I generate a wpa-psk it doesn’t decrypt the packages 😦
I captured all 4 EAPOL packages but it didn’t work.
Do you have any idea? I use Kali Linux and Wireshark 2.2.5.
Rasika,
Thanks so much for all of your work on support and this blog. I have put your efforts to use on countless occasions!
After applying all of the above techniques, I find that I have unlocked layer 3 but layer 4 seems to still be encrypted.
I’ve done a capture of a Cisco 7925 starting up and placing a phone call. All 4 of the EAPOL keys are captured.
But I still have the UDP section of a call as such…
Data: 800000dfa3f163f62c406ba07d7d7d7d7d7f7f7e7f7e7d7c…
My purpose is to completely decode a call and be able to play it back and find the problems in random cut-outs and one-way audio.
thanks for any further pointers…
Hi,
Thank you very much for this great article.
Can you pls help in understanding: in the case of WPA2, if the user entered a wrong password, at which step/frame will it fail?
Like in the case of WPA3 SAE, it will fail at the Authentication Commit/Confirm state.
Regards.
If a wrong password is entered (in WPA2 with PSK), it should fail in the 2nd frame of the 4-way handshake (as MIC failures).
In WPA2 with 802.1X, it should fail in the EAP exchange state.
HTH
Rasika
Thank you very much for your so quick response.
Best Regards.