
The US$ 100 challenge: WPA2 decryption

The first person who successfully solves my problem and posts the solution here gets US$ 100. What you have to solve: I have a lot of encrypted WPA2 WiFi traffic sniffed into a pcap file, including the 4-way handshake, and I know the SSID and WPA2 key. I would like to convert the WPA2 pcap file to a decrypted pcap file with all protocols decrypted. What doesn't work: airdecap-ng from aircrack-ng does not decrypt all protocols, for example SMB. I need the decrypted file in pcap format so I can analyze it with different software. Preferred is a solution with tshark, like

tshark -r myFile.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-pwd:MyPassword:MySSID -w outputFile.pcap

but this sample results in an error:

tshark: -o flag "wlan.wep_key1:wpa-pwd:MyPassword:MySSID" specifies unknown preference

With Wireshark I can view the decrypted data if I enter the key under ->Edit->Preferences->Protocols->IEEE 802.11-> "enable decryption" and "set the Key" (wpa-pwd myPassword:SSID), but I can't save it to a decrypted pcap file. Here is a sample file for tests: http://www.dler.ch/usd100challenge/h2_2.pcap.zip SSID: H2, Password: myAPretos2

To view the decrypted traffic in wireshark: http://www.dler.ch/usd100challenge/wireshark.jpg

Some decrypted SMB protocol traffic: http://www.dler.ch/usd100challenge/Screenshot.png

If you have a solution: Please tell me the command you are using, the OS, the software and the version of it.

asked 19 Mar '13, 17:49

RS2000

airdecap-ng from aircrack-ng does not decrypt all protocols like for example SMB

airdecap-ng has no idea what SMB is. Do you mean that it, for some reason, does not decrypt all IEEE 802.11 data frames (and that one type of IEEE 802.11 data frame that it does not decrypt is a data frame containing IP, atop which is carried TCP, atop which is captured either raw SMB or the NetBIOS-over-TCP session service with SMB atop it)?

(20 Mar '13, 17:34) Guy Harris ♦♦

One Answer:

Download an old version: ftp://ftp.uni-kl.de/pub/wireshark/win32/all-versions/
I have downloaded: wireshark 1.2.1 (SVN Rev 29141)
Generate the PSK: http://www.wireshark.org/tools/wpa-psk.html
Go to: ->Edit->Preferences->Protocols->IEEE 802.11->Key #1 and add:
wpa-psk:b8c787bf968d8503671b4345db9397c4355ba45a9f90a8f79420c3cbf87cb154

Run:
tshark -r q19664_h2_2.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-psk:b8c787bf968d8503671b4345db9397c4355ba45a9f90a8f79420c3cbf87cb154 -R "eapol || smb" -w q19664_eapol_smb_h2_2.pcap
Hope this helps.
BTW: Running on Windows XP

answered 20 Mar '13, 14:19

joke
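The answer above generates the wpa-psk hex with the Wireshark web tool; the same derivation can be done offline. This is an added example, not code from the page or from Wireshark, and it assumes the standard IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits); the helper names wpa2_psk and tshark_key_pref are my own.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA2 PSK (the PMK) from a passphrase and SSID.

    IEEE 802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    This is what Wireshark does internally for a "wpa-pwd" key and what the
    wpa-psk.html tool linked in the answer computes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32
    ).hex()


def tshark_key_pref(psk_hex: str) -> str:
    """Build the wlan.wep_key1 preference string in the form the answer uses
    (the old Wireshark 1.2.x preference name; newer releases reject it, as the
    error message in the question shows)."""
    if len(psk_hex) != 64 or any(c not in "0123456789abcdef" for c in psk_hex):
        raise ValueError("PSK must be 64 lowercase hex characters")
    return f"wlan.wep_key1:wpa-psk:{psk_hex}"


if __name__ == "__main__":
    # Passphrase and SSID of the sample capture posted in the question.
    psk = wpa2_psk("myAPretos2", "H2")
    print(psk)
    print(tshark_key_pref(psk))
```

Compare the printed hex with the wpa-psk value used in the answer; a mismatch means the passphrase or SSID was typed differently (both are case-sensitive).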

After this procedure, you see the decrypted SMB stuff in Wireshark in the file "q19664_eapol_smb_h2_2.pcap", but as soon as you remove the key in Wireshark under ->Edit->Preferences->Protocols->IEEE 802.11->Key #1, you can see that the file is still encrypted! If I use the file "q19664_eapol_smb_h2_2.pcap" with other tools, it does not work because it is still encrypted. Please send the decrypted file to my email address [email protected] if you have a working solution. Thank you!

(20 Mar '13, 15:52) RS2000

Neither TShark nor Wireshark have any support whatsoever for writing out packets that are different from the packets that they read, other than Wireshark 1.8.0 and later's ability to add comments to, remove comments from, and edit comments in a pcap-ng file.

(20 Mar '13, 17:35) Guy Harris ♦♦
TShark can export decrypted data to a text file:
tshark -r q19664_h2_2.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-psk:b8c787bf968d8503671b4345db9397c4355ba45a9f90a8f79420c3cbf87cb154 -R "eapol || smb" -q -xV -O smb > q19664_smb_2_h2_2.txt
but it cannot save decrypted data into a pcap file, which is still decrypted after removing the key.

See this thread on Wireshark Mailing Lists:
Save Decrypted traffic

(24 Mar '13, 07:26) joke