derive WPA session key from PSK and 4way handshake

Hello again! I took me some time to get back to this interesting case. Sorry for that delay!

My friend told me "even if you are watching all this videos on Youtube you wont be able to decrypt my personal communication. Did you know by the way, how much i spent for this new equipment" and "you can stay as long as you want beside my AP and try, as long you are not cheating by connecting my LAN directly via the Ethernet"

Ok.. I do know the AP-password(the PSK which is the same for all users connecting to that AP), the SSID and did successfully capture the 4way-handshake. As i understand, with the help of the PMK each unique PTK can be derived.

I dont have the impression that https://wiki.wireshark.org/HowToDecrypt802.11 does address this task.

Question: What are the next steps to get to know the PMK each unique PTK in order to be able to decrypt the traffic?

Any feedback is appreciated very much! Thank's.

Joe

I do know the AP-password(the PSK which is the same for all users connecting to that AP), the SSID and did successfully capture the 4way-handshake.

Therefore you should be able to decrypt the traffic regardless of what your friend says. Are you sure you have wireless traffic to decrypt?

Question: What are the next steps to get to know the PMK each unique PTK in order to be able to decrypt the traffic?

The PMK is derived from the Passphrase (Wireshark calls WPA-PWD) and the SSID that is entered. If you want the details, see 802.11-2012 and it indicates the method to convert the (Passphrase,SSID) --> PMK. Wireshark does it for you, and there are websites around that will do it too. If you have the information as claimed and it is correct, follow the Wireshark directions and you should start to see decrypted traffic. A couple of tips:

1. Make sure you have all four eapol messages. They are labeled 1 of 4, 2 of 4, etc. You can have RETRIES, but one of each type must be present. As soon as the next set comes around, the previous PTK would be invalid and you need another full set or your decryption capability will suddenly cease.

2. Reload the trace after you enter the key if they are not decrypted. There are some other points in the Wireshark document to check if it is not working. Also test the process with the sample provided at that link. Until you successfully decrypt the sample, you likely won't be able to do a real trace.

3. Make sure you have data frames to decrypt from the devices in question. You should be able to identify type QoS-Data (likely) or Data frames from the devices/BSSID under review in the trace. It's somewhat common to not have data frames as these are unicast and you need proper capture equipment/methods to be able to get them. Sometimes, we see the complaint 'I can't decrypt' but root cause is really improper capture technique as there are no data frames to decrypt.
   

4. The other option for entering key information into Wireshark (ignoring WEP as that is basically no security) is WPA-PSK. To use this, we need to generate the PMK outside of Wireshark (through something like this https://www.wireshark.org/tools/wpa-psk.html). Note that Wireshark does this step for you, so you do not need to use this unless you want to when using WPA2-Personal.
   

5. To gain proficiency, setup your own wifi infrastrucuture for test with WPA2 and generate traffic to be sure you can decrypt.