Hello Forum, a friend (who owns a small business) told me that he replaced his WEP based AP by a new AP with WPA PSK encryption. He believes that from now on, nobody (even among his employees using the same PSK) can intercept/decrypt the traffic of other legitimate users. My idea is that with the PSK and the 4-way handshake it's not too difficult to decrypt his traffic and I would like to show him this fact :-)

Question: Is Wireshark the tool of choice for deriving the WPA session key from the PSK and the 4-way handshake?

Thanks a lot for any feedback! Joe
You are correct, Wireshark can decrypt WPA encrypted communications. I assume you have seen this: https://wiki.wireshark.org/HowToDecrypt802.11 There are some other tools, but Wireshark is straightforward and easy to use, with instructions.

It is correct that each user will have a unique encryption key which is called the PTK. This is based off the master key which everyone shares - this is derived from the Passphrase (i.e. PSK) and SSID. But with this PMK, and the handshake, each unique PTK can be derived so traffic can be encrypted.

If your friend moves to WPA-Enterprise, then each client gets a separate PMK, making it harder for others to get at unencrypted data. The PMK will likely change on a session timeout, so that is another tool to reduce the ability of others to get at the data.

Hello again! It took me some time to get back to this interesting case. Sorry for that delay!

My friend told me "even if you are watching all these videos on Youtube you won't be able to decrypt my personal communication. Did you know by the way, how much I spent for this new equipment" and "you can stay as long as you want beside my AP and try, as long as you are not cheating by connecting to my LAN directly via the Ethernet".

Ok.. I do know the AP password (the PSK which is the same for all users connecting to that AP), the SSID and did successfully capture the 4-way handshake. As I understand, with the help of the PMK each unique PTK can be derived. I don't have the impression that https://wiki.wireshark.org/HowToDecrypt802.11 does address this task.

Question: What are the next steps to derive from the PMK each unique PTK in order to be able to decrypt the traffic?

Any feedback is appreciated very much! Thanks. Joe
(17 Sep '16, 05:33)
joseph123
The PMK is derived from the Passphrase (which Wireshark calls WPA-PWD) and the SSID that is entered. If you want the details, see 802.11-2012 and it indicates the method to convert the (Passphrase,SSID) --> PMK. Wireshark does it for you, and there are websites around that will do it too. If you have the information as claimed and it is correct, follow the Wireshark directions and you should start to see decrypted traffic. A couple of tips:

Therefore you should be able to decrypt the traffic regardless of what your friend says. Are you sure you have wireless traffic to decrypt?
(18 Sep '16, 03:08)
Bob Jones
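The (Passphrase, SSID) --> PMK --> PTK chain that the thread describes, written out as an added example; this is not code from the thread or from Wireshark, and the MAC addresses, nonces and EAPOL frame used in the checks are constructed sample values. It shows why every holder of the shared PSK can recompute any other station's PTK from the handshake values sent in the clear, which is the reason the advice above points to WPA-Enterprise.

```python
"""Added example: the 802.11 key schedule from a shared PSK to a station's PTK.
Not code from the original thread or from Wireshark."""
import hashlib
import hmac


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    # Pass-phrase-to-PSK mapping from 802.11 (Annex M in the 2012 revision):
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # This is the step Wireshark performs for a "wpa-pwd" decryption key entry.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # Pairwise key hierarchy: PTK = PRF-384(PMK, "Pairwise key expansion",
    #   Min(AA,SPA) | Max(AA,SPA) | Min(ANonce,SNonce) | Max(ANonce,SNonce)).
    # AA/SPA (the MAC addresses) and both nonces travel unencrypted in the 4-way
    # handshake, so the PMK is the only secret input. 384 bits is the CCMP PTK size.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the
    # 16-byte MIC field at offset 81 zeroed), truncated to 128 bits.
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def eapol_mic_ok(kck: bytes, eapol_frame: bytes) -> bool:
    # A matching MIC on handshake message 2 is how a decryptor confirms that the
    # derived PTK (and therefore the PSK it typed in) is the right one.
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), eapol_frame[81:97])
```

The PMK check in the usage below uses the published 802.11 test vector (passphrase "password", SSID "IEEE"); the PTK and MIC checks use constructed sample values, since the thread contains no real capture.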