Hi, can someone please help me as I think I'm losing the will. I've installed and got everything working. Packets are being recorded and I've used the links found on this forum to make a psk and entered this. Made sure my handshake is done (all 4) and I'm still not seeing decrypted data. If anyone can help I'd be so grateful. I'll post anything that's needed as this is now driving me up the wall trying to get this to work for a week.
asked 14 Oct '16, 12:39 msriptide
If you can advise me what's needed, as I've never had so much computer knowledge forced on me in a week! lol
I've added a capture so you can see what I've got: https://drive.google.com/file/d/0B8i7MiaDMhavVHZvaUxYeUxGUmM/view?usp=sharing
I'm working on a VMware Ubuntu, and my wireless adapter is a TL-WN722N
Well, without publishing the psk as well it is hard to check whether the problem is between the keyboard and the chair or in the software. If the capture is taken while your regular psk was in use, consider changing the psk temporarily to one you wouldn't mind publishing, taking a new capture with that psk in use and publishing that capture instead, together with that temporary psk.
If you're able to help I don't mind sending it to you privately
The psk to that file is below, I'll change it from now on
41c777bdb4a03d49a77f1e09459b11bfa6dfd569ce6ab5e7095c835e4f537775
For me it works just fine... right-click the "IEEE 802.11" part of the dissection tree in the dissection pane, choose "Protocol preferences", double-check that there is a checkmark next to "Enable decryption", and add the key as a row in the table which opens when you click "Decryption Keys" in the context menu, choosing "wpa-psk" as the row type from the drop-down menu in the first column.
If you use a display filter like "ip or arp" afterwards, you'll see some of the frames decrypted; the rest are either management frames or frames to/from other devices whose EAPOL negotiation you haven't captured. There is also a couple of frames which were not WPA-encrypted so that display filter shows them even if WPA decryption is disabled or the key is not added to the table.
If this is what you did and nevertheless you cannot see any decrypted frames, please list all the settings from the context menu for "IEEE 802.11 wireless LAN preferences".
The data, such as it is, in your capture decrypts for me with that psk. Ensure the key type is set to wpa-psk in the encryption keys dialog.
The first frame with decrypted data is 362.
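An added example, not part of the original thread and not Wireshark's own code: it shows how a 64-hex-digit wpa-psk value is derived from a passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits), checks that a key has the raw-PSK form, and models which frames become decryptable once one station's EAPOL handshake is in the capture. The function names, the AP MAC and the second station MAC are constructed for illustration; the passphrase "password" and SSID "IEEE" are the published IEEE 802.11i test-vector values.

```python
import hashlib
import re

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Raw 256-bit PSK as 64 hex digits: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def is_raw_psk(key: str) -> bool:
    """True if the string is usable as a wpa-psk row value (exactly 64 hex digits)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", key) is not None

BROADCAST = "ff:ff:ff:ff:ff:ff"

def decryptable(frame: dict, ap: str, handshakes: set) -> bool:
    """With a station's EAPOL handshake captured, its traffic to and from the
    AP decrypts, plus the AP's broadcasts; other stations' unicast does not."""
    ta, ra = frame["ta"], frame["ra"]  # transmitter / receiver address
    if ta in handshakes and ra == ap:
        return True
    if ta == ap and ra in handshakes:
        return True
    return ta == ap and ra == BROADCAST and bool(handshakes)

# Constructed sample data; only the phone's MAC comes from the thread.
AP = "02:00:00:00:00:01"
PHONE = "ec:1f:72:fe:87:f1"
OTHER = "02:00:00:00:00:02"
FRAMES = [
    {"ta": PHONE, "ra": AP},      # phone -> AP
    {"ta": AP, "ra": PHONE},      # AP -> phone
    {"ta": AP, "ra": BROADCAST},  # AP broadcast
    {"ta": OTHER, "ra": AP},      # other station, no handshake captured
    {"ta": AP, "ra": OTHER},
]

def summarize(frames, ap, handshakes):
    """Decryptability of each frame, in order."""
    return [decryptable(f, ap, handshakes) for f in frames]

if __name__ == "__main__":
    print(wpa_psk("password", "IEEE"))
    print(summarize(FRAMES, AP, {PHONE}))
```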
I was trying to view the HTTP data, and it doesn't show. I've attached some screenshots of my settings. I really wanted to get the HTTP to show all the information as it was a project for class to show it could be seen very easily... or not as the case may be! https://drive.google.com/file/d/0B8i7MiaDMhavc3gtV0JSYnlkU1k/view?usp=sharing
The EAPOL you've caught is for a Samsung device with MAC address ec:1f:72:fe:87:f1. This allows you to decrypt unicast frames from the AP to that device, broadcast frames from the AP to all devices, and all frames from that device to the AP. In the capture there is no TCP nor DNS packet to/from that device, and not even unicast frames to/from that device.
That leads me to a conclusion that the problem is not the decryption but the capture. Most likely, the communication between the device and the AP was using coding schemes (modulations) which the monitoring wireless adaptor could not understand. If you can, reduce the feature set of the AP to the possible minimum (no ac, no n, maybe even no g, just b) and try again. The capture shows b, g and even n frames to be present but the drivers in mirroring mode sometimes behave weird.
Many thanks for your help Sindy, is there any easy way to change this without having to use the terminal too much, not really a Linux wizard here. I was going to mention that I did actually manage to get one HTTP frame a while back but it was really garbled up
Hard to say as I know nothing about how your AP is configured, but they are usually configured using a web interface, so no command line typing should be necessary (or even possible).
The first thing to be sure of is that you've really caught the EAPOL of the right device.
It's the right device as it's my phone which I've been sitting with. I've checked on my router homepage (skyhub) and it's the same name
http://setuprouter.com/router/bskyb/sky-hub/wifi.htm shows that there should be a "Mode" choice next to SSID, Region and Channel, what are the available options?
auto, 54g auto, 54g performance, 54g LRS, 802.11b only. Should I go for the last one? Just hoping it doesn't ruin my wifi but I suppose it can be changed back
Yes, 802.11b should do the trick. You are likely to lose connection for a while after the change but it should come back again.
Well, after a week of hard work it looks like I have a bingo! Sindy, you're awesome and this has helped so much! Can't believe it was just too much info into the adapter. Thanks a million