This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can't decrypt even with handshake and wpa-psk entered


Hi, can someone please help me as I think I'm losing the will. I've installed and got everything working. Packets are being recorded and I've used the links found on this forum to make a PSK and entered this. I made sure my handshake is done (all 4) and I'm still not seeing decrypted data. If anyone can help I'd be so grateful. I'll post anything that's needed as this is now driving me up the wall; I've been trying to get this to work for a week.

asked 14 Oct '16, 12:39


msriptide

If you can advise me what's needed, as I've never had so much computer knowledge forced on me in a week! lol

(14 Oct '16, 12:41) msriptide

I've added a capture so you can see what I've got: https://drive.google.com/file/d/0B8i7MiaDMhavVHZvaUxYeUxGUmM/view?usp=sharing

I'm working on a VMware Ubuntu, and my wireless adapter is a TL-WN722N.

(14 Oct '16, 13:02) msriptide

Well, without publishing the PSK as well it is hard to check whether the problem is between the keyboard and the chair or in the software. If the capture was taken while your regular PSK was in use, consider changing the PSK temporarily to one you wouldn't mind publishing, taking a new capture with that PSK in use, and publishing that capture instead, together with that temporary PSK.

(14 Oct '16, 13:17) sindy

If you're able to help I don't mind sending it to you privately.

(14 Oct '16, 13:19) msriptide

The PSK for that file is below; I'll change it from now on: 41c777bdb4a03d49a77f1e09459b11bfa6dfd569ce6ab5e7095c835e4f537775

(14 Oct '16, 13:23) msriptide

For me it works just fine... right-click the IEEE 802.11 part of the dissection tree in the dissection pane, choose Protocol preferences, double-check that there is a checkmark next to Enable decryption, and add the key as a row in the table which opens when you click Decryption Keys in the context menu, choosing wpa-psk as the row type from the drop-down menu in the first column.

If you use a display filter like ip or arp afterwards, you'll see some of the frames decrypted; the rest are either management frames or frames to/from other devices whose EAPOL negotiation you haven't captured. There are also a couple of frames which were not WPA-encrypted, so that display filter shows them even if WPA decryption is disabled or the key is not added to the table.

If this is what you did and nevertheless you cannot see any decrypted frames, please list all the settings from the context menu for IEEE 802.11 wireless LAN preferences.

(14 Oct '16, 13:40) sindy
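The 64-hex value that goes into a wpa-psk row is the PMK derived from the passphrase and the SSID. As an added illustration (not code from the thread or from Wireshark), the derivation below lets you check a pasted key against the network it is meant for; the function names are my own.

```python
import hashlib


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PMK that a 'wpa-psk' row holds, as 64 hex characters.

    WPA/WPA2-Personal defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    so the hex key is bound to the SSID: the same passphrase on a renamed network gives a different key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)
    return pmk.hex()


def wireshark_key_rows(passphrase: str, ssid: str) -> dict:
    """Both ways of entering the same key in the IEEE 802.11 decryption-key table."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",                      # Wireshark derives the PMK itself
        "wpa-psk": wpa_psk_from_passphrase(passphrase, ssid),  # pre-derived 64-hex PMK
    }


def key_matches_network(hex_key: str, passphrase: str, ssid: str) -> bool:
    """Check a pasted 64-hex key (any case, stray whitespace) against the expected network."""
    return hex_key.strip().lower() == wpa_psk_from_passphrase(passphrase, ssid)
```

A mismatch here (wrong SSID case, a trailing space, a key made for a different network name) leaves the handshake capture looking fine while nothing decrypts.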

The data, such as it is, in your capture decrypts for me with that psk. Ensure the key type is set to wpa-psk in the encryption keys dialog.

The first frame with decrypted data is 362.

(14 Oct '16, 13:46) grahamb ♦

I was trying to view the HTTP data, and it doesn't show. I've attached some screenshots of my settings. I really wanted to get the HTTP to show all the information, as it was a project for class to show it could be seen very easily... or not, as the case may be! https://drive.google.com/file/d/0B8i7MiaDMhavc3gtV0JSYnlkU1k/view?usp=sharing

(14 Oct '16, 13:54) msriptide

The EAPOL you've caught is for a Samsung device with MAC address ec:1f:72:fe:87:f1. This allows you to decrypt unicast frames from the AP to that device, broadcast frames from the AP to all devices, and all frames from that device to the AP. In the capture there is neither a TCP nor a DNS packet to/from that device, and not even unicast frames to/from that device.

That leads me to the conclusion that the problem is not the decryption but the capture. Most likely, the communication between the device and the AP was using coding schemes (modulations) which the monitoring wireless adaptor could not understand. If you can, reduce the feature set of the AP to the possible minimum (no ac, no n, maybe even no g, just b) and try again. The capture shows b, g and even n frames to be present, but the drivers in monitor mode sometimes behave weirdly.

(14 Oct '16, 14:09) sindy
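The reasoning above (which client's handshake is complete, which frames that handshake can unlock, and whether any such frames exist at all) can be turned into a quick capture sanity check. This is an added example, not code from the thread or from Wireshark: it works on a simplified frame model with constructed sample frames, and the AP and second-client MACs are made up, while the phone MAC is the one named above.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str            # transmitter MAC
    dst: str            # receiver MAC
    kind: str           # "eapol" or "data" (management frames are irrelevant here)
    eapol_msg: int = 0  # 1..4 for 4-way handshake messages, else 0

def complete_handshakes(frames, ap):
    # Clients for which all four EAPOL handshake messages were captured
    seen = defaultdict(set)
    for f in frames:
        if f.kind == "eapol":
            seen[f.dst if f.src == ap else f.src].add(f.eapol_msg)
    return {c for c, msgs in seen.items() if msgs == {1, 2, 3, 4}}

def is_decryptable(f, ap, clients):
    # Scope from the answer: unicast to/from a client with a full handshake, plus AP broadcast
    if f.kind != "data":
        return False
    if f.dst == ap:
        return f.src in clients
    return f.src == ap and (f.dst in clients or f.dst == BROADCAST)

def triage(frames, ap):
    # Counts decryptable data frames; flags clients with a handshake but no unicast data at all
    clients = complete_handshakes(frames, ap)
    unicast = defaultdict(int)
    report = {"handshake_clients": sorted(clients), "decryptable": 0, "not_decryptable": 0}
    for f in (x for x in frames if x.kind == "data"):
        if is_decryptable(f, ap, clients):
            report["decryptable"] += 1
            unicast[f.src if f.dst == ap else f.dst] += 1
        else:
            report["not_decryptable"] += 1
    report["no_unicast_data_for"] = sorted(c for c in clients if unicast[c] == 0)
    return report

# Constructed sample: AP and OTHER are made-up MACs; PHONE is the Samsung MAC named in the thread
AP, PHONE, OTHER = "00:11:22:33:44:55", "ec:1f:72:fe:87:f1", "66:77:88:99:aa:bb"
SAMPLE = [Frame(AP, PHONE, "eapol", 1), Frame(PHONE, AP, "eapol", 2),
          Frame(AP, PHONE, "eapol", 3), Frame(PHONE, AP, "eapol", 4),
          Frame(AP, OTHER, "eapol", 1), Frame(OTHER, AP, "eapol", 2),   # incomplete handshake
          Frame(AP, BROADCAST, "data"), Frame(AP, OTHER, "data"), Frame(OTHER, AP, "data")]
```

On the sample, `triage(SAMPLE, AP)` reports the phone as the only client with a complete handshake and lists it under `no_unicast_data_for`, which is exactly the "decryption is fine, the capture is not" situation described above.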

Many thanks for your help Sindy. Is there any easy way to change this without having to use the terminal too much? Not really a Linux wizard here. I was going to mention that I did actually manage to get one HTTP frame a while back, but it was really garbled up.

(14 Oct '16, 14:13) msriptide

Hard to say as I know nothing about how your AP is configured, but they are usually configured using a web interface, so no command line typing should be necessary (or even possible).

The first thing to be sure of is that you've really caught the EAPOL of the right device.

(14 Oct '16, 14:21) sindy

It's the right device as it's my phone which I've been sitting with. I've checked on my router homepage (skyhub) and it's the same name.

(14 Oct '16, 14:23) msriptide

http://setuprouter.com/router/bskyb/sky-hub/wifi.htm shows that there should be a "Mode" choice next to SSID, Region and Channel. What are the available options?

(14 Oct '16, 14:26) sindy

auto, 54g auto, 54g performance, 54g LRS, 802.11b only. Should I go for the last one? Just hoping it doesn't ruin my wifi, but I suppose it can be changed back.

(14 Oct '16, 14:36) msriptide

Yes, 802.11b should do the trick. You are likely to lose connection for a while after the change but it should come back again.

(14 Oct '16, 14:39) sindy

Well, after a week of hard work it looks like I have a bingo! Sindy, you're awesome and this has helped so much! Can't believe it was just too much info into the adapter. Thanks a million.

(14 Oct '16, 15:00) msriptide