Objective: Capture packets with info containing sites visited, usernames & passwords, if any, on a WPA2-PSK (AES) wifi network. A monitor-capable Alfa card was used.

Steps followed:

1. airmon-ng check kill
2. airmon-ng start wlan1
3. (window 1) airodump-ng -c [number] --bssid [bssidnumber] --showack -w [filepath] wlan1(mon)
4. (window 2) aireplay-ng -0 5 -a [bssidnumber] -c [targetMAC] wlan1(mon)
5. Target device loses connection to wifi and rejoins; I can see a handshake is captured in window 1.
6. Browse HTTP sites on the target device (tried iPhone, laptop), fill out and submit login forms.
7. Ctrl + C to stop capture.
8. Open the .cap with Wireshark.
9. Preferences > IEEE 802.11 > enable decryption > enter generated key.

At this stage I have to fiddle with settings such as "ignore protection bit", and then I get some decrypted (coloured) results displayed in the grid... great :)

You'd think at this stage I'd be home and dry... only problem is I have no HTTP, HTTPS or DNS requests, nor do I get any results when I search for the password I entered in the login form as a string.

Any ideas what I'm doing wrong?

asked 25 Oct '16, 13:57 rootb33r, edited 25 Oct '16, 13:58
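Added example (not part of the question, and not Wireshark or aircrack-ng code): the "generated key" in step 9 is the WPA2 pre-shared key, which is derived from the passphrase *and the SSID*, so a key generated for the wrong SSID decrypts nothing. The script below derives it with the standard library and prints both forms Wireshark accepts in the IEEE 802.11 decryption-key list. The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11 known-answer vector, used here only to check the derivation; the SSID "HomeNet" and passphrase "correct horse battery" are made up.

```python
"""Derive the WPA2-PSK that Wireshark's IEEE 802.11 decryption-key list expects.
Standard library only."""
import hashlib


def wpa_psk(passphrase, ssid):
    """IEEE 802.11i PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def wireshark_decryption_keys(passphrase, ssid):
    """Two equivalent entries for Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys:
    'wpa-pwd:<passphrase>:<ssid>' lets Wireshark derive the PSK itself; 'wpa-psk:<hex>' is the
    64-hex-digit key a generator page hands you (this is what the question calls the generated key)."""
    return ["wpa-pwd:%s:%s" % (passphrase, ssid),
            "wpa-psk:%s" % wpa_psk(passphrase, ssid).hex()]


# Known-answer vector from IEEE Std 802.11 (passphrase "password", SSID "IEEE").
IEEE_TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def self_check():
    """True when the local PBKDF2 matches the published vector."""
    return wpa_psk("password", "IEEE").hex() == IEEE_TEST_PSK


if __name__ == "__main__":
    assert self_check()
    # Constructed example network (not a real SSID/passphrase).
    for line in wireshark_decryption_keys("correct horse battery", "HomeNet"):
        print(line)
    # Same passphrase, different SSID: a different key, so the wrong SSID decrypts nothing.
    print(wpa_psk("correct horse battery", "HomeNet") != wpa_psk("correct horse battery", "Homenet"))
```

Two things the key alone does not fix: Wireshark can only decrypt a client's traffic when that client's complete EAPOL 4-way handshake is in the same capture (airodump-ng's "WPA handshake" banner appears with as few as two of the four messages, which is enough for cracking but not always for decryption), and every client that associates after the capture started needs its own handshake captured.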
One Answer:
With no other detail, such as a trace, we can't be sure. However, this might give you some ideas to try: https://ask.wireshark.org/questions/14684/no-data-packets-when-turning-on-monitor-mode https://ask.wireshark.org/questions/54835/having-issues-capturing-http-traffic-on-my-network I'd guess that if you see some frames decrypted it is likely a modulation issue and you can't decode regular data frames that are at high data rates. You might see multicast/broadcast as they are sent at lower rates. answered 25 Oct '16, 14:50 Bob Jones, edited 25 Oct '16, 14:55
Thanks for your reply. I'll go through the links tomorrow. It does sound like what you said about the data rates may be right, as I definitely am seeing some information... just not what I really want to see.
The capture card specifically is the awus036h. 'Promiscuous' mode has never been explicitly turned on, but I understand that is a Wireshark setting(?) and I'm simply viewing the .cap with Wireshark rather than capturing with it.
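Added example (editor's note, not code from the thread or from aircrack-ng/Wireshark) to test the answer's hypothesis against the actual .cap instead of eyeballing Wireshark. The AWUS036H is an 802.11b/g adapter (RTL8187L), so if the AP and the target negotiate 802.11n HT rates it cannot demodulate the data frames at all, while beacons and multicast at 1-11 Mbit/s still come through; a rate histogram restricted to data frames makes that visible at once. The script also reports whether all four EAPOL handshake messages are present, and how many frames carry a bad FCS (Wireshark will not decrypt those). It reads classic pcap with the radiotap link type that airodump-ng writes; the embedded capture is constructed test data, not a real trace.

```python
"""Triage an 802.11 capture (classic pcap, link type 127 = radiotap): were data frames
captured at all, at which rates, and is a complete 4-way handshake present?  stdlib only."""
import struct
from collections import Counter

DLT_IEEE802_11_RADIO = 127
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
# radiotap fields in bit order, bit -> (alignment, size); parsing stops at an unknown bit
# because later fields cannot be located (bits 29-31 are namespace/extension markers).
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1), 6: (1, 1),
                   7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1),
                   14: (2, 2), 15: (2, 2), 16: (1, 1), 17: (1, 1), 18: (4, 8), 19: (1, 3)}

def parse_radiotap(pkt):
    """Return (header_length, {rate_mbps, mcs, bad_fcs}) for one radiotap-prefixed frame."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or length > len(pkt):
        raise ValueError("bad radiotap header")
    off, word = 8, present
    while word & (1 << 31):                           # skip extended 'present' words
        word, off = struct.unpack_from("<I", pkt, off)[0], off + 4
    info = {"rate_mbps": None, "mcs": None, "bad_fcs": False}
    for bit in (b for b in range(29) if present & (1 << b)):
        if bit not in RADIOTAP_FIELDS:
            break
        align, size = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)        # alignment is relative to header start
        if off + size > length:
            break
        if bit == 1:
            info["bad_fcs"] = bool(pkt[off] & 0x40)   # Flags bit 6: FCS check failed
        elif bit == 2:
            info["rate_mbps"] = pkt[off] / 2           # legacy rate in 500 kbit/s units
        elif bit == 19:
            info["mcs"] = pkt[off + 2]                 # MCS index: an 802.11n (HT) frame
        off += size
    return length, info

def eapol_message_number(eapol):
    """4-way handshake message 1..4 from the EAPOL-Key 'Key Information' ACK/MIC/Secure bits."""
    if len(eapol) < 7 or eapol[1] != 3:               # EAPOL packet type 3 = EAPOL-Key
        return None
    key_info = struct.unpack_from("!H", eapol, 5)[0]
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack:
        return 3 if mic else 1
    return (4 if secure else 2) if mic else None

def classify_80211(frame):
    """mgmt / ctrl / data-plain / data-protected / eapol-mN for one 802.11 frame."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        return {0: "mgmt", 1: "ctrl"}.get(ftype, "reserved")
    if fc1 & 0x40:                                    # Protected Frame bit: body is encrypted
        return "data-protected"
    hdr = 24 + (6 if fc1 & 0x3 == 0x3 else 0)         # 4 addresses when To-DS and From-DS set
    hdr += (2 + (4 if fc1 & 0x80 else 0)) if subtype & 0x8 else 0   # QoS Control [+ HT Control]
    body = frame[hdr:]
    if body.startswith(LLC_SNAP_EAPOL):
        return "eapol-m%d" % n if (n := eapol_message_number(body[8:])) else "eapol-other"
    return "data-plain"

def triage_pcap(data):
    """Summarise a classic pcap: frame kinds, rate histogram, rates of data frames only."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_IEEE802_11_RADIO:
        raise ValueError("expected link type 127 (radiotap)")
    frames, rates, data_rates, off = Counter(), Counter(), Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        rt_len, info = parse_radiotap(pkt)
        kind = classify_80211(pkt[rt_len:]) + ("(bad-fcs)" if info["bad_fcs"] else "")
        rate = ("MCS%d" % info["mcs"] if info["mcs"] is not None else
                "%gM" % info["rate_mbps"] if info["rate_mbps"] is not None else "?")
        frames[kind] += 1
        rates[rate] += 1
        if kind.startswith(("data", "eapol")):
            data_rates[rate] += 1
    return {"frames": dict(frames), "rates": dict(rates), "data_rates": dict(data_rates),
            "handshake_complete": all("eapol-m%d" % n in frames for n in (1, 2, 3, 4))}

# Constructed sample capture (not a real trace) so the script runs offline.
def _rt(rate=0, mcs=None, bad_fcs=False):             # radiotap with Flags, Rate [, MCS]
    present, body = 0b110, bytes([0x40 if bad_fcs else 0, int(rate * 2)])
    if mcs is not None:
        present, body = present | 1 << 19, body + bytes([0x02, 0x00, mcs])
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body
def _eapol(key_info):                                  # plaintext data frame carrying EAPOL-Key
    return b"\x08\x02" + bytes(22) + LLC_SNAP_EAPOL + bytes([2, 3, 0, 95, 2]) + struct.pack("!H", key_info)
def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    return hdr + b"".join(struct.pack("<IIII", 1477400000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))
_FRAMES = [
    _rt(rate=1) + b"\x80\x00" + bytes(34),                       # beacon, 1 Mbit/s
    _rt(rate=1) + _eapol(0x008a), _rt(rate=1) + _eapol(0x010a),  # handshake msgs 1, 2
    _rt(rate=1) + _eapol(0x13ca), _rt(rate=1) + _eapol(0x030a),  # handshake msgs 3, 4
    _rt(rate=54) + b"\x88\x41" + bytes(66),                      # QoS data, CCMP, 54 Mbit/s
    _rt(mcs=7) + b"\x88\x41" + bytes(66),                        # QoS data, CCMP, 802.11n MCS 7
    _rt(rate=1) + b"\x08\x42" + bytes(62),                       # broadcast data, CCMP, 1 Mbit/s
    _rt(rate=24) + b"\xd4\x00" + bytes(4),                       # ACK, 24 Mbit/s
    _rt(rate=54, bad_fcs=True) + b"\x88\x41" + bytes(66),        # QoS data, CCMP, FCS failed
]
SAMPLE_PCAP = build_pcap(_FRAMES)
if __name__ == "__main__":
    print(triage_pcap(SAMPLE_PCAP))  # real trace: triage_pcap(open("capture-01.cap", "rb").read())
```

Read the result as follows: if "data-protected" frames exist only at 1-11 Mbit/s and "data_rates" is empty at the rates the client actually uses, the card did not demodulate the unicast traffic and no amount of key fiddling will recover it (move the capture adapter closer, lock the AP to b/g for the test, or use an 802.11n-capable monitor card). If "handshake_complete" is False, re-run the deauth until all four messages are captured for the target's MAC. And note that Wireshark's "Ignore the Protection bit" setting tells the dissector to treat frames with the Protected bit set as plaintext; turning it on produces coloured, dissected-looking rows out of ciphertext, which matches the "decrypted results but no HTTP/DNS" symptom. Leave it at "No" when you have the real key.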