This is our old Q&A Site. Please post any new questions and answers at

Objective: Capture packets with info containing sites visited, usernames & passwords if any on WPA2-PSK (AES)wifi network. Monitor capable Alfa card used.

Steps followed:

airmon-ng check kill

airmon-ng start wlan1

(window 1)airodump-ng -c [number] --bssid [bssidnumber] --shockack -w [filepath] wlan1(mon)

(window 2) aireplay-ng -0 5 -a [bssidnumber] -c [targetMAC] wlan1(mon)

Target device looses connection to wifi and rejoins, I can see a handshake is captured in window 1

Browse HTTP sites on the target device (tried iPhone, laptop), fill out and submit login forms

Ctrl + C to stop capture

Open .cap with Wireshark

Preferences > IE802.11 > enable decryption > enter generated key

At this stage I have to fiddle with settings such as ignore protection bit, and then I get some decrypted (coloured) results displayed in the grid...great :)

You'd think at this stage I'd be home and dry....only problem is I have no HTTP, HTTPS, DNS requests nor do I get any results when I search for the password I entered in the login form as a string.

Any ideas what I'm doing wrong?

This question is marked "community wiki".

asked 25 Oct '16, 13:57

rootb33r's gravatar image

accept rate: 0%

edited 25 Oct '16, 13:58

With no other detail, such as a trace, we can't be sure. However, this might give you some ideas to try:

I'd guess if you see some frames decrypted it is a likely a modulation issue and you can't decode regular data frames that are at high data rates. You might see multicast/broadcast as they are sent at lower rates.

permanent link

answered 25 Oct '16, 14:50

Bob%20Jones's gravatar image

Bob Jones
accept rate: 21%

edited 25 Oct '16, 14:55

Thanks for your reply. I'll go through the links tomorrow. It does sound like what you said about the data rates may be right as I definitely am seeing some information....just not what I really want to see.

The capture card specifically is the awus036h. 'Promiscuous' mode has never been explicitly turned on, but I understand that is a Wireshark setting(?) and I'm simply viewing the .cap with Wireshark rather than capturing with it.

(25 Oct '16, 16:15) rootb33r
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 25 Oct '16, 13:57

question was seen: 1,658 times

last updated: 25 Oct '16, 16:15

p​o​w​e​r​e​d by O​S​Q​A