This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is this the WPA2-PSK encrypted password to the network?


I have a URL http://imgur.com/a/0RmjL to an album with 6 pics in it. The album is called "myhandshake", and the pics are captioned and listed from top to bottom as:

  1. The screenshot of an initial WPA2-PSK handshake - This is a screenshot of the WPA2-PSK handshake of me authenticating with my network's router to gain access to the wifi network.
  2. packet1 - pretty self explanatory.
  3. packet2 - pretty self explanatory.
  4. packet3 - pretty self explanatory.
  5. packet4 - pretty self explanatory.
  6. Diagram of a WPA2-PSK handshake - This is the diagram that I used as desktop wallpaper so that I could memorize the basic steps in the WPA2-PSK handshake.

Eventually, I want to be able to associate each of those steps with what I'm looking at when going over handshake data in Wireshark.

My question revolves around the 4th pic, captioned "packet3". Looking in Wireshark's middle pane, at the highlighted line at the bottom of that pane, is that "WPA Key Data: 12bfb55a99d08b44136c7fbf84075cebbec1d67fbf6b1f22..." entry the encrypted password for the wifi network?

It appears that it's only partial, because its length is noted to be 56, and the entry also ends in "...", which I take to mean that there's more data that goes on the end of it. If I really need to get the whole thing, I guess I could go into Wireshark's bottom pane and get the entire thing from the Hex dump that's there.

If that is not the encrypted password, then which entry should I be looking at to see it? - Thanks in advance!

asked 29 May '17, 23:34


Airsniffer

edited 30 May '17, 02:41


grahamb ♦


One Answer:


The passphrase, encrypted or otherwise, is never sent over the network with WPA2. The PTK (pairwise transient key used to encrypt unicast data between AP and station) is never sent over the link either. There is no field to check for the keys you need, as they are derived from the passphrase and the Nonce values (random data included by each host in the authentication process). If you use Wireshark to decrypt, it will show you the PMK (fixed once the SSID and passphrase are known) and the PTK/GTK in use (the 4-way handshake combined with the PMK will provide the actual keys used to encrypt data, the PTK & GTK).

For the detail you request, see the 802.11-2012 specification (available free), generally section 11 for security, and specifically section 11.6 for keys and key distribution. This will have the definition of what is in each EAPOL message.

Message 3 of 4 is defined in 11.6.6.4 "4-Way Handshake Message 3", and the field you have a question about is:

Key Data = For PTK generation, the AP's Beacon/Probe Response frame's RSNE, and, optionally, a second RSNE that is the Authenticator's pairwise cipher suite assignment, and, if a group cipher has been negotiated, the encapsulated GTK and the GTK's key identifier (see 11.6.2), and if management frame protection is negotiated, the IGTK KDE. <cut for brevity>

Basically, this field is the RSN information element that one would see in a Beacon or Probe Response frame and some other items like group key information. Per 802.11, this field is to be checked. Table 11-6—KDE shows the various fields that could be included.

Wireshark, in conjunction with wpa_supplicant on Linux in debug mode, can be very useful in digging into the details as the encrypted and unencrypted bytes can be analyzed with a lot of control over what is occurring.

answered 30 May '17, 03:16


Bob Jones
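The answer's central point, that nothing in the four packets is the password and that the PMK and PTK are derived rather than transmitted, can be shown with the key-derivation steps themselves. The following is an added example written for this archive page; it is not code from the answer's author or from the Wireshark project. It implements the WPA2-PSK derivation as specified in 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), then PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)) for CCMP, split into KCK, KEK and TK. The SSID/passphrase pair "IEEE"/"password" is the published 802.11 test vector; the MAC addresses and nonces are constructed placeholders, not values from the question's capture.

```python
import hashlib
import hmac
import math

# Constructed sample inputs (placeholders, not taken from any real capture).
# "IEEE" / "password" is the PBKDF2 test vector published in the 802.11 spec annex.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("001122334455")    # Authenticator address (AA), constructed
STA_MAC = bytes.fromhex("66778899aabb")   # Supplicant address (SPA), constructed
ANONCE = bytes(range(32))                 # AP nonce from message 1, constructed
SNONCE = bytes(range(32, 64))             # Station nonce from message 2, constructed


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes.

    This is the value Wireshark computes from the "wpa-pwd" decryption key
    entry; it depends only on the SSID and passphrase, never on the handshake.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and return the first nbytes (n = 8 * nbytes bits)."""
    out = b""
    for i in range(math.ceil(nbytes / 20)):  # SHA-1 digest is 20 bytes
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) from the PMK and the two nonces exchanged in
    handshake messages 1 and 2. The min/max ordering makes both sides compute
    the same key regardless of which address or nonce is 'theirs'."""
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {
        "ptk": ptk,
        "kck": ptk[:16],    # Key Confirmation Key: authenticates the EAPOL MIC
        "kek": ptk[16:32],  # Key Encryption Key: wraps the GTK in message 3's Key Data
        "tk": ptk[32:48],   # Temporal Key: the actual CCMP data-encryption key
    }


def main() -> None:
    pmk = derive_pmk(PASSPHRASE, SSID)
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("PMK :", pmk.hex())
    print("KCK :", keys["kck"].hex())
    print("KEK :", keys["kek"].hex())
    print("TK  :", keys["tk"].hex())
    # Same PMK, fresh nonces: every association yields a different PTK,
    # which is why no single field in the capture can be "the key".
    other = derive_ptk(pmk, AP_MAC, STA_MAC, bytes(range(64, 96)), SNONCE)
    print("TK changes with a new ANonce:", other["tk"] != keys["tk"])


if __name__ == "__main__":
    main()
```

Relating this to the packets in the question: the "WPA Key Data" field in message 3 is the RSNE plus the GTK KDE, and the GTK inside it is wrapped with the KEK derived above, so even that field is not a password and cannot be read without first deriving the PTK from the PMK and the nonces in messages 1 and 2.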