I have a URL http://imgur.com/a/0RmjL to an album with 6 pics in it. The album is called "myhandshake", and the pics are captioned and listed from top to bottom as:
Eventually, I want to be able to associate each of those steps with what I'm looking at when going over handshake data in Wireshark. My question revolves around the 4th pic, captioned "packet3". Looking in Wireshark's middle pane, at the highlighted line at the bottom of that pane, is that "WPA Key Data: 12bfb55a99d08b44136c7fbf84075cebbec1d67fbf6b1f22..." entry the encrypted password for the wifi network? It appears that it's only partial, because its length is noted to be 56, and the entry also ends in "...", which I take to mean that there's more data that goes on the end of it. If I really need to get the whole thing, I guess I could go into Wireshark's bottom pane and get the entire thing from the Hex dump that's there. If that is not the encrypted password, then which entry should I be looking at to see it? - Thanks in advance!
asked 29 May '17, 23:34 Airsniffer, edited 30 May '17, 02:41 grahamb
One Answer:
The passphrase, encrypted or otherwise, is never sent over the network with WPA2. The PTK (pairwise transient key used to encrypt unicast data between AP and station) is never sent over the link either. There is no field to check for the keys you need, as they are derived from the passphrase and the Nonce values (random data included by each host in the authentication process). If you use Wireshark to decrypt, it will show you the PMK (fixed once the SSID and passphrase are known) and the PTK/GTK in use (the 4-way handshake combined with the PMK will provide the actual keys used to encrypt data, the PTK & GTK). For the detail you request, see the 802.11-2012 specification (available free), generally section 11 for security, and specifically section 11.6 for keys and key distribution. This will have the definition of what is in each EAPOL message. Key 3 of 4 is defined by: 11.6.6.4 4-Way Handshake Message 3 and the field you have a question about:
Basically, this field is the RSN information element that one would see in a Beacon or Probe Response frame and some other items like group key information. Per 802.11, this field is to be checked. Table 11-6—KDE shows the various fields that could be included. Wireshark, in conjunction with wpa_supplicant on Linux in debug mode, can be very useful in digging into the details as the encrypted and unencrypted bytes can be analyzed with a lot of control over what is occurring.
answered 30 May '17, 03:16 Bob Jones
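As an added illustration of the derivation the answer describes (this is example code, not part of the answer above and not Wireshark's own implementation): the PMK comes from the passphrase and SSID alone, and the PTK comes from the PMK plus both MAC addresses and both nonces from the handshake. The passphrase "password" and SSID "IEEE" are the published 802.11 Annex test vector; the MAC addresses and nonces below are constructed sample values, not taken from the capture in the question.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample handshake values (assumed; not from the asker's capture).
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("a0a1a2a3a4a5")
STA_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(0x20, 0x40))   # 32-byte nonce sent by the AP in message 1
SNONCE = bytes(range(0x40, 0x60))   # 32-byte nonce sent by the station in message 2


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    It depends only on passphrase and SSID, which is why Wireshark can compute
    it once and reuse it for every handshake on that network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until at least nbits of output exist, then truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
               snonce: bytes) -> Tuple[bytes, bytes, bytes]:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    for CCMP. The 48 bytes split into KCK (MIC key for EAPOL frames), KEK (the key
    that wraps the "WPA Key Data" field seen in message 3) and TK (data traffic key).
    None of these values is ever carried in the handshake itself."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[0:16], ptk[16:32], ptk[32:48]


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    kck, kek, tk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("PMK:", pmk.hex())
    print("KCK:", kck.hex(), "KEK:", kek.hex(), "TK:", tk.hex())
```

Because the nonces enter the PTK, a capture that lacks the 4-way handshake cannot be decrypted even when the passphrase is known, which is the practical reason Wireshark needs the EAPOL frames alongside the PSK.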