Decrypt wireless frames with Wireshark

  • #wireless
  • #security

Components Used

  • A computer running any OS, such as Linux, macOS, or Windows.
  • The Wireshark packet analyzer
  • A packet capture previously collected in monitor mode
  • The password of the target SSID

Considerations

  • Up to 64 keys are supported.
  • The packet capture must contain the 4-way handshake (EAPOL messages 1 to 4); the Wireshark decryption tool uses WPA/WPA2 keys derived from the EAPOL handshake.

In other words, if your capture doesn’t contain the complete handshake, Wireshark won’t be able to decrypt the frames; it won’t work with control, management, and data frames alone.

How to

Wireshark is a powerful tool that can decrypt 802.11 frames using the corresponding password for a specific SSID. It can decrypt WEP, WPA/WPA2, and TKIP.

In this post, we are going to focus only on the wpa-pwd and wpa-psk key types for WPA2.

  1. Open your .pcap file collected with Wireshark. (I filtered only interesting traffic for this post.)

opening the pcap file

Packets 9 – 12 show the required 4-way handshake; packets 18, 20, 22, and so on show encrypted data.

Let’s take a look at frame 28: the payload is encrypted.

frame 28

  2. Go to the Wireshark tab > Preferences > Protocols > IEEE 802.11, as shown in the image:

frame 28 flags

  3. Enable decryption and click on Edit, as shown in the image:

enabling decryption in wireshark

  4. Let’s start with wpa-pwd: the key is in plaintext, and the password goes first, followed by a colon (:) and the name of the SSID, as shown in the image.

wpa key in plain text

  5. To use wpa-psk you will need to derive your PSK by combining your passphrase and your SSID name; you can use this link for simplicity, then copy and paste the result into Wireshark, as shown in the images.

wpa key in plain text v2

wpa key in plain text v3

In my case, the name of the SSID is “Meraki”.

  6. Click OK.

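As an added example (not code from the original post), the wpa-psk value from the step above can be computed offline instead of pasting the passphrase into a website: the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits, which is exactly what the station computes itself. The passphrase below is a constructed placeholder; the SSID "Meraki" is the one from this post.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK the same way a station does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Hex-encoded, this is the value Wireshark expects for a wpa-psk key."""
    # IEEE 802.11 requires 8-63 printable ASCII characters for the passphrase.
    if not (8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def wireshark_keys(passphrase: str, ssid: str) -> dict:
    """Return both forms accepted under Preferences > Protocols > IEEE 802.11 > Decryption keys:
    wpa-pwd keeps the passphrase in clear ('password:SSID'), wpa-psk carries the derived key."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa_psk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    # Constructed example passphrase, not the post's real network credentials.
    for key_type, value in wireshark_keys("ExamplePass123", "Meraki").items():
        print(f"{key_type}: {value}")
```

The derivation can be checked against the test vector published in the IEEE 802.11 standard (passphrase "password", SSID "IEEE"), so a mismatch with the online calculator points at a typo in the SSID or passphrase rather than at Wireshark.
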
Let’s look at packets 18, 20, and 22 again! Now we can see L3 information followed by the protocol of the data, which is DHCP (before, we had only 802.11 and L2 information).

looking at packet 18, 20 and 22

Let’s take a look at frame 28 one more time!

looking at packet 28

You can see the entire payload which includes a DHCP offer.

ignoring the protection bit

In conclusion, decrypting 802.11 frames can be very helpful in a troubleshooting session: instead of seeing only the 802.11 protocols, you get another picture with the L3 information in there. For instance, you can check whether your supplicant is sending a DHCP Discover and receiving the Offer it needs.

I hope you find this post useful! Please be safe and take care of yourself!

Copyright © 2024 Darwin Castro