For sniffing network traffic, the best-known tool apart from the venerable tcpdump is Wireshark. It is an extremely powerful tool that can transparently decrypt WPA2-encrypted traffic on the fly, provided that you know the credentials needed to join the network in the first place. Two caveats apply. First, this works for WPA2-PSK, where everyone shares one passphrase; on WPA2-Enterprise every client ends up with its own pairwise master key, so a single key entry will not help. Second, the per-session keys are derived from the four-way EAPOL handshake (nonces and MAC addresses), not from the passphrase alone, so Wireshark can only decrypt a client's traffic if the capture also contains that client's handshake with the access point. A client that associated before you started capturing stays encrypted until it reconnects; the display filter `eapol` shows which handshakes you actually have. In my previous blog post, I described how you can break into a WPA2-PSK network by performing a dictionary attack against a captured handshake. Assuming that you have recovered the key by this technique (or some other approach), you're now in a position to start sniffing.
Almost all of the documents I found on the web detailed what should be a pretty trivial task, namely putting your plaintext key into Wireshark. I will recap the steps here for Wireshark 1.8.2 (other versions of Wireshark will look a bit different):
- Start Wireshark
- Then "Edit" -> "Preferences"
- Expand the "Protocols" field in the menu
- Scroll all the way down to "IEEE 802.11"
- Tick the "Enable decryption" checkbox
- Then hit the "Edit" button by "Decryption Keys"
- In the new window that popped up, hit "New"
- Yet another window will pop up. Select "wpa-pwd" if you're entering the plaintext passphrase, written as passphrase:SSID (include the SSID, because it is the salt in the key derivation and the same passphrase yields a different key on a differently named network), or "wpa-psk" if you have the actual 64-hex-digit pre-shared key
- Don't forget that the password is case-sensitive!
- Put in your key, and hit "OK"
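Since the "wpa-pwd" entry is only a convenience, it helps to see what Wireshark does with it. The following Python example is added here and is not part of the original post or of Wireshark; the function names are mine. It derives the 64-hex-digit key from the passphrase and SSID exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes of output), which is the "wpa-psk" form of the same key, and applies the length rules the standard imposes. The test vector (passphrase "password", SSID "IEEE") is the one from the standard and matches what `wpa_passphrase` from wpa_supplicant prints.

```python
import hashlib


def wpa2_psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 pre-shared key (the PMK) from a passphrase.

    IEEE 802.11i defines it as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096
    iterations, 32 bytes of output). The SSID is the salt, which is why the
    same passphrase gives a different key on every differently named network
    and why Wireshark's "wpa-pwd" entry is written as "passphrase:SSID".
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )
    return psk.hex()


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return both forms Wireshark accepts for the same network, as strings
    ready to paste into the "Decryption Keys" dialog (names are mine)."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa2_psk_from_passphrase(passphrase, ssid),
    }


if __name__ == "__main__":
    # Test vector from the IEEE 802.11 PSK derivation annex; also what
    # `wpa_passphrase IEEE password` prints.
    entries = wireshark_key_entries("password", "IEEE")
    print(entries["wpa-pwd"])  # password:IEEE
    print(entries["wpa-psk"])  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    # Same passphrase, different SSID: a different key, so the SSID matters.
    print(wpa2_psk_from_passphrase("password", "IEEF"))
```

Either string can be pasted into the dialog; the hex form is handy when you got the key from a tool such as aircrack-ng or wpa_passphrase rather than from the passphrase, or when the SSID contains a colon that would confuse the passphrase:SSID form.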
I tested this on both Kali Linux and Ubuntu 13.04.
Obviously: only use these tools against a network that you are authorized to assess!