Tuesday, October 29, 2013

Sniffing WPA2-PSK encrypted wireless networks

Sniffing WPA2 encrypted wireless networks is actually a pretty straightforward task, which is reasonably well-documented elsewhere, except for one major hurdle I had to overcome which I did not find documented anywhere else. Read on!

For sniffing network traffic, the most well-known tool aside from the venerable tcpdump is Wireshark. It's an extremely powerful tool which has the capability to transparently decrypt WPA2 encrypted traffic on-the-fly, provided that you know the credentials to get access to the network in the first place. In my previous blog post, I described how you can break into a WPA2-PSK network by performing a dictionary attack against a captured hash. Assuming that you have recovered the key by this technique (or some other approach), you're now in a position to start sniffing.

Almost all of the documents I found on the web detailed what should be a pretty trivial task, namely, putting your plaintext key into Wireshark. I will recap the steps here for Wireshark 1.8.2 (other versions of Wireshark will look a bit different):
  • Start Wireshark
  • Then "Edit" -> "Preferences"
  • Expand the "Protocols" field in the menu
  • Scroll all the way down to "IEEE 802.11"
  • Tick the "Enable decryption" checkbox
  • Then hit the "Edit" button by "Decryption Keys"
  • In the new window that popped up, hit "New"
  • Yet another window will pop up; select "wpa-pwd" if you're entering a plaintext passphrase, or "wpa-psk" if you have the actual hex key
    • Don't forget that the password is case-sensitive!
  • Put in your key, and hit "OK"
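The "wpa-pwd" and "wpa-psk" entries above are two forms of the same secret: WPA2-PSK derives the 256-bit key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), which is also why the passphrase is case-sensitive and why the "wpa-pwd" entry has to name the SSID. The following is an added example, not code from the original post, that computes the hex key for your own network so you can check which entry form Wireshark is expecting; the `passphrase:ssid` entry format and the IEEE test vector in the test are assumptions from the standard and Wireshark's key dialog, not from the post.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 pre-shared key (PMK) as specified by IEEE 802.11i:
    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so the same passphrase yields a different
    key on a differently named network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),  # case-sensitive input
        ssid.encode("utf-8"),
        4096,
        dklen=32,
    )


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return both forms of the decryption key entry for Wireshark's
    IEEE 802.11 preferences: the plaintext 'wpa-pwd' form (assumed format
    passphrase:ssid) and the 64-hex-digit 'wpa-psk' form."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa2_psk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    # Constructed sample values for a network you administer.
    for kind, value in wireshark_key_entries("MyHomePassphrase", "HomeNet").items():
        print(f"{kind}: {value}")
```

Decryption also depends on Wireshark having captured the EAPOL four-way handshake for each client, since the per-session keys are derived from it; a correct key entry alone will not decrypt traffic from a client whose handshake was missed.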

Usually this works just fine, but I sometimes found that even if I did this correctly, the traffic would not decrypt! I would see some low-level 802.11 traffic (EAPOL, etc.), but I would not see the decrypted traffic (HTTP, etc.) which Wireshark was supposed to show. After much searching and cursing, I found out that the problem was associated with the actual wireless card I was using! Bizarrely enough, some TP-Link USB dongle that I was using did not work, but the built-in Atheros AR9462 wireless card of the Acer Revo I was testing with worked flawlessly. So, changing the actual hardware "magically" let decryption start working correctly. If you have this problem, I hope that this helps you, as it was an extremely frustrating experience to try to solve this issue!

I tested this on both Kali Linux and Ubuntu 13.04.

Obviously: only use these tools against a network that you are authorized to assess!