Tuesday, October 29, 2013

Sniffing WPA2-PSK encrypted wireless networks

Sniffing WPA2 encrypted wireless networks is actually a pretty straightforward task, which is reasonably well-documented elsewhere, except for one major hurdle I had to overcome which I did not find documented anywhere else. Read on!

For sniffing network traffic, the most well-known tool aside from the venerable tcpdump is Wireshark. It is an extremely powerful tool which can transparently decrypt WPA2-encrypted traffic on the fly, provided that you know the credentials to get access to the network in the first place and that your capture also contains the EAPOL 4-way handshake between the access point and each client whose traffic you want to read: the pre-shared key alone is not enough, because the per-session keys are derived from the nonces exchanged in that handshake. In my previous blog post, I described how you can break into a WPA2-PSK network by performing a dictionary attack against a captured handshake. Assuming that you have recovered the key by this technique (or some other approach), you're now in a position to start sniffing.

Almost all of the documents I found on the web detailed what should be a pretty trivial task, namely, putting your plaintext key into Wireshark. I will recap the steps here for Wireshark 1.8.2 (other versions of Wireshark will look slightly different):
  • Start Wireshark
  • Then "Edit" -> "Preferences"
  • Expand the "Protocols" field in the menu
  • Scroll all the way down to "IEEE 802.11"
  • Tick the "Enable decryption" checkbox
  • Then hit the "Edit" button by "Decryption Keys"
  • In the new window that popped up, hit "New"
  • Yet another window will pop up; select "wpa-pwd" if you're putting in the plaintext passphrase, or "wpa-psk" if you have the actual 256-bit key as 64 hex characters (the PMK that PBKDF2 derives from the passphrase and the SSID)
    • Enter a "wpa-pwd" key as passphrase:SSID. The SSID can be left off, in which case Wireshark uses the last SSID it saw in beacons or probe responses, but giving it explicitly avoids surprises when more than one network is in the capture
    • Don't forget that the passphrase is case-sensitive!
  • Put in your key, and hit "OK"
Usually this works just fine, but I found sometimes that even when I did this correctly, the traffic would not decrypt! I would see some low-level 802.11 traffic (EAPOL, etc.), but not the decrypted traffic (HTTP, etc.) that Wireshark was supposed to show. After much searching and cursing, I found out that the problem was associated with the actual wireless card I was using! Bizarrely enough, a TP-Link USB dongle I was using did not work, but the built-in Atheros AR9462 wireless card of the Acer Revo I was testing with worked flawlessly. So, changing the hardware "magically" made decryption work correctly. If you hit this symptom, check the capture before blaming the key: apply the display filter eapol and confirm that all four handshake messages between the access point and the client you care about are present (a client that associated before you started capturing must reconnect, for example after a deauthentication, before its traffic can be decrypted), and that the adapter is really in monitor mode on the right channel. If the handshake is complete and the key is right but data frames still show up encrypted, try a different adapter or driver, as I had to. I hope that this helps you, as it was an extremely frustrating experience to solve!
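
To make the two key formats and the handshake requirement concrete, here is an added Python example (my own illustration, not code from the original post). It derives the PMK that a "wpa-psk" entry expects from the passphrase and SSID, derives the per-session PTK the way a decrypting sniffer must, and checks the MIC on a handshake message 2. The PMK is checked against the IEEE 802.11i Annex H test vector ("password" / "IEEE"); the MAC addresses, nonces and EAPOL frame are constructed for the demo, not taken from a real capture.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from any real capture).
AP_MAC = bytes.fromhex("001122334455")      # BSSID / authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")     # client address (SPA)
ANONCE = bytes(range(32))                   # AP nonce from handshake message 1
SNONCE = bytes(range(32, 64))               # client nonce from handshake message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN IE
MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This 64-hex-character value is what a "wpa-psk" entry takes; a "wpa-pwd"
    entry makes Wireshark run this same derivation, which is why the SSID
    (and the passphrase's case) matters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """Pairwise Transient Key for CCMP (KCK | KEK | TK, 16 bytes each).
    Addresses and nonces are sorted by value, so the AP, the client and a
    passive sniffer that saw the handshake all compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def build_eapol_msg2(snonce, replay_counter, rsn_ie):
    """EAPOL-Key frame for handshake message 2 with a zeroed MIC field."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit set
    body = struct.pack(">BHHQ", 2, key_info, 0, replay_counter)   # type, info, key len, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # nonce, IV, RSC, ID, MIC=0
    body += struct.pack(">H", len(rsn_ie)) + rsn_ie               # key data = RSN IE
    return struct.pack(">BBH", 2, 3, len(body)) + body            # 802.1X v2, EAPOL-Key


def eapol_mic(kck, frame):
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with MIC zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_msg2(frame, kck):
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_handshake(passphrase, ssid, aa, spa, anonce, msg2):
    """What a decrypting sniffer does: rebuild the PTK from the PSK plus the
    captured handshake and check message 2's MIC with the KCK. Without the
    handshake frames there is no ANonce/SNonce, hence no PTK and no decryption."""
    snonce = msg2[17:49]
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def demo():
    """Client side signs message 2 with the real passphrase; sniffer side
    verifies with the right passphrase, then with one differing only in case."""
    pmk = pmk_from_passphrase("password", "IEEE")
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    msg2 = sign_msg2(build_eapol_msg2(SNONCE, 1, RSN_IE), kck)
    return {
        "pmk": pmk.hex(),
        "right_passphrase": verify_handshake("password", "IEEE", AP_MAC, STA_MAC, ANONCE, msg2),
        "wrong_case": verify_handshake("Password", "IEEE", AP_MAC, STA_MAC, ANONCE, msg2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The pmk value printed by demo() is exactly the 64-hex-character string you would paste into a "wpa-psk" entry for SSID "IEEE"; the same passphrase with another SSID gives a completely different key, and a passphrase that differs only in case fails the MIC check, which is what Wireshark silently runs into when it shows EAPOL frames but never any decrypted payload.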

I tested this on both Kali Linux and Ubuntu 13.04.

Obviously: only use these tools against a network that you are authorized to assess!

2 comments:

  1. Thanks. Was ready to invoke Satan. All I'm getting in Wireshark (even with the key entered correctly) is 802.11, LLC, etc. I'm using an Intel 1030 wireless card and in the past I have captured TCP, UDP, HTTP etc. just fine... But something happened. I upgraded Kali to 2.0, and bang, I couldn't do anything. So I went to a live USB of Parrot, which worked better in configuring airmon... But still not capturing anything but 802.11, LLC, etc. Would this be fixed by finding old 1030 drivers?
