Decrypt Realcapture WPA2 Traffic

  • Question
  • Updated 3 years ago
  • Answered
Hi Guys, today I captured traffic from Accesspoint#A with the Realcapture feature from the radios of two neighbouring APs on the same channel. My plan is to decrypt the traffic of a specific client that used a WPA2-PSK.

So far I have not been able to decrypt the traffic. I tried it with the WPA-PWD and WPA-PSK options in Wireshark and different options related to the Protection Bit and FCS.

I'm not sure if I missed a specific option or if this problem is related to Wireshark. The first packet of the EAPOL handshake was retransmitted; maybe this is a problem for Wireshark.

Any advice would be appreciated.

Thanks in advance
Tony

Posted 3 years ago

Taykin Izzet , Employee

Tony, to decrypt WPA2 traffic in Wireshark, the 'Enable decryption' option needs to be checked and 'Ignore the Protection bit' should be set to No. Please try with these settings. Also edit the 'Decryption Keys' section and add your PSK by clicking 'New'. You also have to select the key type 'wpa-pwd' when you enter the PSK in plaintext.

Though all 4 handshake messages are essential in the capture for decryption to work, it might be worth recapturing prior to placing the device to sleep and having it re-join as it awakes, avoiding the retransmit for message 1.
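As an added example (not code from this thread or from Wireshark), the following Python check answers the question the settings alone cannot: does the passphrase/SSID you typed into 'wpa-pwd' actually reproduce the MIC carried in handshake message 2? It performs the same derivation Wireshark does for WPA2/CCMP (PBKDF2 to the PMK, PRF-512 to the PTK, HMAC-SHA1 MIC with key descriptor version 2); it assumes you have pulled the AP and client MACs, ANonce, SNonce and the raw EAPOL-Key message 2 bytes out of the capture, and every value inside demo() is constructed, not from any real capture.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr 4 + descriptor 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce, length=48):
    """PRF-512 from IEEE 802.11 (12.7.1.2); CCMP uses 48 bytes = KCK | KEK | TK."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) \
        + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((length + 19) // 20):  # 20-byte SHA-1 output blocks
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def eapol_mic(kck, eapol_frame):
    """Descriptor version 2 MIC (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(passphrase, ssid, ap_mac, client_mac, anonce, snonce, msg2):
    """True if the PSK derived from passphrase/SSID reproduces the MIC carried in message 2."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def demo():
    """Constructed handshake values (not from any real capture); returns (match, mismatch)."""
    ssid, passphrase = "TestLab", "correct horse battery"
    ap_mac, client_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # Minimal EAPOL-Key message 2 body (95 bytes, empty key data), MIC zeroed for now.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    msg2 = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(ptk[:16], msg2) + msg2[MIC_OFFSET + 16:]  # supplicant's MIC
    good = passphrase_matches(passphrase, ssid, ap_mac, client_mac, anonce, snonce, msg2)
    bad = passphrase_matches("wrong passphrase", ssid, ap_mac, client_mac, anonce, snonce, msg2)
    return good, bad
```

If the check fails on a real capture, the problem is the key material or an incomplete handshake (for example only the retransmitted message 1 was seen), not a Wireshark option; WPA-TKIP captures use descriptor version 1 (HMAC-MD5) and are not covered by this check.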
Tony

Hi and thank you for the feedback!
I've tried these options but the decryption was not successful. I will try to capture another 4-way handshake.
Taykin Izzet , Employee

Tony, you may already be aware but Wireshark does have a good HowToDecrypt802.11 page showing the steps, settings, and a sample WPA/WPA2 Induction capture.
Gareth Mitchell, Extreme Escalation Support Engineer

Tony

If you took the trace on the AP concerned, rather than another AP, then the decrypt has already happened, but Wireshark cannot decode it, so you'll need to look at the hex output yourself. Sometimes having a wired trace of the same traffic can help you find some key to look for on the wireless side.

Alternatively use another AP to take the capture which would be a native wireless trace and the decrypt should work as you previously discussed.

I hope this helps.

Regards

-Gareth
James A, Ambassador

Wireshark can be told to de-encapsulate the traffic so you don't have to dig through the hex manually, but you need to set "Ignore the Protection bit" to "Yes - with IV" so it knows it's already decrypted.
Gareth Mitchell, Extreme Escalation Support Engineer

Nice, thanks!