There is no entry format for ID/Password when trying to decrypt using WPA2-Enterprise. Use the type:

wpa-psk

and then paste the PMK into Wireshark. This would not be derived from the user/password, but rather is the keying material that is generated after authentication takes place. You will most likely have to get this from one of several places:

  1. RADIUS server, perhaps in debug mode (e.g. can try freeradius -X and see if keys are shown)
  2. Capture wired RADIUS traffic between the WiFi system and the RADIUS server, then decrypt and extract (need the RADIUS shared secret)
  3. From the WiFi system (would depend on what system you have, and in many cases would not be possible)
  4. From some type of client debug where you can dump the PMK (wpa_supplicant can do this in debug mode with -K)
  5. Capture the EAPOL TLS tunnel traffic (assuming, for instance, the user/password is used with an EAP method that uses TLS, such as PEAP or TTLS) and try to decrypt the TLS tunnel traffic which contains the PMK. Hope (or force) that DHE is not used for key exchange, and you need access to the server private key.

With the PMK (which will likely be different for each client, each time the client does a full re-authentication) and the 4-way EAPOL handshake, you could then decrypt 802.11 traffic. Watch out, though, for session timeouts on certain platforms: the subsequent EAPOL exchange after the first may be encrypted, so it's a daisy-chain type effect: you need to decrypt the first, then with that you can decrypt the second, and with that key set you can decrypt the third, etc. Lose any critical information along the way and the chain breaks, and decryption ceases to be possible until a full, unencrypted authentication takes place.

This is difficult work, but not impossible with the right access.
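As an added illustration of what Wireshark does with the pasted PMK (example code written for this page, not part of the answer above or of Wireshark itself): the script below derives the CCMP PTK from a PMK plus the AP/client MACs and the two nonces from the 4-way handshake, builds an EAPOL-Key message 2 and checks its MIC, which is the test that tells you whether a candidate PMK belongs to a given handshake. It also shows, for contrast, the PBKDF2 step that produces the PMK in WPA2-Personal; in WPA2-Enterprise that step does not exist, the EAP method hands the PMK down, which is why you supply the raw 32-byte key. All MAC addresses, nonces and the PMK are constructed test data, not from a real capture; the only real reference value is the IEEE 802.11 "password"/"IEEE" PSK test vector.

```python
"""WPA2 PTK derivation and EAPOL-Key MIC check (stdlib only)."""
import hashlib
import hmac
import struct

# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2) + replay
# counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81 bytes before the MIC.
EAPOL_MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal only: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    WPA2-Enterprise has no such step; the EAP method delivers the PMK directly."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(pmk: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(PMK, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """384-bit CCMP PTK from the PMK and the handshake values. Inputs are ordered by byte
    value, so it does not matter which side's MAC or nonce you pass first.
    Returns (KCK, KEK, TK), 16 bytes each; TK is what decrypts the data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_eapol_key_msg2(snonce, replay_counter, key_data=b""):
    """EAPOL-Key frame as the supplicant sends it in message 2: 802.1X header (version 2,
    type 3 = EAPOL-Key) then an RSN key descriptor (type 2). Key Info 0x010a = descriptor
    version 2 (HMAC-SHA1-128 MIC), pairwise, MIC bit set. The MIC field is left zeroed."""
    body = (bytes([2]) + struct.pack("!HHQ", 0x010a, 16, replay_counter)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # Key IV, Key RSC, Key ID
            + b"\x00" * 16                                         # MIC placeholder
            + struct.pack("!H", len(key_data)) + key_data)         # constructed: no RSN IE
    return bytes([2, 3]) + struct.pack("!H", len(body)) + body


def compute_mic(kck, eapol):
    """MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed), truncated to 128 bits."""
    zeroed = eapol[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck, eapol):
    return eapol[:EAPOL_MIC_OFFSET] + compute_mic(kck, eapol) + eapol[EAPOL_MIC_OFFSET + 16:]


def verify_handshake(pmk, aa, spa, anonce, snonce, eapol_msg2):
    """True if this PMK reproduces the MIC on message 2, i.e. it is the PMK for this session."""
    kck, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    expected = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(compute_mic(kck, eapol_msg2), expected)


# Constructed test data (not from any real capture): a PMK as a RADIUS server or
# wpa_supplicant -K would show it, an AP MAC, a client MAC and the two handshake nonces.
PMK = bytes.fromhex("0123456789abcdef" * 4)
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo():
    kck, kek, tk = derive_ptk(PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    msg2 = sign_eapol(kck, build_eapol_key_msg2(SNONCE, replay_counter=1))
    return {
        "tk": tk.hex(),
        "mic_ok": verify_handshake(PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, msg2),
        "wrong_pmk_ok": verify_handshake(bytes(32), AP_MAC, CLIENT_MAC, ANONCE, SNONCE, msg2),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as-is and `mic_ok` is True while `wrong_pmk_ok` is False; the same check over a real handshake tells you whether the PMK you pulled from the RADIUS server or client debug output is the one for that association before you spend time on the data frames.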