Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2021-05-11 10:19:26 +0000

Bob Jones gravatar image

Assuming this is the 802.11 WPA2 handshake for wireless data protection, then yes, previously captured crypto materials can be used in Wireshark. What you can do is export those four frames and then merge them into the new capture file that you want to decrypt. Under File --> Merge is one way to do it and there are command line options like mergecap.

Note that you can always export frames and merge into other files but whether they will continue to work to decrypt depends on the state of the session. There are a number of cases that could force this not to work; the closer in time you are from when the EAPOL frame are actually captured to when you want to use them, the more success you are likely to have. Some reasons why they might not work:

  1. Using WPA2-Enteprise or WPA3, in which case the 4-way is not sufficient to recover the keying material
  2. The STA roams to a new AP - this will trigger a new 4-way handshake so the previous one is no longer valid
  3. Session timeout occurs from either STA or AP so re-keying is initiated. The rekey operation could be unprotected (usually see disassociation and/or deauth frame(s) first), or could be done using protected (i.e. encrypted) frames.
  4. Group traffic is handled by a separate key from the unicast key, and can be rotated independent of unicast key. So the 4-way you captured could enable continued unicast decryption but if a group rekey occurs, and you miss it, group traffic will not decrypt. This may or may not be important to your problem.

There are likely other scenarios that can lead to problems but to summarize: exporting then merging the 4-way EAPOL handshake can, and often is, effective under the right conditions.