Revision history

initial version
If you can manage to get access to the PMK, decryption of a WPA3-SAE data file can be done via tshark like this:

/usr/bin/tshark -nr file.pcapng -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-psk\",\"3db063d481425de62496bf74243f3c4c72d4a4ed0010006d171a85c811bbe2ea\"" -Y "wlan.fc.type_subtype in {0x20 0x28}"

Where we have the following:

  • file.pcapng : the capture file that contains the 4-way EAPOL handshake and the data to decrypt.
  • wpa-psk: use the connection PMK to decrypt
  • 3db063d...ea : this is the PMK value derived from the SAE operation - this should be difficult to get and will likely have to come from either the wireless client or the AP itself.
  • wlan.fc.type_subtype in {0x20 0x28}: filter to display only data/QOS data frames as these are the ones that would be decrypted (not needed).

Notice that this is not as simple as with WPA2-Personal, where the SSID and passphrase are all that is needed to derive the PMK for subsequent decryption of the data stream (with the 4-way EAPOL handshake, of course). The PMK is now derived per-connection, which significantly improves security. I know of no generalized method to access the PMK for these types of connections. In fact, in most cases, this data will not be available for use in this manner. One such method is use of wpa_supplicant in debug mode, which has an option to dump keys; the key material for THIS client, for THIS connection, would be present. Likewise, hostapd has an option to dump key material as well as part of its debug configuration for associated clients.
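The contrast the answer draws can be made concrete in code. The following is an added example, not part of the answer above and not Wireshark's own code: it derives a WPA2-Personal PMK from SSID and passphrase with the standard PBKDF2-HMAC-SHA1 construction (4096 iterations, 32 bytes, as specified in IEEE 802.11i), which is why a passphrase is enough for WPA2 decryption, and it builds the same tshark argument vector as the command in the answer from a PMK that was obtained out of band (for WPA3-SAE, from the client or AP debug output). The function names `wpa2_pmk`, `tshark_key_option` and `tshark_decrypt_argv` are my own; the PMK value is the one from the answer.

```python
"""Added example (not from the original answer or from Wireshark).

- wpa2_pmk: the WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1), showing
  why SSID + passphrase suffices there.
- tshark_key_option / tshark_decrypt_argv: build the tshark invocation
  from the answer, given a PMK supplied from outside (the WPA3-SAE case).
"""
import hashlib
import re
import shlex

# WPA2-Personal: PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
def wpa2_pmk(passphrase: str, ssid: str) -> str:
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return pmk.hex()


# A raw PMK is 32 bytes, i.e. exactly 64 hex characters.
_PMK_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def tshark_key_option(pmk_hex: str) -> str:
    """Value for tshark's -o flag that registers a raw PMK of type 'wpa-psk'
    in the 80211_keys UAT (same entry as in the answer's command line)."""
    if not _PMK_HEX.match(pmk_hex):
        raise ValueError("PMK must be 32 bytes given as 64 hex characters")
    return 'uat:80211_keys:"wpa-psk","%s"' % pmk_hex.lower()


def tshark_decrypt_argv(capture: str, pmk_hex: str) -> list:
    """Argument vector equivalent to the command in the answer: enable
    802.11 decryption, register the PMK, show only data / QoS-data frames."""
    return [
        "tshark", "-nr", capture,
        "-o", "wlan.enable_decryption:TRUE",
        "-o", tshark_key_option(pmk_hex),
        "-Y", "wlan.fc.type_subtype in {0x20 0x28}",
    ]


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("WPA2 PMK:", wpa2_pmk("password", "IEEE"))
    # PMK value taken from the answer above (WPA3-SAE, obtained out of band).
    sae_pmk = "3db063d481425de62496bf74243f3c4c72d4a4ed0010006d171a85c811bbe2ea"
    # shlex.join applies the shell quoting the UAT string needs.
    print(shlex.join(tshark_decrypt_argv("file.pcapng", sae_pmk)))
```

`shlex.join` (Python 3.8+) reproduces the quoting that makes the `uat:80211_keys` argument survive the shell; running the printed line against a capture that contains the 4-way EAPOL handshake is what the answer describes. The length check on the PMK catches the common mistake of pasting a PTK or a truncated debug-log value instead of the 32-byte PMK.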