Ask Your Question
0

Can't decrypt WPA-PSK (WPA/WPA2) even with passphrase and EAPOL Handshake

asked 2018-02-12 02:01:21 +0000

mgojohn gravatar image

updated 2018-02-12 02:01:58 +0000

Using the same method, I've been able to decrypt monitor mode captures from some networks, but not others. What can cause this and is it possible to work around these cause(s)?

I have successfully decrypted multiple captures from network A. I've decrypted them by providing the PSK (either in the 256-bit variety, generated here or the raw password).

However, when I try the same thing using captures from network B, I'm unable to see anything higher level than 802.11. In this later case I have captured the EAPOL handshake and definitely provided the correct passcode

What else can I do to decrypt (or to debug?).

I am using Wireshark 2.4.4 on OS X High Sierra.

edit retag flag offensive close merge delete

Comments

I have similar problem, although I didn't manage to decrypt any wpa/wpa2 traffic so far in wireshark. Same as above it don't let me go beyond 802.11 level and I'm 100% sure in key and its format. All FCSs are good or workable states.

To crack cap file I use airdecap-ng from aircrack-ng suite and then re-upload them back in wireshark. But this is very annoyingly slow and I want to decrypt on the fly.

Anyone can help to fix this issue?

tutti-fruity gravatar imagetutti-fruity ( 2018-04-04 07:30:41 +0000 )edit

This isn't an answer, but I can't move it to a comment. You might try providing a sample trace with appropriate SSID/passphrase so we could attempt to figure out what might be the problem.

Bob Jones gravatar imageBob Jones ( 2018-04-04 10:24:35 +0000 )edit

Bob, my bad, I moved it. Don't think it is great idea to post live traffic for open use.

tutti-fruity gravatar imagetutti-fruity ( 2018-04-04 12:03:49 +0000 )edit

It seems it solved itself out after I updated Wireshark to newest stable version.

tutti-fruity gravatar imagetutti-fruity ( 2018-04-04 14:37:59 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-02-12 10:43:46 +0000

Bob Jones gravatar image

updated 2018-02-12 10:45:02 +0000

Some other tools for decryption of wireless traffic:

Make sure all your frames are valid, i.e. just because you see that you have all four EAPOL frames, does not mean that the FCS is good for each of them.

You could also post a sample trace that is showing the issue and others could attempt the process.

edit flag offensive delete link more

Comments

Near as I can tell, all 4 have a good FCS (at least, it says FCS Status: Good under IEE 802.11 QoS Data, Flags.

I'll post a capture (editing the question), but don't have it handy at the moment.

mgojohn gravatar imagemgojohn ( 2018-02-13 04:40:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-02-12 02:01:21 +0000

Seen: 442 times

Last updated: Apr 04