Ask Your Question
0

reuse EAPOL from another capture session

asked 2021-05-11 08:09:27 +0000

I have succesfully intercepted all 4 eapol frames and the traffic from my device is decrypted. Is there a way to use the EAPOL frame in a stored wireshark capture in an new session, so that i do not have to "wait for" new EAPOL traffic to be captured ? or is the first step always to intercept fresh eapol frames before continuing the analysis ?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-05-11 10:19:26 +0000

Bob Jones gravatar image

Assuming this is the 802.11 WPA2 handshake for wireless data protection, then yes, previously captured crypto materials can be used in Wireshark. What you can do is export those four frames and then merge them into the new capture file that you want to decrypt. Under File --> Merge is one way to do it and there are command line options like mergecap.

Note that you can always export frames and merge into other files but whether they will continue to work to decrypt depends on the state of the session. There are a number of cases that could force this not to work; the closer in time you are from when the EAPOL frame are actually captured to when you want to use them, the more success you are likely to have. Some reasons why they might not work:

  1. Using WPA2-Enteprise or WPA3, in which case the 4-way is not sufficient to recover the keying material
  2. The STA roams to a new AP - this will trigger a new 4-way handshake so the previous one is no longer valid
  3. Session timeout occurs from either STA or AP so re-keying is initiated. The rekey operation could be unprotected (usually see disassociation and/or deauth frame(s) first), or could be done using protected (i.e. encrypted) frames.
  4. Group traffic is handled by a separate key from the unicast key, and can be rotated independent of unicast key. So the 4-way you captured could enable continued unicast decryption but if a group rekey occurs, and you miss it, group traffic will not decrypt. This may or may not be important to your problem.

There are likely other scenarios that can lead to problems but to summarize: exporting then merging the 4-way EAPOL handshake can, and often is, effective under the right conditions.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-05-11 08:09:27 +0000

Seen: 855 times

Last updated: May 11 '21