Ask Your Question
0

tshark: How to decode 802.11 capture with temporal key

asked 2022-09-30 08:50:12 +0000

Oposum gravatar image

updated 2022-10-01 21:05:54 +0000

I am used to the "802.11 wireless toolbar" in Wireshark adding a proper "tk" (temporal key, aquired from the AP). But how do you do this with tshark? I adapted the following command, similar according to [0] and [1]:

/usr/bin/tshark -r testcase.pcap -w testcase_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"2b59161a0555ab87bd58338df107e5c2\""

The decrypted PCAP itself seems to be bigger regarding it's filesize, but is still not decrypted using the mentioned command. Decryption is working, when applying the TK in Wireshark though.

TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with
GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.12, with libsmi 0.4.8.

Running on Linux 5.14.0-1045-oem, with Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz
(with SSE4.2), with 7661 MB of physical memory, with GLib 2.72.1, with zlib
1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with GnuTLS
3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with LZ4
1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary
plugins supported (0 loaded).

[0] https://tshark.dev/packetcraft/add_co... [1] https://osqa-ask.wireshark.org/questi...

edit retag flag offensive close merge delete

Comments

Omnipeek will decrypt 802.11 traffic and export the decrypted packets to a file. I don't think it will accept a tk, though, only WPA2 ssid/passphrase or the WPA2 psk, generated from ssid/passphrase.

The aircrack-ng suite of tools has something to decrypt and save packets to a file, too, but IIRC, it only does dot11 unicast traffic. I don't think this will take a tk, either.

Bob Jones gravatar imageBob Jones ( 2022-09-30 17:53:26 +0000 )edit

Thanks. But Omnipeek won't help me.

I am working on a self written CLI test automation, which relies on tshark already heavly. I've focused on the tk, because it's the easiest for me: you do not need to capture the 4-way handshake for decryption. I haven't thought about aircrack-ng yet, however I need all wireless packets and not only unicast ones ....

I mean, Wireshark itself is capable of decryption with a tk - but how? :D

Oposum gravatar imageOposum ( 2022-09-30 18:32:27 +0000 )edit

Is the problem that you can't get tshark to decrypt with a tk or you can't get the decrypted packets saved to a file?

Bob Jones gravatar imageBob Jones ( 2022-10-01 17:53:56 +0000 )edit

Both. First I need tshark to decrypt all the according packets using the temporal key and store the whole packet flow incl. the decrypted ones (no need for the unencrypted ones) in a new PCAP file. This file will then then be parsed via tshark again to search for certain wireless frames (e.g. I am looking for a certain protected management frame, like an 802.11 Action frame, which includes a "SA Query"). Without decryption this SA Query can not be "seen".

Oposum gravatar imageOposum ( 2022-10-01 18:35:43 +0000 )edit

Decryption works with tshark so I see your issue is capturing the decrypted/decoded output as pcap format for subsequent analysis. Does it have to be pcap format for follow-on analysis? It is convenient to use same tool again, but as a work around, maybe consider json output? The -T json format saves decrypted/decoded values and then use another cli tool such as jq, python, etc., to filter or otherwise manage. Using your example for SA Query, I export some packets:

cat saquery.json | jq '.[]._source.layers | {pkt: .frame."frame.number", dot11type: .wlan."wlan.fc.type_subtype", tk: .wlan."CCMP parameters"."wlan.analysis.tk",mgmt:  ."wlan.mgt"}'
{
  "pkt": "1",
  "dot11type": "13",
  "tk": "1cd10b8f713e85a155c822b518369190",
  "mgmt": {
    "Fixed parameters": {
      "wlan.fixed.category_code": "8",
      "wlan.fixed.action_code": "0",
      "wlan.fixed.transaction_id": "0x0000d43e"
    }
  }
}
{
  "pkt": "2",
  "dot11type": "13",
  "tk": "1cd10b8f713e85a155c822b518369190",
  "mgmt": {
    "Fixed parameters": {
      "wlan.fixed.category_code": "8",
      "wlan.fixed.action_code": "1",
      "wlan.fixed.transaction_id": "0x0000d43e"
    }
  }
}
Bob Jones gravatar imageBob Jones ( 2022-10-02 13:37:03 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2022-09-30 14:28:29 +0000

Chuckc gravatar image

-w testcase_decrypted.pcap

Wireshark does not save decrypted capture files:
TLS\SSL pcap with key - save decrypted output to pcap file without the attach key

Notes:

tshark -r your.pcap '-ouat:rsa_keys:"/path/to/key.file",""'
edit flag offensive delete link more

Comments

"Wireshark does not save decrypted capture files:" Thanks, but, hm - I am talking about tshark not Wireshark :) And what's the "-w" option then for? Have you had a look at (https://tshark.dev/packetcraft/add_co...) - there it is also used exactly like this?!

According to (https://www.wireshark.org/docs/man-pa...):

If the -w option is specified when capturing packets or reading from a capture file, TShark does not display packets on the standard output. Instead, it writes the packets to a capture file with the name specified by the -w option.

If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do not use the -w option).

The single quotes are not helping either - but you've got me to drop the "-w" option at least, which gives me an error ...(more)

Oposum gravatar imageOposum ( 2022-09-30 18:10:57 +0000 )edit

Can you update the questions without output of tshark -v.

Here is output for TShark (Wireshark) 4.0.0rc2 (v4.0.0rc2-0-g0d976e7a44e9):
WSL(ubuntu):

$ tshark.exe -r ./amsdu-tc.pcapng  -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"9c28786e24b34b22bbfffa6a7966723e\""
    1 0.000000000 192.168.8.126 192.168.8.128 TCP 3207 Not set,Not set,Not set 0xaa94 (43668),0x2a81 (
10881),0x2a82 (10882) 0,0,0   targus-getdata1(5201) → 50169 [PSH, ACK] Seq=1449 Ack=1 Win=509 Len=1448
 TSval=52356315 TSecr=174531

Windows 10:

C:\ tshark.exe -r ./amsdu-tc.pcapng  -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"9c28786e24b34b22bbfffa6a7966723e\""
    1 0.000000000 192.168.8.126 192.168.8.128 TCP 3207 Not set,Not set,Not set 0xaa94 (43668),0x2a81 (10881),0x2a82 (10882) 0,0,0   targus-getdata1(5201) → 50169 [PSH, ACK] Seq=1449 Ack=1 Win=509 Len=1448 TSval=52356315 TSecr=174531
Chuckc gravatar imageChuckc ( 2022-09-30 18:23:52 +0000 )edit

The comments below the article you linked indicate that tshark does not write a decrypted capture file.

tshark does provide -U and --export-objects options for Exporting PDUs.

Chuckc gravatar imageChuckc ( 2022-09-30 18:31:14 +0000 )edit

Hey Chuckc, thanks! Probably I only read what I wanted to read... But you're right about the comments.

Since it's the weekend here now and I don't have access to the PC right now, I won't be able to post the tshark version (as well as give the -U option a try) until early next week. But it seems like I need to update my tshark version, according to your previous posted output.

Oposum gravatar imageOposum ( 2022-09-30 19:06:19 +0000 )edit

4.0.0rc2 is pre-release 4.0 so no need to go that new. The upgrade options will depend on the system OS.
https://www.wireshark.org/#download

Chuckc gravatar imageChuckc ( 2022-09-30 19:11:18 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-09-30 08:50:12 +0000

Seen: 1,050 times

Last updated: Oct 01 '22