decoding EAPOL Message 3 WPA Key Data

eapol

asked 2024-05-28 13:38:16 +0000

updated 2024-05-28 13:47:42 +0000

Hello,

I have 802.11 EAPOL 4 way handshake capture and am trying to decode M3 message WPA Key Data. But Wireshark only shows it as raw data(hex dump) as truncated instead of decoding it as for example vendor specific tagged field like KDE field.

Example image can be found in below link https://www.dropbox.com/scl/fi/rufk6p...

My question is how can I decode this M3 WPA Key data correctly like for example as various KDE fields( Mac Address KDE, MLO GTK KDE, MLO Link KDE etc.)

Much appreciate help

edit retag flag offensive close merge delete

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2024-05-28 15:25:36 +0000

Bob Jones
1496 ●2 ●179 ●22 Boston, MA

Key Data in message 3 is encrypted. From your screenshot, you only show Message 3, where as you would need all four EAPOL messages to decrypt in Wireshark. If you collect all four EAPOL messages, and enter the WPA2-Personal key (or enter the keying material as needed to decrypt otherwise), do you see the key data available?

edit flag offensive delete link

Comments

Thanks a lot and that was it. Always know it gets encrypted but didn't think of it and trying to decrypt it with PMK. Just record for others, I did EAPOL 4 way handshake and captured PMK fron hostapd log. Then in Wireshark > Preference > Protocol > IEEE 802.11, added PMK from hostapd log and was able to decode EAPOL M3 WPA Key Data.

iinzoolee ( 2024-05-28 17:30:24 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-05-28 13:38:16 +0000

Seen: 366 times

Last updated: May 28

decoding EAPOL Message 3 WPA Key Data edit