WiFi7/WPA3 pkts cannot be decrypted with PMK

asked 2024-08-26 02:37:04 +0000

Hello, I have a WiFi7 AP and STA. I've captured the full association packets for a single 6 GHz link, including EAPOL, and the PMK from the hostapd/wpa_supplicant logs. But when I tried to decrypt the pkts with the PMK, I'm not able to decrypt them. The EAPOL M3 message is still encrypted and I cannot see the DHCP and Ping pkts which I triggered after the 6 GHz association. (Note: I'm able to decrypt 5 GHz WPA2-encrypted pkts OK, for example.)

I'm using Wireshark 4.2.6 (Git commit fca52ffc018f), which I downloaded/compiled manually. I've posted the full pkt captures along with the PMK from hostapd/wpa_supplicant. (There is only one EAPOL 4-way handshake in the pkt capture, and the STA MAC address has de:ac.)

https://www.dropbox.com/scl/fo/hhmfpg...

1 Answer

answered 2024-08-26 11:48:59 +0000

Bob Jones

updated 2024-08-26 11:52:33 +0000

Seems Wireshark does not know about the AKM (display filter: frame.number == 3389):

    ** (wireshark:24764) 07:36:48.903972 [(none) WARNING] C:\bld\workspace\ATT_Git_wireshark_master\binaries_1\wireshark_src\epan\crypt\dot11decrypt.c:2376 -- Dot11DecryptGetKckLen(): Unknown akm

The AKM in use here is 24 (see RSN Information):

    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (GROUP-DEPEND)
        Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) SAE (GROUP-DEPEND)
            Auth Key Management (AKM) OUI: 00:0f:ac (Ieee 802.11)
            Auth Key Management (AKM) type: SAE (GROUP-DEPEND) (24)

Per 802.11-2020 Table 9-151—AKM suite selectors, values 21-255 are Reserved. But AKM:24 is defined in the WPA3 document from the Wi-Fi Alliance (https://www.wi-fi.org/system/files/WP...). Per the latest source code in GitLab, Wireshark only interprets up to AKM:18.

I didn't see an open enhancement request for this in gitlab, so maybe file one? https://gitlab.com/wireshark/wireshark/-/issues

Comments

Thank you very much. Really appreciate and will open enhancement request.

inzoolee (2024-08-26 14:01:58 +0000)
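
As an added illustration (not part of the original answer and not Wireshark's code), this Python check pulls the AKM suite list out of a raw RSN element and flags selectors above 18, the highest AKM the answer says Wireshark interprets. The sample element bytes, the function names and the small name table are constructed for this example.

```python
import struct

RSN_ELEMENT_ID = 48                      # element ID of the RSN element
IEEE_OUI = "00:0f:ac"
MAX_KNOWN_AKM = 18                       # assumption: limit quoted in the answer above
# Names for a few IEEE selectors; 24 is labelled as in the dissection above.
AKM_NAMES = {2: "PSK", 8: "SAE", 18: "OWE", 24: "SAE (GROUP-DEPEND)"}

# Constructed sample RSN element (not taken from the poster's capture):
# version 1, one group and one pairwise cipher, AKMs 8 and 24, capabilities.
SAMPLE_RSNE = bytes.fromhex(
    "3018" "0100" "000fac09" "0100" "000fac09"
    "0200" "000fac08" "000fac18" "c000")

def _u16(body, pos):
    """Read a little-endian 16-bit count, rejecting a short element."""
    if pos + 2 > len(body):
        raise ValueError("RSN element ends before the AKM list")
    return struct.unpack_from("<H", body, pos)[0]

def parse_rsn_akms(element):
    """Return [(oui, akm_type), ...] from a raw RSN element (ID, length, body)."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated RSN element")
    pos = 2 + 4                           # skip version and group cipher suite
    pos += 2 + 4 * _u16(body, pos)        # skip pairwise cipher suite list
    count = _u16(body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("AKM list overruns the element")
    return [(body[i:i + 3].hex(":"), body[i + 3])
            for i in range(pos, pos + 4 * count, 4)]

def akm_report(element):
    """Return [(akm_type, name, within_known_range), ...] for each listed AKM."""
    report = []
    for oui, akm in parse_rsn_akms(element):
        ieee = oui == IEEE_OUI
        name = AKM_NAMES.get(akm, "unnamed here") if ieee else "vendor " + oui
        report.append((akm, name, ieee and akm <= MAX_KNOWN_AKM))
    return report

if __name__ == "__main__":
    for akm, name, known in akm_report(SAMPLE_RSNE):
        print(f"AKM {akm:3d} {name:20s} {'ok' if known else 'beyond AKM 18'}")
```

Feed it the RSN element bytes from the association request or beacon; an AKM reported as beyond the known range matches the "Unknown akm" warning quoted in the answer.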
