Ask Your Question
0

How to turn on 'monitor mode' and decrypt 802.11?

asked 2019-04-22 14:06:54 +0000

Sniffer gravatar image

updated 2019-04-22 18:23:31 +0000

Hello,

I'm a total packet sniffing newbie. I've read most of the relevant wiki pages on setting up the 4-way handshake that's required (password:SSID in IEEE 802.11 settings) to decrypt 802.11 packets but I can't see any such handshake taking place. I have not been able to find any of the reported "monitor mode" settings. I have a whole slew of packets captured that are encrypted that I'd like to see the contents of.

I'm running macOS Mojave 10.14.3 on an intel iMac circa 2014. My wireless router (en0) is an Airport Extreme circa about 2010.

For the sake of argument, my WiFi password is "password" and the network name is "My Home Network" with spaces and all (not sure if spaces are allowed in the wpa-pwd key settings). I entered "password:My Home Network" and clicked ok, but I can't see any decrypted http packets or anything noticeably different. I definitely don't see the 4-way handshake happening in the capture.

Furthermore I'm wanting to capture packets sent to and from a specific Mac device with the address 36:56:9C:4D:4C:5C across the span of an entire day. Any way to limit captures to only that device would be helpful as I'd like to keep the file size down.

Any ideas what settings I may be missing or have screwed up?

What info am I leaving out? Sorry for my novice-ness, and thanks in advance!

edit retag flag offensive close merge delete

Comments

Sorry. Is this a dumb question or is there not enough info to warrant a response? I'm hoping for someone to help me troubleshoot the reason I can't get monitor mode running to see unencrypted packet data on my own network.

Sniffer gravatar imageSniffer ( 2019-04-22 20:22:18 +0000 )edit

Can I suggest this tool for a mac:

https://www.adriangranados.com/apps/airtool

You say that you have packets captured but don't know how to set monitor mode... so without seeing what they are, we don't know what the problem is. You may have 802.11 frames already; you may not. If not, you likely won't see the EAPOL frames and decryption is not useful anyway.

So start from the basics - try that tool; post a capture so we know what you are getting and can then guide you. There are techniques to force devices to generate EAPOL key frames: remove it from the AP either at the AP or just reboot the device (or AP). But no point in doing this until you are in position to capture them.

Suggestion: Don't worry about long term capture until you get the short term capture sorted ...(more)

Bob Jones gravatar imageBob Jones ( 2019-04-23 22:00:18 +0000 )edit

I've read most of the relevant wiki pages on setting up the 4-way handshake that's required (password:SSID in IEEE 802.11 settings) to decrypt 802.11 packets but I can't see any such handshake taking place.

You'll only see the handshake if it takes place while you're capturing. As the Wireshark Wiki page on decrypting 802.11 says, "In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress." "The machine" here refers to the machine whose traffic you're trying to capture (not to the machine running Wireshark). Did you try that?

Guy Harris gravatar imageGuy Harris ( 2019-04-23 22:41:47 +0000 )edit

Thanks for the replies! I captured a bunch of packets via wireshark and have posted the .pcap file here. I ran this capture on my iMac, and I re-joined the en0 network on my iphone to try and see the 4-way handshake during the capture but I don't see it. Maybe I'm misunderstanding how I'm supposed to re-join the network.

Sniffer gravatar imageSniffer ( 2019-04-26 20:42:48 +0000 )edit

With the trace we can tell that you are capturing traffic in monitor + promiscuous mode; this is a good start. I see eapol frames - try this display filter:

eapol

Frames 549,555, 557, and 559 are for an apple device with an apple BSSID; both are consistent with your comments that it's an iphone and the AP is an apple airport. If you want to try decryption, now that you have the eapol frames, it should work. Note that the SSID contains spaces, so not sure how they will work if you just enter that into the passphrase/SSID field; you may need to precompute the PMK via a site such as

https://www.wireshark.org/tools/wpa-psk.html

Bob Jones gravatar imageBob Jones ( 2019-04-26 22:27:59 +0000 )edit

1 Answer

Sort by » oldest newest most voted
1

answered 2019-04-27 14:34:17 +0000

Bob Jones gravatar image

The sample file works - decrypts right away. Here are my settings that work (picture at the end); perhaps you changed some settings? Some minor issues I have run across trying to decrypt:

  1. Sometimes you have to reload the capture file after entering all the passphrase information
  2. On rare occasion, entering the passphrase and SSID does not work- have to enter the PMK directly (not the case with sample trace here)
  3. If there are multiple eapol handshakes in the trace from several devices, all streams might not be decrypted. Not the case with the sample or your trace, but easy workaround by filtering on specific hosts and then it works.

There are other tools that can decrypt too (Omnipeek, Aircrack-ng suite, etc), but you need to get the sample file to work as it is known good. Here are my setting that work for the sample file: (/upfiles/15563753908236957.png)image description

Decrypted data sample: image description

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-04-22 14:06:54 +0000

Seen: 15,140 times

Last updated: Apr 27 '19