Ask Your Question
0

Need help with 802.11 decryption and monitor mode!

asked 2019-05-04 10:04:38 +0000

Hi there,

i'm very new in this topic. I have a WLan with WPA2-PSK decryption. My idea was to switch my TP-Link TL-WN722N into monitor mode and sniff the packets. My problem is that I put in the pre-shared-key (created with www.wireshark.org/tools/wpa-psk.html) in the preferences, but it did not decrypt the traffic. Also when I want to change the mode into monitor mode, I have to kill the network-manager, which is bad, because I lose the connection to my WLan. Knows anybody a solution for this? I'm using Kali Linux and Wireshark version 2.6.8. I hope that you guys can help me!

Best wishes!

PS: If i had 60 points, i would upload pictures...

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-05-04 11:58:07 +0000

Bob Jones gravatar image

but it did not decrypt the traffic

There is a sample file here that is known to work - suggest to try this one before attempting your specific test case. There are also specific requirements that you will need to fulfill to obtain a capture that is decryptable, such as obtaining all four EAPOL frames from device authentication; this is all in the link.

I want to change the mode into monitor mode ... I lose the connection to my WLan

Yes, this is best practice. I would not recommend capturing on monitor mode and using the WLAN adapter in managed mode at the same time. There is unusual behavior here that you will have to chase; you can search this site and you will find others who try to do it. Use monitor mode on the Linux host to capture a DIFFERENT device communicating to the AP, and practice on this traffic.

If you feel you must capture and use the adapter at the same time, you want to use the iw command to create a virtual interface. You would create a monitor mode interface in this case.

The prototype from my version:

iw phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
                Add a new virtual interface with the given configuration.
                Valid interface types are: managed, ibss, monitor, mesh, wds.

                The flags are only used for monitor interfaces, valid flags are:
                none:     no special flags
                fcsfail:  show frames with FCS errors
                control:  show control frames
                otherbss: show frames from other BSSes
                cook:     use cooked mode
                active:   use active mode (ACK incoming unicast packets)
                mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
                mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
edit flag offensive delete link more

Comments

OK, thank you, it all works now!

der_Schokomuffin gravatar imageder_Schokomuffin ( 2019-05-04 14:12:16 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-05-04 10:04:38 +0000

Seen: 62 times

Last updated: May 04