Here are three steps to decrypt 802.11 wireless traffic in Wireshark.
- Go to Edit ->Preferences ->Protocols ->IEEE 802.11.
- Click the Edit… button next to Decrypt Key to add a key.
- Check decrypted wireless traffic
But wait, it’s not that simple. Use these steps after capturing data from the access point and decrypting that specific data. However, to access data from the access point, we need to establish four landmark handshakes between the client and the access point. But, what are customers and access points?
Client and access points
In a network, a client is a device that requests information from a server or access point. An access point (AP) is usually the name of a device that provides WiFi services to a specific area in managed mode. It is called AP and the customer connection is called STA (short form for the site). Note that a network device can run in STA mode or AP mode, depending on whether it is used as the device for the client or it is the device for the wireless network center (allowing other devices to connect to it).
What exactly happens when a customer connects to a WiFi network
Pre-shared key (PSK):
When you connect to a WiFi network, the PSK (your WiFi password) is used as a “seed” to generate a shared secret key between your device and the access point.
Diffie-Hellman key exchange:
Devices and routers use the Diffie-Hellman protocol to establish this shared secret key, which is not transmitted in plain text.
Encryption and decryption:
Once a shared key is established, it will be used to encrypt and decrypt data transmitted between the device and the access point.
Wireshark:
To passively decrypt WiFi traffic, tools like WireShark can be used, but you need to know the PSK and capture the 4-way handshake that occurs during connection to the access point.
WPA3:
In WPA3, each connection uses a different PMK. Capturing the handshake and just knowing the network password is not enough; you need a PMK (from the client or access point) to decrypt the packet.
So, Decrypt WiFi traffic need:
- A handshake occurs between the client and the access point before exchanging decrypted information
- To do this, we need a monitoring mode WiFi adapter
- Connect password to access point
Next, two examples of capturing WiFi traffic and its decryption will be shown. Use Airodump-NG to perform the first data capture and then decrypt wireless traffic in Wireshark. In the second example, only Wireshark will be used to capture and decrypt the data.
Capture WiFi traffic using AiroDump-NG
In order to make the data suitable for decryption, it is necessary to capture information on a channel running at the target access point, but the wifi card does not switch channels. Therefore, we first gather information about the target access point.
Let’s check the name of the wireless interface:
We use commands like this to convert the interface to monitor mode:
| sudo ip link set interface downsudo iw interface setting monitor controlsudo ip link set interface up up |
Change interface Use your WiFi adapter name
Run Airodump-ng with the command:
| sudo airodump-ng wlan0mon |
For example, I want to capture and decrypt traffic from Kali access points running on channel 5.
Then I need to restart Airodump-ng with a command like this:
| sudo airodump-ng wlan0mon – Channel channel – Write file name |
this WPA handshake The inscription says captures four stages of handshake. This means:
- Now we can decrypt WiFi data (If we have the key to the WiFi network)
- We can only decrypt data for specific clients (shake hands)
- We will be able to decrypt data sent only after the handshake captured here
Decrypt WiFi traffic using Wireshark
Open the capture file in Wireshark. In its original form, the traffic looks like this:
That is, without decryption, we only see the MAC address of the data transfer participant, some types of packets, and packets (where the payload is encrypted). Make sure there is a handshake before decoding, otherwise it doesn’t make any sense: Keep going:
Before decoding, we need to make some changes to the IEEE 802.11 protocol settings.
go edit → Preference expand protocol Parts and options IEEE 802.11 . The settings should be:
Make sure you have the same settings as in the previous screenshot, click the Edit button next to “Decrypt Key” (add WEP/WPA key):
Click create button. In the open window Key Type Field, select WPA-PWD enter the password for the WiFi network, then enter the network name (SSID) behind the colon, and click OK.
For example, in my case the password is QIVXY17988 and the network name is Kali, and I type:
Click to apply:
The traffic will be decrypted:
Now there are visible DNS, HTTP requests and responses, and other network packets.
This traffic is not decrypted if it is captured not only for that network, but for other networks running on the same channel, or for other networks on that network, but for other clients without a handshake.
Capture WiFi traffic with Wireshark
WiFi traffic can be captured directly in Wireshark.
But we first need to switch the WiFi card to the same channel as the target access point. This is done by the following command
| sudo ip link set interface downsudo iw interface set monitor controlsudo ip link set interface upsudo iw dev interface set channel |
The subsequent decryption is performed in exactly the same way as shown above.
in conclusion
To decrypt WEP WIFI traffic, you only need to know the password.
You might want to read: Monitoring and Injection Mode in Wireless Adapters, Structures in C Programming, and the Threat of Quantum Computing to Encryption?
source:
