
How to decrypt WPA traffic in Wireshark


Let's start with the theory, in order to understand why decrypting Wi-Fi traffic in Wireshark requires some effort, and why one cannot simply decrypt any captured Wi-Fi traffic even when one knows the password of the Access Point.

When data is transmitted over a WPA/WPA2 network, the frames are encrypted with a key taken from the PTK (Pairwise Transient Key). The PTK is dynamic: it is generated anew for every connection. So the traffic of different connections to the same Access Point is encrypted with different PTKs, and even the same Client gets a new PTK after reconnecting. To compute the PTK you need data from the four-way handshake (the random nonces exchanged by the two sides, plus their MAC addresses) as well as the password of the Wi-Fi network (strictly, you also need the network name (SSID), because the password and the SSID together produce the PMK from which the PTK is derived, but obtaining the SSID is not a problem).

The main thing to understand: to decrypt Wi-Fi traffic you need a four-way handshake. And not just any handshake, but exactly the one performed by the connection that carried the traffic you want to decrypt. And to make use of the captured handshake you need the password of the Wi-Fi network.

So, to decrypt Wi-Fi traffic you need:

1) the four-way handshake that took place between the Client and the Access Point at the start of the connection whose traffic is to be decrypted (the handshake must be in the capture before that traffic)

2) the password (and SSID) used to connect to the Access Point

Two examples of capturing Wi-Fi traffic and decrypting it follow. In the first, the capture is made with Airodump-ng and the wireless traffic is then decrypted in Wireshark. In the second, the data is both captured and decrypted using only Wireshark.

Capturing Wi-Fi traffic in Airodump-ng


For the data to be suitable for decryption, the Wi-Fi card must not hop between channels but must capture on the single channel on which the target Access Point operates (a card that is hopping can miss one of the four handshake frames, and then the whole connection is undecryptable). Therefore we start by collecting information about the target Access Point.

We look at the names of the wireless interfaces:

iw dev

We put INTERFACE into monitor mode with commands like these:

sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up

Run airodump-ng with a command like:

sudo airodump-ng INTERFACE

For example, I want to capture and decrypt traffic for the Paangoon_2G Access Point, which operates on channel 9.

Then I need to restart airodump-ng with a command like this, locking it to that channel and writing the capture to a file:

sudo airodump-ng INTERFACE --channel CHANNEL --write FILE_NAME

(airodump-ng appends a sequence number to the name, so the capture ends up in FILE_NAME-01.cap.) A handshake appears only when a Client connects or reconnects while the capture is running.

The string WPA handshake: in the top right corner of the airodump-ng output says that a four-way handshake was captured. It means that:

now we can decrypt the Wi-Fi data (if we have the key of the Wi-Fi network)
we can decrypt only the data of the specific Client with which this handshake was made
we will be able to decrypt only the data sent after this captured handshake

Wi-Fi traffic decryption in Wireshark

Open the capture file in Wireshark. In its original form, without decryption, we see only the MAC addresses of the participants in the data transfer, some frame types (management and control frames), and data frames whose payload is encrypted.

Before decrypting, make sure that there is a handshake, otherwise there is no point in continuing. Apply the display filter:

eapol

It should show the EAPOL-Key frames exchanged between the Access Point and the Client (the four handshake messages; message 1 carries the ANonce and message 2 the SNonce, which is what the key derivation needs). If the filter shows nothing, the handshake was not captured and nothing will be decrypted no matter which key you enter.
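The key derivation described in the theory section above, and the handshake check behind the eapol filter, as an added Python example (this is not code from the article or from Wireshark): it takes the password and SSID used in this article, the ANonce and SNonce from handshake messages 1 and 2, derives the PMK and then the PTK the way the standard specifies, verifies the MIC of message 2 with the KCK, and classifies EAPOL-Key frames by their Key Information flags so you can tell whether a Client has all four messages in the capture. The MAC addresses, nonces and the handshake frames themselves are constructed for the example, not captured, and the classification assumes the WPA2 (RSN) key descriptor.

```python
"""Derive WPA2 PMK -> PTK from a passphrase plus the 4-way handshake nonces, check
the MIC of message 2, and classify EAPOL-Key frames to test a capture for a complete
handshake. Added example (not the article's or Wireshark's code); data is constructed."""
import hashlib
import hmac
import struct

# Constructed sample data: SSID/password from the article, MACs and nonces assumed.
SSID = "Paangoon_2G"
PASSPHRASE = "00001777"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("ccddeeff0011")
ANONCE = hashlib.sha256(b"anonce-sample").digest()   # stands in for 32 random bytes
SNONCE = hashlib.sha256(b"snonce-sample").digest()

# EAPOL-Key "Key Information" bits (IEEE 802.11 RSN key descriptor).
KI_VERSION2 = 0x0002   # descriptor version 2: MIC = HMAC-SHA1-128 (WPA2-CCMP)
KI_PAIRWISE = 0x0008
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100
KI_SECURE = 0x0200

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits): Wireshark's 'wpa-pwd'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_384(key, label, data):
    """802.11 PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..2, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))
    return out[:48]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    KCK = PTK[0:16] signs EAPOL MICs, KEK = PTK[16:32], TK = PTK[32:48] is the CCMP key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))   # fresh nonces -> fresh PTK
    return prf_384(pmk, b"Pairwise key expansion", data)

def build_eapol_key(key_info, replay, nonce, key_data=b""):
    """Serialise an 802.1X EAPOL-Key frame (descriptor type 2 = RSN) with the MIC zeroed."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce
            + bytes(16) + bytes(8) + bytes(8)            # Key IV, Key RSC, reserved
            + bytes(16) + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body    # 802.1X v2, type 3 = EAPOL-Key

def parse_eapol_key(frame):
    """Return the fields needed for PTK derivation and MIC checking (fixed offsets)."""
    assert frame[1] == 3, "not an EAPOL-Key frame"
    _desc, key_info, _key_len, replay = struct.unpack(">BHHQ", frame[4:17])
    return {"key_info": key_info, "replay": replay, "nonce": frame[17:49], "mic": frame[81:97]}

def message_number(key_info):
    """Classify an RSN EAPOL-Key frame as 4-way handshake message 1..4 by (ACK, MIC, Secure)."""
    if not key_info & KI_PAIRWISE:
        return None                                    # group-key handshake, not the 4-way
    flags = tuple(bool(key_info & bit) for bit in (KI_ACK, KI_MIC, KI_SECURE))
    return {(True, False, False): 1, (False, True, False): 2,
            (True, True, True): 3, (False, True, True): 4}.get(flags)

def mic_for(kck, frame):
    """HMAC-SHA1-128 over the whole EAPOL frame with its MIC field zeroed."""
    return hmac.new(kck, frame[:81] + bytes(16) + frame[97:], hashlib.sha1).digest()[:16]

def verify_handshake(passphrase, ssid, ap_mac, sta_mac, m1, m2):
    """True if the passphrase reproduces the MIC of message 2: the check that shows the
    key is right and that data sent after this handshake can be decrypted."""
    f1, f2 = parse_eapol_key(m1), parse_eapol_key(m2)
    if (message_number(f1["key_info"]), message_number(f2["key_info"])) != (1, 2) or (
            f1["replay"] != f2["replay"]):             # M1 and M2 share a replay counter
        return False
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, f1["nonce"], f2["nonce"])
    return hmac.compare_digest(mic_for(ptk[:16], m2), f2["mic"])

def complete_handshakes(frames):
    """frames: (ap_mac, sta_mac, eapol_bytes), e.g. what the 'eapol' display filter shows.
    Returns the (ap, sta) pairs for which all four messages are present."""
    seen = {}
    for ap, sta, frame in frames:
        n = message_number(parse_eapol_key(frame)["key_info"])
        if n:
            seen.setdefault((ap, sta), set()).add(n)
    return {pair for pair, nums in seen.items() if nums == {1, 2, 3, 4}}

def make_sample_handshake(passphrase=PASSPHRASE, ssid=SSID, anonce=ANONCE, snonce=SNONCE):
    """Simulate both sides: the AP sends M1 (ANonce) and M3, the station M2 (SNonce) and M4."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), AP_MAC, STA_MAC, anonce, snonce)[:16]
    sign = lambda f: f[:81] + mic_for(kck, f) + f[97:]   # fill in the MIC as the sender does
    m1 = build_eapol_key(KI_VERSION2 | KI_PAIRWISE | KI_ACK, 1, anonce)
    m2 = sign(build_eapol_key(KI_VERSION2 | KI_PAIRWISE | KI_MIC, 1, snonce))
    m3 = sign(build_eapol_key(KI_VERSION2 | KI_PAIRWISE | KI_INSTALL | KI_ACK
                              | KI_MIC | KI_SECURE, 2, anonce))
    m4 = sign(build_eapol_key(KI_VERSION2 | KI_PAIRWISE | KI_MIC | KI_SECURE, 2, bytes(32)))
    return m1, m2, m3, m4

if __name__ == "__main__":
    m1, m2, _, _ = make_sample_handshake()
    print(verify_handshake(PASSPHRASE, SSID, AP_MAC, STA_MAC, m1, m2))  # True with the right key
```

Two things worth trying with it: feed verify_handshake a message 1 from a different simulated connection (a new ANonce) together with the old message 2, and the MIC check fails even though the password is right, which is exactly why a handshake from an earlier session cannot decrypt a later one; and drop messages 3 and 4 from the list given to complete_handshakes to see the Client disappear from the result, mirroring what the eapol filter has to show before Wireshark can decrypt anything.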

Before decrypting, we need to change some settings of the IEEE 802.11 protocol.

Go to Edit → Preferences, expand the Protocols section and select IEEE 802.11. The Enable decryption box must be checked (the screenshot of the settings from the original page is not reproduced here).

When you have set this, click the Edit button next to Decryption Keys (to add a WEP/WPA key):


Click the Create button. In the window that opens, select wpa-pwd in the Key type field, enter the password of the Wi-Fi network, then a colon and the name (SSID) of the network, and click OK.

For example, in my case the password is 00001777 and the network name is Paangoon_2G, so I enter:

00001777:Paangoon_2G

Wireshark turns this pair into the 256-bit PMK (PBKDF2 of the password with the SSID as the salt), so the SSID must be exactly right, including case. If the password itself contains a colon, or you already have the PMK, choose the wpa-psk key type instead and enter the PMK as 64 hexadecimal characters.

Click Apply:

Traffic will be decrypted:

Now DNS, HTTP requests and responses, and other network packets are visible.

If the capture also contains traffic of other networks operating on the same channel, or traffic of other Clients of this network for which no handshake was captured, that traffic will not be decrypted.

Capture Wi-Fi in Wireshark

Wi-Fi traffic can be captured directly in Wireshark. But first we need to switch the Wi-Fi card to monitor mode and to the same channel as the target Access Point. This is done with commands like:

sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up
sudo iw dev INTERFACE set channel CHANNEL

In these commands, the words INTERFACE and CHANNEL must be replaced with the actual values.

When the interface is on the desired channel, find this interface in Wireshark and, in its properties, check the Capture packets in monitor mode box. Then start capturing data.

The subsequent decryption is performed in exactly the same way as shown above.
March 2018
Conclusion

To decrypt WEP Wi-Fi traffic, only the key is needed, since WEP uses one static key for all clients and has no per-connection handshake. But APs with WEP are almost never encountered nowadays.
Alex, January 2, 2019. Tags: Airodump-ng, handshake, monitor mode, passwords, wireless, Wireshark. Category: Wireless Attacks. 4 Comments

4 Comments to How to decrypt WPA traffic in Wireshark
Sniffer says:
April 23, 2019 at 2:01 pm

Hello,
Thanks for the great step-by-step instructions. I followed them to the letter but I can't
seem to make the 4-way handshake appear.
I have not been able to find any of the reported "monitor mode" settings (described on
the wireshark wiki). I have a whole slew of packets captured that are encrypted that I'd like
to see the contents of.
I'm running macOS Mojave 10.14.3 on an intel iMac circa 2014. My wireless router (en0) is
an Airport Extreme circa about 2010.
For the sake of argument, my WiFi password is "password" and the network name is "My
Home Network" with spaces (not sure if spaces are allowed in the wpa-pwd key settings). I
entered "password:My Home Network" and clicked ok, but I can't see any decrypted http
packets or anything noticeably different – only 802.11. I definitely don't see the 4-way
handshake happening in the capture.
Furthermore I'm wanting to capture packets sent to and from a specific Mac device with
the address 36:56:9C:4D:4C:5C across the span of an entire day. Is there a way to limit
captures to only that device to prevent very large file sizes from 24 hours of captures?
Any ideas what settings I may be missing or have screwed up that are preventing the 4-way handshake from occurring?
Thanks!
Reply

Alex says:
April 24, 2019 at 1:20 am

Hello! I guess the reason — you did not capture 4-way handshake.
Start off with the Wireshark filter:

eapol

If you see no captured packets, it means you did not capture the handshake.
Before trying to decrypt WPA traffic, try to perform less complex tasks like
capturing 4-way handshake.
Reply

Anonymous says:
April 26, 2019 at 8:47 pm

Thanks! I do not see any packets when using that filter, so I believe you're right. I'm not able to see the 4-way
handshake happen tho. I've left (forget network) the wifi
and re-joined it during a capture, but maybe my settings
are wrong. I have the network password and SSID entered
in the IEEE 802.11 settings, but I think something else is
missing. I have a sample capture here:
https://waterloooil.com/test/capture.pcap.
Reply

Sniffer says:
April 26, 2019 at 8:48 pm

I don't see the 4-way handshake using that filter. I've set up
the network password and SSID in wireshark so something
else must be missing. Here's an example
capture: https://waterloooil.com/test/capture.pcap.
Reply
© 2019: Ethical hacking and penetration testing | SnowFall Theme by: D5 Creation | Powered by: WordPress
