Project 22: WPA/WPA2 Decryption (10 pts. + 10 extra)

What you need

Purpose

To understand the way WPA-PSK networks isolate users from one another, and defeat that protection. This is the same for WPA2-PSK.

If you go to a wireless network and capture frames in Monitor mode, you see traffic from other users, but you can't decrypt it because each user has a different encryption key.

However, the process of assigning that key uses a four-way EAPOL handshake, which can be captured. If you capture the EAPOL packets and know the network's pre-shared key (the Wi-Fi password), Wireshark can derive that user's key and decrypt the traffic.

Installing Wireshark

If you don't already have Wireshark, get it here:

https://www.wireshark.org/

Task 1: Analyzing an Existing Packet Capture File (10 pts.)

Downloading the PCAP File

Right-click the link below and save the file somewhere you can find it, such as your desktop:

https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

Troubleshooting

If that link doesn't work, use this alternate download link:

https://samsclass.info/123/proj14/wpa-Induction.pcap

Viewing the EAPOL Handshake

Double-click the wpa-Induction.pcap file. It opens in Wireshark.

Scroll down to find the four frames with a Protocol of "EAPOL", as shown below. Here an Apple device is joining a Cisco wireless network, and the four EAPOL packets are used to negotiate a private key for that user.

Viewing Encrypted Traffic

Scroll down to frame 99. Wireshark is unable to decrypt the contents of this frame--all it can say is that it contains "Data", as shown below.

Entering the WPA Key

The precise steps vary, depending on which version of Wireshark you are using.

For Wireshark 2.0.0 on Mac OS X:

From the menu bar, click Wireshark, Preferences. In the left pane, expand Protocols. Scroll down and click "IEEE 802.11", as shown below.

In the "Decryption Keys" line, click the Edit... button.

Enter a key of type wpa-pwd, with the value Induction:Coherer, as shown below.

The key is "Induction" and the SSID of the network is "Coherer".

In the "WEP and WPA Decryption Keys" box, click the OK button.

In the "Wireshark Preferences" box, check the "Enable decryption" box. Click the OK button.

Frame 99 is now decrypted, revealing that it contains a DHCP packet, as shown below.
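What Wireshark computes behind the scenes from the wpa-pwd entry above and the captured handshake, as an added example (not code from the original project page): the passphrase and SSID are the page's, while the MAC addresses and nonces are constructed placeholders, not values from wpa-Induction.pcap.

```python
import hashlib
import hmac


def parse_wpa_pwd(entry: str) -> tuple[str, str]:
    """Split a Wireshark wpa-pwd entry such as "Induction:Coherer" into
    (passphrase, SSID); the SSID is everything after the first colon."""
    passphrase, _, ssid = entry.partition(":")
    return passphrase, ssid


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    This network-wide secret is what Wireshark computes from a wpa-pwd entry;
    a wpa-psk entry is the same 32 bytes written as 64 hex digits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0..3 and keep the first 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> dict[str, bytes]:
    """Pairwise Transient Key for one client. Only the PMK is secret; both MAC
    addresses and both nonces travel in the clear in EAPOL messages 1 and 2,
    which is why a captured handshake plus the passphrase is enough."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # KCK authenticates the EAPOL MICs, KEK wraps the group key, TK encrypts data frames.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def per_client_keys(entry: str = "Induction:Coherer") -> tuple[bytes, bytes, bytes]:
    """Two stations on the same network get different TKs from one shared PMK.
    The MAC addresses and nonces here are constructed sample values."""
    pmk = pmk_from_passphrase(*parse_wpa_pwd(entry))
    ap, anonce = bytes.fromhex("020000000001"), bytes(range(32))
    sta_a, snonce_a = bytes.fromhex("020000000002"), bytes(range(32, 64))
    sta_b, snonce_b = bytes.fromhex("020000000003"), bytes(range(64, 96))
    tk_a = ptk_from_handshake(pmk, ap, sta_a, anonce, snonce_a)["TK"]
    tk_b = ptk_from_handshake(pmk, ap, sta_b, anonce, snonce_b)["TK"]
    return pmk, tk_a, tk_b
```

Because every client shares the PMK, anyone holding the passphrase and the handshake can derive any client's TK; that is the limit of the isolation WPA-PSK provides.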

Saving the Screen Image

Make sure you can see the frame number of 99 and the Protocol of DHCP, as shown above.

Save a FULL DESKTOP image with the filename Proj 22a from Your Name.

Task 2: Capturing Live Frames (10 pts. extra credit)

Using Monitor Mode

This part of the project is optional, because it may require special equipment.

Here's how I did it on my 2015 MacBook Pro.

Join the Target Network

Join a WPA2 wireless network, such as CCSF Wireless, as shown below.

Configuring Wireshark to Show Per-Packet Information

Start Wireshark.

From the Wireshark menu bar, click Capture, Options.

In the "en0" line, change "Link-Layer Header" to "Per-Packet Information", as shown below. You can leave "Monitor Mode" disabled.

Start Capturing Packets

Start Wireshark sniffing. At the top of the Wireshark window, enter this display filter, as shown below, and then press the Enter key:
eapol.version == 2

Join a Target Device to the Network

Get another wireless device to use as the target. I used an iPad. Join it to the same wireless network.

Observing EAPOL Frames

In Wireshark, you should see the four EAPOL frames, with Info messages as shown below:
Key (Message 1 of 4)
Key (Message 2 of 4)
Key (Message 3 of 4)
Key (Message 4 of 4)

Troubleshooting

If you see some of the EAPOL frames, but not all four, move to an area with less wireless traffic. I had that problem when I tried this at a mall, but when I moved to a nearly empty classroom on campus it worked perfectly.

Saving the Screen Image

Make sure you can see the four EAPOL frames.

Save a FULL DESKTOP image with the filename Proj 22b from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj 22 from Your Name.

Source

How to Decrypt 802.11

WPA 4-way handshake


Posted 11:19 am 12-9-15 by Sam Bowne
Revised 5-13-16