Being able to decrypt 802.11 frames in a frame capture may be necessary from time to time. I personally have worked on several issues with our vendor's TAC where they needed frame captures to analyze and resolve a bug, and they sometimes needed to decrypt the data to do so. This technique is not possible on networks using 802.1X security, because each client's keys are derived from its own authentication exchange rather than from a shared passphrase, but it is viable on networks using PSK security. In fact, many protocol analyzers include the ability to decrypt the frames. If you are performing monitor mode frame captures and the frames are encrypted, keep reading to see how to decrypt them.
In 802.11 PSK secured networks it is necessary to capture the 4-way handshake in order to decrypt the frames. Capturing the 4-way handshake, in conjunction with the passphrase used, will allow the frames to be decrypted.
The first step in the process is adding the passphrase or PSK to your analysis tool. I mostly use Wireshark, so I've included the details here on how to add the passphrase/PSK to Wireshark on a MacBook.
- Open Wireshark
- Navigate to Wireshark > Preferences, which opens the window seen below
- Expand the "Protocols" section, scroll down and select "IEEE 802.11" as seen below
- Next to "Decryption keys", click "Edit", which opens the window seen below
- Now click on the "+" and you get the screen seen below. The key options are:
  1. WEP (Hopefully no one is still using this.)
  2. WPA-PWD (This is the associated WPA passphrase.)
  3. WPA-PSK (If you happen to use WPA-PSK directly instead of a passphrase, or happen to know the PSK, as it is derived from the WPA passphrase.)
  4. TK for the Transient Key (If these are known, you may be able to skip capturing the 4-way handshake.)
  5. MSK for the Master Session Key (If you happen to know this.)
  See the image below.
Since I’m not actually capturing traffic, and wouldn’t want to post my passphrase on the web, I’ve done a sample WPA-PWD entry to show the process.
- Select "WPA-PWD" and enter the passphrase. I've used "Test_123" as it meets the requirement of at least 8 characters. You'll enter the passphrase used to connect to the specified WLAN. Wireshark also accepts the form passphrase:SSID; if you leave the SSID off, it takes the SSID from the beacons or probe responses in the capture. See the image below.
- After entering the key, click the "OK" button twice and you will be ready to capture.
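As an added illustration, not part of the original post, the script below shows what Wireshark computes behind the scenes for the WPA-PWD and WPA-PSK options above and why the 4-way handshake must be in the capture: the PSK is derived from the passphrase and SSID with PBKDF2, and the per-client temporal key can only be derived once both nonces from the handshake are known. The SSID, MAC addresses and nonces are constructed sample values, not from a real capture.

```python
import hashlib
import hmac


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This 256-bit value (as 64 hex characters) is what the WPA-PSK key type expects."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits): KCK(16) || KEK(16) || TK(16).
    aa/spa are the AP and client MACs; anonce/snonce come from handshake messages 1 and 2.
    Min/Max are byte-wise comparisons, which Python's bytes ordering provides."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def temporal_key(ptk: bytes) -> bytes:
    """The TK that actually encrypts data frames (Wireshark's 'TK' key type)."""
    return ptk[32:48]


# Constructed sample values (hypothetical, not from any real network).
SAMPLE_SSID = "TroubleshootWLAN"
SAMPLE_AA = bytes.fromhex("001122334455")    # AP (authenticator) address
SAMPLE_SPA = bytes.fromhex("66778899aabb")   # client (supplicant) address
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE = bytes(range(32, 64))


def sample_tk() -> bytes:
    psk = wpa_psk_from_passphrase("Test_123", SAMPLE_SSID)
    return temporal_key(derive_ptk(psk, SAMPLE_AA, SAMPLE_SPA, SAMPLE_ANONCE, SAMPLE_SNONCE))


if __name__ == "__main__":
    print("WPA-PSK:", wpa_psk_from_passphrase("Test_123", SAMPLE_SSID).hex())
    print("TK:", sample_tk().hex())
```

Note that the same passphrase gives a different TK for every association, which is why a capture started after the client had already connected cannot be decrypted.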
In the event that you are using 802.1X authentication, and you are confident the problem you are working on is not related to 802.1X, you may need to create a separate WPA2-PSK WLAN for troubleshooting purposes. The temporary WLAN will still have some security but will allow decryption of the frames to assist in troubleshooting. The WLAN can be enabled during troubleshooting sessions and then disabled when they are complete.
After you have set up the key in Wireshark, you are ready to perform your monitor mode capture. The client's adapter is disabled and re-enabled so that it re-associates while the capture is running, which is what puts the 4-way handshake in the capture. The remaining steps may seem tedious, but after you've done it a few times it becomes fairly simple.
- Step 1 – Disable the wireless adapter on the client you are collecting data for.
- Step 2 – Start your monitor mode capture on your capture device.
- Step 3 – Enable the wireless adapter on the client you are collecting data for.
- Step 4 – Generate whatever traffic is necessary from the client for troubleshooting purposes.
- Step 5 – After the capture has run for the appropriate amount of time, stop the monitor mode capture.
- Step 6 – You should now be able to view unencrypted data in the frame capture.
One additional note, which may be the most important: be sure to have permission, in writing, before decrypting any data. The organization may have a policy prohibiting such behavior, and you'll want to avoid any problems beforehand.
If you find that the frames you have collected are still encrypted, double-check that you have performed the steps properly and that you are seeing the 4-way handshake from the wireless client.