How to decode WPA3-SAE using commands in Linux via tshark

Hi, can you please let me know if there is any way to decrypt the encrypted packets of a sniffer capture using commands in Linux OS?

Thanks, Thinker.

thinker
asked 2023-02-18 11:14:27 +0000

2 Answers


May I suggest you visit https://tshark.dev/packetcraft/add_co... first?

hugo.vanderkooij
answered 2023-02-20 08:33:20 +0000

Comments

The OP should also note that the linked page is 4 years old and contains incorrect info, e.g. that TLS 1.3 decryption is broken.

Another reference is on the Wireshark Wiki page for TLS.

grahamb (2023-02-20 10:23:31 +0000)

If you can manage to get access to the PMK, decryption of a WPA3-SAE data file can be done via tshark like this:

/usr/bin/tshark -nr file.pcapng -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-psk\",\"3db063d481425de62496bf74243f3c4c72d4a4ed0010006d171a85c811bbe2ea\"" -Y "wlan.fc.type_subtype in {0x20 0x28}"

Where we have the following:

  • file.pcapng : the capture file that contains the 4-way EAPOL handshake and the data to decrypt.
  • wpa-psk: use the connection PMK to decrypt
  • 3db063d...ea : this is the PMK value derived from the SAE operation - this should be difficult to get and will likely have to come from either the wireless client or the AP itself.
  • wlan.fc.type_subtype in {0x20 0x28}: filter to display only data/QOS data frames as these are the ones that would be decrypted (not needed).

Notice that this is not as simple as with WPA2-Personal, where the SSID and passphrase are all that is needed to derive the PMK for subsequent decryption of the data stream (with the 4-way EAPOL handshake, of course). The PMK is now derived per-connection, which significantly improves security. I know of no generalized method to access the PMK for these types of connections. In fact, in most cases, this data will not be available for use in this manner. One such method is use of wpa_supplicant in debug mode, which has an option to dump keys; the key material for THIS client, for THIS connection, would be present. Likewise, hostapd has an option to dump key material as part of its debug configuration for associated clients.

Bob Jones
answered 2023-02-20 14:58:58 +0000

Comments

Hi,

I got the following warning message while decrypting WPA-SAE.

 ** (tshark:1741616) 09:59:18.308548 [(none) WARNING] epan/crypt/dot11decrypt.c:2376 -- Dot11DecryptGetKckLen(): Unknown akm
 ** (tshark:1741616) 09:59:18.308570 [(none) WARNING] epan/crypt/dot11decrypt.c:2399 -- Dot11DecryptGetKekLen(): Unknown akm
 ** (tshark:1741616) 09:59:18.308578 [(none) WARNING] epan/crypt/dot11decrypt.c:2413 -- Dot11DecryptGetPtkLen(): Invalid PTK len

The AKM is 24, which tshark seems not to recognize. The output still does not show decrypted data. Any suggestion about it?

Auth Key Management (AKM) type: SAE (GROUP-DEPEND) (24)

albert (2024-02-01 02:27:49 +0000)

You should create a new post - no one will see this except for those of us who worked on this one before. You will want to get more eyeballs on your issue.

Bob Jones (2024-02-01 23:47:26 +0000)
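As an added example, not part of Bob Jones's answer or of the Wireshark project: a small POSIX shell wrapper around the tshark invocation from the answer above. It checks that the supplied PMK is 64 hex characters (a 256-bit PMK, which is what a wpa-psk entry takes), builds the 80211_keys UAT entry with the quoting tshark expects, confirms that the capture actually carries the 4-way EAPOL handshake (without it nothing decrypts, whatever key you supply), lists the AKM suite types advertised in the RSN IEs so you see up front whether you are in the AKM 24 situation from the comment above, and only then runs the decryption. The capture path and PMK are placeholders supplied by the caller; `wlan_rsna_eapol.keydes.msgnr` and `wlan.rsn.akms.type` are assumed to be the Wireshark field names for the handshake message number and the AKM type on your version.

```shell
#!/bin/sh
# Added example, not from the original answer: a wrapper around the tshark
# decryption command. Capture file and PMK are placeholders passed by the caller.

# A WPA3-SAE PMK is 256 bits, so a wpa-psk UAT entry wants exactly 64 hex digits.
valid_pmk() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # any non-hex character disqualifies it
    esac
    [ "${#1}" -eq 64 ]
}

# Build the 80211_keys UAT entry; tshark wants each field double-quoted.
uat_entry() {
    printf 'uat:80211_keys:"wpa-psk","%s"' "$1"
}

# Which 4-way handshake messages (1..4) are present in the capture.
# The ANonce (message 1) and SNonce (message 2) are what the PTK derivation
# needs; a clean capture of the association shows all four.
# Field name assumed; verify with: tshark -G fields | grep keydes.msgnr
handshake_msgs() {
    tshark -nr "$1" -Y 'eapol' -T fields -e wlan_rsna_eapol.keydes.msgnr 2>/dev/null \
        | sort -u | tr '\n' ' '
}

# AKM suite types advertised in RSN IEs (8 = SAE; 24 is the value from the
# comment above that the commenter's tshark rejected as "Unknown akm").
# Field name assumed; verify with: tshark -G fields | grep rsn.akms.type
akm_types() {
    tshark -nr "$1" -Y 'wlan.rsn.akms.type' -T fields -e wlan.rsn.akms.type 2>/dev/null \
        | sort -u | tr '\n' ' '
}

# Run the sanity checks, then the decryption command from the answer above.
decrypt_sae() {
    pcap=$1
    pmk=$2
    if ! valid_pmk "$pmk"; then
        echo "PMK must be 64 hex characters, got: $pmk" >&2
        return 2
    fi
    if [ ! -r "$pcap" ]; then
        echo "cannot read capture: $pcap" >&2
        return 2
    fi
    msgs=$(handshake_msgs "$pcap")
    if [ -z "$msgs" ]; then
        echo "no EAPOL 4-way handshake in $pcap; nothing will decrypt" >&2
        return 3
    fi
    echo "handshake messages present: $msgs" >&2
    echo "AKM suite types seen: $(akm_types "$pcap")" >&2
    tshark -nr "$pcap" \
        -o wlan.enable_decryption:TRUE \
        -o "$(uat_entry "$pmk")" \
        -Y 'wlan.fc.type_subtype in {0x20 0x28}'
}

# Usage: sh decrypt_sae.sh file.pcapng <64-hex-PMK>
if [ $# -ge 2 ]; then
    decrypt_sae "$1" "$2"
fi
```

The PMK check runs before tshark is touched, so a mistyped key fails fast instead of producing a silent run with no decrypted frames. If the AKM listing shows a value your tshark build does not handle, you will get the "Unknown akm" warnings from the comment above regardless of the key, which is a build/version problem rather than a key problem.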
