
Need help with 802.11 decryption and monitor mode!


Hi there,

I'm very new to this topic. I have a WLan with WPA2-PSK decryption. My idea was to switch my TP-Link TL-WN722N into monitor mode and sniff the packets. My problem is that I put in the pre-shared key (created with www.wireshark.org/tools/wpa-psk.html) in the preferences, but it did not decrypt the traffic. Also, when I want to change the mode into monitor mode, I have to kill the network-manager, which is bad, because I lose the connection to my WLan. Does anybody know a solution for this? I'm using Kali Linux and Wireshark version 2.6.8. I hope that you guys can help me!

Best wishes!

PS: If I had 60 points, I would upload pictures...

der_Schokomuffin
asked 2019-05-04 10:04:38 +0000


1 Answer


but it did not decrypt the traffic

There is a sample file here that is known to work - suggest to try this one before attempting your specific test case. There are also specific requirements that you will need to fulfill to obtain a capture that is decryptable, such as obtaining all four EAPOL frames from device authentication; this is all in the link.

I want to change the mode into monitor mode ... I lose the connection to my WLan

Yes, this is best practice. I would not recommend capturing on monitor mode and using the WLAN adapter in managed mode at the same time. There is unusual behavior here that you will have to chase; you can search this site and you will find others who try to do it. Use monitor mode on the Linux host to capture a DIFFERENT device communicating to the AP, and practice on this traffic.

If you feel you must capture and use the adapter at the same time, you want to use the iw command to create a virtual interface. You would create a monitor mode interface in this case.

The prototype from my version:

iw phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
                Add a new virtual interface with the given configuration.
                Valid interface types are: managed, ibss, monitor, mesh, wds.

                The flags are only used for monitor interfaces, valid flags are:
                none:     no special flags
                fcsfail:  show frames with FCS errors
                control:  show control frames
                otherbss: show frames from other BSSes
                cook:     use cooked mode
                active:   use active mode (ACK incoming unicast packets)
                mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
                mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
Bob Jones
answered 2019-05-04 11:58:07 +0000

Comments

OK, thank you, it all works now!

der_Schokomuffin (2019-05-04 14:12:16 +0000)
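The answer above names two prerequisites before Wireshark can decrypt WPA2-PSK traffic: the right pre-shared key for the SSID, and a capture that contains the whole four-message EAPOL handshake for the station you want to decrypt. The following is an added example, not code from this thread or from Wireshark itself: it derives the PSK the way wireshark.org/tools/wpa-psk.html does (PBKDF2-HMAC-SHA1 over passphrase and SSID), prints both forms of the "Decryption keys" preference entry, and then walks a list of EAPOL frames, classifying each as handshake message 1 to 4 from the Key Information flag bits and reporting which (station, AP) pairs have all four messages with consistent replay counters. The MAC addresses, the RSN IE and the frames are constructed inline for the demonstration; the nonce, IV and MIC fields are zeroed placeholders, so the frames are structurally valid but not cryptographically real.

```python
"""Added example (not from the page or from Wireshark): check the two prerequisites
for WPA2-PSK decryption, a correct PSK and a complete 4-way handshake."""
import hashlib
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11-2016, 12.7.2)
KI_PAIRWISE = 1 << 3
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits),
    which is what wireshark.org/tools/wpa-psk.html computes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wireshark_key_entries(passphrase, ssid):
    """Two equivalent entries for Preferences > Protocols > IEEE 802.11 > Decryption keys."""
    return ("wpa-pwd:%s:%s" % (passphrase, ssid),
            "wpa-psk:" + derive_psk(passphrase, ssid).hex())


def classify_eapol_key(eapol):
    """Return (handshake message number 1..4, replay counter) for one EAPOL frame,
    or None if it is not a pairwise EAPOL-Key frame."""
    if len(eapol) < 4 + 95 or eapol[1] != 3:          # EAPOL packet type 3 = EAPOL-Key
        return None
    body = eapol[4:]
    if body[0] not in (2, 254):                       # RSN (2) or legacy WPA (254) descriptor
        return None
    key_info = struct.unpack_from(">H", body, 1)[0]
    replay = struct.unpack_from(">Q", body, 5)[0]
    key_data_len = struct.unpack_from(">H", body, 93)[0]
    if not key_info & KI_PAIRWISE:
        return None                                    # group-key handshake, not what we need
    ack, mic, install, secure = (bool(key_info & f) for f in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        msg = 1                                        # AP -> STA: ANonce
    elif ack and mic and install:
        msg = 3                                        # AP -> STA: ANonce again, GTK, Install
    elif mic and not ack:
        msg = 4 if (secure or key_data_len == 0) else 2   # STA -> AP: M2 carries the RSN IE, M4 is empty
    else:
        return None
    return msg, replay


def handshake_messages(frames):
    """frames: iterable of (src_mac, dst_mac, eapol_bytes).  Returns {(sta, ap): {msg: replay}}."""
    seen = {}
    for src, dst, eapol in frames:
        parsed = classify_eapol_key(eapol)
        if parsed is None:
            continue
        msg, replay = parsed
        sta, ap = (dst, src) if msg in (1, 3) else (src, dst)   # M1/M3 go AP -> STA, M2/M4 STA -> AP
        seen.setdefault((sta, ap), {})[msg] = replay
    return seen


def complete_handshakes(frames):
    """(sta, ap) pairs with all four messages and consistent replay counters
    (M2 echoes M1's counter, M4 echoes M3's, and M3's is greater than M1's)."""
    result = []
    for pair, msgs in handshake_messages(frames).items():
        if (all(m in msgs for m in (1, 2, 3, 4))
                and msgs[2] == msgs[1] and msgs[4] == msgs[3] and msgs[3] > msgs[1]):
            result.append(pair)
    return result


def make_eapol_key(key_info, replay, key_data=b""):
    """Constructed test frame: EAPOL header + RSN EAPOL-Key body with zeroed nonce/IV/RSC/ID/MIC."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay)
            + bytes(32 + 16 + 8 + 8 + 16)
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body


# Constructed sample traffic (hypothetical MAC addresses).  STA1 completed the
# handshake; for STA2 only the AP-side messages were heard, so it cannot be decrypted.
AP, STA1, STA2 = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", "11:22:33:44:55:77"
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK
SAMPLE_FRAMES = [
    (AP, STA1, make_eapol_key(KI_PAIRWISE | KI_ACK, 1)),                                                # M1
    (STA1, AP, make_eapol_key(KI_PAIRWISE | KI_MIC, 1, RSN_IE)),                                        # M2
    (AP, STA1, make_eapol_key(KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, 2, bytes(40))),   # M3
    (STA1, AP, make_eapol_key(KI_PAIRWISE | KI_MIC | KI_SECURE, 2)),                                    # M4
    (AP, STA2, make_eapol_key(KI_PAIRWISE | KI_ACK, 1)),                                                # M1 only
    (AP, STA2, make_eapol_key(KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, 2, bytes(40))),   # M3 only
]

if __name__ == "__main__":
    print(*wireshark_key_entries("password", "IEEE"), sep="\n")
    print("decryptable sessions:", complete_handshakes(SAMPLE_FRAMES))
```

In practice this means the capture has to start before the client associates: if the phone or laptop is already connected when dumpcap starts, disconnect and reconnect it while the monitor interface is up, then filter on `eapol` in Wireshark and confirm all four messages are there for that client before worrying about the key.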
