When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I’m going to try write some of them up. This is the first one on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen on learn further techniques or advancing your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, I’ll be teaching at BlackHat Las Vegas soon.
When hackers find a WPA/2 network using a pre-shared key, the first thing they try and do most times, is to capture enough of the 4-way handshake to attempt to brute force the pairwise master key (PMK, or just the pre-shared key PSK). But, this often takes a very long time. If you employ other routes to find the key (say a client-side compromise) that can still take some time. Once you have the key, you can of course associate to the network and perform your layer 2 hackery. However, if you had been capturing traffic from the beginning, you would now be in a position to decrypt that traffic for analysis, rather than having to waste time by only starting your capture now. You can use the airdecap-ng tool from the aircrack-ng suite to do this:
airdecap-ng -b <BSSID of target network> -e <ESSID of target network> -p <WPA passphrase> <input pcap file>
However, because the WPA 4-way handshake generates a unique temporary key (pairwise temporal key PTK) every time a station associates, you need to have captured the two bits of random data shared between the station and the AP (the authenticator nonce and supplicant nonce) for that handshake to be able to initialise your crypto with the same data. What this means, is that if you didn’t capture a handshake for the start of a WPA/2 session, then you won’t be able to decrypt the traffic, even if you have the key.
So, the trick is to de-auth all users from the AP and start capturing right at the beginning. This can be done quite simply using aireplay-ng:
aireplay-ng --deauth=5 -e <ESSID>
Although, broadcast de-auth’s aren’t always as successful as a targeted one, where you spoof a directed deauth packet claiming to come from the AP and targeting a specific station. I often use airodump-ng to dump a list of associated stations to a csv file (with –output-format csv), then use some grep/cut-fu to excise their MAC addresses. I then pass that to aireplay-ng with:
cat <list of associated station MACs>.txt | xargs -n1 -I% aireplay-ng --deauth=5 -e <ESSID> -c % mon0
This tends to work a bit better, as I’ve seen some devices which appear to ignore a broadcast de-auth. This will make sure you capture the handshake so airdecap can decrypt the traffic you capture. Any further legitimate disconnects and re-auths will be captured by you, so you shouldn’t need to run the de-auth again.
In summary:
- Don’t forget how useful examining traffic can be, and don’t discount that as an option just because it’s WPA/2
- Start capturing as soon as you get near the network, to maximise how much traffic you’ll have to examine
- De-auth all connected clients to make sure you capture their handshakes for decryption
Once again, I’ll be teaching a course covering this and other techniques at BlackHat Las Vegas, please check it out or recommend it to others if you think it’s worthwhile. We’re also running a curriculum of other courses at BH, including a brand new mobile hacking course.