Wireshark-bugs: [Wireshark-bugs] [Bug 9313] New: Decrypting WLAN packets when capture has multip

Date: Mon, 21 Oct 2013 15:10:23 +0000
Bug ID 9313
Summary Decrypting WLAN packets when capture has multiple EAPOL Key changes
Classification Unclassified
Product Wireshark
Version 1.10.2
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Created attachment 11848 [details]
EAP key change

Build Information:
Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with
PortAudio V19-devel (built Sep 10 2013), with AirPcap.
--
During a WLAN capture, the EAP keys between the Station and AP change due to an
attack. After the keys are modified, decryption no longer occurs on subsequent
packets. The WLAN packets are encrypted using WPA/WPA2-PSK

Is it possible for Wireshark to determine that the EAP keys have changed and
decrypt the subsequent packets using the new keys?

Please see attachment.  To decrypt a portion of the file, please do the
following:
1) Open file in Wireshark and go to Edit/Preferences
2) On left panel, expand Protocols and go to IEEE 802.11
3) Check mark "Enable Decryption"
4) Click on "Edit" nect to Decryption Keys
5) On new window, click on NEW
6) Key type = wpa-pwd
7) Key = 12345678:Pcache

This should decrypt packets #1 to #309
At packet #306 you should see a new EAPOL exchange.  After packet #309, the
data is encrypted again and you cannot view.


You are receiving this mail because:
  • You are watching all bug changes.