
Wireshark-bugs: [Wireshark-bugs] [Bug 9313] New: Decrypting WLAN packets when capture has multip

Date: Mon, 21 Oct 2013 15:10:23 +0000
Bug ID 9313
Summary Decrypting WLAN packets when capture has multiple EAPOL Key changes
Classification Unclassified
Product Wireshark
Version 1.10.2
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Created attachment 11848 [details]
EAP key change

Build Information:
Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with
PortAudio V19-devel (built Sep 10 2013), with AirPcap.
--
During a WLAN capture, the EAP keys between the Station and AP change due to an
attack. After the keys are modified, decryption no longer occurs on subsequent
packets. The WLAN packets are encrypted using WPA/WPA2-PSK.

Is it possible for Wireshark to determine that the EAP keys have changed and
decrypt the subsequent packets using the new keys?

Please see attachment.  To decrypt a portion of the file, please do the
following:
1) Open file in Wireshark and go to Edit/Preferences
2) On left panel, expand Protocols and go to IEEE 802.11
3) Check mark "Enable Decryption"
4) Click on "Edit" next to Decryption Keys
5) On new window, click on NEW
6) Key type = wpa-pwd
7) Key = 12345678:Pcache

This should decrypt packets #1 to #309.
At packet #306 you should see a new EAPOL exchange.  After packet #309, the
data is encrypted again and cannot be viewed.
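The behaviour described in this report follows from how WPA/WPA2-PSK keys are derived: the wpa-pwd entry gives Wireshark only the PMK (PBKDF2 of passphrase and SSID), while the per-session PTK that actually decrypts data frames comes from the nonces in each EAPOL 4-way handshake. A second handshake with fresh nonces therefore yields a different TK, and a decryptor that keeps the PTK from the first handshake can no longer decrypt frames protected by the second. The following Python is an added example, not Wireshark code; it implements the IEEE 802.11i PBKDF2 and PRF-384 derivations, checks the PMK against the standard's published test vector ("password"/"IEEE"), and uses constructed MAC addresses and nonces (hypothetical, not taken from the attached capture) to show two handshakes producing different temporal keys from the same PMK.

```python
import hashlib
import hmac

# PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output.
# This is what Wireshark computes from a "wpa-pwd" key of the form passphrase:SSID.
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
# for counter = 0, 1, ... until the requested number of bytes is produced.
def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


# PTK from the 4-way handshake inputs. For CCMP the PTK is 384 bits:
# KCK (EAPOL MIC key) || KEK (GTK wrapping key) || TK (data-frame key).
def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample values (hypothetical; not from the bug's attachment).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
HANDSHAKE_1 = {"anonce": bytes(range(32)), "snonce": bytes(range(32, 64))}
HANDSHAKE_2 = {"anonce": bytes(range(64, 96)), "snonce": bytes(range(96, 128))}


# Model the report: same passphrase/SSID, one session, two EAPOL exchanges.
# Returns both temporal keys so a caller can see that a decryptor holding
# only tk_first cannot decrypt frames protected after the second handshake.
def simulate_rekey(passphrase: str, ssid: str) -> dict:
    pmk = derive_pmk(passphrase, ssid)
    first = derive_ptk(pmk, AP_MAC, STA_MAC, **HANDSHAKE_1)
    second = derive_ptk(pmk, AP_MAC, STA_MAC, **HANDSHAKE_2)
    return {
        "pmk": pmk,
        "tk_first": first["tk"],
        "tk_second": second["tk"],
        "tk_changed": first["tk"] != second["tk"],
    }


if __name__ == "__main__":
    r = simulate_rekey("12345678", "Pcache")  # the wpa-pwd value from the report
    print("PMK        :", r["pmk"].hex())
    print("TK (1st)   :", r["tk_first"].hex())
    print("TK (2nd)   :", r["tk_second"].hex())
    print("TK changed :", r["tk_changed"])
```

The PMK stays constant across the rekey, so the passphrase entry in Wireshark is still correct after packet #309; what a decryptor has to do is notice the new EAPOL-Key messages, pick up the new ANonce/SNonce pair, and recompute the PTK rather than continuing with the one derived from the first exchange.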

