如何解密802.11无线报文

Adding Keys: 802.11 Preferences
Go to Edit->Preferences->IEEE 802.11. You should see a window that looks like this:

141900_1rQE_1432594.png
Note that the key examples mention WPA, and that each key item is labeled "Key". If your preferences
window doesn't mention WPA, like this:

141923_UGYw_1432594.png

    then your version of Wireshark only supports WEP decryption. This might be the case with older versions of Wireshark, particularly the 64-bit Windows version.
    In all versions WEP keys can be specified as a string of hexadecimal numbers, with or without colons:

a1:b2:c3:d4:e5
0102030405060708090a0b0c0d

    In versions that support WPA decryption you should use a prefix to tell Wireshark what kind of key you're using:
    wep The key is parsed as a WEP key.

wep:a1:b2:c3:d4:e5


    wpa-pwd The password and SSID are used to create a raw pre-shared key.

wpa-pwd:MyPassword:MySSID


    wpa-psk The key is parsed as a raw pre-shared key.

wpa-psk:0102030405060708091011...6061626364 

Adding Keys: Wireless Toolbar
    If you are using the Windows version of Wireshark and you have an AirPcap adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting View->Wireless Toolbar. Click on the Decryption Keys... button on the toolbar:

142227_snPP_1432594.png

    This will open the decryption key managment window. As shown in the window you can select between three decryption modes: None, Wireshark, and Driver:

142242_LLle_1432594.png

    Selecting None disables decryption. Selecting Wireshark uses Wireshark's built-in decryption features. Driver will pass the keys on to the AirPcap adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys.

Gotchas
Along with decryption keys there are other preference settings that affect decryption.

        Make sure Enable decryption is selected.
       You may have to toggle Assume Packets Have FCS and Ignore the Protection bit depending          on how your 802.11 driver delivers frames.
The WPA passphrase and SSID preferences let you encode non-printable or otherwise troublesome characters using URI-style percent escapes, e.g. %20 for a space. As a result you have to escape the percent characters themselves using %25.


WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four
handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to
decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

WPA and WPA2 use individual keys for each device. Older versions of Wireshark may only be able to use the most recently calculated session key to decrypt all packets. Therefore, when several devices have attached to the network while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only packets of the last device that activated ciphering are properly deciphered.

Wildcard SSIDs
    The "password" key preference has the form wpa-pwd:password:ssid. You can optionally omit the SSID, and Wireshark will try to decrypt packets using the last-seen SSID. This may not work on busy networks, since the last-seen SSID may not be correct. For the key "Induction" and SSID "Coherer", the following key preferences are equivalent:

wpa-pwd:Induction
wpa-pwd:Induction:Coherer

 

转载于:https://my.oschina.net/665544/blog/1623388

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值