Project 11x: WPA Decryption (Up to 20 pts. extra credit)

What you need


To understand the way WPA-PSK networks isolate users from one another, and defeat that protection.

If you go to a wireless network and capture frames in Monitor mode, you see traffic from other users, but you can't decrypt it because each user has a different encryption key.

However, the process of assigning that key uses a four-way EAPOL handshake, which can be captured. If you capture the EAPOL packets, Wireshark can determine that user's key and decrypt the traffic.

Installing Wireshark

If you don't already have Wireshark, get it here:

Task 1: Analyzing an Existing Packet Capture File (10 pts.)

Downloading the PCAP File

Right-click the link below and save the file somewhere you can find it, such as your desktop:


If that link doesn't work, use this alternate download link:

Viewing the EAPOL Handshake

Double-click the wpa-Induction.pcap file. It opens in Wireshark.

Scroll down to find the four frames with a Protocol of "EAPOL", as shown below. Here an Apple device is joining a Cisco wireless network, and the four EAPOL packets are used to negotiate a private key for that user.

Viewing Encrypted Traffic

Scroll down to frame 99. Wireshark is unable to decrypt the contents of this frame--all it can say is that it contains "Data", as shown below.

Entering the WPA Key

The precise steps vary, depending on which version of Wireshark you are using.

For Wireshark 2.0.0 on Mac OS X:

From the menu bar, click Wireshark, Preferences. In the left pane, expand Protocols. Scroll down and click "IEEE 802.11", as shown below.

In the "Decryption Keys" line, click the Edit... button.

Enter a key of type wpa-pwd, with the value Induction:Coherer, as shown below.

The key is "Induction" and the SSID of the network is "Coherer".

In the "WEP and WPA Decryption Keys" box, click the OK button.

In the "Wireshark Preferences" box, check the "Enable decryption" box. Click the OK button.

Frame 99 is now decrypted, revealing that it contains a DHCP packet, as shown below.

Saving the Screen Image

Make sure you can see the frame number of 99 and the Protocol of DHCP, as shown above.

Save a FULL DESKTOP image with the filename Proj 11xa from Your Name.

Task 2: Capturing Live Frames (10 pts.)

Using Monitor Mode

Most wireless interfaces only support Managed mode, which is used to join wireless networks as a client.

But to capture EAPOL frames, you must use Monitor mode. I know the MacBook Air and MacBook Pro can do it, and the Asus Eee machines in the closet in S214. The computers in S214 with wireless cards can also do it if you boot them using Kali Linux DVDs.

Unless you are very lucky, your personal laptop won't be able to do this.

Here are the steps I performed to do it on a MacBook.

Configuring Wireshark to Capture in Monitor Mode

From the Wireshark menu bar, click Capture, Options.

In the "en0" line, change "Link-Layer Header" to "Per-Packet Information", and change "Monitor Mode" to enabled, as shown below.

Join a Target Device to the Network

You need a WPA-protected network, such as "CCSF Wireless".

To make the project easier, we'll prepare the target machine to connect quickly.

Get another wireless device to use as the target. I used an iPad. Join it to the wireless network, and set it to automatically join. Then disable the wireless card.

Performing the Capture

Start Wireshark capturing frames. Then re-enable the network card on your target device.

Once the target connects, stop the Wireshark capture.

You should be able to see the four EAPOL frames, and a frames after that containing encrypted Data, as shown below.

Saving the Screen Image

Make sure you can see the Data in the frame, as shown above, and that the packet number is visible. My packet number was 708, but yours will be different.

Save a FULL DESKTOP image with the filename Proj 11xb from Your Name.

Adding the Network Key

In Wireshark Preferences, add the WPA encryption key, as shown below.

Now view the same frame in Wireshark. It should be decrypted, showing the higher-level protocol, a shown below.

Saving the Screen Image

Make sure you can see the same frame number, and that the higher-level protocol is visible now. It may be ARP, DHCP, or something else, but it should no longer be 802.11.

Save a FULL DESKTOP image with the filename Proj 11xc from Your Name.

Turning in Your Project

Email the images to with a Subject line of Proj 11x from Your Name.


How to Decrypt 802.11

WPA 4-way handshake

Posted 11:19 am 12-9-15 by Sam Bowne