Penetration Testing

Using Wireshark to Monitor WPA2 Protected Traffic

Many who are starting out with Wireshark think that just getting it running in ‘promiscuous’ mode on a WPA2 network is enough. Sadly, as opposed to open networks, there are a few more steps that need to be taken. This post will walk you through those additional steps.

First you should know that there are some caveats to this. While Wireshark does have decryption capabilities, you must capture the WPA2 handshake of any devices for which you wish to monitor traffic. Without that handshake, there’s no way to get anything else.

The second caveat is that you need to enter the WiFi password into Wireshark. This is what lets Wireshark make use of the handshake discussed above. After that, just a few more minor things and you’re home free!

Let’s get started. Put your wireless card into monitor mode with airmon:

sudo airmon-ng start wlan0

This should start monitoring on mon0.

Now you can fire up Wireshark. Click on the Edit Preferences button on the right side of the toolbar. It might look like this:

[Screenshot from 2014-03-18 20:13:18]

Then expand ‘Protocols’ on the left and scroll down to ‘IEEE 802.11.’ Click on that, and in the detail pane click ‘Edit Passwords,’ or something similar. In the new window, select ‘wpa-pwd’ and enter your password and network in like so:

[Screenshot from 2014-03-18 20:15:56]

where ‘SomePassword’ is the password for the network named after the colon (in this case, the network is ‘linksys’).

Now you should be ready to start monitoring the network. Start listening on the mon0 interface. Then turn on (or activate) the device you want to monitor. If the device is already on and authenticated, you may need to send the router a deauth packet so that the device authenticates again; you can send a deauth packet with aireplay-ng, which I encourage you to google.

In Wireshark, when you apply the ‘eapol’ filter it should show you 4 packets, which constitute the handshake. If that’s the case, you should be set to monitor all traffic from that device! If you’re just interested in HTTP traffic, you can then apply the ‘http’ filter by typing it into the bar and clicking apply.
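To make clear why both the password and the four EAPOL packets are needed, here is an added example (my own code, not from the original post) that redoes what Wireshark does with a ‘wpa-pwd’ entry: derive the PMK from passphrase and SSID, combine it with the MAC addresses and nonces that only the 4-way handshake carries to get the PTK, and check the handshake MIC. The PMK check uses the IEEE 802.11i Annex H test vector (passphrase ‘password’, SSID ‘IEEE’); the MAC addresses, nonces and EAPOL-Key frames are constructed for illustration. It also classifies EAPOL-Key frames into handshake messages 1 to 4 from their Key Information bits, which is the same check you do by eye when the ‘eapol’ filter shows 4 packets. Standard library only.

```python
"""Added example: what a wpa-pwd entry plus a captured 4-way handshake gives Wireshark.
Not code from the original post; all session values below are constructed."""
import hashlib
import hmac

# --- key derivation, as Wireshark performs it for a "wpa-pwd" entry (password:ssid) ---

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is all the password alone yields; it is the same for every client on the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n built from HMAC-SHA1, used for PTK expansion."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes for CCMP) from the PMK plus per-session values carried only by the
    handshake: AP MAC (aa), client MAC (spa), ANonce (msg 1) and SNonce (msg 2).
    No captured handshake means no nonces, so no PTK and nothing to decrypt with."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

# --- EAPOL-Key frame handling (802.1X header + key descriptor, no key data) ---

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC
MIC_LEN = 16

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the whole EAPOL
    frame with the MIC field zeroed. KCK is the first 16 bytes of the PTK.
    (Version 1, WPA/TKIP, uses HMAC-MD5; version 3 uses AES-CMAC; not handled here.)"""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """True when the frame's MIC matches the KCK; a wrong passphrase fails here."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes, kck: bytes = None) -> bytes:
    """Construct a minimal EAPOL-Key frame (descriptor type 2) and, if a KCK is given, fill in its MIC."""
    body = bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")   # type, key info, key length
    body += replay_counter.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
    body += bytes(MIC_LEN) + (0).to_bytes(2, "big")                             # MIC placeholder, key data len
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body                 # 802.1X v2, type 3 = EAPOL-Key
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]
    return frame

def eapol_message_number(key_info: int):
    """Which 4-way handshake message a frame is, from its Key Information bits
    (Install 0x40, Key Ack 0x80, Key MIC 0x100, Secure 0x200). None for anything else."""
    install, ack, mic, secure = key_info & 0x40, key_info & 0x80, key_info & 0x100, key_info & 0x200
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack and not secure:
        return 2
    if mic and not ack and secure:
        return 4
    return None

def handshake_complete(key_infos) -> bool:
    """The check behind 'the eapol filter should show 4 packets': all four messages present."""
    return {eapol_message_number(k) for k in key_infos} >= {1, 2, 3, 4}

if __name__ == "__main__":
    # Constructed session: MACs and nonces as they would be read from handshake messages 1 and 2.
    pmk = pmk_from_passphrase("SomePassword", "linksys")
    ptk = derive_ptk(pmk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                     bytes(range(32)), bytes(range(32, 64)))
    msg2 = build_eapol_key_frame(0x010A, 1, bytes(range(32, 64)), kck=ptk[:16])
    print("message 2 MIC valid:", verify_eapol_key_mic(ptk[:16], msg2))
    print("handshake complete:", handshake_complete([0x008A, 0x010A, 0x13CA, 0x030A]))
```

The expensive step is the PBKDF2 in `pmk_from_passphrase`, which is why Wireshark only does it once per ‘wpa-pwd’ entry; everything per client comes from the handshake, so a client that authenticated before you started capturing cannot be decrypted until it performs the handshake again.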

As always, only monitor networks for which you have permission to do so!
