
Thread: Wireshark capture problems

  1. #11
    Just burned his ISO | Join Date: Aug 2009 | Posts: 12

    Do you know what a "4-way handshake" is?

  2. #12
    Member | Join Date: Jan 2010 | Location: Helsinki, Finland | Posts: 235

    Quote, originally posted by jaapbaas:
    > Do you know what a "4-way handshake" is?

    I know that I need to get that when trying to solve the WLAN password, and I can do that to get it. I've done it, and been able to solve that password:
    airodump-ng --channel 6 --bssid 00:02:CF:7A:52:7E --write weak mon0
    aireplay-ng -0 1 -a 00:02:CF:7A:52:7E -c 00:24:2C:6B:C1:79 mon0

  3. #13
    Just burned his ISO | Join Date: Aug 2009 | Posts: 12

    That sentence doesn't make any sense. But I'll try.

    So if I understand you correctly, you've captured the 4-way handshake? (This means that there is something like "handshake captured +your AP's MAC", in the top right corner of your airodump screen.)

  4. #14
    Member | Join Date: Jan 2010 | Location: Helsinki, Finland | Posts: 235

    Quote, originally posted by jaapbaas:
    > That sentence doesn't make any sense. But I'll try.
    >
    > So if I understand you correctly, you've captured the 4-way handshake? (This means that there is something like "handshake captured +your AP's MAC", in the top right corner of your airodump screen.)

    Yes, I understand, and my last post was a bit confusing.

    If I use Wireshark, do I need to get that WPA handshake to decrypt that file? I thought that I need that handshake only when trying to solve the WLAN's password.

    YES, I did it. I was able to do that. I think that there was something wrong with that first capture. It didn't have a WPA handshake.

    ----------------------------------------
    Is it OK to use Wireshark and Kismet at the same time?

    My biggest problem when trying to use Wireshark to capture files is channel hopping. With Kismet, I have locked the channel to 6, so is Wireshark now capturing only from channel 6?

  5. #15

    > Is it OK to use Wireshark and Kismet at the same time?
    >
    > My biggest problem when trying to use Wireshark to capture files is channel hopping. With Kismet, I have locked the channel to 6, so is Wireshark now capturing only from channel 6?

    Yes you can use both at the same time. From your post, it appears that you are capturing with wireshark on a different interface than what kismet is using.

    You seem to have 2 separate issues (At least from what I can deduce from the thread).
    1. decrypting a known wpa-tkip session in wireshark
    2. capturing a wpa-tkip handshake

    For the first, as mentioned earlier, make sure you have the correct syntax and key in the IEEE802.11 preferences box for wireshark and that you have selected "enable decryption".

    For the 2nd, make sure the interface you are using in wireshark is locked to the same channel as the AP that you are trying to capture the traffic on. No channel hopping. Also, to help see when you capture the handshake, use the "eapol" filter in wireshark.

    Good Luck...

  6. #16
    Member | Join Date: Jan 2010 | Location: Helsinki, Finland | Posts: 235

    Quote, originally posted by cybrsnpr:
    > Yes you can use both at the same time. From your post, it appears that you are capturing with wireshark on a different interface than what kismet is using.
    >
    > You seem to have 2 separate issues (At least from what I can deduce from the thread).
    > 1. decrypting a known wpa-tkip session in wireshark
    > 2. capturing a wpa-tkip handshake
    >
    > For the first, as mentioned earlier, make sure you have the correct syntax and key in the IEEE802.11 preferences box for wireshark and that you have selected "enable decryption".
    >
    > For the 2nd, make sure the interface you are using in wireshark is locked to the same channel as the AP that you are trying to capture the traffic on. No channel hopping. Also, to help see when you capture the handshake, use the "eapol" filter in wireshark.
    >
    > Good Luck...

    Do I need to capture the handshake to be able to decrypt that capture?
    How do I lock the channel?
    I use Kismet and I have locked that to channel 6 (capture device wlan0), and in Wireshark I capture from wlan0?

    Actually I know how to capture a WPA handshake, I've done it a couple of times.

    I finally clicked that "enable decryption" box, ain -i password is there 2 times like this:
    wpa-pwd:PASSWORD:AP
    wpa-psk:that long generated key
    It didn't work.

  7. #17

    You do need to capture the 4 way handshake in order to decrypt the packets, even if you provided the WPA key. Here is the relevant wireshark wiki entry.

    Are you using kismet or kismet-newcore? I ask this because with newcore, it may create a VAP that actually does the capturing. That interface will be labeled something like "wlan0mon". If this is the case, then that would be the interface that is locked on the channel not wlan0.

    In the past, there have been bugs in various drivers and also occasionally kismet, where you "lock" to a channel, but it actually keeps hopping. You may want to double check that your interface is indeed locked to the single channel. I would use something like iwconfig or iw to lock the channel.

    To test, get everything set up, and then disconnect your victim host from the AP and reconnect. You should see the 4 way handshake. Make sure you filter on "eapol" in wireshark so you can see the packets come across.

    There are a bunch of other variables and possibilities and not sitting next to you makes it difficult to figure out all the possibilities. This is the best I can do based on what you have told me.

    So, good luck!

    Regards,

    cybrsnpr

  8. #18
    Member | Join Date: Jan 2010 | Location: Helsinki, Finland | Posts: 235

    Quote, originally posted by cybrsnpr:
    > Are you using kismet or kismet-newcore? I ask this because with newcore, it may create a VAP that actually does the capturing. That interface will be labeled something like "wlan0mon". If this is the case, then that would be the interface that is locked on the channel not wlan0.
    >
    > In the past, there have been bugs in various drivers and also occasionally kismet, where you "lock" to a channel, but it actually keeps hopping. You may want to double check that your interface is indeed locked to the single channel. I would use something like iwconfig or iw to lock the channel.

    I think that the channel is locked successfully, because only channel 6 collects packets.

    How can I know whether it is kismet or kismet-newcore? I use the one which comes with BT4 beta.

    It seems that I can't decrypt my captures using BT4, but because I'm using BT4 on VMware, I can copy those files to Windows 7 and airdecap those in Windows.

    I started again. First I run "airmon-ng stop wlan0", then "airmon-ng start wlan0", then "airodump-ng mon0 --channel 6 --w /tmp/filename".
    Then I open Kismet. It works.

  9. #19

    If you are already using airodump-ng you don't need to use kismet.

    If you are using BT4 Beta, and you haven't upgraded, you are probably using the older version of kismet.

    To check if the channel is locked, after you have started airodump-ng, run "iwconfig mon0" (or whatever interface you are sniffing on) a couple times. If the frequency output doesn't change, the channel is locked.

    If that is the case, then it is a question of capturing the 4 way handshake.

    Start up wireshark and then try moving your capture device (laptop or whatever you are using) farther and closer to your victim and/or AP. Run your deauth in a separate shell when you are doing this. Make sure you are filtering wireshark for only eapol packets and that you are collecting on the same interface in wireshark as you are using in airodump-ng. You should see at least 2 packets of the 4 way handshake. Keep changing distance until you get the complete 4 way handshake.

    Hope this helps.
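
Added example, not part of any post in this thread: a small Python check for which of the four handshake messages a capture actually contains, which is the usual reason decryption fails as discussed in posts #17 and #19. It assumes each frame has already been cut down to the bytes starting at the 802.1X (EAPOL) header; the function names and sample frames are constructed for illustration, and it does not verify that the messages belong to the same session or station.

```python
import struct

# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11i)
KEY_TYPE_PAIRWISE, KEY_ACK, KEY_MIC = 0x0008, 0x0080, 0x0100

def handshake_msg(eapol):
    """Return 1-4 for a pairwise EAPOL-Key frame, else None.
    `eapol` starts at the 802.1X header (after the 802.11 and LLC/SNAP headers)."""
    if len(eapol) < 99 or eapol[1] != 3:          # packet type 3 = EAPOL-Key
        return None
    (info,) = struct.unpack_from(">H", eapol, 5)  # Key Information field
    (data_len,) = struct.unpack_from(">H", eapol, 97)  # Key Data Length
    if not info & KEY_TYPE_PAIRWISE:              # group-key handshake frame
        return None
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    if ack:
        return 3 if mic else 1                    # frames sent by the AP
    if mic:
        # In WPA (TKIP) messages 2 and 4 can carry identical Key Information,
        # so tell them apart by Key Data: message 2 carries the station's IE.
        return 2 if data_len else 4
    return None

def missing_messages(frames):
    """List the handshake message numbers that never appear in `frames`."""
    seen = {handshake_msg(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]

def sample_frame(key_info, key_data=b""):
    """Constructed EAPOL-Key frame (WPA descriptor type 254); all other fields zeroed."""
    body = struct.pack(">BHH", 254, key_info, 32)
    body += bytes(8 + 32 + 16 + 8 + 8 + 16)       # replay ctr, nonce, IV, RSC, ID, MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body

# Constructed captures using typical WPA-TKIP Key Information values.
PARTIAL = [sample_frame(0x0089), sample_frame(0x0109, bytes(24))]
FULL = PARTIAL + [sample_frame(0x01C9, bytes(24)), sample_frame(0x0109)]

if __name__ == "__main__":
    print("partial capture is missing:", missing_messages(PARTIAL))
    print("full capture is missing:", missing_messages(FULL))
```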

  10. #20
    Member | Join Date: Jan 2010 | Location: Helsinki, Finland | Posts: 235

    I can decrypt capture files made by airodump-ng, using Windows and Wireshark.

    Airodump-ng stops working after one hour, Kismet keeps working, that's why I started using it. So why doesn't airodump-ng work?
