Decrypting WPA2-Enterprise (EAP-PEAP) in Wireshark


The network packets that I want to decrypt use a username and password to log in with EAP-PEAP. Not on a captive portal. Where would I put the username when decrypting network packets? I can get the handshakes.

Tags: wireshark, username, wpa2

asked 8 hours ago by Nicholas Ficara

1 Answer

Nowhere.

Capturing the PEAP handshake is useless, as the session key for EAP-TLS, EAP-PEAP, EAP-TTLS is derived from the TLS master secret, which is protected by the TLS handshake – it is the same as in HTTPS connections and provides the same level of security against monitoring.[1]

The TLS handshake has no relationship to the username or password, so knowing those does not help either.

(In rare cases it might be decryptable using the RADIUS server's certificate/key, but probably most TLS handshakes just use DH key exchange.)

So your only option is to obtain the key from the RADIUS server itself (e.g. activate verbose logging – the keys are delivered to the access point, and so can be found in MS-MPPE-*-Key attributes). Then you can add the keys as raw PSK.

"Raw" EAP-MSCHAPv2 (without EAP-TLS protection) keys are derived from the password hash and the 'NtResponse' found in the handshake. (But not the username.) You probably can calculate the resulting PSK using various Linux tools and add it to Wireshark (again as wpa-psk), but Wireshark itself isn't capable of doing this.

(Not that you should ever see WPA-Enterprise without EAP-TLS in the first place, but...)

[1] (As long as the client verifies the certificate. If it doesn't, it's vulnerable to active MITM attacks (rogue access points), but still not to passive interception.)

answered 7 hours ago by grawity
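
The key chain the answer above describes (TLS master secret, then MSK, then the MS-MPPE-*-Key attributes, then a raw `wpa-psk` entry), as an added example that is not part of the original post or of any RADIUS server's code. It follows the EAP-TLS definition in RFC 5216 and assumes a TLS 1.2 session whose PRF is SHA-256; the master secret and randoms are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

EAP_TLS_LABEL = b"client EAP encryption"  # exporter label from RFC 5216, section 2.3


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) built on P_SHA256."""
    seed = label + seed
    out, a = b"", seed  # A(0) = label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_eap_keys(master_secret: bytes, client_random: bytes,
                    server_random: bytes) -> dict:
    """Keys both TLS endpoints export once the EAP-TLS handshake completes.

    No username or password is an input: only values protected by, or
    exchanged in, the TLS handshake itself.
    """
    if len(master_secret) != 48:
        raise ValueError("TLS master secret must be 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms must be 32 bytes each")
    material = tls12_prf(master_secret, EAP_TLS_LABEL,
                         client_random + server_random, 128)
    msk = material[:64]
    return {
        "msk": msk,
        "emsk": material[64:],
        # The RADIUS server hands the MSK to the access point in two halves.
        "ms_mppe_recv_key": msk[:32],
        "ms_mppe_send_key": msk[32:],
        # IEEE 802.11 takes the first 32 bytes of the MSK as the PMK.
        "pmk": msk[:32],
    }


def wireshark_key_line(pmk: bytes) -> str:
    """Format a 32-byte PMK as a raw 'wpa-psk' decryption key entry."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 32 bytes")
    return '"wpa-psk","%s"' % pmk.hex()


# Constructed sample values, not taken from any real session.
SAMPLE_MASTER = bytes(range(48))
SAMPLE_CRANDOM = b"\x11" * 32
SAMPLE_SRANDOM = b"\x22" * 32

if __name__ == "__main__":
    keys = derive_eap_keys(SAMPLE_MASTER, SAMPLE_CRANDOM, SAMPLE_SRANDOM)
    print(wireshark_key_line(keys["pmk"]))
```

The two randoms are visible in a capture, but the 48-byte master secret exists only on the client and the RADIUS server, which is why the key has to come from the server side.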
