Can't decode WPA+AES (CCMP) data with Airdecap-ng #667

Closed
aircrack-ng opened this issue Mar 10, 2018 · 19 comments

@aircrack-ng (Owner) commented Mar 10, 2018

Reported by Antares on 4 Sep 2009 14:21 UTC

I have a problem with Airdecap-ng decoding WPA1+AES traffic...
Here's my setup:

Access Point
-------------
OS = DD-WRT v.24
MAC = 00:0F:66:45:**:**
SSID = Test
Encryption = WPA1-CCMP-PSK
Passphrase = reseautest
IP = 10.0.0.1

Sniffing
--------
OS = Backtrack 3 final
Card = Netgear WG511T pcmcia (Atheros AG5212/5213)
Aircrack-ng version = 1.0 rc1 aircrack-ng/aircrack-ng@7c6f729e6ea6cb99fc625832f12ccc12b271078b

Station
-------
OS = Backtrack 3 final
MAC = 06:15:AF:B6:**:**
Card = internal Eeepc 900 (Atheros AR5006EG, pci-E)
IP = 10.0.0.116

And here are my capture steps:

  • I connect to the network with the station (KDE network assistant): no problem
  • I go to the Google site to check connectivity --> all fine
  • on the sniffing machine, I launch Airodump:
airodump-ng -c 3 -d 00:0F:66:45:**:** -w capture ath0
  • on another terminal, I inject a deauth frame to get a handshake:
aireplay-ng -0 1 -a 00:0F:66:45:**:** -c 06:15:AF:B6:**:** ath0
  • I let Airodump run, and on the station I go back to Google: I still have access to the net
  • I shut Airodump down and I try to decode the capture file with Airdecap:
airdecap-ng -l -e Test -p reseautest capture-01.cap

When I do so, here's the output:

Total number of packets read           426
Total number of WEP data packets         0
Total number of WPA data packets        64
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         1

And the only packet decrypted is an "EAPOL Key" packet. Why doesn't Airdecap decode all my 64 WPA packets? I provide the key, and my .cap file contains a valid handshake.

When I do exactly the same with TKIP instead of CCMP, I get no trouble with Airdecap...

I can decode the .cap file with Wireshark, so I assume that it is correct.

Modified by misterx on 4 Sep 2009 14:21 UTC

@aircrack-ng aircrack-ng added this to the 1.0 milestone Mar 10, 2018

@aircrack-ng aircrack-ng modified the milestones: 1.0, 1.1 Mar 10, 2018

Modified by misterx on 4 Sep 2009 14:21 UTC

@aircrack-ng aircrack-ng modified the milestones: 1.1, 1.3 Mar 10, 2018

Comment by anonymous on 4 Sep 2009 14:21 UTC

Added ticket-667.patch, which seems to resolve the issue for me; it might need some cleaning up though. (Copied across some logic regarding QoS from the Wireshark code.)

Comment by Antares on 4 Sep 2009 14:21 UTC

Sounds nice ! :)

I applied the patch, and now airdecap-ng is able to decode 50 of the 64 packets actually present in the file, nice progress.

I don't have time now to investigate what the 14 rebel ones are, but thanks already to you, kmdm!

Cheers

Antares

Comment by marco puma on 4 Sep 2009 14:21 UTC

Hello, I have the same problem as Antares: I have the correct cap file with the 4-way handshake, but when I try to decrypt with airdecap-ng I get 0 WPA packets decrypted...
How can I add the patch? Where do I have to copy it? What do I have to write in the terminal to add the patch? Please help me... thanks

Comment by v jahandideh on 4 Sep 2009 14:21 UTC

I looked at the source code of crypto.c in the aircrack-ng suite.
The problem is that in CCMP decryption QoS packets were not considered.
I changed the source code and could successfully decrypt your file.
Copy this after line 1152 in crypto.c:

    /* QoS data frames carry a 2-byte QoS control field: skip it so z points at the CCMP header */
    if ( GET_SUBTYPE(h80211[0]) == IEEE80211_FC0_SUBTYPE_QOS ) {
        z += 2;
    }

Copy this after line 1172 in crypto.c:

    /* the AAD length grows by the same 2 bytes (plus 6 when an A4 address is present) */
    if ( GET_SUBTYPE(h80211[0]) == IEEE80211_FC0_SUBTYPE_QOS ) {
        AAD[1] = 22+2 + 6 * is_a4;
    }
i hope this help.
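
The header-offset problem described in the comment above, worked through as an added example (this is not code from the ticket, from either patch, or from aircrack-ng itself): a Go program that derives the CCMP AAD and nonce from an 802.11 data frame, runs AES-CCM over it, and decrypts the same QoS frame three ways. `qosIgnore` stands in for the pre-fix behaviour, where the 2-byte QoS control field is not skipped and the CCMP header and payload are therefore read from the wrong offset; `qosSkipOnly` stops at adjusting the offset and the AAD length, as the snippet above does, and leaves the QoS control bytes of the AAD and the nonce's priority octet at zero; `qosFull` does what IEEE 802.11 CCMP specifies, carrying the masked TID into both the AAD and the nonce. The frame is constructed here with TID 6 (a WMM voice priority, the kind of "WMM tag" traffic spikey reports further down the thread) and protected by the program's own CCM routine, so it demonstrates the parsing and AAD/nonce logic rather than validating against a real capture. The mode names, the key, the addresses and the payload are all made up, and A4 (WDS) frames, which the snippet handles through `is_a4`, are rejected rather than parsed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

type qosMode int // how the 2-byte QoS control field of a QoS data frame is treated (names made up for this example)
const (
	qosIgnore   qosMode = iota // pre-fix aircrack-ng: the field is not recognised at all
	qosSkipOnly                // header offset and AAD length adjusted, QC bytes and TID still treated as 0
	qosFull                    // IEEE 802.11 CCMP: masked QC in the AAD, TID in the nonce priority octet
)

// ccmpAADNonce parses a protected data MPDU into the CCM AAD, the 13-byte nonce and the payload offset just
// past the 8-byte CCMP header. The masks are the ones aircrack-ng's crypto.c applies; A4 (WDS) frames are rejected.
func ccmpAADNonce(f []byte, mode qosMode) (aad, nonce []byte, dataOff int, err error) {
	if len(f) < 24 || f[0]&0x0C != 0x08 || f[1]&0x03 == 0x03 {
		return nil, nil, 0, errors.New("not a data frame, or A4 present")
	}
	hlen, qos, tid := 24, f[0]&0x80 != 0 && mode != qosIgnore, byte(0)
	if qos {
		hlen += 2 // QoS data subtype: QoS control field present (qosIgnore leaves it inside the payload)
	}
	if len(f) < hlen+16 {
		return nil, nil, 0, errors.New("too short for CCMP header and MIC")
	}
	aad = append(aad, f[0]&0x8F, f[1]&0xC7) // FC: subtype bits 4-6, Retry, PwrMgt, MoreData masked
	aad = append(aad, f[4:22]...)            // A1, A2, A3
	aad = append(aad, f[22]&0x0F, 0)         // sequence control: fragment number only
	if qos {
		if mode == qosFull {
			tid = f[hlen-2] & 0x0F
		}
		aad = append(aad, tid, 0) // QC with everything except the TID masked
	}
	// Nonce: priority octet, A2, PN5..PN0; the CCMP header at f[hlen:] holds PN0 PN1 rsvd KeyID PN2 PN3 PN4 PN5.
	nonce = append(append([]byte{tid}, f[10:16]...), f[hlen+7], f[hlen+6], f[hlen+5], f[hlen+4], f[hlen+1], f[hlen])
	return aad, nonce, hlen + 8, nil
}

// ccm is AES-CCM as CCMP uses it (8-byte MIC, 2-byte length field): CTR mode over the payload and a
// CBC-MAC over B0 || len(aad) || aad || plaintext, the last two zero-padded to 16-byte blocks.
func ccm(tk, nonce, aad, in []byte, decrypt bool) (out, mic []byte, err error) {
	blk, err := aes.NewCipher(tk)
	if err != nil {
		return nil, nil, err
	}
	a0 := append(append([]byte{0x01}, nonce...), 0, 0) // counter block 0: flags (L-1) || nonce || 0x0000
	out = make([]byte, len(in))
	cipher.NewCTR(blk, append(a0[:15:15], 1)).XORKeyStream(out, in) // payload uses counter blocks 1, 2, ...
	pt := in                                                         // the MAC always covers the plaintext
	if decrypt {
		pt = out
	}
	pad := func(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }
	mac := append(append([]byte{0x59}, nonce...), byte(len(pt)>>8), byte(len(pt))) // B0; 0x59 = Adata | (M-2)/2<<3 | L-1
	mac = pad(append(append(mac, byte(len(aad)>>8), byte(len(aad))), aad...))
	mac = pad(append(mac, pt...))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(mac, mac) // T is the last CBC-MAC block
	blk.Encrypt(a0, a0)                                                  // S0
	for j := range a0[:8] {                                              // MIC = first 8 bytes of T xor S0
		a0[j] ^= mac[len(mac)-16+j]
	}
	return out, a0[:8], nil
}

// ccmpDecrypt verifies the MIC and returns the plaintext; a wrong payload offset, AAD or nonce all
// surface as a MIC mismatch, which airdecap-ng reports as a WPA packet it could not decrypt.
func ccmpDecrypt(tk, f []byte, mode qosMode) ([]byte, error) {
	aad, nonce, off, err := ccmpAADNonce(f, mode)
	if err != nil {
		return nil, err
	}
	if pt, mic, err := ccm(tk, nonce, aad, f[off:len(f)-8], true); err == nil && bytes.Equal(mic, f[len(f)-8:]) {
		return pt, nil
	}
	return nil, errors.New("CCMP MIC mismatch")
}

// protect runs the full QoS path over an unprotected frame (header, CCMP header, plaintext) and returns
// it with the plaintext replaced by ciphertext || MIC; it panics only on a malformed fixture.
func protect(tk, f []byte) []byte {
	aad, nonce, off, err := ccmpAADNonce(f, qosFull)
	if err != nil {
		panic(err)
	}
	ct, mic, err := ccm(tk, nonce, aad, f[off:], false)
	if err != nil {
		panic(err)
	}
	return append(append(f[:off:off], ct...), mic...)
}

// Constructed sample, not the ticket's capture: a QoS data frame to the AP (ToDS) with TID 6, the priority
// WMM gives voice traffic, under a made-up temporal key, PN 42, key ID 0, carrying an LLC/SNAP payload.
var (
	sampleTK    = []byte("constructed-tk16")
	samplePlain = []byte("\xaa\xaa\x03\x00\x00\x00\x08\x00constructed IP payload")
	sampleFrame = protect(sampleTK, append([]byte{0x88, 0x41, 0, 0, 2, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 2, // FC, dur, A1, A2
		2, 0, 0, 0, 0, 1, 0x10, 0, 6, 0, 42, 0, 0, 0x20, 0, 0, 0, 0}, samplePlain...)) // A3, seq ctl, QC (TID 6), CCMP hdr
)

func main() {
	for _, m := range []qosMode{qosIgnore, qosSkipOnly, qosFull} {
		pt, err := ccmpDecrypt(sampleTK, sampleFrame, m)
		fmt.Printf("mode %d: plaintext=%q err=%v\n", m, pt, err)
	}
}
```

Run it with `go run`: only `qosFull` recovers the plaintext, the other two modes fail the MIC check. A frame without the QoS control field decrypts identically in all three modes, so a capture with no QoS traffic never shows the problem, and a fix that only shifts the offset and AAD length works for TID 0 but not for a frame whose TID is non-zero. The CTR and CBC-MAC primitives come from Go's crypto/cipher; the only CCM-specific parts are the B0 and counter-block layouts and the two-byte length prefixes.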

Comment by misterx on 4 Sep 2009 14:21 UTC

Do you have a capture file I can test on?

Comment by caseymdk on 4 Sep 2009 14:21 UTC

I can confirm that the patch works. Airdecap wouldn't decrypt any packets captured over my WPA2-AES encrypted wireless network; Wireshark, however, would. I applied the patch, recompiled, used the exact same capture file and airdecap parameters, and it decrypted just fine. I can also confirm that the code v.jahandideh posted works as well; that version decrypts the same number of packets as the patch. Tested on BT5 R1 with aircrack-ng v1.1.

Comment by misterx on 4 Sep 2009 14:21 UTC

#858 looks similar.

Comment by misterx on 4 Sep 2009 14:21 UTC

Fixed by 52a8d79

@aircrack-ng aircrack-ng modified the milestones: 1.3, 1.2 Mar 10, 2018

@aircrack-ng aircrack-ng added @major and removed @minor labels Mar 10, 2018

Comment by anonymous on 4 Sep 2009 14:21 UTC

Did this go into a version rather than a patch?

Comment by spikey on 4 Sep 2009 14:21 UTC

Hi,

I'm using a wireless network with WPA2 and CCMP encryption and WMM enabled, on an 802.11n network.
I tested both patches and this is my result:

decode_ccmp_ticket667.diff <- This patch doesn't decrypt the network traffic with the WMM tag
ticket-667.patch <- This patch works and decrypts the network traffic with the WMM tag instead

Please update the source code in crypto.c.

Comment by misterx on 4 Sep 2009 14:21 UTC

Would you have a small capture file I can test it on?

Comment by misterx on 4 Sep 2009 14:21 UTC

Fixed for WMM networks in 746e4b2.

Comment by spikey on 4 Sep 2009 14:21 UTC

Thank you.

Comment by anonymous on 4 Sep 2009 14:21 UTC

Replying to spikey:

Hi,

I'm using a wireless network with WPA2 and CCMP encryption and WMM enabled, on an 802.11n network.
I tested both patches and this is my result:

decode_ccmp_ticket667.diff <- This patch doesn't decrypt the network traffic with the WMM tag
ticket-667.patch <- This patch works and decrypts the network traffic with the WMM tag instead

Please update the source code in crypto.c.

Modified by anonymous on 4 Sep 2009 14:21 UTC

@aircrack-ng aircrack-ng reopened this Mar 10, 2018

Comment by misterx on 4 Sep 2009 14:21 UTC

There is no such patch attached to the ticket. I'm closing this ticket. If you have the patch, please attach it to this ticket and reopen the issue.

Or provide a pcap (and password) that fails decrypting without the patch.

Modified by misterx on 4 Sep 2009 14:21 UTC
