Full Report
When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I'm going to try to write some of them up. This is the first one, on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen to learn further techniques or advance your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, which I'll be teaching at BlackHat Las Vegas soon.
Analysis Summary
# Tool/Technique: WPA/2 PSK Traffic Decryption Techniques
## Overview
This summary covers the technique the author describes for wireless assessments: capturing 802.11 traffic on a WPA/WPA2 Pre-Shared Key (PSK) network and decrypting it with a known key. Knowing the PSK is not enough on its own. Each client session is protected by a Pairwise Transient Key (PTK) derived from the PMK, the two MAC addresses and the two nonces exchanged in the 4-way handshake, so post-capture decryption requires capturing that handshake. Traffic from a session whose handshake was missed can only be decrypted after the client is forced to re-authenticate and a fresh handshake is captured.
## Technical Details
- Type: Technique / Toolset Usage
- Platform: Wireless Networks (802.11 environments)
- Capabilities: Capturing 4-way handshakes, forcing re-authentication events, decrypting captured WPA/2 traffic using Aircrack-ng suite components.
- First Seen: The write-up dates from around May 2013; the handshake-capture and decryption techniques, and the Aircrack-ng tools that implement them, predate it.
## MITRE ATT&CK Mapping
- T1040 - Network Sniffing (capturing 802.11 frames, including the 4-way handshake, from a monitor-mode interface)
- T1110.002 - Brute Force: Password Cracking (offline recovery of the PSK from a captured handshake, where the key is not already known)
*Note: The de-authentication step has no precise ATT&CK technique of its own; it is a wireless-specific denial of service used only to force a fresh handshake. Once traffic is decrypted, any follow-on activity maps to the usual discovery, lateral movement or exfiltration techniques.*
## Functionality
### Core Capabilities
- **Traffic Capture:** Utilizing tools to capture 802.11 traffic, specifically looking for the WPA/2 4-way handshake required for decryption.
- **Traffic Decryption:** Using `airdecap-ng` to decrypt captured traffic once the PSK and the correct handshake (including supplicant and authenticator nonces) are available.
### Advanced Features
- **Forced Re-authentication:** Employing de-authentication attacks (`aireplay-ng`) against connected clients to force them to re-authenticate with the Access Point (AP), ensuring the analyst captures the necessary 4-way handshake data for a new session key (PTK).
- **Targeted De-authentication:** Moving beyond broadcast de-auths by identifying MAC addresses of connected stations (via `airodump-ng` output) and sending targeted de-authentication packets to specific clients, increasing the success rate of capturing the required handshake.
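To make the prerequisite concrete, the following is an added example (written for this summary, not code from the original article or from the Aircrack-ng project) of the key derivation `airdecap-ng` has to perform before it can decrypt anything: PMK from passphrase and SSID, PTK from PMK plus both MAC addresses and both nonces, and the EAPOL-Key MIC check that confirms a PSK is correct. The MAC addresses, nonces and EAPOL message 2 are constructed inline and are not from a real capture; the one external value is the IEEE 802.11 test vector for passphrase `password` / SSID `IEEE`. Decrypting the data frames themselves additionally needs AES-CCM with the TK, which is left to the tool.

```python
"""
Added example: the key derivation airdecap-ng performs once it has the PSK
and a captured 4-way handshake. Python standard library only.

  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
  KCK = PTK[0:16]    signs the EAPOL-Key MICs (what is checked below)
  KEK = PTK[16:32]   wraps the GTK delivered in message 3
  TK  = PTK[32:48]   the CCMP key that decrypts the data frames
"""
import hashlib
import hmac
import struct

# Byte offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8)
MIC_OFFSET = 81
KEY_INFO_M2 = 0x010A  # descriptor version 2 (HMAC-SHA1-128) | pairwise | MIC present


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: the 256-bit PMK is a slow hash of passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 >= 64
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Both sides compute the same PTK; the MAC addresses and nonces are all sent in clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """MIC over the whole EAPOL frame with the MIC field zeroed. Descriptor version 1
    (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    version = struct.unpack(">H", eapol_frame[5:7])[0] & 0x0007
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("descriptor version 3 (AES-128-CMAC, 802.11w/SHA-256 AKMs) not handled here")


def build_eapol_m2(snonce, replay_counter, key_data, mic=b"\x00" * 16):
    """Message 2 of the 4-way handshake (supplicant -> authenticator): SNonce plus the RSN IE."""
    body = (struct.pack(">BHH", 2, KEY_INFO_M2, 0)          # RSN descriptor, key info, key length
            + struct.pack(">Q", replay_counter)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body        # EAPOL v2, type 3 = EAPOL-Key


def verify_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2):
    """The check aircrack-ng/airdecap-ng make: does this PSK reproduce the captured MIC?"""
    ptk = derive_ptk(pmk_from_psk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    expected = eapol_mic(ptk[:16], eapol_m2)
    return hmac.compare_digest(expected, eapol_m2[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed sample session (not a real capture): addresses and nonces are arbitrary.
SSID, PASSPHRASE = "IEEE", "password"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP pairwise/group, PSK AKM


def sample_m2(passphrase=PASSPHRASE):
    """What the supplicant would send: message 2 signed with the KCK for the given passphrase."""
    ptk = derive_ptk(pmk_from_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    unsigned = build_eapol_m2(SNONCE, 1, RSN_IE)
    mic = eapol_mic(ptk[:16], unsigned)
    return unsigned[:MIC_OFFSET] + mic + unsigned[MIC_OFFSET + 16:]


if __name__ == "__main__":
    m2 = sample_m2()
    # IEEE 802.11 test vector: f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print("PMK:", pmk_from_psk(PASSPHRASE, SSID).hex())
    print("MIC verifies with correct PSK:", verify_handshake(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, m2))
    print("MIC verifies with wrong PSK:  ", verify_handshake("passw0rd", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, m2))
```

The same `verify_handshake` loop over a wordlist is all an offline PSK crack is, which is why the expensive step is the 4096-iteration PBKDF2 and why the handshake (not the data traffic) is the thing worth capturing. Note that PMF/WPA3 sessions use descriptor version 3 and a SHA-256 based KDF, which this example deliberately rejects rather than mis-verifying.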
## Indicators of Compromise
This section primarily relates to the tools used by the analyst, not typical malware artifacts.
- File Hashes: N/A (Tool usage)
- File Names: `airdecap-ng`, `aireplay-ng`, `airodump-ng`
- Registry Keys: N/A
- Network Indicators: Over the air, bursts of 802.11 de-authentication or disassociation frames carrying the AP's BSSID as source address, aimed at one client or at the broadcast address. Passive capture itself transmits nothing and leaves no indicator.
- Behavioral Indicators: A client re-running the 4-way handshake immediately after such a burst; on the analyst host, a wireless interface placed into monitor mode and frame injection.
## Associated Threat Actors
No specific actor is attributed. The Aircrack-ng suite is used by penetration testers and by any attacker within radio range of the target network, so the technique is better treated as a generic capability than as an actor signature.
## Detection Methods
Since the activity involves legitimate wireless auditing tools (`aircrack-ng` suite), detection relies heavily on behavioral analysis rather than simple signature matching for file executables.
- Signature-based detection: Can detect known binaries of the Aircrack-ng suite if present on a system.
- Behavioral detection: On the host, monitoring for wireless interface manipulation (monitor mode, frame injection). On the air, a wireless IDS flagging bursts of de-authentication frames directed at one client or at the broadcast address, spoofed from the AP's own BSSID; a single de-authentication is normal (roaming, idle timeout), a burst is not.
- YARA rules: N/A
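The behavioral rule above, as an added example written for this summary (not code from the original article or from any WIDS product): a minimal detector that parses raw 802.11 management frames, ignores everything except de-authentication and disassociation, and alerts when one (BSSID, target) pair sees a burst within a short window. The frames are constructed inline to stand in for a capture; the reason codes and the frame layout are from the 802.11 standard, the thresholds are assumptions.

```python
"""
Added example: a minimal detector for the de-authentication bursts that
aireplay-ng style attacks produce, run over constructed 802.11 frames.
Standard library only; frames are built inline rather than read from a capture.
"""
import struct
from collections import defaultdict, deque

BROADCAST = b"\xff" * 6
FC_DEAUTH = 0xC0    # frame control byte 0: type 00 (management), subtype 1100 (12)
FC_DISASSOC = 0xA0  # subtype 1010 (10)
FC_DATA = 0x08      # type 10 (data), subtype 0000


def build_mgmt_frame(fc0, dst, src, bssid, reason=None, seq=0):
    """24-byte 802.11 header (FC, duration, addr1-3, seq ctrl) plus an optional 2-byte reason code."""
    hdr = bytes([fc0, 0x00]) + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", seq << 4)
    return hdr if reason is None else hdr + struct.pack("<H", reason)


def parse_deauth(frame):
    """Return the addresses and reason code of a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (10, 12):
        return None
    return {
        "target": frame[4:10], "source": frame[10:16], "bssid": frame[16:22],
        "reason": struct.unpack("<H", frame[24:26])[0],
        "subtype": "deauth" if subtype == 12 else "disassoc",
    }


class DeauthDetector:
    """Alert when one (BSSID, target) pair sees >= threshold deauth/disassoc frames within window_s.
    A single deauth is normal (client roams, AP idle timeout); a burst at one client is the signature
    of a targeted handshake-capture attack, a burst at ff:ff:ff:ff:ff:ff of a broadcast one."""

    def __init__(self, window_s=2.0, threshold=5):  # assumed thresholds, tune per environment
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)   # (bssid, target) -> recent timestamps
        self.alerted = set()

    def observe(self, ts, frame):
        p = parse_deauth(frame)
        if p is None:
            return None
        key = (p["bssid"], p["target"])
        q = self.seen[key]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold or key in self.alerted:
            return None
        self.alerted.add(key)   # one alert per pair; a real WIDS would re-arm after quiet time
        return {
            "ts": ts,
            "kind": "broadcast_deauth" if p["target"] == BROADCAST else "targeted_deauth",
            "bssid": p["bssid"].hex(":"), "target": p["target"].hex(":"),
            "count": len(q), "reason": p["reason"],
        }


def run_detector(events, **kw):
    det = DeauthDetector(**kw)
    return [a for a in (det.observe(ts, f) for ts, f in events) if a]


# Constructed traffic (not a real capture). The source address is the AP's because that is what
# an injected deauth spoofs, so the source MAC cannot be used to tell injected frames apart.
AP = bytes.fromhex("001122334455")
CLIENT1 = bytes.fromhex("66778899aabb")
CLIENT2 = bytes.fromhex("ccddeeff0011")


def sample_events():
    ev = []
    # 8 deauths at CLIENT1 in 1.4 s: targeted attack; reason 7 = class 3 frame from non-associated STA
    ev += [(i * 0.2, build_mgmt_frame(FC_DEAUTH, CLIENT1, AP, AP, reason=7, seq=i)) for i in range(8)]
    # one disassociation of CLIENT2 (reason 4 = inactivity): benign, stays below threshold
    ev.append((5.0, build_mgmt_frame(FC_DISASSOC, CLIENT2, AP, AP, reason=4)))
    # an ordinary data frame: ignored by the parser
    ev.append((6.0, build_mgmt_frame(FC_DATA, CLIENT2, AP, AP)))
    # 6 broadcast deauths in 1 s: what aireplay-ng -0 sends when no client (-c) is specified
    ev += [(10.0 + i * 0.2, build_mgmt_frame(FC_DEAUTH, BROADCAST, AP, AP, reason=7, seq=i)) for i in range(6)]
    return ev


if __name__ == "__main__":
    for alert in run_detector(sample_events()):
        print(alert)
```

Two alerts come out of the sample: a targeted burst at CLIENT1 and a broadcast burst, while the lone disassociation and the data frame are ignored. With 802.11w (Protected Management Frames) enabled, the same spoofed frames fail the MIC check at the client and the burst is a pure denial-of-service attempt rather than a handshake-capture opportunity.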
## Mitigation Strategies
The techniques described are offensive assessment techniques; the countermeasures below raise the cost of each step (capturing a handshake, cracking the key, decrypting sessions).
- Prevention measures: Use WPA3-Personal (SAE) or WPA2/WPA3 Enterprise (802.1X/EAP) instead of WPA2 PSK. With Enterprise, each client gets its own PMK from the EAP exchange, so no shared passphrase exists to crack offline and one captured handshake says nothing about other clients' sessions; clients must validate the RADIUS server certificate to stop rogue-AP credential harvesting. SAE still uses a passphrase but derives the PMK through an authenticated key exchange, so a captured handshake cannot be brute-forced offline. Where PSK must remain, only a long random passphrase protects against the offline dictionary attack on the captured handshake.
- Hardening recommendations: Enable 802.11w Protected Management Frames (PMF), which authenticates de-authentication and disassociation frames so spoofed ones are discarded by the client (mandatory in WPA3). Monitor with a wireless IDS for bursts of de-authentication frames per client or to the broadcast address. Note that simply re-associating clients faster after a de-authentication does not help; the re-association is exactly the handshake the attacker is waiting for.
## Related Tools/Techniques
- Aircrack-ng: The suite containing the core tools used (`aireplay-ng`, `airodump-ng`, `airdecap-ng`).
- Rogue Access Points: The topic of the author's next article; a rogue AP advertising the target SSID gets clients to associate with attacker hardware instead of waiting to observe a legitimate session.
- Brute-forcing the PSK: Decryption requires the PSK, which in an assessment is usually supplied and otherwise must be recovered by offline cracking (e.g. `aircrack-ng`) of the same captured 4-way handshake; the handshake capture therefore serves both activities.