
Sniffing as client mode (WPA2 encrypted wireless)


Breakers


Hello,

I have an MK5 and I want to know how it is possible to sniff packets from an encrypted wireless network. I have the password and I'm connected to it (wlan1).

I tried setting promiscuous mode and monitor mode on wlan1, or via airmon-ng (mon0), but ettercap and tcpdump don't catch any packets from other computers on this network.

What is wrong?

PS: I don't want to use any MITM attack, only passive mode as a connected client.

Best Regards


If its not yours, why are you on it?

Anyway... probably AP isolation mode, actually working as intended, is enabled, or all the clients are wired, in which case monitor mode is not going to see anything, and all you should see is normal broadcast and multicast data, SMB advertisements and ARP data in a Wireshark capture of traffic if you are associated and logged onto the AP. If it is yours, you should have an understanding of the topology, and of whether there actually are clients on the AP, which may be none. airodump should show connected clients on the AP, if any, and probes from devices looking for the AP, which should connect to you if you're using the pineapple and have a closer or stronger signal than their AP (if not in client mode). However, if encrypted, they may only talk to their AP and not dumb down to unencrypted if they are saved for, say, a WPA2 Enterprise network and not expecting an open access point, since their saved settings would try to authenticate to their home/corporate router (in theory). If you want to test whether anything is on there, don't use client mode to connect to their AP; instead impersonate their AP and see what comes to you.

The whole point of the pineapple is to make clients connect to you, though, and impersonate other access points that people's devices probe for, after which you can do whatever you want/need to see the traffic natively on your side with capture tools like Wireshark, etc., to read the packets once data is flowing through you. If the users also use a VPN on top of their regular network, you shouldn't be able to really see anything other than encrypted traffic, but should at a minimum see encrypted traffic going back and forth. The pineapple should see all traffic of whatever is running across it, so long as you feed nodes access to the internet and have tcpdump or other capture tools running.

Ettercap, by the way, IS for MITM attacks, which, if you're trying to use it to see traffic and can't, probably isn't set up properly and isn't working as intended. If you don't want to MITM, don't use ettercap. If you want to use ettercap to MITM but can't read anything, you can also use it for DNS poisoning and force requests to go through you, which also helps intercept traffic requests, but that's probably not needed if you have everyone connecting through you already via the pineapple. It's not the same as an ARP MITM attack, but it can still force traffic requests to speak to you for DNS, for which you can do redirects, intercepts, etc. via the built-in infusions. It can also help with SSL Strip to read HTTPS traffic, but it is not going to help work around VPNs (or shouldn't be able to, since VPNs can have their own DNS fallback server set up via DHCP from the VPN service, which will only allow you to see the encrypted data, but not read what's in it).

Edited by digip

Sorry for the thread hijacking, but if there is a WPA2 AP for which you have the PSK, could you simply put your card in monitor mode, pluck any traffic passively from the air and then at least decrypt the client<->AP link using that, or is there some sort of additional session key exchanging magic going on here as well that would prevent you from doing this? From what I've read about the handshake, it should be possible...



It's my AP, yes, I'm using WPA2. I think the problem is with decrypting packets from my network. I read that only Wireshark has the option to decrypt WPA packets; is that the only way? I tried to install Wireshark from opkg but without success.


http://wiki.wireshark.org/HowToDecrypt802.11

You should be able to do this from any machine with a wireless card that is attached to the AP, so long as you provide the keys and the card you use supports the functions needed for the specific 802.11 traffic.

Note: read the gotchas section about new clients attaching to the network; keys will change since they each have their own handshake.

Edited by digip
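To make concrete what the linked Wireshark page and the "gotchas" note mean, here is an added Python example (not from the thread, and not Wireshark's or the Pineapple's code) that does the key derivation a passive sniffer must do for WPA2-PSK. The passphrase plus SSID gives the PMK, which is the same for every client; decrypting a given client's data frames needs that client's per-session PTK, which can only be derived from the ANonce and SNonce in its captured 4-way handshake. The MAC addresses, nonces and handshake frame below are constructed for the demo; the only real value is the passphrase "password" with SSID "IEEE", a published IEEE 802.11i Annex H test vector.

```python
"""WPA2-PSK key derivation as a passive sniffer would do it (added example).

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PTK = PRF-512(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
KCK = PTK[0:16]  (signs EAPOL-Key frames)   TK = PTK[32:48]  (CCMP key for data frames)
"""
import hashlib
import hmac

MIC_OFFSET = 81        # 4-byte 802.1X header + 77 bytes into the EAPOL-Key descriptor
NONCE_OFFSET = 17      # header + descriptor type + key info + key length + replay counter
MSG2_KEY_INFO = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC, AES), pairwise, MIC present


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK. Same for every client on the network; this is all the password gives you."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK is per client and per association: it mixes both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_key_frame(key_info: int, replay: int, nonce: bytes,
                          key_data: bytes = b"", mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key (RSN descriptor) frame; layout is the real one, contents are a demo."""
    body = (b"\x02"                                  # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                # key length: 128-bit CCMP TK
            + replay.to_bytes(8, "big")
            + nonce                                  # 32 bytes
            + bytes(16) + bytes(8) + bytes(8)        # key IV, RSC, reserved
            + mic                                    # 16 bytes
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Version-2 MIC: HMAC-SHA1 over the whole frame with the MIC field zeroed, truncated to 16."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_message2(ptk: bytes, snonce: bytes, replay: int = 1) -> bytes:
    """What a client transmits as handshake message 2 (this is what the sniffer captures)."""
    unsigned = build_eapol_key_frame(MSG2_KEY_INFO, replay, snonce)
    return build_eapol_key_frame(MSG2_KEY_INFO, replay, snonce,
                                 mic=eapol_mic(ptk[:16], unsigned))


def recover_tk(passphrase: str, ssid: str, aa: bytes, spa: bytes,
               anonce: bytes, msg2: bytes):
    """Passive sniffer: PSK + ANonce (from message 1) + captured message 2 -> that client's TK.

    Returns None when the MIC does not verify, i.e. wrong passphrase, or a handshake that
    belongs to a different client/association than the one you are trying to decrypt."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16]):
        return None
    return ptk[32:48]


# Constructed demo data (not a real capture). Only the passphrase/SSID pair is a
# published 802.11i test vector.
SSID, PASSPHRASE = "IEEE", "password"
AP = bytes.fromhex("001122334455")
STA_A = bytes.fromhex("66778899aabb")
STA_B = bytes.fromhex("ccddeeff0011")
ANONCE = bytes(range(32))
SNONCE_A = bytes(range(32, 64))
SNONCE_B = bytes(range(64, 96))


def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk_a = derive_ptk(pmk, AP, STA_A, ANONCE, SNONCE_A)
    ptk_b = derive_ptk(pmk, AP, STA_B, ANONCE, SNONCE_B)
    msg2_a = supplicant_message2(ptk_a, SNONCE_A)   # the frame a sniffer would capture
    return {
        "pmk": pmk.hex(),
        "tk_a_from_capture": recover_tk(PASSPHRASE, SSID, AP, STA_A, ANONCE, msg2_a),
        "wrong_psk": recover_tk("wrongpass", SSID, AP, STA_A, ANONCE, msg2_a),
        "other_client": recover_tk(PASSPHRASE, SSID, AP, STA_B, ANONCE, msg2_a),
        "tk_a_differs_from_tk_b": ptk_a[32:48] != ptk_b[32:48],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Wireshark performs the same derivation when you give it `passphrase:SSID` as a "wpa-pwd" key, which is why the linked page insists that the capture contain each client's own 4-way handshake: a client that associated before you started capturing in monitor mode has a PTK you cannot reconstruct until it reassociates.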

Will sharing the connection on the MK5 be sufficient for sniffing?

Thanks, I read this tutorial, but how can I install Wireshark on the MK5, or how can I use Wireshark via the MK5 from another computer?


Not that the pineapple can't be used as a wireless card, but if you want other tools such as Wireshark and the like, use a computer with a compatible wireless card to do what you want. You can do what you're asking without the need for the pineapple at all, other than using it as another NIC in this instance.

Edited by digip
