Wireshark-bugs: [Wireshark-bugs] [Bug 10296] Encoded WPA-PSK key exceeds 64 byte limit blocking
Date: Thu, 24 Jul 2014 20:49:32 +0000

Comment # 3 on bug 10296 from
OK lots of news

: Using the Wireless keybar in Wireshark entering the full pass phrase with no
encoding from the kismet capture works correctly.
: Trying the same with packets captures from Microsoft Network Monitor 3.4 no
decryption even though four way handshake is present.
: Using TShark from the command line with no pass phrase on the kismet file
works ,becuase it uses the Wireshark keys.
:Disabling Wiresharks key and trying TShark with the pass phrase is imposible
becuase the double quotes can not be encoded without the pass phrase exceeding
the expected maximum of 63.

You can test this with the Induction WPA sample

tshark.exe -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o
"uat:80211_keys:\"wpa-pwd\",\"A really long pass phrase to test tsharks input
parsing PAD PAD:Coherer\"" -2 -R "http"

tshark.exe -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o
"uat:80211_keys:\"wpa-pwd\",\"A really long pass phrase to test tsharks input
parsing PAD PAD1:Coherer\"" -2 -R "http"
tshark: Invalid -o flag "uat:80211_keys:"wpa-pwd","A really long pass phrase to
test tsharks input parsing PAD PAD1:Coherer""

tshark.exe -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o
"uat:80211_keys:\"wpa-pwd\",\"A really long pass phrase to test tsharks input
parsing PAD"PAD:Coherer\"" -2 -R "http"
tshark: Invalid -o flag "uat:80211_keys:"wpa-pwd","A really long pass phrase to
test tsharks input parsing PADPAD:Coherer" -2 -R http"

tshark.exe -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o
"uat:80211_keys:\"wpa-pwd\",\"A really long pass phrase to test tsharks input
parsing PAD%22PAD:Coherer\"" -2 -R "http"
tshark: Invalid -o flag "uat:80211_keys:"wpa-pwd","A really long pass phrase to
test tsharks input parsing PAD%22PAD:Coherer""

The first one works (no errors).
The second one errors as expected, the "1" on the end exceeds the 63 byte
limit.
The third one fails as the addition of the double quote between "PAD PAD" does
not change the length of the input and indicates that the character must be
encoded.
The fouth on tries to encode the double quote character via url encoding as per
the documentation http://wiki.wireshark.org/HowToDecrypt802.11

I did try other encodings but nothing worked.

So that leaves us with;

The documentation is wrong/unhelpfull if you enter a pass phrase with these
characters into Wireshark directly.

Both wireshark and tshark fail to understand that providing url encoded
characters should not increase the byte count used to validate the length of
the pass phrase by more than one.

Files produced by Microsoft Network Monitor 3.4 are incompatible with
Wiresharks process of decrypting WPA2. I am blaming Microsoft for this one.


You are receiving this mail because:
  • You are watching all bug changes.