
I have WPA2-personal on my laptop and I'm connected wirelessly to my home AP. The traffic I capture from Wireshark is all unencrypted.

Some days ago I had my router on WPA-personal and did a MITM attack on my smartphone and the traffic was unencrypted too.

Isn't WPA supposed to encrypt the traffic and not just ask for a password to enter the network?

Bounty edit:

I would like to know a little bit more about this matter. What is the key difference between WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) in this matter? I know that they are all different options and if I choose the wrong option I'll have a slower, less-secure network. What are the differences in encryption for capturing the traffic, and what's the best solution for a home / work network? Thanks.

  • Where exactly did you capture the traffic? The encrypted packets are for the man-in-the-middle scenario. To sniff the traffic you have to use a device with sniffing capabilities.
    – emirjonb
    Commented Oct 7, 2015 at 7:58
  • WPA does indeed encrypt the data. But you performed an attack on it. I am not sure I understand your confusion about why the traffic was decrypted; by performing the attack, you were able to do so.
    – Ramhound
    Commented Oct 7, 2015 at 10:58
  • Please add some details on the MITM setup. It's weird that Wireshark could see that traffic, unless you actually gave Wireshark the secrets...
    – Arjan
    Commented Oct 23, 2015 at 10:10
  • Then please edit your question, if it doesn't invalidate the existing answers. (The bounty message will disappear in 7 days.)
    – Arjan
    Commented Oct 23, 2015 at 10:55
  • I've edited the question
    – Josip Ivic
    Commented Oct 23, 2015 at 10:56

4 Answers


WPA (and WPA2) encrypts traffic below the level that Wireshark or similar tools capture. Those tools capture at the operating system's socket interface, not at the level of the actual network media. When you send a packet over WPA-protected WiFi, the WPA encryption isn't added until the last moment before the data is broadcast.

There might still be other encryption - for example, I could apply PGP encryption to an email and send it to an SMTP server over TLS, which would be two levels of encryption... but those levels would be visible to (and, indeed, created by) the application (such as my email client). Somebody sniffing that traffic would still be able to see things like what protocol it's using (TCP, on top of IP), what port it comes from and is routing to, the destination IP address, and so on.

However, once the packet reaches the WiFi interface driver, it gets encrypted with the AES key that my machine is using for WPA. At that point, about the only things visible are the network SSID that I'm using (I think the source and destination MAC addresses may also be visible) and a vague idea of the size. Somebody without the WiFi key sniffing the network traffic using software-defined radio or a WiFi card in promiscuous mode wouldn't be able to tell the difference between my email and me sending a network ping or chatting on Skype; they wouldn't even be able to tell where the packets were going beyond the WiFi access point.

  • Note that Wireshark can capture the encrypted packets in monitor mode, if the driver supports it.
    Commented Oct 7, 2015 at 8:41
  • Also note that Wireshark can capture encrypted packets for other clients when the network card is in promiscuous mode. But then Wireshark needs to be set up with the WEP or WPA/WPA2 pre-shared secrets to be able to sniff the handshakes and decrypt the messages.
    – Arjan
    Commented Oct 23, 2015 at 10:07
  • Just the SSID / station MAC? Or also your transmitting device MAC?
    Commented Dec 7, 2019 at 9:26
  • @user1686 @Arjan aren't you two referring to scenarios where the device using Wireshark is not connected to the AP, therefore allowing it to capture packets that are encrypted? If it were on the LAN, like in the posted question, this would not be needed, right, since they would all have the decryption key as soon as it reached the NIC for that specific client, right?
    – oemb1905
    Commented Mar 31, 2021 at 0:58

What WPA-Personal (aka WPA-PSK) does is encrypt the packets that go on the air, so that people who aren't connected to this network can't read your messages (and WEP did the same in this respect, by the way, it just did it in a different way, which suffered from a serious hole). It additionally tries to make it difficult/impossible to connect to the network without knowing the secret password.

Without this encryption (e.g. on open networks), anyone can read all the packets that are being exchanged, without even being "connected" to the network: it just needs to be close enough to "hear" the signal.

If you think of a foreign language as a kind of encryption, WPA is a bit like the situation where all machines connected to this WPA network speak their very own language which only the AP also understands. So, machines not connected to the network can't understand anything (other than witness that some communication is taking place between the machines and the AP) and those that are connected to this network can only talk to each other by communicating via the AP.

  • Now that is written in a way I could even explain it to a total newbie. +1
    – Hennes
    Commented Oct 29, 2015 at 12:20
  • Except it's almost completely wrong.
    – qasdfdsaq
    Commented Oct 29, 2015 at 12:38
  • @qasdfdsaq: Please, do enlighten us.
    – Stefan
    Commented Oct 29, 2015 at 12:47
  • Well, let's see. Encryption has nothing to do with people who are "connected to this network". Being able to read your messages has nothing to do with people who are "connected to this network". Encryption has nothing to do with people who can or cannot "connect to this network". WPA does not make it like "all machines connected to this network speak the same language". Machines connected to this network cannot "attack each other and see all packets sent by others".
    – qasdfdsaq
    Commented Oct 29, 2015 at 12:50
  • Every client that connects generates a random key derived from the PSK and randomly generated data. en.wikipedia.org/wiki/IEEE_802.11i-2004#The_four-way_handshake Client-to-client communication does not exist in an Infrastructure network, it all must go via the AP.
    – qasdfdsaq
    Commented Oct 29, 2015 at 13:08
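
The per-client key derivation that Arjan's comment on the first answer (Wireshark needs the pre-shared secret and must see the handshake) and qasdfdsaq's last comment here both refer to, as an added example that is not code from any of the answers. It reproduces the WPA2-PSK key hierarchy with Python's hashlib/hmac: the PMK is PBKDF2-HMAC-SHA1 of the passphrase and SSID (checked against the IEEE 802.11i test vector "password"/"IEEE"), and the per-session PTK is PRF-384 over both MAC addresses and both handshake nonces. The MAC addresses and nonces in demo() are constructed values, and the EAPOL MIC offset assumes a standard EAPOL-Key frame.

```python
"""WPA2-PSK key hierarchy, as an added example (not code from the answers above).

It shows why Wireshark, even with the passphrase, has to see a client's
4-way handshake before it can decrypt that client's frames: the per-session
key (PTK) depends on two random nonces exchanged in the handshake, not on the
passphrase alone.  Only hashlib/hmac are used; every sample value is made up
except the IEEE 802.11i PBKDF2 test vector ("password" / "IEEE").
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only step that can be computed from the Wi-Fi password alone."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter)
    for counter = 0, 1, 2, ... concatenated and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                       anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (EAPOL MIC key), KEK (GTK wrapping
    key) and TK (the key that actually encrypts this client's data frames)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Offset of the 16-byte Key MIC inside an EAPOL-Key frame (assumed standard layout):
# 4-byte 802.1X header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8) = 81.
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1 over the whole
    EAPOL-Key frame with the MIC field zeroed, truncated to 16 bytes.  A
    passphrase cracker recomputes exactly this for each guess."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def demo() -> dict:
    """Two clients on the same PSK network end up with different TKs; a sniffer
    that saw only client A's handshake cannot decrypt client B."""
    pmk = pmk_from_passphrase("password", "IEEE")   # IEEE 802.11i test vector
    ap = bytes.fromhex("020000000001")              # constructed MAC addresses
    client_a = bytes.fromhex("020000000002")
    client_b = bytes.fromhex("020000000003")
    anonce = bytes(range(32))                       # constructed nonces
    snonce_a = bytes(range(32, 64))
    snonce_b = bytes(range(64, 96))
    ptk_a = ptk_from_handshake(pmk, ap, client_a, anonce, snonce_a)
    ptk_b = ptk_from_handshake(pmk, ap, client_b, anonce, snonce_b)
    return {"pmk": pmk, "tk_a": ptk_a["tk"], "tk_b": ptk_b["tk"], "kck_a": ptk_a["kck"]}


if __name__ == "__main__":
    r = demo()
    print("PMK  ", r["pmk"].hex())
    print("TK(A)", r["tk_a"].hex())
    print("TK(B)", r["tk_b"].hex())
```

Because the PTK mixes in ANonce and SNonce, two clients on the same passphrase get different TKs, and a capture that starts after a client's 4-way handshake cannot be decrypted even with the passphrase. That is why Wireshark's 802.11 decryption only works for clients whose handshake is in the capture, and why an associated WPA2-PSK client still sees other clients' unicast frames only as ciphertext. Dictionary attacks run eapol_key_mic() in the other direction: guess a passphrase, derive KCK, and compare against the MIC in handshake message 2.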

As described here, the encryption is done on Layer 2, right after the MAC address (frame payload), so to see the encrypted traffic you have to use a device with sniffing capabilities at L2 and try to read the packets you sniffed.

  • There needs to be discussion about where the packet sniffing device is, i.e., is it an authenticated client on the LAN/AP, or not. If it is not authenticated - which is not what the poster implies - then this would apply, right? But if it is on the LAN, it should just see layer 3 traffic by default, correct? @emirjonb
    – oemb1905
    Commented Mar 31, 2021 at 1:01
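
To make the "encryption starts right after the MAC header" point concrete, here is an added example (not code from the answer or its comment) that parses a constructed client-to-AP CCMP data frame and separates what a monitor-mode sniffer reads in the clear (frame control, the three addresses, sequence number, and the CCMP header with its packet number and key ID) from the encrypted body. The frame is built by hand in constructed_frame(); the bytes standing in for ciphertext and MIC are filler.

```python
"""What a monitor-mode sniffer sees in a WPA2 (CCMP) data frame without the key.

Added example, not from the answer above.  The frame is constructed by hand;
its 'ciphertext' and 'MIC' bytes are arbitrary filler.
"""
import struct


def parse_protected_data_frame(frame: bytes) -> dict:
    """Split an 802.11 data frame into its cleartext header fields and the
    CCMP-protected body.  Everything before the CCMP header is readable by
    anyone in radio range; everything after it needs the client's TK."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3                 # 0 management, 1 control, 2 data
    subtype = fc0 >> 4
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)             # "Protected Frame" bit: body is encrypted
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    hdr_len = 24
    addr4 = None
    if to_ds and from_ds:                    # 4-address (WDS) frame
        addr4 = frame[24:30]
        hdr_len = 30
    if subtype & 0x8:                        # QoS data: 2-byte QoS control field
        hdr_len += 2
    # Which address is which depends on the DS bits (client -> AP is ToDS=1, FromDS=0).
    if to_ds and not from_ds:
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds and not to_ds:
        da, bssid, sa = addr1, addr2, addr3
    elif not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    else:
        bssid, sa, da = None, addr4, addr3
    info = {"protected": protected, "to_ds": to_ds, "from_ds": from_ds,
            "bssid": bssid, "sa": sa, "da": da, "seq": seq, "qos": bool(subtype & 0x8)}
    if not protected:
        info["payload"] = frame[hdr_len:]    # open network: LLC/SNAP + IP in the clear
        return info
    # CCMP header (8 bytes): PN0 PN1 reserved KeyID|ExtIV PN2 PN3 PN4 PN5, all cleartext.
    pn0, pn1, _rsvd, keyid_byte, pn2, pn3, pn4, pn5 = frame[hdr_len:hdr_len + 8]
    if not keyid_byte & 0x20:
        raise ValueError("ExtIV bit not set; not a CCMP/TKIP extended-IV header")
    info["key_id"] = keyid_byte >> 6
    info["pn"] = (pn5 << 40) | (pn4 << 32) | (pn3 << 24) | (pn2 << 16) | (pn1 << 8) | pn0
    body = frame[hdr_len + 8:]
    info["ciphertext"] = body[:-8]           # encrypted LLC/SNAP + IP + TCP + application data
    info["mic"] = body[-8:]                  # 8-byte CCMP MIC (integrity tag)
    return info


def constructed_frame(qos: bool = False) -> bytes:
    """Hand-built client -> AP frame: ToDS=1, Protected=1, PN=5, key ID 0."""
    fc = bytes([0x88 if qos else 0x08, 0x41])   # data (or QoS data) frame, ToDS | Protected
    duration = b"\x00\x00"
    bssid = bytes.fromhex("020000000001")        # constructed addresses
    client = bytes.fromhex("020000000002")
    dest = bytes.fromhex("020000000003")
    seq_ctrl = struct.pack("<H", 7 << 4)         # sequence number 7, fragment 0
    qos_ctrl = b"\x00\x00" if qos else b""
    ccmp_hdr = bytes([0x05, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])  # PN=5, ExtIV set, key ID 0
    ciphertext = bytes(range(0x41, 0x41 + 20))   # filler standing in for encrypted LLC/IP/TCP
    mic = b"\xff" * 8                            # filler standing in for the CCMP MIC
    return fc + duration + bssid + client + dest + seq_ctrl + qos_ctrl + ccmp_hdr + ciphertext + mic


if __name__ == "__main__":
    for k, v in parse_protected_data_frame(constructed_frame()).items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Fed frames from a monitor-mode interface (radiotap header stripped), the parser yields the same picture: a sniffer learns the BSSID, the client MAC, the destination MAC within the LAN, frame sizes and timing, while the LLC/SNAP, IP and TCP headers and the application data are all inside the CCMP ciphertext. A station that is itself associated sees other stations' unicast frames in exactly this form, because it does not hold their TK.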

What is the key difference between WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES)

Source: Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both?

TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.

AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.

In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.

While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.

what's the best solution for home / work network? Thanks.

It's all covered in the rest of the above article:

On most routers we’ve seen, the options are generally WEP, WPA (TKIP), and WPA2 (AES) — with perhaps a WPA (TKIP) + WPA2 (AES) compatibility mode thrown in for good measure.

If you do have an odd sort of router that offers WPA2 in either TKIP or AES flavors, choose AES. Almost all your devices will certainly work with it, and it’s faster and more secure. It’s an easy choice, as long as you can remember AES is the good one.
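
A check that the article's "WPA2 doesn't always mean WPA2-AES" warning calls for, as an added example not taken from the article: decode the RSN information element (element ID 48) that an access point advertises in its beacons and probe responses, and flag any TKIP or WEP suite. Both IEs below are constructed by hand from the RSN element layout (version, group cipher suite, pairwise cipher list, AKM list, capabilities); the capabilities value is arbitrary filler. Original WPA (version 1) advertises a vendor-specific element (ID 221, OUI 00:50:F2) with the same suite layout instead, which this parser does not handle.

```python
"""Decode an AP's RSN information element to see whether "WPA2" means
CCMP/AES only, or a TKIP compatibility mode.

Added example, not from the article quoted above.  Both IEs are constructed
by hand; the RSN capabilities field in them is arbitrary filler.
"""
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 8: "SAE"}


def _suite_name(raw: bytes, table: dict) -> str:
    """A suite selector is a 3-byte OUI plus a 1-byte type."""
    oui, typ = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return "vendor-%s-%d" % (oui.hex(), typ)
    return table.get(typ, "unknown-%d" % typ)


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse element ID, length, then the RSN body in the order the standard fixes."""
    if ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated RSN element")
    version = struct.unpack("<H", body[0:2])[0]
    group = _suite_name(body[2:6], CIPHER_SUITES)      # cipher for broadcast/multicast
    pos = 6
    pair_count = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    pairwise = []                                       # ciphers offered for unicast
    for _ in range(pair_count):
        pairwise.append(_suite_name(body[pos:pos + 4], CIPHER_SUITES))
        pos += 4
    akm_count = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    akm = []                                            # PSK vs 802.1X vs SAE
    for _ in range(akm_count):
        akm.append(_suite_name(body[pos:pos + 4], AKM_SUITES))
        pos += 4
    caps = struct.unpack("<H", body[pos:pos + 2])[0] if pos + 2 <= len(body) else None
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm, "caps": caps}


def aes_only(rsn: dict) -> bool:
    """True only when neither unicast nor group traffic can fall back to TKIP/WEP."""
    weak = {"TKIP", "WEP-40", "WEP-104"}
    return rsn["group"] not in weak and not (weak & set(rsn["pairwise"]))


def constructed_ie(mixed: bool) -> bytes:
    """WPA2-PSK (AES) beacon IE, or the WPA2-PSK (TKIP/AES) compatibility mode,
    where the group cipher drops to TKIP so legacy clients can still receive
    broadcast and multicast frames.  Constructed, not captured."""
    ccmp, tkip, psk = IEEE_OUI + b"\x04", IEEE_OUI + b"\x02", IEEE_OUI + b"\x02"
    if mixed:
        body = b"\x01\x00" + tkip + b"\x02\x00" + tkip + ccmp + b"\x01\x00" + psk + b"\x0c\x00"
    else:
        body = b"\x01\x00" + ccmp + b"\x01\x00" + ccmp + b"\x01\x00" + psk + b"\x0c\x00"
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


if __name__ == "__main__":
    for mixed in (False, True):
        rsn = parse_rsn_ie(constructed_ie(mixed))
        print(rsn, "AES-only:", aes_only(rsn))
```

Wireshark shows the same element under "RSN Information" in a beacon frame's tagged parameters. In the TKIP/AES compatibility mode the group cipher is TKIP, because broadcast and multicast frames must be readable by the weakest client, so even a client that negotiated CCMP for unicast has its multicast traffic protected only by TKIP; that is the practical reason to pick the AES-only setting.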
