The network packets that I want to decrypt uses username and password to log in with EAP-PEAP. Not on a captive portal. Where would I put the username when decrypting network packets. I can get the handshakes.
Asked
Active
Viewed 4,276 times
1 Answers
4
Nowhere.
Capturing the PEAP handshake is useless, as the session key for EAP-TLS, EAP-PEAP, EAP-TTLS is derived from the TLS master secret, which is protected by the TLS handshake – it is the same as in HTTPS connections and provides the same level of security against monitoring.1
The TLS handshake has no relationship to the username or password, so knowing those does not help either.
(In rare cases it might be decryptable using the RADIUS server's certificate/key, but probably most TLS handshakes just use DH key exchange.)
So your only option is to obtain the key from the RADIUS server itself (e.g. activate verbose logging – the keys are delivered to the access point, and so can be found in MS-MPPE-*-Key attributes. Then you can add the keys as raw PSK.
"Raw" EAP-MSCHAPv2 (without EAP-TLS protection) keys are derived from the password hash and the 'NtResponse' found in the handshake. (But not the username.) You probably can calculate the resulting PSK using various Linux tools and add it to Wireshark (again as wpa-psk), but Wireshark itself isn't capable of doing this.
(Not that you should ever see WPA-Enterprise without EAP-TLS in the first place, but...)
1 (As long as the client verifies the certificate. If it doesn't, it's vulnerable to active MITM attacks (rogue access points), but still not to passive interception.)
