WPA2 Pairwise Transient Keys on the OpenWrt router

  • Where are the WPA2 Pairwise Transient Keys (PTK) stored (keys used to encrypt the frames exchanged between the router and a user)?
  • How can I get them?

I have administrator access.

If your using LUCI

Network->Wireless
--> Wireless Overview
--->Edit
---->Interface configuration
----->Wireless Security
------->Key
------->*

1 Like

/etc/config/wireless

1 Like

This key is the wireless network password. I would like to get the keys set on the 4-way handshake between the router and each client.

In /etc/config/wireless you can configure the wireless encryption type and password, but the keys used by each client are not stored in it.

  • Please use one post to respond to multiple questions on the thread, we all can read above

And you won't find "keys."

Can you better explain WHY you think you need to see the key?

Perhaps we can better help you then.

Are you sure you are trying to obtain the pre-shared keys?

1 Like

I am using an external device to sniff network traffic and I need to access the encrypted layers of the packets.

After some research, I realized that the key I'm looking for is the Pairwise Transient Key (PTK), which is set in the 4-way handshake.

It is only necessary to know the passphrase. Everything else is derived from that. In other words, WPA2 lacks forward secrecy.

Wireshark can decrypt WPA2 packets when given the SSID and the passphrase.

2 Likes

Wireshark can decrypt WPA packets with the SSID and password. But in the case of WPA2, you need to capture all 4-way handshake packets.

https://wiki.wireshark.org/HowToDecrypt802.11

WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all fourhandshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic.

1 Like

Someone have success with getting these keys?

I'm on a project about monitoring IoT devices and we assume we have the control of a router in the network.

We want to develop a monitor that captures the packets in the network and fowards the packet information to another component that will extract useful things about the network flow. One of the information we aren't being able to extract from the packet is the destination ip from the captured packets. So, our idea is to make the router send to our monitor the wpa2 keys so we can get the destination IP.

@Juniorlimaivd, if you truly control the router, why do you have to crack the key on air?

Just monitor the router and/or WiFi PHY.

@lleachii We want to open the packets outside the router. Monitor the router will generate unnecessary traffic/processing for our router, which may be not able to handle this.

But the router receives the packets and decrypts them already, all you need to do is enable packet mirroring to an Ethernet port... Done. The mirroring has some overhead but not that much.

You can drop a $35 tp link switch on the router and let the switch do the packet mirroring

2 Likes

@dlakelan How do i do that? If i use iptables to do the packet mirroring, i will lose the information present in the link layer and bellow. Is there a way to do the packet mirroring while preserving the packet completely?

tc-mirred is where I'd start, get a router with two ethernet interfaces, hook one up to your monitor device, and mirror packets to the monitor ethernet.

http://man7.org/linux/man-pages/man8/tc-mirred.8.html

@dlakelan how do i install tc-mirred?

I'm not sure which package mirred is in, but I suspect it's part of the kmod-sched-core which is pulled in when you install "tc", so start by just installing tc and see if that works. if it doesn't work you might need to install kmod-ifb because it's common to use mirred with ifb