securitywifiwpa

If I know the password of a WPA2 access point, can I passively eavesdrop to communications?


Suppose there's a WPA2 hotspot with a few stations connected to it, and suppose I know the passphrase to connect to this hotspot. Will it be possible to decrypt everyone's communication by being completely passive? (i.e. just sniffing the packets with a wifi sniffer, and without connecting to the network or sending packets to the air).

For this matter, is there a difference between knowing the alphanumeric passphrase or the hexadecimal PSK?


Solution

  • The passphrase is used to generate a PSK via a password hashing function (PBKDF2) which you can easily do yourself, so knowing either the passphrase or the PSK is sufficient.

    Between the AP and any particular station, the PSK is used to create a set of temporal keys that are actually used to encrypt frames.

    If you capture the 4-way handshake which takes place after authentication/association between the AP and a station, then you will be able to deduce the temporal keys that were calculated for that session, and use these to decrypt unicast frames between the two, and broadcast frames from the AP.

    Wireshark will do this for you if you capture the traffic complete with 4 way handshake, and enter the PSK/passphrase.

    So to answer your question - yes, you can theoretically passively decrypt traffic if you know the PSK/passhprase without having to actively inject any extra frames, as long as you capture the initial 4-way handshake.

    You only need to start injecting frames if you want to force a station to reauthenticate and perform its 4 way handshake, for example by spoofing a deauth.