0

I'm learning about sniffing packets in Wireshark. When I enter the password of my wifi and I can start seeing a lot of traffics and I realize that they are all decrypted. But I don't know how these packets are decrypted because different clients have different PTKs and counter mode in ccmp. For example, I perform a simple MITM between my phone and the router. I think that the HTTP packet that sending from my phone must be encrypted with its AES-CCMP(PTK) at the data link layer but somehow I can capture password from a simple HTTP authorization page through GET request. So how can Wireshark do that? enter image description here

enter image description here

1 Answers1

0

Sorry for late answer.

HTTP protocol by itself does not support encryption, this means content of the packet can be seen in plain text. For example, webpage http://icanhazip.com uses HTTP protocol, so if you run Wireshark and head over to this website, you can see IP responded by the webpage in the wireshark's "follow TCP stream" window. I run this scenario and posted its picture.

Entering https://icanhazip.com url in the browser

Sniffing traffic of http://icanhazip.com in wireshark

Not all of the pages are on HTTP, and the majority of the websites, nowadays, use HTTPS. HTTPS is HTTP which send its packets with TLS protocol. TLS is responsible for encrypting and sending the HTTP packet. So if you sniff traffic of a website that uses HTTPS, you can't see the content of the request and response. For example, run Wireshark and go to https://icanhazip.com. Here is a picture of it.

entering https://icanhazip.com url in the browser

Sniffing traffic of https://icanhazip.com in wireshark

In your case, because web page you are visiting (I think you are visiting this page) uses HTTP and not HTTPS, the content of the packets can be seen in the Wireshark, even vital things like authorization information.

mrghofrani
  • 1,335
  • 2
  • 13
  • 32
  • I see your point. But those HTTP packets must be encrypted AES-CCMP(PTK) when it goes through my phone's data link layer but I can see it by sniffing or even if it's HTTPS Wireshark is still able to decrypt all the packets layers headers but not the TLS part. And what I want to clarify is that packets must be protected with AES-CCMP instead Wireshark can decrypt partly of it and I don't know how Wireshark does it. –  Nov 10 '21 at 13:37
  • @snowman could you share the .pcap file of the traffic? – mrghofrani Nov 10 '21 at 14:08