In what stage (probing?) of the connection process does the AP "tell" the host its security protocol (e.g. "I'm using WEP, WPA, etc.")?
I've sniffed a packet using Wireshark but I can't find any security information in it (probe packet). Furthermore, I've guessed that during the association request I should've seen the password itself (hashed) somewhere, no?
Frame 1087: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Interface id: 0 (\\.\airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:34.530912000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171154.530912000 seconds
[Time delta from previous captured frame: 0.002115000 seconds]
[Time delta from previous displayed frame: 0.052362000 seconds]
[Time since reference or first frame: 16.649345000 seconds]
Frame Number: 1087
Frame Length: 243 bytes (1944 bits)
Capture Length: 243 bytes (1944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -71dBm
Antenna noise: -100dBm
Signal Quality: 76
Antenna: 0
dB antenna signal: 29dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -71dBm
Noise level (dBm): -100dBm
[Duration: 1976µs]
IEEE 802.11 Probe Response, Flags: ........C
Type/Subtype: Probe Response (0x0005)
Frame Control Field: 0x5000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0101 .... = Subtype: 5
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: Apple_b5:b8:13 (bc:3b:af:b5:b8:13)
Destination address: Apple_b5:b8:13 (bc:3b:af:b5:b8:13)
Transmitter address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Source address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0011 0011 0000 .... = Sequence number: 816
Frame check sequence: 0xd381a870 [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 0x0000008df3014db9
Beacon Interval: 0.102400 [Seconds]
Capabilities Information: 0x0411
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..0. .... = Short Preamble: Not Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Tagged parameters (183 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
Tag: ERP Information
Tag Number: ERP Information (42)
Tag length: 1
ERP Information: 0x00
Tag: ERP Information
Tag Number: ERP Information (47)
Tag length: 1
ERP Information: 0x00
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x000c
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x18fc
.... .... .... ...0 = HT LDPC coding capability: Transmitter does not support receiving LDPC coded packets
.... .... .... ..0. = HT Support channel width: Transmitter only supports 20MHz operation
.... .... .... 11.. = HT SM Power Save: SM Power Save disabled (0x3)
.... .... ...1 .... = HT Green Field: Transmitter is able to receive PPDUs with Green Field (GF) preamble
.... .... ..1. .... = HT Short GI for 20MHz: Supported
.... .... .1.. .... = HT Short GI for 40MHz: Supported
.... .... 1... .... = HT Tx STBC: Supported
.... ..00 .... .... = HT Rx STBC: No Rx STBC support (0x0)
.... .0.. .... .... = HT Delayed Block ACK: Transmitter does not support HT-Delayed BlockAck
.... 1... .... .... = HT Max A-MSDU length: 7935 bytes
...1 .... .... .... = HT DSSS/CCK mode in 40MHz: Will/Can use DSSS/CCK in 40 MHz
..0. .... .... .... = HT PSMP Support: Won't/Can't support PSMP operation
.0.. .... .... .... = HT Forty MHz Intolerant: Use of 40 MHz transmissions unrestricted/allowed
0... .... .... .... = HT L-SIG TXOP Protection support: Not supported
A-MPDU Parameters: 0x1b
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: HT Information (802.11n D1.10)
Tag Number: HT Information (802.11n D1.10) (61)
Tag length: 22
Primary Channel: 1
HT Information Subset (1 of 3): 0x08
HT Information Subset (2 of 3): 0x0004
HT Information Subset (3 of 3): 0x0000
Rx Supported Modulation and Coding Scheme Set: Basic MCS Set
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0202f02c0000
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag Number: Vendor Specific (221)
Tag length: 28
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 1
Type: WPA Information Element (0x01)
WPA Version: 1
Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
Unicast Cipher Suite Count: 2
Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) AES (CCM) 00:50:f2 (Microsoft Corp.) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
Tag Number: Vendor Specific (221)
Tag length: 24
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Parameter Element (1)
WME Version: 1
WME QoS Info: 0x80
Reserved: 00
Ac Parameters ACI 0 (Best Effort), ACM no, AIFSN 3, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 1 (Background), ACM no, AIFSN 7, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 2 (Video), ACM no, AIFSN 2, ECWmin/max 3/4 (CWmin/max 7/15), TXOP 94
Ac Parameters ACI 3 (Voice), ACM no, AIFSN 2, ECWmin/max 2/3 (CWmin/max 3/7), TXOP 47
And here is the association request:
Frame 731: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits) on interface 0
Interface id: 0 (\\.\airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:33.235805000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171153.235805000 seconds
[Time delta from previous captured frame: 0.001751000 seconds]
[Time delta from previous displayed frame: 3.447067000 seconds]
[Time since reference or first frame: 15.354238000 seconds]
Frame Number: 731
Frame Length: 210 bytes (1680 bits)
Capture Length: 210 bytes (1680 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -44dBm
Antenna noise: -100dBm
Signal Quality: 100
Antenna: 0
dB antenna signal: 56dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -44dBm
Noise level (dBm): -100dBm
[Duration: 1712µs]
IEEE 802.11 Association Request, Flags: ........C
Type/Subtype: Association Request (0x0000)
Frame Control Field: 0x0000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0000 .... = Subtype: 0
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Destination address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Transmitter address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Source address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0011 0011 1000 .... = Sequence number: 824
Frame check sequence: 0xa7de824d [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (4 bytes)
Capabilities Information: 0x0431
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..1. .... = Short Preamble: Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Listen Interval: 0x000a
Tagged parameters (158 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: Power Capability Min: 8, Max: 18
Tag Number: Power Capability (33)
Tag length: 2
Minimum Transmit Power: 8
Maximum Transmit Power: 18
Tag: Supported Channels
Tag Number: Supported Channels (36)
Tag length: 2
Supported Channels Set #1 First: 1, Range: 13
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 20
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 1
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x0000
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x112d
.... .... .... ...1 = HT LDPC coding capability: Transmitter supports receiving LDPC coded packets
.... .... .... ..0. = HT Support channel width: Transmitter only supports 20MHz operation
.... .... .... 11.. = HT SM Power Save: SM Power Save disabled (0x3)
.... .... ...0 .... = HT Green Field: Transmitter is not able to receive PPDUs with Green Field (GF) preamble
.... .... ..1. .... = HT Short GI for 20MHz: Supported
.... .... .0.. .... = HT Short GI for 40MHz: Not supported
.... .... 0... .... = HT Tx STBC: Not supported
.... ..01 .... .... = HT Rx STBC: Rx support of one spatial stream (0x1)
.... .0.. .... .... = HT Delayed Block ACK: Transmitter does not support HT-Delayed BlockAck
.... 0... .... .... = HT Max A-MSDU length: 3839 bytes
...1 .... .... .... = HT DSSS/CCK mode in 40MHz: Will/Can use DSSS/CCK in 40 MHz
..0. .... .... .... = HT PSMP Support: Won't/Can't support PSMP operation
.0.. .... .... .... = HT Forty MHz Intolerant: Use of 40 MHz transmissions unrestricted/allowed
0... .... .... .... = HT L-SIG TXOP Protection support: Not supported
A-MPDU Parameters: 0x17
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 020000100000
Tag: Vendor Specific: Epigram, Inc.: HT Capabilities (802.11n D1.10)
Tag Number: Vendor Specific (221)
Tag length: 30
OUI: 00:90:4c (Epigram, Inc.)
Vendor Specific OUI Type: 51
802.11n (Pre) Type: HT Capabilities (802.11n D1.10) (51)
HT Capabilities Info (VS): 0x112d
.... .... .... ...1 = HT LDPC coding capability: Transmitter supports receiving LDPC coded packets
.... .... .... ..0. = HT Support channel width: Transmitter only supports 20MHz operation
.... .... .... 11.. = HT SM Power Save: SM Power Save disabled (0x3)
.... .... ...0 .... = HT Green Field: Transmitter is not able to receive PPDUs with Green Field (GF) preamble
.... .... ..1. .... = HT Short GI for 20MHz: Supported
.... .... .0.. .... = HT Short GI for 40MHz: Not supported
.... .... 0... .... = HT Tx STBC: Not supported
.... ..01 .... .... = HT Rx STBC: Rx support of one spatial stream (0x1)
.... .0.. .... .... = HT Delayed Block ACK: Transmitter does not support HT-Delayed BlockAck
.... 0... .... .... = HT Max A-MSDU length: 3839 bytes
...1 .... .... .... = HT DSSS/CCK mode in 40MHz: Will/Can use DSSS/CCK in 40 MHz
..0. .... .... .... = HT PSMP Support: Won't/Can't support PSMP operation
.0.. .... .... .... = HT Forty MHz Intolerant: Use of 40 MHz transmissions unrestricted/allowed
0... .... .... .... = HT L-SIG TXOP Protection support: Not supported
A-MPDU Parameters (VS): 0x17
Rx Supported Modulation and Coding Scheme Set (VS): MCS Set
HT Extended Capabilities (VS): 0x0000
Transmit Beam Forming (TxBF) Capabilities (VS): 0x00000000
Antenna Selection (ASEL) Capabilities (VS): 0x00
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Information Element
Tag Number: Vendor Specific (221)
Tag length: 7
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Information Element (0)
WME Version: 1
WME QoS Info: 0x00
Tag: Vendor Specific: Epigram, Inc.
Tag Number: Vendor Specific (221)
Tag length: 17
OUI: 00:90:4c (Epigram, Inc.)
Vendor Specific OUI Type: 55
802.11n (Pre) Type: Unknown (55)
802.11n (Pre) Unknown Data: 00000000000000000000000000
Best Answer
The probe response frame contains a lot of information about the encryption used by the AP.
First of all the vendor specific WPA Information Element tells you that the AP is using WPA2 with a pre-shared key (PSK).
Furthermore, the Robust Security Network (RSN) Element gives you further details about the cipher suites used. Some more details can be found in this post.
Regarding the exchange of the password: there you need to look for the EAPOL frames in your capture. In those four frames the four-way handshake for WPA2 is performed, where not the password but a message integrity check (MIC) element is sent from station to AP. This MIC proves that the station has the correct pairwise master key (PMK), which is used for encryption. In WPA2-PSK this pairwise master key is derived from the pre-shared key.