Understanding GTK and IGTK

  • GTK (Group Temporal Key): Encrypts/decrypts multicast/broadcast data traffic.
  • IGTK (Integrity Group Temporal Key): Protects multicast/broadcast management frames (only present when 802.11w, Protected Management Frames, is enabled).
  • Both keys are delivered from the Access Point (AP) to clients during the 4-way handshake (specifically in Message 3), wrapped with the KEK (Key Encryption Key), a component of the PTK (Pairwise Transient Key) that protects unicast traffic.

Can these keys be viewed in Wireshark?
Absolutely! However, you need the KEK to decrypt them.

Good News!
If your AP uses WPA2-Personal (PSK) security, you can decrypt the capture in Wireshark.
To decrypt WPA2 traffic:

  • Capture the EAPOL (Extensible Authentication Protocol Over LAN) messages.
  • Provide the SSID and Passphrase in Wireshark.
    This enables Wireshark to derive the PMK and then the PTK (including the KEK), allowing it to unwrap the key data in EAPOL Message 3 and reveal the GTK and IGTK.

What you need:

  • EAPOL exchange
  • SSID
  • Password

Step-by-Step Process:

  1. Open a .pcap file that captures the EAPOL exchange between a client and an AP using WPA2 security.
  2. Decrypt the .pcap file by providing the correct SSID and passphrase. Refer to the following guide for detailed instructions:
    Decrypting WPA2 Traffic in Wireshark
  3. Navigate to EAPOL Message 3 → 802.1X Authentication → WPA Key Data (IE).
  4. Inspect the Vendor Specific tags to view the GTK and IGTK keys. At the bottom, you can also find the derived KCK and KEK keys.
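To make the key chain described above concrete, here is an added Python example (not from the original post) that derives the PMK and PTK the same way Wireshark does from the SSID and passphrase, splits out the KCK/KEK, and parses the GTK and IGTK KDEs from already-unwrapped Message 3 key data. The AES key-unwrap step itself is left out (it needs an AES library), and the MAC addresses, nonces and key data below are constructed sample values.

```python
import hashlib
import hmac
import struct

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 RSN OUI carried in Key Data KDEs
KDE_GTK, KDE_IGTK = 1, 9            # KDE data types for the GTK and IGTK

def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-384 (HMAC-SHA1): PTK = KCK(16) | KEK(16) | TK(16) for CCMP.
    aa/spa are the AP and client MACs; the nonces come from EAPOL Messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]

def split_ptk(ptk: bytes) -> dict:
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def parse_kdes(key_data: bytes) -> dict:
    """Walk the unwrapped Message 3 Key Data and extract the GTK and IGTK KDEs
    (the 'Vendor Specific' tags Wireshark shows under WPA Key Data)."""
    found, i = {}, 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2 : i + 2 + length]
        if tag == 0xDD and length == 0:          # 0xdd 0x00... is padding: stop here
            break
        if tag == 0xDD and body[:3] == RSN_OUI:
            kde_type, payload = body[3], body[4:]
            if kde_type == KDE_GTK:              # KeyID/Tx byte, reserved byte, then the GTK
                found["GTK"] = {"key_id": payload[0] & 0x03, "tx": bool(payload[0] & 0x04), "key": payload[2:]}
            elif kde_type == KDE_IGTK:           # KeyID(2, little-endian) | IPN(6) | IGTK(16)
                found["IGTK"] = {"key_id": struct.unpack("<H", payload[:2])[0],
                                 "ipn": payload[2:8], "key": payload[8:24]}
        i += 2 + length
    return found

# Constructed sample of Key Data as it looks after AES key-unwrap with the KEK:
# a GTK KDE (key id 1, Tx set), an IGTK KDE (key id 4, IPN of zeros), then padding.
SAMPLE_KEY_DATA = (
    bytes([0xDD, 22]) + RSN_OUI + bytes([KDE_GTK, 0x05, 0x00]) + bytes(range(16))
    + bytes([0xDD, 28]) + RSN_OUI + bytes([KDE_IGTK]) + b"\x04\x00" + bytes(6) + bytes(range(16, 32))
    + b"\xdd\x00\x00\x00"
)
```

The PMK derivation can be checked against the IEEE 802.11 test vector (SSID "IEEE", passphrase "password"), which is the same value Wireshark computes before expanding it into the PTK.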

In the image below, you’ll see the decrypted GTK, IGTK, KCK, and KEK keys in EAPOL Message 3.


For more insights, check out this resource:
Wireshark Key Decryption

