Quick answer:
Yes, that's correct.
Long statement:
You need only to capture the M2 from a client. wlandump-ng and wlanresponse will calculate the M1.
wlandump-ng will show us this (using the -s xx option):
transmitted m1/received appropriate m2...: 343/719
and the regular messages from a real ap connected to a client:
received regular m1/m2/m3/m4.............: 146/98/143/68
Using the defaults, a client probes every ap which has an entry in his wpa_supplicant.conf.
A stupid client also probes and authenticates his 5GHz access point on 2.4GHz!
wlandump-ng accepts and transmits an M1. After receiving this M1 the client transmits his M2. So we receive a valid M2, calculated from an entry in his wpa_supplicant.conf.
If the client has 10 entries (from 10 different networks) in his wpa_supplicant.conf, we get 10 different crackable M2s.
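An added illustration (not part of the original post or of the hcxtools project) of the symptom the statistics above describe from the monitoring side: a client that answers M1s with M2s for several different ESSIDs while none of those handshakes ever reaches M3. The log format, MAC addresses and ESSIDs are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of EAPOL events (not a real capture); one 4-way-handshake message per line.
SAMPLE_LOG = """\
10.0 client=02:00:00:00:00:01 bssid=02:00:00:00:00:aa essid=homenet msg=M1
10.1 client=02:00:00:00:00:01 bssid=02:00:00:00:00:aa essid=homenet msg=M2
10.2 client=02:00:00:00:00:01 bssid=02:00:00:00:00:aa essid=homenet msg=M3
10.3 client=02:00:00:00:00:01 bssid=02:00:00:00:00:aa essid=homenet msg=M4
20.0 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=homenet msg=M1
20.1 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=homenet msg=M2
20.5 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=office msg=M1
20.6 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=office msg=M2
21.0 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=cafe msg=M1
21.1 client=02:00:00:00:00:02 bssid=02:00:00:00:00:bb essid=cafe msg=M2
"""

LINE_RE = re.compile(r"^(?P<ts>[\d.]+) client=(?P<client>\S+) bssid=(?P<bssid>\S+) "
                     r"essid=(?P<essid>\S+) msg=(?P<msg>M[1-4])$")

def parse_events(log):
    """Turn the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def analyze(events, min_half_open=2):
    """Group messages per (client, bssid, essid) handshake. A handshake with an M2 but no M3
    is 'half open': the client proved knowledge of a PMK to an AP that never continued.
    Clients with several half-open handshakes under different ESSIDs are flagged."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["client"], e["bssid"], e["essid"])].add(e["msg"])
    complete = half_open = 0
    per_client = defaultdict(lambda: {"half_open": 0, "essids": set()})
    for (client, _bssid, essid), msgs in seen.items():
        if "M2" in msgs and "M3" in msgs:
            complete += 1
        elif "M2" in msgs:
            half_open += 1
            per_client[client]["half_open"] += 1
            per_client[client]["essids"].add(essid)
    flagged = {c: {"half_open": v["half_open"], "essids": sorted(v["essids"])}
               for c, v in per_client.items() if v["half_open"] >= min_half_open}
    return {"complete": complete, "half_open": half_open, "flagged_clients": flagged}
```

On the constructed sample, the first client completes one normal handshake, while the second client leaves three half-open handshakes for three different ESSIDs and is flagged.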