Oh, I noticed that I didn't answer your first question:
How does one find/extract these clear passwords (Example commands please!)? Do we need to enable a certain option for wlandump to capture these? What causes these to be sent in the first place; isn't wireless communication encrypted and only hashes are exchanged? thanks
Finding PSKs is easy. But you have to develop a sight for that.
PSKs can be found in probe requests, identity responses and authentication frames (usernames).
A detailed tutorial is here: https://hashcat.net/forum/thread-6661-po...l#pid35891
including a test cap: https://hashcat.net/forum/attachment.php?aid=512
command to save them:
hcxpcaptool -o test.hccapx -E probes -I identities -U usernames *.cap
What causes these to be sent in the first place?
A damaged wpa-supplicant.conf of the client.
We can annoy a client in such a way that he sends us his PSK and/or complete NVRAM.
Isn't wireless communication encrypted and only hashes are exchanged?
Yes, but those (management) frames are unencrypted.