Plugins 2500/2501 and 16800/16801 are deprecated
#24
The last field is the message pair field.
It contain detailed information about the endianess of the router and it inform hashcat how to handle the hash
(eg. NC not necessary, NC necessary, NC only on BE necessary, NC on LE necessary)
Code:
bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 if not zeroed (authorized)
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 if not zeroed (authorized)
3: reserved
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

In your case:
Code:
WPA...0000fac028000*00
00000001
M1+M2, EAPOL from M2 (challenge)

WPA...4000fac020000*02
02 = 00000010
M2+M3, EAPOL from M2 (authorized)

WPA...0000fac020c00*a2
a2 = 10100010
M2+M3, EAPOL from M2 (authorized)
LE router detected (set to 1) - nonce-error-corrections only for LE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

WPA...0000fac020c00*a0
a0 = 10100000
M1+M2, EAPOL from M2 (challenge),
LE router detected (set to 1) - nonce-error-corrections only for LE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

WPA...0100000020000*c2
c2 = 11000010
M2+M3, EAPOL from M2 (authorized)
BE router detected (set to 1) - nonce-error-corrections only for BE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

Here is a hex to binary converter:
https://www.binaryhexconverter.com/hex-t...-converter

Please notice the difference between: valid , invalid, challenge and authorized!

invalid = it is impossible to recover the PSK from this message pair, because the EAPOL messages don't match,
even though if you run hashcat with the correct PSK, it will exhausted
Mostly you will get invalid message pairs if you run passive dumpers in combination with stupid deauthentication tools.
They will not detect a packet loss or if the AP renew the authentication sequence.

challenge = the CLIENT may not belong to the target network and the PSK is recoverable
this message pair is valid!

authorized = the CLIENT belong to the target network and the PSK is recoverable
this message pair is valid!
Reply


Messages In This Thread
RE: Plugins 2500/2501 and 16800/16801 are deprecated - by ZerBea - 09-23-2021, 09:29 AM