Nice to hear that it is working as expected.
It is much easier to attack a weak CLIENT than a hardened ACCESS POINT.
It is much easier to get within range of a mobile CLIENT than to get within the range of a stationary AP.
In every case an EAPOL M2 of a CLIENT is unencrypted.
You get a lot of useful information from EAP identity frames and undirected PROBEREQUEST frames coming from a CLIENT.
Depending on the wpa-supplicant.conf of a CLIENT you'll get hashes of all(!) entries of this conf.
You do not need nonce-error-corrections (hashcat --nonce-error-corrections=0), which speeds up hashcat.
Let us say you are a penetration tester and have received the order to check the security of a large company.
You located the ACCESS POINT, attacked it and you got a PMKID and/or a 4way handshake.
The next step is to run hashcat to check if the PSK of the AP is weak. That will take a while and if it is not weak, you may think everything is well secured, because hashcat was not able to recover the PSK.
Now run hcxdumptool and attack all CLIENTs connected to this AP. If only one CLIENT is weak (transmit PSK within PROBEREQUEST or EAP identity frame) you got the secured PSK, e.g.:
If a user made a typo (typed the PSK instead of the ESSID and the ESSID instead of the PSK). This information is now stored in its wpa-supplicant.conf and the device transmits the PSK in the form of undirected PROBEREQUEST frames.
The more CLIENTs, the better the chance to identify a weak one, and the entire company is compromised.
BTW:
The injection ratio and the antenna ratio depend on many factors:
TX power of target (TX power of the attack device should always be the same as the TX power of the target device)
RX sensitivity of target
RX sensitivity of attack device
Frequency
Antenna gain of target
Antenna gain of attack device
Fresnel zone
Assignment of a radio channel (802.11 uses time slots which allow a station to transmit or not)
and more...
hcxdumptool is measuring in both directions (attack device -> target and target -> attack device).
If you run the injection test several times, you'll get several different results, depending on the parameters mentioned above which are highly unpredictable.
But anyway, 802.11 is packet oriented and it is more than enough if a few packets (mostly 3) reach the target and a few packets reach the attack device (mostly 3).
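The swapped ESSID/PSK typo described above is something an administrator can catch on the client side before the device ever broadcasts it. The following linter is an added example, not code from the comment or from the hcxdumptool project: it parses wpa_supplicant.conf network blocks and flags a psk that holds a known SSID (the swap), an ssid that is not one the organisation operates (every configured ssid goes out in clear probe requests), and a psk that is not a valid 8-63 character passphrase or 64-hex PMK. The sample configuration and the KNOWN_SSIDS allowlist are constructed for the example.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the original comment).
# Block 0 is correct; block 1 has ssid and psk swapped, the typo the comment
# describes, so the passphrase would be sent in undirected probe requests;
# block 2 has a psk too short to be a valid WPA passphrase.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="corp-wifi"
    psk="S3cretPassphrase!"
}
network={
    ssid="S3cretPassphrase!"
    psk="corp-wifi"
}
network={
    ssid="guest"
    psk="short"
}
"""

# SSIDs the administrator actually operates (assumed allowlist, constructed here).
KNOWN_SSIDS = {"corp-wifi", "guest"}

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
LINE_RE = re.compile(r"^\s*(\w+)=(.+?)\s*$", re.M)


def parse_networks(text):
    """Return one dict per network={...} block. Values are kept verbatim (quotes
    included) so a quoted passphrase and a raw 64-hex PMK can be told apart."""
    return [dict(LINE_RE.findall(body)) for body in BLOCK_RE.findall(text)]


def unquote(value):
    """Strip one pair of surrounding double quotes, if present."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def valid_psk(value):
    """wpa_supplicant accepts a quoted 8..63-character passphrase or an
    unquoted 64-hex-digit PMK; anything else will not even associate."""
    if value.startswith('"'):
        return 8 <= len(unquote(value)) <= 63
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def lint(text, known_ssids):
    """Flag network blocks that would leak or break: returns (block index, code) pairs."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        ssid = unquote(net.get("ssid", ""))
        psk = net.get("psk")
        if psk is not None and unquote(psk) in known_ssids:
            # The passphrase field holds a real SSID: the fields were almost
            # certainly swapped, so the real passphrase now sits in 'ssid' and
            # will be broadcast in every undirected probe request.
            findings.append((i, "SSID_PSK_SWAP"))
        elif ssid not in known_ssids:
            # Every configured ssid is probed for in clear; an unknown string
            # here is at best noise and at worst a secret typed into the wrong field.
            findings.append((i, "UNKNOWN_SSID"))
        if psk is not None and not valid_psk(psk):
            findings.append((i, "INVALID_PSK"))
    return findings


if __name__ == "__main__":
    for idx, code in lint(SAMPLE_CONF, KNOWN_SSIDS):
        print(f"network block {idx}: {code}")
```

Run it against a fleet's managed supplicant profiles with the real SSID allowlist; a SSID_PSK_SWAP hit is a configuration that should be corrected and the passphrase rotated, because the device has already been broadcasting it.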
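To see why the injection test gives different numbers from run to run and why the comment insists on matching TX power, it helps to put the listed factors into a two-direction link budget. The block below is an added example, not code from the comment or from hcxdumptool: it uses the textbook free-space path loss (20 log10 d_km + 20 log10 f_MHz + 32.44 dB) and the first-Fresnel-zone radius at mid-path, and computes the margin above receiver sensitivity for device-to-target and target-to-device separately. The radio parameters are constructed; real values come from the device datasheets.

```python
import math
from dataclasses import dataclass


@dataclass
class Radio:
    """One station's RF parameters (constructed values for the example)."""
    tx_dbm: float        # transmit power
    gain_dbi: float      # antenna gain, assumed equal for TX and RX
    rx_sens_dbm: float   # weakest signal the receiver still decodes


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss: 20log10(d_km) + 20log10(f_MHz) + 32.44 dB."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz):
    """Signal level at the receiver for a line-of-sight path."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def fresnel_radius_m(distance_m, freq_mhz):
    """First Fresnel zone radius at mid-path (r = 17.32*sqrt(d_km/(4*f_GHz)) m).
    Obstacles inside this radius add loss the free-space model does not see."""
    return 17.32 * math.sqrt((distance_m / 1000) / (4 * freq_mhz / 1000))


def link_margins(device, target, distance_m, freq_mhz):
    """(device->target, target->device) margin in dB above each receiver's
    sensitivity. The two differ whenever TX powers or sensitivities differ,
    which is why a test in one direction says little about the other."""
    to_target = received_dbm(device.tx_dbm, device.gain_dbi, target.gain_dbi,
                             distance_m, freq_mhz) - target.rx_sens_dbm
    to_device = received_dbm(target.tx_dbm, target.gain_dbi, device.gain_dbi,
                             distance_m, freq_mhz) - device.rx_sens_dbm
    return to_target, to_device


if __name__ == "__main__":
    # Constructed example: a 20 dBm test device with a 5 dBi antenna and a
    # 15 dBm phone with a 0 dBi antenna, 100 m apart on channel 6 (2437 MHz).
    device = Radio(tx_dbm=20, gain_dbi=5, rx_sens_dbm=-88)
    phone = Radio(tx_dbm=15, gain_dbi=0, rx_sens_dbm=-85)
    fwd, back = link_margins(device, phone, 100, 2437)
    print(f"device->target margin {fwd:.1f} dB, target->device margin {back:.1f} dB")
    print(f"first Fresnel radius at 100 m: {fresnel_radius_m(100, 2437):.2f} m")
    # Raising the device's TX power only moves the first number; the weaker
    # return direction stays where it was.
    louder = Radio(tx_dbm=30, gain_dbi=5, rx_sens_dbm=-88)
    print("with +10 dB TX:", link_margins(louder, phone, 100, 2437))
```

The model is deliberately free-space only; multipath, body shadowing and channel contention (the time-slot point in the list) push the real figures down unpredictably, which is the variance the comment describes.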