Cracking a password present in wordlist doesn't work
#7
The MESSAGEPAIR information on PMKID (format WPA*01*) is new. It has been part of hcxpcapngtool since version 6.3.1.
Older versions of hcxpcapngtool don't have this information.

Regarding a PMKID, it is important to know where it comes from.
A CLIENT can hold an old/outdated PMKID. It also can hold a PMKID of a REPEATER.
These PMKIDs may be calculated from an old/outdated PSK.

If you have something like this:
Code:
WPA*01*PMKID*fc690c158264*f4747f87f9f4*686173686361742d6573736964***01
WPA*02*MIC*fc690c158264*f4747f87f9f4*686173686361742d6573736964*ANONCE*EAPOL*x2

If the MAC_AP of WPA*01 and WPA*02 is the same
and if the MAC_CLIENT of WPA*01 and WPA*02 is the same
and if THE ESSID of WPA*01 and WPA*02 is the same
and if the PMKID is from the AP (MESSAGEPAIR: 01)
and if the EAPOL is AUTHORIZED (MESSAGEPAIR x2 or x5)
the PSK belongs to the same NETWORK.

Take a look at this NETWORK:
https://wpa-sec.stanev.org/?search=inwi+Home+4G181E6D
The conditions mentioned above are met.

An example of a valid MESSAGEPAIR that does not belong to the target NETWORK:
The NETWORK PSK is ABCDEFGH.
A not authorized CLIENT tries to connect to the NETWORK using the PSK 12345678.
Your word list contains 12345678.
You got a PMKID MP 01.
You got an EAPOL MP 00.

In that case hashcat recovers the PSK 12345678 from the EAPOL MESSAGEPAIR, but this is not the PSK of the NETWORK. The NETWORK PSK remains unrecovered.

If you add ABCDEFGH to the word list, hashcat is able to recover both.
As a result, you get 2 different PSKs for this NETWORK:
an authorized one, ABCDEFGH, that allows access to the NETWORK
a not authorized one, 12345678, from the attempt of a CLIENT that does not have permission to enter the NETWORK.

If you do not want to run hashcat on not authorized EAPOL MESSAGEPAIRs, you have to remove them (MP x0) from your hash list.


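The checks the post lists (same MAC_AP, MAC_CLIENT and ESSID, PMKID from the AP, EAPOL MESSAGEPAIR x2 or x5) and the final step of dropping MP x0 EAPOL lines from the hash list, written out as a small Python filter. This is an added example, not code from the thread or from hcxpcapngtool; the sample hash list is constructed from the two lines quoted above with placeholder ANONCE/EAPOL fields, plus one extra MP 00 line.

```python
from collections import defaultdict

# Constructed sample (not a real capture): the two lines quoted in the post,
# with placeholder ANONCE/EAPOL fields, plus one EAPOL line with MESSAGEPAIR 00
# (M1+M2, i.e. a CLIENT's unverified connection attempt).
SAMPLE_HASHLIST = """\
WPA*01*PMKID*fc690c158264*f4747f87f9f4*686173686361742d6573736964***01
WPA*02*MIC*fc690c158264*f4747f87f9f4*686173686361742d6573736964*ANONCE*EAPOL*02
WPA*02*MIC*fc690c158264*f4747f87f9f4*686173686361742d6573736964*ANONCE*EAPOL*00
"""

def parse_22000(line):
    """Split one WPA*01/WPA*02 line into the fields the post's checks need."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 hash line: {line!r}")
    return {
        "type": f[1],                                  # 01 = PMKID, 02 = EAPOL/MIC
        "mac_ap": f[3].lower(),
        "mac_client": f[4].lower(),
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
        "mp": int(f[8], 16),                           # MESSAGEPAIR byte
        "line": line.strip(),
    }

def is_authorized(h):
    """PMKID must come from the AP (MP 01); EAPOL must be MP x2 or x5."""
    if h["type"] == "01":
        return h["mp"] == 0x01
    # Bits 0-2 of the MESSAGEPAIR byte hold the message-pair id; x0 is M1+M2.
    return (h["mp"] & 0x07) in (2, 5)

def parse_all(hashlist):
    return [parse_22000(l) for l in hashlist.splitlines() if l.strip()]

def drop_unauthorized(hashlist):
    """Keep only the lines hashcat should spend time on (MP x0 removed)."""
    return [h["line"] for h in parse_all(hashlist) if is_authorized(h)]

def consistent_networks(hashlist):
    """(MAC_AP, MAC_CLIENT, ESSID) keys that have both an AP PMKID and an
    authorized EAPOL, so a PSK recovered from either belongs to that NETWORK."""
    seen = defaultdict(set)
    for h in parse_all(hashlist):
        if is_authorized(h):
            seen[(h["mac_ap"], h["mac_client"], h["essid"])].add(h["type"])
    return sorted(k for k, types in seen.items() if types == {"01", "02"})

if __name__ == "__main__":
    print("\n".join(drop_unauthorized(SAMPLE_HASHLIST)))
    print(consistent_networks(SAMPLE_HASHLIST))
```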
RE: Cracking a password present in wordlist doesn't work - by ZerBea - 07-24-2023, 02:43 PM