An EAPOL key exchange consists of 4 parts.
https://www.wifi-professionals.com/2019/...-handshake
Or simply explained:
1. The AP transmits an EAPOL M1 (challenge) to the CLIENT: "hey CLIENT, let's see if you are entitled to enter this NETWORK"
2. The CLIENT responds with an EAPOL M2 (challenge): "hey AP, this is my PSK, am I allowed to enter the NETWORK?"
3. The AP transmits an EAPOL M3 message (authorization): "hey CLIENT, you are allowed to join the NETWORK"
4. The CLIENT confirms with an EAPOL M4 (authorization) and joins the NETWORK
If the PSK is wrong, or the CLIENT belongs to a different NETWORK using the same ESSID, the AP doesn't allow it to join the NETWORK. It will not transmit EAPOL M3.
BTW:
This behavior is desired to retrieve an EAPOL M2 from a single CLIENT and is a major part of an AP-LESS attack.
You can control how many M2's hcxdumptool should accept with these options:
Code:
--stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
require hcxpcangtool --all option
or
--all_m2 : accept all connection attempts from a CLIENT
affected: CLIENTs
warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
The last field of a 22000 hash line contains information about the kind of EAPOL MESSAGEPAIR that was converted by hcxpcapngtool. It is explained in the hcxpcapngtool help:
Code:
$ hcxpcapngtool --help
Bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 usable if not zeroed (authorized)
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 usable if not zeroed (authorized)
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
Please notice that hcxdumptool/hcxtools are designed to be analysis tools. With default options they grep and convert everything that they get, in order to filter/analyse later on, offline.
How to get exactly the kind of EAPOL MESSAGEPAIR that you want is explained here:
https://hashcat.net/forum/thread-10253-p...l#pid53580
"In this test I run hcxdumptool -c 52 -i wlan1 -o wpatest.pcapng --enable-status=15 --active_beacon"
Please notice:
Not every AP will send a PMKID.
You're trying to run an attack on 5GHz. Therefore you must allow the driver to transmit on this RF band. That is mandatory.
If your regulatory domain is unset, transmission on 5GHz band is not allowed:
Code:
$ iw reg get
global
country 00: DFS-UNSET
(2402 - 2472 @ 40), (N/A, 20), (N/A)
(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
(5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
(5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
(57240 - 63720 @ 2160), (N/A, 0), (N/A)
The regulatory domain (hcxdumptool respects it) and how to change it, is explained here:
https://wiki.archlinux.org/title/Network...ory_domain
e.g.:
Code:
$ sudo iw reg set US
$ iw reg get
global
country US: DFS-FCC
(2400 - 2472 @ 40), (N/A, 30), (N/A)
(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
(5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
(5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
(5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
(5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
(57240 - 71000 @ 2160), (N/A, 40), (N/A)
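As an added example (not code from the post, hashcat or hcxtools), a small Python decoder for the MESSAGEPAIR bitmask quoted from the hcxpcapngtool help above, applied to constructed 22000 lines whose PMKID/MIC/nonce/EAPOL hex values are placeholders, not real captures:

```python
# Bits 2..0 of the MESSAGEPAIR byte, as listed in the hcxpcapngtool --help output.
MESSAGE_PAIRS = {
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 usable if not zeroed (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized) - unused",
    4: "M3+M4, EAPOL from M3 (authorized) - unused",
    5: "M3+M4, EAPOL from M4 usable if not zeroed (authorized)",
}

def decode_messagepair(field: str) -> dict:
    """Decode the two-hex-digit last field of a WPA*02* line into its flags."""
    value = int(field, 16)
    pair = value & 0b111               # bits 2,1,0 (bit 3 is reserved and ignored)
    if pair not in MESSAGE_PAIRS:
        raise ValueError(f"reserved message pair value {pair}")
    ap_less, le, be, unchecked = (bool(value & (1 << b)) for b in (4, 5, 6, 7))
    if unchecked:                      # bit 7: replaycount not checked
        nec = "mandatory"
    elif ap_less:                      # bit 4: ap-less attack
        nec = "not required"
    elif le or be:                     # bit 5 / bit 6: LE / BE router detected
        nec = "required only on " + ("LE" if le else "BE")
    else:
        nec = "default"
    return {"pair": pair, "description": MESSAGE_PAIRS[pair],
            "authorized": pair != 0,   # only 000 is a pure challenge (no M3/M4 seen)
            "ap_less": ap_less, "le_router": le, "be_router": be,
            "replaycount_unchecked": unchecked, "nonce_error_corrections": nec}

def parse_22000(line: str) -> dict:
    """Split a hashcat 22000 line; type 02 (EAPOL) also carries the MESSAGEPAIR."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 line")
    rec = {"type": "PMKID" if f[1] == "01" else "EAPOL", "mac_ap": f[3],
           "mac_client": f[4], "essid": bytes.fromhex(f[5]).decode(errors="replace")}
    if f[1] == "02":
        rec["messagepair"] = decode_messagepair(f[8])
    return rec

# Constructed sample lines with placeholder hex values (not real captures).
SAMPLE_PMKID = "WPA*01*" + "11" * 16 + "*aabbccddeeff*001122334455*4578616d706c65***"
SAMPLE_EAPOL = ("WPA*02*" + "22" * 16 + "*aabbccddeeff*001122334455*4578616d706c65*"
                + "33" * 32 + "*" + "44" * 16 + "*10")
if __name__ == "__main__":
    for line in (SAMPLE_PMKID, SAMPLE_EAPOL):
        print(parse_22000(line))
```

The sample EAPOL line ends in MESSAGEPAIR 10, i.e. M1+M2 (challenge) with the ap-less bit set, which is exactly what the M2-only capture described above produces.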