In every case (WPA1-PSK, WPA2-PSK, WPA2 key version 3-PSK), the salt is the ESSID, and hashcat will take it from the hash line as well as all other values needed to recover the PSK.
The hash line is explained here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Code:
WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***
WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR
Simply explained, recovering the PSK is divided into 2 steps:
1. calculate PMK from ESSID and PSK (via PBKDF2 - rfc2898) - this calculation is very slow
2. calculate PMKID or MIC using the PMK (calculated in step 1) - if the calculated PMKID or MIC is the same as the one stored in the hash line, the PSK is correct - this calculation is fast
The PMKID (identifier WPA*01) calculation is explained here:
https://hashcat.net/forum/thread-7717.html
A proof of concept is explained here:
https://www.cyberark.com/resources/threa...mple-trick
The 4-way handshake (identifier WPA*02) calculation is explained here:
https://www.wifi-professionals.com/2019/...-handshake
It is mandatory to have at least one of them (WPA*01 or WPA*02 hash line) to successfully recover the PSK.
BTW:
If you compare the calculation of the PMKID with the calculation of the MIC, you'll notice that calculating a PMKID is slightly faster, while step 1 takes the same time on both.
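The two steps described above, written out as an added Python example; this is not code from the post or from hashcat. It parses both hash line formats shown in the post (WPA*01 and WPA*02), derives the PMK with PBKDF2-HMAC-SHA1 (step 1) and then compares either the PMKID or the EAPOL MIC (step 2). It is useful for checking, with your own AP and your own passphrase, that a PMKID or handshake you captured from your network is internally consistent. Assumptions: key versions 1 (HMAC-MD5) and 2 (HMAC-SHA1) only, key version 3 (AES-CMAC) is left out; the EAPOL field is the full frame with the MIC zeroed, as hashcat stores it; the sample MACs, nonces and ESSID in `constructed_hash_lines()` are made up for the demo. The PMK known-answer value comes from the IEEE 802.11i test vectors.

```python
import hashlib
import hmac


def pmk_from_psk(essid: bytes, psk: str) -> bytes:
    """Step 1 (slow): PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """Step 2 for WPA*01: PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)[:16]."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def ptk_kck(pmk: bytes, mac_ap: bytes, mac_client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 16 bytes of the PTK, from the 802.11i SHA1 PRF (PRF-512, four blocks)."""
    data = (min(mac_ap, mac_client) + max(mac_ap, mac_client)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """Step 2 for WPA*02: MIC over the EAPOL frame (MIC field zeroed), truncated to 16 bytes."""
    if key_version == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()[:16]
    if key_version == 2:
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    raise ValueError("key version 3 (AES-128-CMAC) is not implemented in this example")


def check_psk(hash_line: str, psk: str) -> bool:
    """Return True if `psk` reproduces the PMKID or MIC stored in a WPA*01 / WPA*02 hash line."""
    f = hash_line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA":
        raise ValueError("not a WPA*01/WPA*02 hash line")
    kind, stored = f[1], bytes.fromhex(f[2])
    mac_ap, mac_client, essid = bytes.fromhex(f[3]), bytes.fromhex(f[4]), bytes.fromhex(f[5])
    pmk = pmk_from_psk(essid, psk)                       # step 1, same cost for both formats
    if kind == "01":
        return hmac.compare_digest(pmkid(pmk, mac_ap, mac_client), stored)
    if kind == "02":
        anonce, eapol = bytes.fromhex(f[6]), bytes.fromhex(f[7])
        # EAPOL-Key layout: 4-byte 802.1X header, descriptor type(1), key info(2), key len(2),
        # replay counter(8), then the 32-byte nonce at offset 17..49.
        snonce = eapol[17:49]
        key_version = int.from_bytes(eapol[5:7], "big") & 0x7   # low 3 bits of key info
        kck = ptk_kck(pmk, mac_ap, mac_client, anonce, snonce)
        return hmac.compare_digest(eapol_mic(kck, eapol, key_version), stored)
    raise ValueError("unknown hash line type " + kind)


def constructed_hash_lines(psk: str = "password") -> tuple:
    """Build one WPA*01 and one WPA*02 hash line from made-up (constructed) capture values."""
    essid = b"ExampleNet"                                # constructed ESSID
    mac_ap = bytes.fromhex("001122334455")               # constructed AP MAC
    mac_client = bytes.fromhex("66778899aabb")           # constructed client MAC
    anonce = bytes(range(32))                            # constructed ANonce
    snonce = bytes(range(32, 64))                        # constructed SNonce
    pmk = pmk_from_psk(essid, psk)
    line01 = "WPA*01*%s*%s*%s*%s***" % (pmkid(pmk, mac_ap, mac_client).hex(),
                                        mac_ap.hex(), mac_client.hex(), essid.hex())
    # Constructed EAPOL-Key message 2: key info 0x010a = version 2, pairwise, MIC bit set.
    eapol = (bytes.fromhex("0103005f02010a0010") + b"\x00" * 7 + b"\x01"   # replay counter 1
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
             + b"\x00" * 16 + b"\x00\x00")                                   # MIC zeroed, no data
    mic = eapol_mic(ptk_kck(pmk, mac_ap, mac_client, anonce, snonce), eapol, 2)
    line02 = "WPA*02*%s*%s*%s*%s*%s*%s*02" % (mic.hex(), mac_ap.hex(), mac_client.hex(),
                                             essid.hex(), anonce.hex(), eapol.hex())
    return line01, line02


if __name__ == "__main__":
    for line in constructed_hash_lines():
        print(line[:20] + "...", "matches 'password':", check_psk(line, "password"))
```

Running the script prints `True` for both constructed lines; changing the passphrase argument to anything else yields `False`, and timing the two calls shows that nearly all of the cost sits in `pmk_from_psk`, which is the point the post makes about step 1.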