Cracking a password present in wordlist doesn't work
#11
First, thanks for your time and patience, it is still a bit blurry to me ^^

So basically, for my example above, the WPA*02 line is not usable since the PSK was not authorized; if I bruteforce that one I might recover a wrong PSK. Am I right?

And the 2 other WPA*01 lines come from the AP, so the password might be found.

I am able to distinguish the different parts of the output. You said the MP 10 is unauthorized, so I'm just checking the doc.

Code:
bitmask of message pair field EAPOL (WPA*02):
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

From what I see there (which is obviously wrong), 010 is authorized, so I must be missing a key somewhere.
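Added example, not part of the original post and not the tool's own code: a decoder for the message pair field that follows the bitmask table quoted above. It assumes the field is the last `*`-separated field of a WPA*02 line and is written as two hex digits; the function names and sample values are hypothetical.

```python
# Added example: decode the message pair byte with the bitmask table quoted in the post.
# Assumption: the field is two hex digits, the last '*'-separated field of a WPA*02 line.

# bits 2,1,0 -> (message pair, EAPOL taken from, state)
PAIRS = {
    0b000: ("M1+M2", "M2", "challenge"),
    0b001: ("M1+M4", "M4", "authorized"),
    0b010: ("M2+M3", "M2", "authorized"),
    0b011: ("M2+M3", "M3", "authorized"),
    0b100: ("M3+M4", "M3", "authorized"),
    0b101: ("M3+M4", "M4", "authorized"),
}
# bits 4..7 -> meaning when set to 1 (bit 3 is reserved)
FLAGS = {
    4: "ap-less attack, nonce-error-corrections not required",
    5: "LE router detected",
    6: "BE router detected",
    7: "replaycount not checked, nonce-error-corrections mandatory",
}

def decode_message_pair(field):
    """Decode a hex message pair field into the parts the table documents."""
    value = int(field, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("message pair must fit in one byte")
    low = value & 0b111
    if low not in PAIRS:
        raise ValueError(f"undocumented message pair bits {low:03b}")
    messages, eapol_from, state = PAIRS[low]
    return {
        "bits_2_0": f"{low:03b}",
        "messages": messages,
        "eapol_from": eapol_from,
        "state": state,
        "reserved_bit_3": bool(value & 0b1000),
        "flags": [text for bit, text in FLAGS.items() if value & (1 << bit)],
    }

def message_pair_of(line):
    """Decode the last field of a WPA*02 line."""
    fields = line.strip().split("*")
    if fields[:2] != ["WPA", "02"]:
        raise ValueError("not a WPA*02 line")
    return decode_message_pair(fields[-1])

if __name__ == "__main__":
    for sample in ("00", "02", "10", "82"):  # constructed sample values
        print(sample, decode_message_pair(sample))
```

Under the hex assumption, the value's low three bits select the row of the table and bits 4 to 7 are read as independent flags.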


Messages In This Thread
RE: Cracking a password present in wordlist doesn't work - by bbjjlk - 07-24-2023, 03:17 PM