Automatic Handshake Extraction/Separation and hccapx Generation Tool
#4
Hi JohnDN90.
Pushed an update some minutes ago. Using Option -O will give you raw handshakes (comparable to pyrit: --all-handshakes).
You can use every message pair to recover the key:
M1M2 (not authenticated)
M2M3 (authenticated)
M3M4 (authenticated) (if M4 snonce isn't zeroed)
M1M4 (authenticated) (if M4 snonce isn't zeroed)
as long as the cracker is able to calculate a valid Pairwise Transient Key (PTK) from data of the captured frames.
Therefore you need exactly 3 frames:
- one management frame (containing the ESSID)
- one EAPOL frame from the access point (you can spoof that: ap-less attack)
- one EAPOL frame from the client
Both EAPOL frames must be in relation to each other.
Basically that's all.
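The calculation the post refers to, as an added example (not part of the original post or of the tool): derive the PTK from a known PMK plus the AP's and the client's EAPOL-Key frames, and check that the KCK reproduces the MIC in the client's frame. The MAC addresses, nonces, passphrase and ESSID are constructed sample values, and `build_eapol_key` only fabricates minimal frames so the check runs offline; it also enforces the zeroed-SNonce caveat from the post.

```python
import hmac
import hashlib

NONCE_OFF, MIC_OFF = 17, 81  # field offsets in an EAPOL-Key frame (4-byte 802.1X hdr + descriptor fields)

def prf512(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: PTK from PMK, both MAC addresses and both nonces (order-independent)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]  # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]

def eapol_mic(kck, frame):
    """WPA2 (key descriptor v2) MIC: HMAC-SHA1 over the frame with its MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_key(nonce, mic=b"\x00" * 16, replay=1):
    """Constructed minimal EAPOL-Key frame (no key data) used only to create sample input here."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info (pairwise, MIC bit, descriptor v2); constructed value
            + b"\x00\x10"                # key length
            + replay.to_bytes(8, "big") + nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + b"\x00\x00")         # key IV, key RSC, key ID, MIC, key data length = 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X: version 2, type EAPOL-Key

def usable_pair(ap_frame, client_frame):
    """(anonce, snonce) for a related AP/client pair, or None when the client frame's SNonce is zeroed (M4 caveat)."""
    anonce = ap_frame[NONCE_OFF:NONCE_OFF + 32]
    snonce = client_frame[NONCE_OFF:NONCE_OFF + 32]
    return None if snonce == b"\x00" * 32 else (anonce, snonce)

def check_pmk(pmk, aa, spa, ap_frame, client_frame):
    """True if this PMK yields a PTK whose KCK reproduces the MIC carried in the client's EAPOL frame."""
    nonces = usable_pair(ap_frame, client_frame)
    if nonces is None:
        return False
    kck = prf512(pmk, aa, spa, *nonces)[:16]
    return hmac.compare_digest(eapol_mic(kck, client_frame), client_frame[MIC_OFF:MIC_OFF + 16])

# Constructed sample: PMK from passphrase + ESSID (why the management frame is needed), M1 from AP, M2 from client.
PMK = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"ExampleESSID", 4096, 32)
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
AP_FRAME = build_eapol_key(ANONCE)
_kck = prf512(PMK, AA, SPA, ANONCE, SNONCE)[:16]
CLIENT_FRAME = build_eapol_key(SNONCE, eapol_mic(_kck, build_eapol_key(SNONCE)))
ZEROED_M4 = build_eapol_key(b"\x00" * 32)  # client frame with zeroed SNonce: cannot be paired
```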


RE: Automatic Handshake Extraction/Separation and hccapx Generation Tool - by ZerBea - 01-17-2018, 04:45 PM