22000 - PMKID and EAPOL for same network - two different keys recovered ?
#2
The last field of an EAPOL MESSAGEPAIR hash line (WPA*02) will give you information about the status of the AUTHENTICATION as described here:
https://hashcat.net/forum/thread-10253-p...l#pid53255
https://hashcat.net/forum/thread-10253-p...l#pid53634
I recommend reading the whole thread.

The EAPOL MESSAGEPAIR could be recorded/requested from a CLIENT that doesn't belong to the target NETWORK.

The PMKID (WPA*01) is transmitted by the ACCESS POINT. The PSK calculated from this hash line should be the one that belongs to the target NETWORK.

Example from here:
https://github.com/hashcat/hashcat/files...eless1.zip
as mentioned here:
https://hashcat.net/forum/thread-10253-p...l#pid53255
Code:
$ hcxpcapngtool -o test.22000 corp_question1-01.cap
hcxpcapngtool 6.2.4-28-g56174da reading from corp_question1-01.cap...
...
EAPOL pairs (best).......................: 2
EAPOL pairs written to combi hash file...: 2 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1

I use hcxhashtool to analyze the hash file, rather than adding Wireshark screenshots:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: CORP-WIFI
MAC_AP.....: removed (NETGEAR)
MAC_CLIENT.: removed (Hon Hai Precision Ind. Co.,Ltd.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: NC not required
MP M2M3 E2.: authorized
MIC........: removed
HASHLINE...: WPA*02*removed*02

SSID.......: CORP-WIFI
MAC_AP.....: removed (NETGEAR)
MAC_CLIENT.: removed (Apple, Inc.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 3
RC INFO....: NC not required
MP M1M2 E2.: challenge
MIC........: removed
HASHLINE...: WPA*02*removed*00

The first CLIENT belongs to the target NETWORK, the second one does not.
hcxpcapngtool converts challenges, too, because it is a good way to detect which kind of PSKs an unauthorized CLIENT tried in order to get access to a target NETWORK.

Please notice:
Due to reuse of PBKDF2, you got two PSKs for the price of one (PBKDF2 calculation using the same SALT).
How to filter challenges out (if you don't need them) is also described in the thread mentioned above.
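An added example (not part of the post above, and not hcxtools code): a small parser for 22000 hash lines that decodes the MESSAGEPAIR field the way hcxhashtool --info reports it, drops M1M2 challenges, and shows which SSIDs have both a PMKID and an EAPOL line (same PBKDF2 salt). The message pair values follow hashcat's message_pair description; all MACs, hashes, nonces and EAPOL bytes are constructed placeholders.

```python
# Low 3 bits of the last WPA*02 field, per hashcat's message_pair description
# (the post shows two of them: 00 = M1M2 challenge, 02 = M2M3 authorized).
MESSAGE_PAIRS = {
    0: ("M1M2 E2", "challenge"), 1: ("M1M4 E4", "authorized"),
    2: ("M2M3 E2", "authorized"), 3: ("M2M3 E3", "authorized"),
    4: ("M3M4 E3", "authorized"), 5: ("M3M4 E4", "authorized"),
}
RC_NOT_CHECKED = 0x80  # bit 7 set: replay counter not checked, NC needed

# Constructed sample hash lines (placeholder values, not a real capture).
ESSID_HEX = "434f52502d57494649"  # hex of "CORP-WIFI"
AP, STA_OK, STA_FOREIGN = "a0b1c2d3e4f5", "0a1b2c3d4e5f", "6f7e8d9cabbc"
SAMPLE_LINES = [
    # WPA*01: PMKID sent by the AP, tied to the target network
    f"WPA*01*{'11' * 16}*{AP}*{STA_OK}*{ESSID_HEX}***",
    # WPA*02, message pair 02: M2M3, client proved it knows the PSK
    f"WPA*02*{'22' * 16}*{AP}*{STA_OK}*{ESSID_HEX}*{'33' * 32}*0103007502010a00*02",
    # WPA*02, message pair 00: M1M2, an unverified attempt by another client
    f"WPA*02*{'44' * 16}*{AP}*{STA_FOREIGN}*{ESSID_HEX}*{'55' * 32}*0103007502010a00*00",
]


def parse_22000(line: str) -> dict:
    """Split one 22000 line into its fields and decode the message pair."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a WPA*01/WPA*02 hash line")
    _, htype, _hash, mac_ap, mac_client, essid_hex, _anonce, _eapol, mp = fields
    rec = {"type": "PMKID" if htype == "01" else "EAPOL",
           "ssid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
           "mac_ap": mac_ap, "mac_client": mac_client}
    if htype == "02":
        mp_val = int(mp, 16)
        pair, status = MESSAGE_PAIRS.get(mp_val & 0x07, ("unknown", "unknown"))
        rec.update(message_pair=pair, status=status,
                   rc_checked=not (mp_val & RC_NOT_CHECKED))
    return rec


def drop_challenges(lines: list) -> list:
    """Keep PMKIDs and authorized EAPOL pairs; drop M1M2 challenges."""
    return [l for l in lines if parse_22000(l).get("status") != "challenge"]


def shared_salts(lines: list) -> dict:
    """SSIDs with both a PMKID and an EAPOL line: one PBKDF2 run covers both."""
    by_ssid = {}
    for l in lines:
        rec = parse_22000(l)
        by_ssid.setdefault(rec["ssid"], set()).add(rec["type"])
    return {s: t for s, t in by_ssid.items() if len(t) == 2}
```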


RE: 22000 - PMKID and EAPOL for same network - two different keys recovered ? - by ZerBea - 10-11-2021, 05:56 PM