Quick answer:

Yes, that's correct.

Long statement:

You only need to capture the M2 from a client. wlandump-ng and wlanresponse will calculate the M1.

wlandump-ng will show us this (using the -s xx option):

transmitted m1/received appropriate m2...: 343/719

and the regular messages from a real AP connected to a client:

received regular m1/m2/m3/m4.............: 146/98/143/68

Using the defaults, a client probes every AP that has an entry in its wpa_supplicant.conf.

A stupid client also probes and authenticates to its 5 GHz access point on 2.4 GHz!

wlandump-ng accepts and transmits an M1. After receiving this M1, the client transmits its M2. So we receive a valid M2, calculated from an entry in its wpa_supplicant.conf.

If the client has 10 entries (from 10 different networks) in its wpa_supplicant.conf, we get 10 different crackable M2s.