PMKID question
#3
We can take the PMKID from these frames (PBKDF2 hashcat hashmode 16800):
EAPOL M1 from access point (in this case we need one additional frame to get the ESSID: ASSOCIATIONREQUEST, REASSOCIATIONREQUEST, PROBERESPONSE, directed PROBEREQUEST, BEACON, where BEACON is the last choice we should use)
REASSOCIATIONREQUEST from client (in this case we need only one single frame to get the needed information: ESSID + PMKID + MAC_AP + MAC_STA)

Additionally, we can take the PMKID from this frame (non PBKDF2 - AKM defined authentications: FBT, EAP-SIM, EAP-AKA, ...):
AUTHENTICATION

BTW:
The most important frames in combination with EAP/EAPOL are:
ASSOCIATION + REASSOCIATION
AUTHENTICATION

BEACONs contain less(!) information!
So it is definitely not(!) a good idea to store only one BEACON and one frame M1 for PMKID or two frames M1/M2, M2/M3, M1/not zeroed M4 or M3/not zeroed M4 for EAPOL 4way in a pcapng, pcap, cap file!

Messages In This Thread
PMKID question - by slawson - 09-24-2019, 11:19 PM
RE: PMKID question - by slyexe - 09-25-2019, 01:20 AM
RE: PMKID question - by ZerBea - 09-25-2019, 07:50 AM
RE: PMKID question - by slawson - 09-25-2019, 02:40 PM
RE: PMKID question - by ZerBea - 09-26-2019, 10:55 AM
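
A check for the first case in post #3 (PMKID carried in EAPOL M1), as an added example that is not part of the original thread or of any tool mentioned in it: it walks the Key Data field of an M1 and reports whether the access point included a PMKID KDE. The function name and the sample byte strings are constructed for illustration; the KDE layout used (element 0xdd, OUI 00-0F-AC, data type 4, 16-byte PMKID) is the one defined by IEEE 802.11.

```python
RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 RSN OUI
KDE_TYPE_PMKID = 4                 # KDE data type 4 = PMKID
VENDOR_ELEMENT = 0xDD              # KDEs are carried as vendor-specific elements


def find_pmkid(key_data: bytes):
    """Walk the (unencrypted) Key Data of an EAPOL-Key M1.

    Returns (pmkid, status); status is "present", "zeroed",
    "absent" or "malformed". Hypothetical helper for this example.
    """
    pos = 0
    while pos + 2 <= len(key_data):
        elem_type, length = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return None, "malformed"      # element runs past the buffer
        if (elem_type == VENDOR_ELEMENT and len(body) >= 4
                and body[:3] == RSN_OUI and body[3] == KDE_TYPE_PMKID):
            pmkid = body[4:]
            if len(pmkid) != 16:
                return None, "malformed"  # PMKID must be exactly 128 bits
            if pmkid == bytes(16):
                return pmkid, "zeroed"    # all-zero value: nothing usable
            return pmkid, "present"
        pos += 2 + length                 # skip any other element
    # A single leftover byte cannot form an element header.
    return None, ("malformed" if pos != len(key_data) else "absent")


# Constructed sample Key Data fields (not taken from a real capture).
KDE_HEADER = bytes.fromhex("dd14000fac04")
SAMPLE_PRESENT = KDE_HEADER + bytes.fromhex("11" * 16)
SAMPLE_ZEROED = KDE_HEADER + bytes(16)
SAMPLE_ABSENT = b""                                   # M1 without Key Data
SAMPLE_TRUNCATED = KDE_HEADER + bytes.fromhex("22" * 8)
# Unrelated vendor element first, then the PMKID KDE.
SAMPLE_MIXED = bytes.fromhex("dd050050f20200") + SAMPLE_PRESENT

if __name__ == "__main__":
    for name, data in [("present", SAMPLE_PRESENT), ("zeroed", SAMPLE_ZEROED),
                       ("absent", SAMPLE_ABSENT), ("truncated", SAMPLE_TRUNCATED),
                       ("mixed", SAMPLE_MIXED)]:
        pmkid, status = find_pmkid(data)
        print(f"{name:9} -> {status:9} {pmkid.hex() if pmkid else ''}")
```

An M1 that reports "present" exposes the PMKID to anyone in radio range, so on such a network the passphrase strength is what protects the PMK.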