3

I have a pcap file with two captured packets only.

Time            Protocol    Info
0.000000        EAPOL       Key (Message 3 of 4)
2934.200222     EAPOL       Key (Message 2 of 4)

I already know, messages 2 and 3 are sufficient to launch a password recovery attack. I'm still confused about the order: Message 3 was captured long time before message 2. These messages seem to appear in different handshakes. Nevertheless aircrack found a valid handshake.

Encryption

WPA (1 handshake)

I thought EAPOL messages must appear in same handshake because of exchange of nonce values.

Edit: I have SSID and MAC addresses as well.

user182672
  • 31
  • 3

2 Answers2

2

Let's recap, what is necessary information to retrieve the psk:

  • Nonce of AP (included in EAPOL 1 and 3)
  • Nonce of station (included in EAPOL 2)
  • MAC address of AP
  • MAC address of station
  • MIC (included in EAPOL 2)
  • SSID

This means you need to have at least

  • EAPOL 1 and 2 or
  • EAPOL 2 and 3

of one handshake to be able to find the psk with a dictionary attack.

In my opinion this has to be a bug in aircrack-ng to report the two packets in your capture as one handshake.

Although aircrack-ng reports them as one handshake, it will not work, even if you give the correct passphrase, because the nonce from EAPOL3 was not the one used in the calculation of the MIC transferred in EAPOL2.

oh.dae.su
  • 256
  • 3
  • 9
  • Thanks! Can I determine if some EAPOL messages belong to same handshake by analyzing packet fields or payload (except time stamp)? – user182672 Jul 23 '18 at 13:18
  • To my knowledge there is no field inside the EAPOL frames that gives you this information. Therefore the temporal proximity of the frames (and the order in which they arrive) are the best information available. If you have frame 1 and 3 and both don't have the same AP nonce, they are definitely from a separate handshake. – oh.dae.su Jul 23 '18 at 21:00
  • You could narrow your results filtering by origin and destination of the messages. – Philippe Delteil Mar 06 '19 at 03:45
1

Should be covered with the Aircrack-ng patch 87bf572.

As it seems from the code:

// ...

if ((st_cur->wpa.found & (1 << 1)) == (1 << 1))
{
    if (st_cur->wpa.tv_sec != 0
        && (pkh->tv_sec - st_cur->wpa.tv_sec) >= 5) // Here
    {
        st_cur->wpa.state &= ~1;
        st_cur->wpa.found &= ~(1 << 1);
    }
}


// ...

The sequence is omitted if its time difference is equal to or longer than 5 seconds.

schroeder
  • 129,372
  • 55
  • 299
  • 340
Artfaith
  • 111
  • 3