wpa_capture

Differences

wpa_capture [2009/12/15 17:47] darkaudax: Added additional information regarding identifying valid handshakes
wpa_capture [2014/09/05 02:50] (current) mister_x: Fixed typo
Line 70: Line 70:
 Notice that the AP initiates the four-way handshake by sending the first packet. ​ The first pair of packets has a "​replay counter"​ value of 1.  The second pair has a "​replay counter"​ value of 2.  Packets with the same "​replay counter"​ value are matching sets.  If you have only one packet for a specific "​replay counter"​ value then you are missing it from the capture and packet you do have cannot be used by aircrack-ng. ​ That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are "​0"​ handshakes. ​ You must have matching pairs. Notice that the AP initiates the four-way handshake by sending the first packet. ​ The first pair of packets has a "​replay counter"​ value of 1.  The second pair has a "​replay counter"​ value of 2.  Packets with the same "​replay counter"​ value are matching sets.  If you have only one packet for a specific "​replay counter"​ value then you are missing it from the capture and packet you do have cannot be used by aircrack-ng. ​ That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are "​0"​ handshakes. ​ You must have matching pairs.
  
-There are some other items to point out if you are analyzing a capture looking for a valid capture. ​ EAPOL packets 1 and 3 should have the same Nounce ​value. ​ If they don't, then they are not part of the matching set.  Aircrack-ng also requires a valid beacon. ​ Ensure this beacon is part of the same packet sequence numbers. ​ For example, if the beacon packet sequence number is higher then the EAPOL packet sequence numbers from the AP, the handshake will be ignored. ​ This is because the aircrack-ng "​resets"​ handshake sets when association packets and similar are seen.+There are some other items to point out if you are analyzing a capture looking for a valid capture. ​ EAPOL packets 1 and 3 should have the same nonce value. ​ If they don't, then they are not part of the matching set.  Aircrack-ng also requires a valid beacon. ​ Ensure this beacon is part of the same packet sequence numbers. ​ For example, if the beacon packet sequence number is higher then the EAPOL packet sequence numbers from the AP, the handshake will be ignored. ​ This is because the aircrack-ng "​resets"​ handshake sets when association packets and similar are seen.
  
 IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet. ​ Meaning coming from the AP or going to it. IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet. ​ Meaning coming from the AP or going to it.
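Review bot: The "Nounce" to "nonce" correction on the changed line is right, but the same paragraph still carries "if the beacon packet sequence number is higher then the EAPOL packet sequence numbers", which should read "higher than"; worth folding into this typo fix. The opening "analyzing a capture looking for a valid capture" also reads oddly and would be clearer as "looking for a valid handshake", since a valid handshake (matching replay-counter pairs, matching nonces, a beacon in sequence) is what the rest of the paragraph describes.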
wpa_capture.txt · Last modified: 2014/09/05 02:50 by mister_x