Skip to content

Commit 606ed9c

Browse files
ZerBeaZerBea
authored
Merge pull request #374 from StrongWind1/readme-message-pair-table
README: improve Bitmask Message Pair Field section
2 parents 7ce441c + a22ae80 commit 606ed9c

1 file changed

Lines changed: 68 additions & 24 deletions

File tree

README.md

Lines changed: 68 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ Useful Scripts
121121
| Script | Description |
122122
| ------------ | -------------------------------------------------------- |
123123
| piwritecard | Example script to restore SD-Card |
124-
| piwreadcard | Example script to backup SD-Card |
124+
| pireadcard | Example script to backup SD-Card |
125125
| hcxgrep.py | Extract records from m22000 hashline/hccapx/pmkid file based on regexp |
126126

127127
Notice
@@ -142,29 +142,73 @@ Notice
142142
Bitmask Message Pair Field (hcxpcapngtool)
143143
-------------------------------------------
144144

145-
bits 0-2
146-
147-
000 = M1+M2, EAPOL from M2 (challenge - ANONCE from M1)
148-
149-
001 = M1+M4, EAPOL from M4 (authorized) - usable if M4 NONCE is not zeroed and using option --all
150-
151-
010 = M2+M3, EAPOL from M2 (authorized - ANONCE from M3)
152-
153-
011 = M2+M3, EAPOL from M3 (authorized) - only with option --all
154-
155-
100 = M3+M4, EAPOL from M3 (authorized) - only with option --all
156-
157-
101 = M3+M4, EAPOL from M4 (authorized) - usable if M4 NONCE is not zeroed and using option --all
158-
159-
3: reserved
160-
161-
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
162-
163-
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
164-
165-
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
166-
167-
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary
145+
Each EAPOL hash in the `WPA*02*` hash line is built from two handshake
146+
messages. One message provides the EAPOL frame (which contains the MIC
147+
to verify against and one nonce already embedded at byte offset 17). The
148+
other message provides the second nonce that is not present in the frame.
149+
Together they give hashcat everything it needs: ANonce + SNonce + MIC +
150+
EAPOL frame.
151+
152+
### Why 12 theoretical combos become 6 message pairs with 3 unique hashes
153+
154+
There are three independent choices when building a hash from a complete
155+
4-way handshake:
156+
157+
- **ANonce source**: M1 or M3 (2 choices)
158+
- **SNonce source**: M2 or M4 (2 choices)
159+
- **EAPOL/MIC source**: M2, M3, or M4 (3 choices, M1 has no MIC)
160+
161+
That gives 2 x 2 x 3 = **12 theoretical combinations**.
162+
163+
But the EAPOL frame already contains one nonce embedded at byte offset
164+
17 (SNonce in M2/M4, ANonce in M3). Hashcat extracts that automatically.
165+
It only needs the *other* nonce supplied externally. So the real model
166+
is: 3 EAPOL sources x 2 external nonce sources = **6 message pairs**.
167+
168+
Within one handshake session, M1 and M3 carry the same ANonce value, and
169+
M2 and M4 carry the same SNonce value. Swapping which message the
170+
external nonce came from doesn't change the nonce itself. So each pair
171+
of message pairs that share the same EAPOL source produces an identical
172+
hash. 6 pairs collapse to **3 unique hashes**, one per EAPOL source.
173+
174+
### Bits 0-2: Message Pair Type
175+
176+
Rows are grouped by EAPOL source (Hash 1/2/3). Pairs within the same
177+
group produce identical crackable hashes.
178+
179+
| ID | Bits | Hex | Messages | EAPOL from | External Nonce | Unique Hash | Status |
180+
|------|------|------|----------|-------------------|----------------|-------------|--------|
181+
| N1E2 | 000 | 0x00 | M1+M2 | M2 (MIC + SNonce) | M1 (ANonce) | Hash 1 | challenge, default |
182+
| N3E2 | 010 | 0x02 | M2+M3 | M2 (MIC + SNonce) | M3 (ANonce) | Hash 1 | authorized, default |
183+
| N2E3 | 011 | 0x03 | M2+M3 | M3 (MIC + ANonce) | M2 (SNonce) | Hash 2 | authorized, --all |
184+
| N4E3 | 100 | 0x04 | M3+M4 | M3 (MIC + ANonce) | M4 (SNonce) | Hash 2 | authorized, --all (requires non-zero M4 nonce) |
185+
| N1E4 | 001 | 0x01 | M1+M4 | M4 (MIC + SNonce) | M1 (ANonce) | Hash 3 | authorized, --all (requires non-zero M4 nonce) |
186+
| N3E4 | 101 | 0x05 | M3+M4 | M4 (MIC + SNonce) | M3 (ANonce) | Hash 3 | authorized, --all (requires non-zero M4 nonce) |
187+
188+
The **ID** column uses the format N{nonce source}E{eapol source}. For
189+
example, N1E2 means the external nonce comes from M1 and the EAPOL frame
190+
comes from M2.
191+
192+
"Challenge" means only M1 and M2 were needed. The AP has not yet
193+
confirmed the password was correct (M3 was not required). "Authorized"
194+
means M3 or M4 were involved, which only exist after both sides verified
195+
the MIC. The password was both sent and validated.
196+
197+
M4's Key Nonce shall be 0 per IEEE 802.11i-2004 Section 8.5.3.4. Most
198+
implementations conform to the spec and zero it. Some reuse the SNonce
199+
from M2 instead. When zeroed, message pairs 0x01 and 0x05 are unusable
200+
because hashcat cannot reconstruct both nonces. In practice, most
201+
captures yield only Hash 1 and Hash 2.
202+
203+
### Bits 3-7: Flags
204+
205+
| Bit | Hex | Meaning |
206+
|-----|------|---------|
207+
| 3 | 0x08 | Reserved |
208+
| 4 | 0x10 | AP-less attack (no nonce-error-corrections necessary) |
209+
| 5 | 0x20 | LE router detected (nonce-error-corrections only for LE necessary) |
210+
| 6 | 0x40 | BE router detected (nonce-error-corrections only for BE necessary) |
211+
| 7 | 0x80 | Replaycount not checked (nonce-error-corrections definitely necessary) |
168212

169213
Warning
170214
--------

0 commit comments

Comments
 (0)