Skip to content

Capture Requirements

What fields are required for each attack type and where to find them in a capture file.

PSK Attack Requirements

PMKID Extraction

Attack AKM Minimum capture Fields required
PMKID 2 (PSK) M1, M2, Assoc Req, or Reassoc Req with PMKID SSID, MAC_AP, MAC_STA, PMKID
PMKID 4 (FT-PSK) M1, M2, Assoc Req, Reassoc Req, FT Auth, or FT Action with PMKID + FT IEs SSID, MAC_AP, MAC_STA, PMKID, MDID, R0KH-ID, R1KH-ID
PMKID 6 (PSK-SHA256) M1, M2, Assoc Req, or Reassoc Req with PMKID SSID, MAC_AP, MAC_STA, PMKID

EAPOL Handshake Extraction

Attack AKM Minimum capture Fields required
EAPOL 2 (PSK) Any message pair (M1+M2 preferred) SSID, MAC_AP, MAC_STA, ANonce, SNonce, MIC, EAPOL frame
EAPOL 4 (FT-PSK) Any message pair + FT IEs Same as above + MDID, R0KH-ID, R1KH-ID
EAPOL 6 (PSK-SHA256) Any message pair SSID, MAC_AP, MAC_STA, ANonce, SNonce, MIC, EAPOL frame

Field Sources (PSK)

Field Found in Notes
SSID Beacon, Probe Response (IE tag 0) Must be captured separately from handshake
MAC_AP 802.11 header addr2 (M1/M3), addr1 (M2/M4) Role depends on message direction
MAC_STA 802.11 header addr1 (M1/M3), addr2 (M2/M4) Role depends on message direction
ANonce M1 or M3 EAPOL Key Nonce field (32 bytes) Usually identical in M1 and M3
SNonce M2 (or M4 if non-zero) EAPOL Key Nonce field M4 nonce usually zeroed
MIC M2, M3, or M4 EAPOL Key MIC field (16 bytes) M1 has no MIC
EAPOL frame Raw bytes of the EAPOL-Key frame containing the MIC MIC field zeroed for verification
PMKID M1: PMKID KDE in Key Data (tag 0xDD, OUI 00:0F:AC, type 0x04); M2/AssocReq/ReassocReq: RSN IE PMKID List (tag 48) Not always present
MDID Mobility Domain IE (tag 0x36) in Beacon/assoc frames 2 bytes, FT only
R0KH-ID Fast BSS Transition IE (tag 0x37) subelement Variable length, up to 48 bytes
R1KH-ID Fast BSS Transition IE (tag 0x37) subelement 6 bytes, usually = AP MAC

EAP Attack Requirements

MSCHAPv2 (PEAP / EAP-TTLS)

MSCHAPv2 runs inside a TLS tunnel established by PEAP or EAP-TTLS. Passive capture sees only the outer TLS exchange, not the inner credentials. Extraction requires a rogue AP (hostapd-mana) that terminates the TLS tunnel and logs the inner challenge/response.

Field Size Source
Username variable EAP-Identity response (plaintext, before TLS)
Authenticator Challenge 16 bytes Rogue AP MSCHAPv2 challenge
Peer Challenge 16 bytes Client MSCHAPv2 response
NT-Response 24 bytes Client MSCHAPv2 response

hashcat mode 5500 format: username::::NT-Response:challenge

The challenge input is: SHA1(peer_challenge || auth_challenge || username)[0:8]

EAP-MD5

EAP-MD5 exchanges are unencrypted and visible in passive captures.

Field Size Source
Identifier 1 byte EAP-MD5 Request frame
Challenge variable (typically 16 bytes) EAP-MD5 Request frame
MD5 Response 16 bytes EAP-MD5 Response frame

hashcat mode 4800 format: md5_response:identifier:challenge

LEAP (Cisco LEAP)

LEAP is unencrypted and visible in passive captures.

Field Size Source
Username variable LEAP exchange (plaintext)
AP Challenge 8 bytes LEAP AP challenge frame
Peer Response 24 bytes LEAP peer response frame

hashcat mode 5500 format (same as MSCHAPv2).


WEP Capture Requirements

WEP cracking requires data frames encrypted with unique IVs. The PTW attack specifically needs ARP-sized frames typically obtained via ARP replay injection.

Attack Minimum packets Frame type Notes
FMS ~4,000,000 Any data frames Statistical weak IV collection
KoreK ~500,000 Any data frames 17 statistical correlations (WEP-104; ~150K for WEP-40)
PTW ~40,000 ARP frames (68 bytes) Multibyte key attack, default in WEPWolf and aircrack-ng
ChopChop 1 frame Any data frame Interactive decryption, no key recovery
Fragmentation 1 frame Any data frame Generates keystream, no key recovery
Caffe-Latte Client probe required Client data No AP needed

For PTW, known-plaintext ARP frames are required. ARP replay injection (aireplay-ng -3) is typically needed to generate the volume required.