Doubt about hcxdumptool output (Columns "P", "3" and "2")

[gorkarai]

Hi Mr. @ZerBea (Master of the universe ;-)
First of all: Excuse me for my bad english... I'll try to do my best. Let's go!
after execute this command...
sudo hcxdumptool -i wlan1 -w dumpfile.pcapng --rds=1 -F
I'm seing this output (see below)...

As I read in the documentation (hcxdumptool -h), the most interesting columns are those named as "P", "3" and "2" cause if I can see the "+" symbol in any of them means that "hashcat / JtR can work on" right?

The question is this: After leaving the process running for long periods of time (several hours), I only see the columns mentioned above filled with the "+" symbol on the networks I own ("MyAP", "MyAP Guests" and "MyAP_OLD"). So I don't know if I should wait more time (until I get value in those columns) or if I should stop the process and proceed with the next step hcxpcapngtool -o hash.hc2200 -E essidlist dumpfile.pcapng

Thank you for yor excellent software & support Mr. @ZerBea !!!

[ZerBea]

10:31:19 you got a + every column which means you got a PMKID, an EAPL MESSAGEPAIR M1M2 (challenge) and an EAPOL MESSAGEPAIR M2M3 (authorized). That is more than enough and hashcat/JtR can work on it.

10:30:46 the + in R column disappeared. That means that this AP is not longer under attack or it is out of Range.
This is no problem, because you got a PMKID, an EAPL MESSAGEPAIR M1M2 (challenge) and an EAPOL MESSAGEPAIR M2M3 (authorized). That is more than enough and hashcat/JtR can work on it.

10:30:46 No + in the R column. You got no 4way handshake, but a PMKID. hashcat and JtR can work on it.

10:36:26 + in R column and Plus in 1 column. The AP is still under attack and hcxdumptool is waiting for a CLIENT because the AP does not support PMKID caching. There are no hashes hashcat or JtR can work on.

10:30:35 The AP is out of range and no longer under attack. There are no hashes hashcat or JtR can work on

10:36:38 + in R column and Plus in 1 column. The AP is still under attack and hcxdumptool is waiting for a CLIENT because the AP does not support PMKID caching. There are no hashes hashcat or JtR can work on.

10:31:19 AP is still under attack, but it does not respond to hcxdumptool.

10:31:31 AP is not in range

10:31:46 AP is still under attack, but it does not respond to hcxdumptool.

Hashcat / Jtr can work on the first three entries. of the list.

Please notice:
The EAPOL TIMEOUT to detect a valid handshake is much lower than on hcxpcapngtool.
This makes sure that hcxdumptool stops an attack only on very good handshakes but it is possible that much more handshakes are recorded

To verify this, you can (at any time) run hcxpcapngtool in parallel on the pcapng file:
$ hcxpcapngtool -o hash.hc2200 -E essidlist dumpfile.pcapng
and use hcxhashtool to see if your target is already inside:

$ hcxhashtool -i hash.hc2200 -E owned
$ cat owned

BTW:
I'll convert move this to discussions, because it is not an issue.

[gorkarai]

WOW!! THANK YOU Mr. @ZerBea
Thank you for your quick and detailed response... You're a master!! ;-)

So, just as you said

"Hashcat / Jtr can work on the first three entries of the list."

and I understand that (again, thank you for your detailed explanation!!) but I am surprised that the tool is not capable of capturing PMKID or EAPOL messages on the other networks. Is it a matter of time or maybe I will never be able to capture those PMKID and EAPOL messages for those networks for some other reasons?

BTW: My apologies for opening this topic in the wrong thread.

[LLH-l]

 CHA  FREQ  BEACON  RESPONSE S    MAC-AP    ESSID  SCAN-FREQUENCY   5700
--------------------------------------------------------------------------
 1  2412 13:53:53  13:53:51      + fffffffffffff0 SSID [57]

This display [57] info, it purpose ? 57 responses ? larger value represent ?

[ZerBea]

Just an information that the target is in range and that it respond to hcxdumptool.