harper77

Yea actually you're right. Capturing packets 1 and 2 can crack the password, provided the client has the correct password. I just set up the an airbase-ng on my computer with a random ESSID on it and got my phone to try to connect to it using the password. Even though my computer didn't know the password, it captured a handshake and through aircrack-ng I was able to crack the password in a few seconds (the correct password was near the top of the list). I looked through the capture file on Wireshark and saw that it only had packets 1 and 2 of the 4 way handshake as well. So this means that airodump-ng can sometimes capture incomplete handshakes and say it's legit, and you'll spend days trying to crack the handshake but it'll never find the correct pass because it's a fail handshake? Is there any way to tell that it's a failed handshake (by looking at sharkwire or something)?

I've done the same thing and can say that aircrack-ng can NOT crack the password from a failed authentication handshake. I just set up my wireless router, my computer with Backtrack and got my phone with the wrong password to try connect to my router. Even though airodump-ng says it's successfully captured a handshake, it's not enough to crack it. Aircrack-ng went through the entire password list without success. I tried the same password list with a working authentication handshake capture and it got the password in a few seconds (the correct password was near the top of the password list). I opened the failed password handshake in Wireshark and it says it has captured "Message 1 of 4" and "Message 2 of 4" of the 4 way handshake. From what I gather, you need at least packets 2 and 3, or packets 3 and 4. Just 1 and 2 will not work.