wifiguy Posted October 13, 2022 Just got my WiFi Pineapple. Plugged it in and did a recon scan with automatic capturing. Out of 10 APs around me, it only managed to capture 3 handshakes. One in 2 mins, one in 15 mins, and one in 52 mins. I've left it scanning continuously for 24 hours and still only 3 handshakes captured. Why would this be? Does signal strength matter a lot when it comes to handshake capturing? I have noticed that the 3 it has captured are the 3 that are within closest range. How much does signal strength matter when capturing handshakes? The further away, the longer it will take? How long has it taken you to capture handshakes from long-distance APs?
dark_pyrro Posted October 13, 2022 Do you have the Pineapple only, or do you have the 5 GHz add-on adapter as well? If just having the Pineapple, then it will just try to capture handshakes for 2.4 GHz APs. Are all of your 10 APs 2.4 GHz? Also take into account that the Pineapple loops through all the channels; it doesn't listen on all channels at the same time. So, if some handshake is being made on channel 3 when the Pineapple is listening on channel 11, then that handshake won't get caught. If running 5 GHz as well, then you have even more channels for the Pineapple to loop through on each cycle, making it possible for handshakes to happen undetected. You also need to have clients trying to connect to the networks around you. If no one joins, then there will most likely not be any handshakes going on either.
wifiguy Posted October 13, 2022 (Author) Thanks for your reply. 1. I only have the Pineapple, not the 5 GHz add-on. The access points listed in the Recon scanning page are all 2.4 GHz versions; none of their 5 GHz networks are even showing up. 2. When you say the Pineapple loops through channels, does this take hours to do? Are you saying I should just leave it running for several days straight to see if it captures more handshakes? 3. So if an access point has 0 clients connected to it, does that mean it's impossible to capture a handshake? Is a "handshake" done when a client is TRYING TO CONNECT to that access point? Or when they are ALREADY CONNECTED? Or when it simply scans for networks to connect to? Which of these 3 is actually what a "handshake" is? (I don't quite understand.) 4. The more clients connected to an AP, does this mean it's "easier" to capture a handshake then? 5. Lastly, do range and signal make a big difference?
DramaKing Posted October 13, 2022 (edited) The four-way handshake is how a station (client) authenticates to the AP. The PMKID is used for roaming between APs. If no client connects, no handshake is broadcast. That's why you can deauthenticate clients that are not on a PMF network. As for signal strength, it does make a difference. The Pineapple needs to be able to capture the client traffic reliably. I would say that -70 dBm is okay, but -80 could cause issues, and -90 means don't even try. I should also note that in 2022, most devices have 5 GHz Wi-Fi. You'll probably miss most of the clients. Edited October 13, 2022 by DramaKing
wifiguy Posted October 14, 2022 (Author) 14 hours ago, DramaKing said: "The four-way handshake is how a station (client) authenticates to the AP. The PMKID is used for roaming between APs. If no client connects, no handshake is broadcast. That's why you can deauthenticate clients that are not on a PMF network. As for signal strength, it does make a difference. The Pineapple needs to be able to capture the client traffic reliably. I would say that -70 dBm is okay, but -80 could cause issues, and -90 means don't even try. I should also note that in 2022, most devices have 5 GHz Wi-Fi. You'll probably miss most of the clients." So in a nutshell, if an AP has no clients connected to it already, it's impossible to collect the handshake, right? While a client is connected to an AP, does it send signals, like every minute, to the AP with the encrypted handshake? Is that how it works? And the Pineapple sniffs out those packets and captures them?
DramaKing Posted October 15, 2022 On 10/13/2022 at 10:02 PM, wifiguy said: "So in a nutshell, if an AP has no clients connected to it already, it's impossible to collect the handshake, right? While a client is connected to an AP, does it send signals, like every minute, to the AP with the encrypted handshake? Is that how it works? And the Pineapple sniffs out those packets and captures them?" Nope, the handshake is the authentication. Kind of like how you enter your password to log in to this website and then stay logged in. If a client gets disconnected, then it needs to associate again: the AP sends an M1 with a nonce or shared secret, the station uses the password to hash that data and sends it back as the M2. The AP replies with an M3 and then gets an M4, fully establishing the connection.
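Added example (not from any poster in this thread): a small Python checker that tells the four messages of the handshake apart from the EAPOL-Key "Key Information" flags and verifies that a set of frames holds a complete, consistent M1-M4 exchange. This is the check a defender or analyst would run over a capture to see whether a client really re-authenticated, and it also shows why a channel-hopping sniffer that only caught M1 or M2 has nothing complete. The frames below are constructed inline; the parser assumes the 802.11 and LLC/SNAP headers have already been stripped.

```python
import struct
from dataclasses import dataclass

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 4-way handshake).
KEY_INFO_PAIRWISE, KEY_INFO_INSTALL = 0x0008, 0x0040
KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE = 0x0080, 0x0100, 0x0200

@dataclass
class EapolKey:
    key_info: int
    replay_counter: int
    nonce: bytes

def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse the fixed fields of an 802.1X EAPOL-Key frame (LLC/SNAP already removed)."""
    version, ptype, body_len = struct.unpack_from(">BBH", frame, 0)
    if ptype != 3:  # 3 = EAPOL-Key
        raise ValueError("not an EAPOL-Key frame")
    # descriptor type (1) + key info (2) + key length (2) + replay counter (8), then 32-byte nonce
    desc_type, key_info, key_len, replay = struct.unpack_from(">BHHQ", frame, 4)
    return EapolKey(key_info, replay, frame[17:49])

def classify(msg: EapolKey) -> str:
    """Map flag combination to M1..M4; group-key rekeys and oddities are reported as such."""
    i = msg.key_info
    if not i & KEY_INFO_PAIRWISE:
        return "group"
    ack, mic, secure, install = (bool(i & f) for f in
                                 (KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE, KEY_INFO_INSTALL))
    if ack and not mic:
        return "M1"        # AP -> station, carries ANonce, no MIC yet
    if mic and not ack and not secure:
        return "M2"        # station -> AP, carries SNonce, first MIC
    if ack and mic and install and secure:
        return "M3"        # AP -> station, install PTK, GTK in key data
    if mic and not ack and secure:
        return "M4"        # station -> AP, confirmation
    return "unknown"

def handshake_complete(frames) -> bool:
    """True only if M1..M4 are all present and the replay counters pair up (M2=M1, M3=M1+1, M4=M3)."""
    seen = {classify(m): m for m in map(parse_eapol_key, frames)}
    if not all(k in seen for k in ("M1", "M2", "M3", "M4")):
        return False
    m1, m2, m3, m4 = (seen[k].replay_counter for k in ("M1", "M2", "M3", "M4"))
    return m2 == m1 and m3 == m1 + 1 and m4 == m3

def build_eapol_key(key_info: int, replay: int, nonce: bytes = b"\x00" * 32) -> bytes:
    """Constructed test frame: EAPOL v2, type 3, RSN descriptor (2), key length 16, zeroed IV/RSC/ID/MIC."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + b"\x00" * 48 + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body
```

Key-info values 0x008a, 0x010a, 0x13ca and 0x030a are the usual M1-M4 flag sets with descriptor version 2; a capture containing only the first two frames (the "missed the rest while hopping" case) fails the completeness check.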