
Key reinstallation attack how does it work without a pre-shared key?

Çağlar Arlı      -    14 Views


The author of the key reinstallation attack released scripts on GitHub to test APs and clients. To test the clients, you have to connect to a fake AP, but you still need to know the pre-shared key. Of course you know the password, because you created the fake AP. But if you're performing a real attack, and you created a fake AP with the same ESSID as a real AP, the clients trying to connect to the fake AP (which acts as a MITM) won't be able to, since the pre-shared key is different. So, since the pre-shared key is a mismatch, you will never be able to reinstall the PTK or GTK, because you wouldn't get all the frames you need to replay them. Am I correct?

Same thing for the script to test the real AP. If you know the pre-shared key of the real AP, assuming it supports FT, then you can go ahead and connect to it to do the proper tests regarding packet number reuse. But if you don't know the pre-shared key, and the AP is vulnerable, how are you going to get all the frames of the handshake?

I think with a pre-shared key mismatch you would only get messages 1 and 2 of the handshake.
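The reason the handshake stalls after message 2 can be shown with the standard WPA2-PSK key derivation (IEEE 802.11i): the Key MIC on message 2 is computed with the KCK, which is derived from the PMK, which is derived from the passphrase. This is an added example, not code from the question or from the KRACK test scripts; all MAC addresses, nonces and the EAPOL-Key body below are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 on HMAC-SHA1: four 160-bit blocks, truncated to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2 (WPA2-PSK): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

# Constructed sample values (not captured traffic): AP MAC, client MAC, nonces, SSID,
# and a stand-in for the EAPOL-Key frame of message 2 with its MIC field zeroed.
AA = bytes.fromhex("020000000001")
SPA = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = "example-net"
MSG2_BODY = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + SNONCE + bytes(16)

def handshake_messages_exchanged(ap_passphrase: str, client_passphrase: str) -> int:
    """Simulate the 4-way handshake up to the AP's MIC check on message 2.

    Returns how many messages are exchanged: 2 if the AP rejects message 2
    (wrong MIC, so message 3 with the GTK is never sent), 4 otherwise.
    """
    client_kck = derive_ptk(pmk_from_passphrase(client_passphrase, SSID),
                            AA, SPA, ANONCE, SNONCE)[:16]
    client_mic = eapol_mic(client_kck, MSG2_BODY)          # sent in message 2
    ap_kck = derive_ptk(pmk_from_passphrase(ap_passphrase, SSID),
                        AA, SPA, ANONCE, SNONCE)[:16]
    if not hmac.compare_digest(client_mic, eapol_mic(ap_kck, MSG2_BODY)):
        return 2   # AP silently discards message 2; no message 3, no GTK, no PTK install
    return 4       # MIC verifies; messages 3 and 4 follow and the keys are installed
```

With a mismatched passphrase the AP (or a fake AP) can at most collect message 2 from the peer; it never learns enough to produce a message 3 the peer would accept, which is why the test scripts require the real PSK.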