We all know that the client device and WiFi AP will perform the 4 way handshake to generate the session key (PTK). Here is the recap of the 4 way handshake.
1.Client device<—–ANonce—–WiFi AP
2.Client device——SNonce—->WiFi AP
3.Client device<–Install PTK—WiFi AP
4.Client device——–OK——->WiFi AP
I understand why Anonce and Snonce has to share to each other, they need to create a Initialization vector to increase the randomization of the PTK. PTK is actually the session key.
PTK=PRF (PMK + Anonce + SNonce + Mac (AA)+ Mac (SA))
My problem is that all those components here can be sniffed by another client device in the same network who share the same PMK(pre-shared key).
Mac address of AP is no secret, mac address of another device in the same network can be sniffed too.
Anonce and Snonce can be captured, the only problem is to distinguish it is nonce, but anyway it can be done.
PMK is shared to all the member.
We all know wpa-psk is vulnerable but it should not be that vulnerable. Even no need to do brutte force!!!!!!
I believe i must miss some concept. Hoped someone can help