# PMKID attack

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/pmkid-attack

## Quick definition

A PMKID attack is a way for an attacker to break into a Wi-Fi network by using a small piece of data called the PMKID. This attack works against many WPA and WPA2 networks that have a feature called roaming enabled. The attacker only needs to capture one frame from the network, not the full handshake. This makes the attack faster and easier than older methods like a full WPA handshake capture.

## Simple meaning

Imagine you have a secret clubhouse with a locked door. The door only opens if you know the secret password. In the old days, to break in, someone would have to hide nearby and listen to a long conversation between two members who are entering the clubhouse, capturing every word of their greeting ritual. That’s like capturing the full four-way handshake.

A PMKID attack is much sneakier. The clubhouse has a special welcome mat that, every time it’s used, leaves behind a tiny scrap of paper with a scrambled version of the password on it. An attacker can just pick up that scrap without waiting for a full greeting ritual. This scrap, called the PMKID, is sent out by the wireless router (the Access Point) when a device first connects. The attacker sniffs this one small piece of data and then uses their computer to try millions of possible passwords until they find the one that matches the scrambled version.

This attack is dangerous because it works even if no one is currently logging into the network. The attacker can passively listen to the router’s beacon or probe response and grab the PMKID. Once they have the PMKID, they can go offline and crack the password at their leisure. For IT learners, understanding this attack is crucial because it shows that simply having WPA2 encryption is not enough if the router supports fast roaming (802.11r) which is enabled by default on many modern routers.

## Technical definition

The PMKID attack is a cryptographic attack against WPA/WPA2-Personal (PSK) networks that use the Robust Security Network Information Element (RSN IE) transmitted by Access Points (APs) that advertise support for the 802.11r fast roaming standard (also known as FT or Fast BSS Transition). The PMKID is a 128-bit hash value computed as HMAC-SHA1(PMK, "PMK Name" || AA || SA), where PMK is the Pairwise Master Key derived from the Pre-Shared Key (PSK) and SSID, AA is the Authenticator Address (the MAC address of the AP), and SA is the Supplicant Address (the MAC address of the client). This PMKID is included in the first message of the four-way handshake (the AP’s EAPOL-Key frame) when the AP supports 802.11r, but importantly, the PMKID is also present in the beacon frames and probe response frames if the AP advertises RSN capabilities with the PMKID count set to a non-zero value.

The attack was first publicly disclosed in 2018 by security researcher Jens “Atom” Steube of the Hashcat team. The critical insight was that the PMKID does not require the full four-way handshake capture. An attacker only needs to associate with the AP (or passively observe a beacon/probe response containing the RSN IE), capture the single EAPOL-Key frame that carries the PMKID, and then perform an offline dictionary or brute-force attack to recover the PSK. The computational work required is the same as cracking a traditional WPA handshake: the attacker computes candidate PMKs from a wordlist (using PBKDF2-SHA1 with the SSID as the salt) and then computes HMAC-SHA1 to verify against the captured PMKID. No preshared key is known; it is discovered only after successful cracking.

From a protocol perspective, the PMKID is part of the RSN IE defined in IEEE 802.11i-2004. The RSN IE includes fields like Version, Group Cipher Suite, Pairwise Cipher Suite Count, Pairwise Cipher Suite List, AKM Suite Count, AKM Suite List, RSN Capabilities, PMKID Count, and PMKID List. When the PMKID count is set to 1 or more, the PMKID List field contains one or more 16-byte PMKID values. The attack specifically targets the presence of any PMKID in these frames. The attack is most effective against networks using WPA2-Personal (AES/CCMP) with 802.11r enabled, but it has also been shown to work against some WPA3 networks in transitional mode or with certain configuration errors.

In real IT implementation, network administrators must be aware that many enterprise-grade and consumer routers ship with 802.11r enabled by default to improve roaming performance for voice-over-Wi-Fi and mobile devices. Disabling 802.11r or using WPA2-Enterprise with 802.1X authentication (which uses a per-session PSK) effectively mitigates the PMKID attack for PSK-based networks. The attack does not work against WPA2-Enterprise because the PMK is derived from the authentication server, not a fixed PSK. The attack is not a live network attack in the sense that it does not inject packets or disrupt connectivity; it is purely a passive or semi-passive offline cracking attack after capturing the relevant frame.

## Real-life example

Think of a coffee shop that gives out a loyalty card. To get a free drink, you need to collect ten stamps. In the old way, the barista would have to watch a customer’s entire transaction-ordering, paying, receiving the stamp-to see how the stamp is applied. That is like capturing the full four-way handshake. It takes time and requires the interaction to happen while the attacker is watching.

Now imagine the coffee shop introduces a new “fast stamp” program. The moment you walk in, the barista hands you a small piece of paper that already has one stamp on it, just for showing up. This stamp contains a secret code that is a simplified version of your membership number. An attacker can just pick up this piece of paper from the counter without waiting for you to order. They then take it home and use a computer to try every possible membership number until they find the one that matches the code on the stamp. Once they have your membership number, they can pretend to be you and claim your rewards.

In the Wi-Fi context, the “stamp” is the PMKID. The coffee shop’s “fast stamp” program is the 802.11r fast roaming feature. The attacker (someone in the parking lot with a laptop and a wireless card in monitor mode) captures the PMKID from the router’s beacon or the first message of the handshake. They don’t need to wait for a full login. They just grab that one frame and go offline to crack it. This makes the attack much more practical for attackers because they can collect PMKIDs from multiple networks in a short walk and then crack them later without being detected.

## Why it matters

The PMKID attack matters in practical IT because it exposes a widespread vulnerability in the most common Wi-Fi security protocol used by homes and small businesses. WPA2-Personal with a pre-shared key is still the dominant security method for millions of routers, and the 802.11r fast roaming feature that enables this attack is enabled by default on a large percentage of those devices. A network administrator who assumes that WPA2 encryption is sufficient might be blindsided by an attacker who can crack the password in hours using a PMKID capture, without ever needing to wait for a legitimate user to connect.

From a network defense perspective, understanding this attack drives home the importance of using strong, complex pre-shared keys (at least 20 characters with mixed case, numbers, and symbols) because the cracking is only as hard as the password’s entropy. It also reinforces the need to disable unnecessary features like 802.11r in environments where fast roaming is not critical, or to migrate to WPA3 or WPA2-Enterprise where possible. For penetration testers and security auditors, the PMKID attack is a go-to tool because it is faster and more reliable than traditional handshake capture, especially in busy environments where clients are not constantly reconnecting.

the PMKID attack highlights the broader principle that cryptographic implementations must be carefully designed to avoid leaking information that can be used offline. The fact that the PMKID is derived from the PSK and broadcast in plaintext within the management frames is a design weakness that was not fully appreciated until researchers demonstrated its practical exploit. This serves as a critical lesson for IT professionals: security is not just about using encryption; it is about how that encryption is implemented and what side channels exist.

## Why it matters in exams

The PMKID attack is a high-yield topic for several IT security certifications, including CompTIA Security+, CompTIA Network+, CEH (Certified Ethical Hacker), and CISSP. In CompTIA Security+ (SY0-701), the attack falls under domain 1.4 (Explain common threat vectors and attack surfaces) and domain 2.3 (Given a scenario, implement secure network architecture concepts). The objective explicitly mentions “wireless attacks” such as “WPA2 cracking” and “PMKID attack.” Learners can expect multiple-choice questions that ask them to identify the attack based on a description (e.g., “An attacker captures a single frame from a WPA2 network and cracks the password offline. What type of attack is this?”).

In CEH, the attack is covered in the module on wireless network security and tools like Hashcat and Aircrack-ng. CEH exam questions may present a scenario where a penetration tester obtains a PMKID from a target AP and asks which tool or technique to use next. The candidate must know that Hashcat with the -m 16800 mode is used for PMKID cracking, vs. -m 2500 for traditional handshake cracking.

For CISSP, the PMKID attack is relevant in the Communications and Network Security domain, particularly regarding wireless security protocols and cryptographic attacks. Questions may focus on mitigation strategies, such as disabling 802.11r or using EAP-based authentication. The exam may ask why WPA2-Enterprise is not vulnerable to PMKID attacks, requiring the learner to understand that the PMK is not static in enterprise deployments.

CompTIA Network+ (N10-008) covers wireless security protocols in domain 2.0 (Networking Security), and the PMKID attack appears as a specific example of WPA2 vulnerability. The exam might ask about the purpose of the four-way handshake and how the PMKID attack bypasses the need for a full handshake.

Question types vary from straightforward identification (multiple-choice) to scenario-based questions where the learner must choose the best defense. Performance-based questions (PBQs) are less likely but possible in a simulation where the learner must analyze a packet capture to find the PMKID. Overall, the PMKID attack is a modern, exam-relevant example of the risks in legacy wireless protocols, making it a common distractor and an important concept to master.

## How it appears in exam questions

In certification exams, PMKID attack questions typically appear in three main patterns: identification, tool use, and mitigation.

Identification questions are the most common. They present a short scenario: “A security analyst captures network traffic and notices a frame containing an RSN IE with a PMKID. The analyst uses this to crack the Wi-Fi password. What type of attack is this?” The answer choices might include “Evil twin,” “PMKID attack,” “WPA2 handshake capture,” or “Deauthentication attack.” The correct answer is PMKID attack. The trick is that learners might confuse it with a standard WPA2 handshake capture, but the key differentiator is the single frame requirement.

Tool-related questions ask what software or mode is used for the attack. For example: “Which Hashcat mode is used to crack a PMKID hash?” Answer: 16800. Or: “Which Aircrack-ng suite tool is used to capture PMKID frames?” Answer: airodump-ng with the --pmkid flag or bettercap. The candidate must also know that the PMKID attack is supported in tools like hcxdumptool and Hashcat.

Mitigation and prevention questions are scenario-based: “A network administrator wants to prevent PMKID attacks on a company’s Wi-Fi network that uses WPA2-Personal. Which of the following is the most effective mitigation?” Options could include disabling 802.11r, enabling MAC filtering, reducing signal strength, or using WPA2-Enterprise. The correct answer is disabling 802.11r or migrating to WPA2-Enterprise. These questions test understanding of the root cause.

Troubleshooting scenarios might involve a slow network or failed penetration test. Example: “A penetration tester is unable to capture a valid four-way handshake for a target WPA2 network. However, they capture a PMKID. What does this mean for the assessment?” The answer: they can proceed with offline cracking using the PMKID without needing a full handshake. The question tests the practical advantage of the attack.

Finally, some questions use the attack as a distractor for other concepts. For instance, a question about WPA3 might ask: “Which attack is mitigated by WPA3’s SAE handshake?” The wrong option might be PMKID attack (which is correct, but SAE also mitigates others). The learner must know that WPA3 with SAE eliminates both traditional handshake capture and PMKID attacks because the pre-shared key is never directly used in a static PMK.

## Example scenario

You are a junior network administrator for a small law firm. The office uses a single WPA2-Personal Wi-Fi network with the password “LawFirm2023!”. One day, you receive a report that an unknown device connected to the network at 2 AM. You suspect a breach but you are not sure how the attacker got the password since it was a complex 12-character password.

You decide to investigate by looking at the firm’s router settings. You notice that the router has a feature called “Fast Roaming” or “802.11r” enabled. You read about the PMKID attack online and realize that an attacker could have captured the PMKID from the router’s beacon frames without ever connecting to the network. The attacker then used a GPU cluster to crack the password offline, possibly using a wordlist containing “LawFirm2023!” or a variant.

To confirm, you check a packet capture taken from a network monitor you had running. You filter for EAPOL frames and find a frame that contains an RSN IE with a PMKID value. The frame was transmitted at 1:45 AM, just before the breach. This matches the PMKID attack pattern.

Now you know the attack vector. You immediately disable 802.11r in the router settings, change the Wi-Fi password to a 20-character random string, and implement WPA2-Enterprise with RADIUS authentication for future expansion. You also document this incident and present it to the partners as a reason to upgrade to WPA3-capable access points. The scenario teaches you that even a complex password is not safe if the router configuration exposes the PMKID. It also shows that proactive monitoring and understanding of modern wireless attacks are essential for network defense.

## The PMKID Attack Mechanism and Frame Capture

The PMKID attack is a technique used against WPA/WPA2 Wi-Fi networks that exploits the Robust Security Network (RSN) handshake, specifically the PMKID field in the first EAPOL frame. Unlike traditional WPA handshake cracking, which requires capturing the full 4-way handshake and waiting for a client to authenticate, the PMKID attack allows an attacker to derive the Pairwise Master Key Identifier (PMKID) directly from an Access Point (AP) without needing a connected client. This makes it particularly effective against networks where clients are scarce or never disconnect and reconnect.

To execute a PMKID attack, a wireless adapter capable of monitor mode and packet injection is required. The attacker sends a probe request to the target AP, which responds with a beacon frame containing the RSN information element. The attacker then sends an EAPOL start frame, triggering the AP to respond with the first EAPOL frame of the 4-way handshake. This frame includes the PMKID, which is computed as HMAC-SHA1(PMK, "PMK Name" || AA || SPA), where AA is the AP MAC address and SPA is the client MAC address. The attacker captures this frame using a tool like hcxdumptool or bettercap.

The captured PMKID is then saved to a file, typically in a hash format compatible with hashcat (mode 22000) or aircrack-ng. The attacker can then crack this hash offline using a dictionary or brute-force attack. The key advantage is that no client interaction is needed-the AP will respond to any device that sends a valid EAPOL start frame, as long as it supports PMKID caching (which most modern APs do). This drastically reduces the time needed to gather a capture and increases the likelihood of success in exam scenarios where network conditions are simulated.

In certification contexts, understanding the PMKID attack mechanism tests knowledge of Wi-Fi security protocols, EAPOL frames, and the cryptographic weaknesses in WPA2. It demonstrates that even without client handshakes, a deterministic value derived from the PMK can be intercepted and attacked offline. Candidates should remember that the attack targets the PMKID field, not the handshake itself, and that it works best against APs with PMKID caching enabled. It is also important to note that WPA3 networks are generally immune to this attack due to the Simultaneous Authentication of Equals (SAE) handshake, which does not expose PMKID in the same way.

The PMKID attack is a prime example of how a single implementation detail-the inclusion of a fixed PMKID in the first EAPOL frame-can be turned into a vulnerability. It is a favorite exam topic because it highlights the evolution of wireless attacks and the importance of understanding frame structures. Tools like hcxdumptool automate the capture process, and hashcat accelerates the cracking phase using GPU acceleration. In a typical lab, a student might simulate this by setting up a WPA2 AP, using hcxpcapngtool to convert captures, and then running a dictionary attack.

## Mitigations and Limitations of the PMKID Attack

While the PMKID attack is powerful, it has several limitations and mitigation strategies that are important for both security professionals and certification exam candidates to understand. One primary limitation is that the attack only works against networks that support PMKID caching, which is a feature of the 802.11i standard but is optional. Some enterprise-grade APs and older firmware may not include PMKID in their EAPOL frames, rendering the attack ineffective. The attack requires the AP to respond to an EAPOL start frame from an unknown client, which can be mitigated by configuring the AP to require authentication before responding to management frames.

Another limitation is that the PMKID attack only extracts a partial hash: essentially the first 128 bits of the PMKID derived from the PMK. The attacker must still brute-force the Pre-Shared Key (PSK) to verify it against the PMK. This means the attack is still vulnerable to weak passwords. Strong, random PSKs of 20 characters or more remain resistant even if a PMKID is captured. In exam scenarios, candidates should emphasize that the attack does not bypass password complexity requirements-it simply provides a faster way to get a hash without a client handshake.

Mitigation strategies include disabling PMKID caching on the AP if not needed, though this may impact roaming performance for clients. Using WPA3 is the most effective defense, as it uses the SAE handshake, which is resistant to offline dictionary attacks and does not expose a static PMKID. Enabling 802.11w (Management Frame Protection) can prevent the sending of EAPOL start frames from unauthenticated clients, though not all APs support this. Network segmentation and monitoring for abnormal EAPOL frame patterns can also help detect PMKID capture attempts.

From a certification perspective, questions often ask about the conditions under which the PMKID attack succeeds: it requires a vulnerable AP, a monitor-mode capable adapter, and no client needed. Another common exam topic is the hash format. In hashcat mode 22000, the hash string includes the PMKID, AP MAC, station MAC, and ESSID. Understanding this format is critical for correctly using cracking tools. The attack also appears in discussions of wireless defense tactics, where candidates must recommend countermeasures such as regular PSK rotation, use of WPA3, and enabling MFP.

Finally, the PMKID attack is a reminder that security is not just about encryption algorithms but also about protocol design. The WPA2 PMKID field was intended to speed up reconnections but inadvertently created a new attack vector. In labs, students often practice this attack using tools like hcxdumptool to capture PMKIDs and hashcat to crack them. They learn that while the attack is efficient, it is not a silver bullet-it only works on accessible APs with specific configurations. Mastery of these nuances distinguishes knowledgeable candidates in exams and real-world scenarios.

## Common mistakes

- **Mistake:** Thinking the PMKID attack requires capturing the full four-way handshake like traditional WPA2 cracking.
  - Why it is wrong: The entire advantage of the PMKID attack is that it only needs the first EAPOL-Key frame (or even a beacon/probe response) that contains the PMKID, not all four handshake messages.
  - Fix: Remember: PMKID = one frame needed; traditional handshake = four frames needed.
- **Mistake:** Believing that PMKID attack only works on networks using WPA2-Personal with 802.11r disabled.
  - Why it is wrong: The attack specifically relies on the presence of the PMKID in the RSN IE, which is included when 802.11r is enabled. If 802.11r is disabled, the PMKID is usually not sent in beacon frames, but it can still appear in the first handshake message if the AP supports it. However, the attack is most effective when 802.11r is on.
  - Fix: Know that PMKID attack is tightly linked to the 802.11r feature; disabling it is a primary mitigation.
- **Mistake:** Assuming the PMKID attack works against WPA2-Enterprise or WPA3 in all cases.
  - Why it is wrong: WPA2-Enterprise uses a unique PMK derived per session from the authentication server, so the static PMKID is not present. WPA3 with SAE (Simultaneous Authentication of Equals) uses a different key derivation that does not expose a static PMKID. The attack only works against WPA2-Personal (and some transitional WPA3 modes).
  - Fix: PMKID attack is only effective against WPA/WPA2-Personal networks with PSK authentication.
- **Mistake:** Confusing the PMKID attack with a deauthentication attack or evil twin attack.
  - Why it is wrong: A deauthentication attack forcibly disconnects a client, while an evil twin sets up a rogue AP. The PMKID attack is a passive/offline cracking attack that does not involve injecting deauth frames or impersonating an AP. It is purely based on capturing a legitimate frame.
  - Fix: PMKID attack is a data capture + offline cracking technique, not a denial of service or impersonation attack.
- **Mistake:** Thinking that using a strong, complex password completely prevents the attack.
  - Why it is wrong: A strong password increases the time required to crack the PMKID, but it does not prevent the attack itself. The attacker can still capture the PMKID and attempt cracking offline. If the password is in the attacker’s wordlist or can be brute-forced, the attack succeeds.
  - Fix: Mitigation requires disabling 802.11r or using enterprise authentication. Password strength helps but is not a full defense.

## Exam trap

{"trap":"A question states that an attacker captures a single EAPOL frame from a WPA2 network and uses it to crack the password. The answer choices include “PMKID attack,” “Four-way handshake capture,” “Evil twin,” and “WPA3 attack.” Many learners choose “Four-way handshake capture” because they know handshake capture is common for WPA2 cracking.","why_learners_choose_it":"They associate WPA2 cracking with the four-way handshake and overlook the specific phrase “single EAPOL frame.” The exam trap is that the description includes “single frame” which is the hallmark of the PMKID attack, not the traditional handshake which requires multiple frames.","how_to_avoid_it":"Read carefully: if the question specifies “single frame” or “one message,” it is likely referring to the PMKID attack. The traditional handshake requires capturing at least the first and second messages (two frames) to have enough data for cracking. Also, remember that the PMKID is part of the RSN IE, often mentioned explicitly in more advanced questions."}

## Commonly confused with

- **PMKID attack vs Four-way handshake capture:** The traditional WPA handshake capture requires capturing all four EAPOL-Key messages (or at least the first two) between the client and the AP to derive the PTK and then verify the PSK. The PMKID attack only needs the first message of the handshake or even a beacon frame, making it faster and more reliable in low-traffic environments. (Example: Imagine waiting to record a full conversation between two people versus only needing to see the first greeting. The PMKID attack is the latter.)
- **PMKID attack vs Deauthentication attack:** A deauthentication attack sends forged deauth frames to disconnect a client from the AP, often used to force a reconnection and capture the four-way handshake. The PMKID attack does not require disconnecting anyone; it works passively by capturing frames that are already being broadcast. (Example: A deauth attack is like unplugging someone’s phone so they have to call again. A PMKID attack is like eavesdropping on the first ring without interrupting the call.)
- **PMKID attack vs Evil twin attack:** An evil twin attack involves setting up a rogue access point with the same SSID as the legitimate network to trick clients into connecting. The PMKID attack does not require an adversary AP; it simply captures frames from the legitimate AP. (Example: An evil twin is a counterfeit coffee shop that steals your order. A PMKID attack is reading the receipt left on the counter of the real coffee shop.)
- **PMKID attack vs WPA3 SAE attack:** WPA3 with SAE (Simultaneous Authentication of Equals) uses a different key exchange that is resistant to offline dictionary attacks. The PMKID attack specifically targets WPA2’s reliance on a static PMK derived from a pre-shared key. WPA3 does not have a static PMKID in the same way, so the attack is ineffective against true WPA3 networks. (Example: WPA3 is like a lock that changes its key each time you use it, while WPA2 is a lock with a permanent key that you can’t change without resetting the whole system.)

## Step-by-step breakdown

1. **Target Selection** — The attacker identifies a target wireless network that uses WPA2-Personal (PSK) authentication. The attacker checks if the Access Point (AP) advertises fast roaming capabilities (802.11r) by looking for the RSN IE in beacon frames or probe responses. The presence of the PMKID field indicates vulnerability.
2. **Packet Capture** — The attacker puts their wireless network interface into monitor mode and begins capturing frames. Using a tool like `airodump-ng`, `hcxdumptool`, or `bettercap`, they filter for beacon frames or EAPOL-Key frames. The target frame is the one containing the RSN IE with a non-zero PMKID count and the associated PMKID value (16 bytes).
3. **Frame Extraction** — The attacker extracts the captured frame that contains the PMKID. This is often the first message of the four-way handshake (message 1) sent from the AP to a client. However, if the AP is configured to include PMKID in beacons (common when 802.11r is enabled), the attacker may also use a beacon or probe response frame. The essential data needed are: the SSID of the network, the MAC address of the AP (BSSID), and the 16-byte PMKID value.
4. **Hash Formatting** — The attacker converts the captured data into a hash format compatible with cracking tools like Hashcat. The standard format for PMKID cracking is: `PMKID:MACAP:MACClient:ESSID`. For Hashcat, the mode 16800 expects this format. The MAC addresses are in uppercase without separators, and the ESSID is the network name.
5. **Offline Cracking** — Using a tool like Hashcat with mode 16800, the attacker attempts to recover the Pre-Shared Key (PSK) by iterating through a wordlist (or brute-forcing). For each candidate password, the tool computes the PMK using PBKDF2-SHA1 with the ESSID as salt and 4096 iterations. It then computes the HMAC-SHA1 of (“PMK Name” || AP MAC || Client MAC) using the PMK as the key. If the result matches the captured PMKID, the candidate password is the correct PSK.
6. **Verification and Use** — Once the PSK is cracked, the attacker can connect to the target network as an authenticated user. They now have access to the internal network and can perform further attacks like ARP spoofing, man-in-the-middle, or data exfiltration. The compromised PSK can also be used to decrypt any captured traffic if the attacker also captured the full handshake earlier.

## Practical mini-lesson

The PMKID attack is a practical skill for penetration testers and network security auditors. To perform this attack in a lab setting, you need a wireless adapter that supports monitor mode and packet injection, such as the Alfa AWUS036ACH or a built-in chipset like Intel AX200. On Kali Linux, you first bring the interface down, set it to monitor mode using `ip link set wlan0 down` and `iw dev wlan0 set type monitor`, then bring it up.

Next, use `hcxdumptool` to capture PMKIDs. A typical command is: `hcxdumptool -i wlan0 -o capture.pcapng --enable_status=1`. This tool specifically captures PMKID hashes from beacon and handshake frames. After capturing, convert the pcapng file to a hash format: `hcxpcapngtool -o hash.txt capture.pcapng`. This will produce a file in the format required by Hashcat.

Then run Hashcat with mode 16800: `hashcat -m 16800 -a 0 hash.txt wordlist.txt`. You can also use a rules-based attack or brute-force. The speed of cracking depends on your GPU. A modern RTX 4090 can test around 100-200 kH/s (thousands of hashes per second) for PMKID, versus about 300-500 kH/s for traditional WPA handshake (mode 2500). The PMKID is slightly slower because of the extra HMAC computation.

What can go wrong? The AP may not have 802.11r enabled, so the PMKID is not present in beacons. In that case, you must wait for a client to attempt a connection. Alternatively, the network might use WPA2-Enterprise, which is not vulnerable. Also, some newer routers have firmware patches that randomize the PMKID or disable its inclusion in beacons. Another pitfall is that the captured PMKID might be from a client that used a different PSK (e.g., guest network vs. main network). Always verify the SSID.

Professionals should also consider the legal and ethical boundaries. Capturing Wi-Fi frames without authorization is illegal in many jurisdictions. Always perform PMKID attacks only on networks you own or have explicit permission to test. This technique is a standard part of wireless penetration testing methodologies like the PTES (Penetration Testing Execution Standard) and OWASP Wireless Testing Guide.

## Commands

```
hcxdumptool -o capture.pcap -i wlan0 --enable_status=1
```
Captures PMKID frames and other handshake data from the wireless interface wlan0, outputting to a pcap file. Use to collect PMKID hashes from target APs without needing clients.

*Exam note: Tests understanding of how to capture PMKID using hcxdumptool, a key tool for the attack. This command is often used in labs to simulate clientless capture.*

```
hcxpcapngtool -o hash.hc22000 capture.pcap
```
Converts the pcap file containing PMKID captures into hashcat-compatible format (mode 22000). This step is necessary before attempting to crack the hash.

*Exam note: Exams may ask about the correct hashcat mode for PMKID attacks (22000) and the conversion process from pcap to hash format. This command demonstrates that step.*

```
hashcat -m 22000 -a 0 hash.hc22000 wordlist.txt
```
Cracks the PMKID hash using a dictionary attack (mode 22000) with a wordlist. This is the core cracking command after obtaining the PMKID.

*Exam note: Evaluates knowledge of hashcat syntax, mode numbers, and the attack type. Candidates should know that -a 0 is dictionary mode and -m 22000 is for PMKID.*

```
hashcat -m 22000 -a 3 hash.hc22000 ?l?l?l?l?l?l?l?l
```
Performs a brute-force attack on the PMKID hash using a mask of eight lowercase letters. Useful when wordlists fail and you need to attempt all combinations.

*Exam note: Tests understanding of mask attacks and brute-force options with hashcat. Important for comprehending the effort required to crack complex PSKs.*

```
airodump-ng wlan0 --channel 6
```
Scans wireless networks and shows APs on channel 6, including their encryption type and whether they support PMKID. Use to identify targets before sending EAPOL start frames.

*Exam note: Exams may ask about reconnaissance steps. Knowing that airodump-ng can list APs and channels is fundamental to preparing for a PMKID attack.*

```
wash -i wlan0 -c 6
```
Checks for WPS-enabled APs on channel 6, which sometimes reveal extra information but also helps confirm AP presence. Not directly PMKID, but often used in combination for wireless audits.

*Exam note: While not specific to PMKID, exam questions may ask about complementary tools like wash to gather details about target APs in wireless penetration testing scenarios.*

## Memory tip

PMKID = Press My Key, It’s Disclosed: The Pre-Shared Key is disclosed through the PMKID in one frame.

## FAQ

**Does the PMKID attack work on WPA3 networks?**

The PMKID attack is generally ineffective against WPA3 networks that use SAE (Simultaneous Authentication of Equals) because the key exchange is resistant to offline dictionary attacks and does not expose a static PMKID. However, some WPA3 transitional mode networks may still be vulnerable.

**Can the PMKID attack be performed without a client connecting?**

Yes, if the Access Point includes the PMKID in its beacon frames or probe responses, the attacker can capture it without any client. This is common when 802.11r is enabled.

**What tools are used for a PMKID attack?**

Common tools include hcxdumptool for capturing, hcxpcapngtool for converting, and Hashcat with mode 16800 for cracking. Aircrack-ng (airodump-ng with --pmkid) also supports it.

**Is the PMKID attack passive or active?**

It is largely passive because the attacker only needs to capture frames that are already being transmitted. No packets are injected. However, if the PMKID is not in beacons, the attacker may need to wait for a client to connect, but no interaction is required.

**How can I protect my network from PMKID attacks?**

Disable 802.11r (fast roaming) on your router if it is not needed. Use WPA2-Enterprise with 802.1X authentication, or upgrade to WPA3. If WPA2-Personal is required, use a very long and random PSK (20+ characters) and consider changing it regularly.

**What is the difference between PMKID cracking and traditional WPA2 handshake cracking?**

PMKID cracking only needs one frame (the first EAPOL-Key message or beacon) and works offline. Traditional WPA2 handshake cracking requires at least the first two messages of the four-way handshake and is often slower to capture because it depends on a client connecting.

**Does the PMKID attack work on enterprise Wi-Fi (WPA2-Enterprise)?**

No, because the PMK in WPA2-Enterprise is derived dynamically per session from the RADIUS server, not from a static pre-shared key. The PMKID is not present in the same way.

## Summary

The PMKID attack is a modern and efficient technique for cracking WPA/WPA2-Personal wireless network passwords. It exploits the inclusion of the Pairwise Master Key Identifier (PMKID) in the RSN Information Element of frames transmitted by Access Points that support the 802.11r fast roaming standard. Unlike traditional WPA handshake cracking, which requires capturing all four messages of the EAPOL handshake, the PMKID attack requires only a single frame, making it faster and more reliable in environments where clients are not actively connecting.

The attack works by capturing the PMKID (a 128-bit hash of the PMK), then performing an offline dictionary or brute-force attack to recover the Pre-Shared Key. Mitigation primarily involves disabling 802.11r on the wireless router or migrating to WPA2-Enterprise or WPA3. For IT certification exams, the PMKID attack is a key topic in Security+, Network+, CEH, and CISSP, appearing in identification, tool use, and mitigation questions.

The core exam takeaway is to remember that the PMKID attack is a one-frame capture attack that targets the 802.11r feature, not a full handshake. Understanding this distinction will help you avoid the common trap of confusing it with traditional WPA2 cracking. As wireless security continues to evolve, the PMKID attack serves as a critical reminder that even mature protocols can have subtle design weaknesses that attackers can exploit.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/pmkid-attack
