WPA/WPA2 Attack using PMKID

In Aug. 2018 a new WPA/WPA2 attack has been discovered by the lead developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the attack primarily exploit the PMK Caching feature of wireless standard protocol.

This attack solves a lot of problems like no more regular user require (aka “client less” attack) because the attacker directly communicate with the AP, no more waiting for a complete 4-way handshake between the regular user and the AP, no more eventual invalid passwords sent by the regular user and no more lost EAPOL frames when the regular user or the AP is too far away from the attacker.

The new WiFi hack works explicitly against WPA/WPA2 wireless network protocols that use Pairwise Master Key Identifier (PMKID). To be more clear, the new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame which used in IEEE 802.1x.

The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label "PMK Name", the access point's MAC address and the station's MAC Address.


The PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector.

PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)

The PMKID can be brute-forced to grant the PMK, then the usual PSK attacks take place.

The new attack works against all 802.11i/p/q/r networks with roaming functions enabled also work against enterprise wireless network that use authentication server (ex: RADIUS) since the adapter, authenticator (AP) and authentication server user EAPOL in authentication process, the personal AP that use IEEE 802.1x protocol in security mode for authentication are also vulnerable.

Attack Proof of Concept:

The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID.

1. The first step is to request the PMKID from the AP and to dump the received frame to a file (in pcapng format) using hcxdumptool.

For 4.2.0v

$ hcxdumptool -o test.pcapng -i wlan0mon --enable_status

For 4.2.1v

$hcxdumptool -o test.pcapng -i wlan0mon --enable_status=1

Note: Must use one of supported adapters for hcxdumptool which can be found here.

Structure of EAPOL message

2. The second step is to extract the value of RSN PMKID and convert it to hash format accepted by hashcat using hcxpcaptool.

$ hcxpcaptool -z test.16800 test.pcapng

Note: -z option to extract the hash in 16800 mode (format) which is “WPA-PMKID-PBKDF2”

Content of test.16800 (WPA-PMKID-PBKDF2 format)

The columns are PMKIDMAC APMAC Station and ESSID. (all hex encoded)

3. The third step is to Crack the hash using hashcat either by guessing pattern or wordlist.


$ hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'


$ hashcat -m 16800 test.16800 wordlist.txt

To protect your Access Point from this attack do the following:

  1. Choose a complex password to make the cracking process harder.
  2. For enterprise wireless network configure the server with noEAP or another method that doesn't use EAP.
  3. For personal AP don't choose IEEE 802.1x in security settings.

Post a Comment