Part 2: WPA2 PMKID (Silent & Clientless Attacks)


1. Executive Summary

The PMKID attack represents a significant paradigm shift in 802.11 wireless network exploitation. This vector exploits a historical implementation flaw in the IEEE 802.11i Robust Security Network (RSN) standard. By targeting the Access Point's proactive key caching mechanisms, an attacker can extract the Pairwise Master Key Identifier (PMKID) directly from the AP, with no client involved.

This technical write-up details the cryptographic anatomy of the PMKID, dispels common industry myths regarding its origin, and demonstrates a surgically targeted extraction utilizing kernel-level Berkeley Packet Filters (BPF). Crucially, this execution serves as a practical reality check for modern Red Teaming: empirical packet analysis confirms that contemporary vendor firmware has successfully patched this proactive caching behavior. The report highlights how offensive methodologies must adapt to proactive defense-in-depth measures, pivoting from patched vulnerabilities to active frame injection strategies (as covered in Part 3 of this series) to achieve infrastructure compromise.

2. Lab Architecture (RoE)

  • Target (Authenticator): TP-Link Archer C6 (1.14.30 Build 250729 Rel.74228n(4555))

  • Attacker Infrastructure: Virtualbox Kali Linux 2025.4 (RTL8812AU)

3. Protocol Theory (PMKID Anatomy)

As will be demonstrated in Part 3 of this series, traditional WPA2-PSK attacks need an active client to capture a complete 4-Way Handshake. This clientless PMKID attack eliminates that necessity by taking advantage of built-in key caching mechanisms. To grasp this more discreet attack vector, it's essential to analyze the mechanics of the Pairwise Master Key Identifier (PMKID) to dispel common misconceptions about it.

3.1 The Reassociation Optimization (802.11i RSN)

A persistent myth in the cybersecurity community attributes the PMKID vulnerability to the IEEE 802.11r standard (Fast BSS Transition / Roaming). However, protocol analysis reveals that the mechanism exploited here is actually rooted in the foundational IEEE 802.11i-2004 standard, which defines the Robust Security Network (RSN) for WPA2.

When a client first authenticates to an Access Point (AP), they derive a Pairwise Master Key (PMK). To optimize future connections and avoid recalculating this resource-intensive key every time the client temporarily drops off and reconnects to the same AP, the 802.11i standard introduced PMK Caching. The AP assigns this cached PMK a unique identifier: the PMKID.

3.2 Cryptographic Anatomy of the PMKID

The PMKID is a cryptographic hash calculated using the HMAC-SHA1 algorithm, binding the PMK to the specific MAC addresses of the entities involved. The formula is defined as:

$$\text{PMKID} = \text{HMAC-SHA1-128}(\text{PMK},\ \text{"PMK Name"} \parallel \text{MAC}_{AP} \parallel \text{MAC}_{STA})$$

  • PMK: The Pairwise Master Key derived from the SSID and Wi-Fi password via PBKDF2.

  • "PMK Name": A static, hardcoded ASCII string.

  • MAC AP/STA: MAC addresses of the access point and the connecting client (Station).

(Note: True 802.11r networks utilize a different key hierarchy involving PMK-R0/PMK-R1 and calculate the PMKID differently. The attack described here targets the base RSN PMKID).
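
The formula above as runnable Python, added here as an illustration (it is not code from the original write-up). The SSID and passphrase are the PBKDF2 test vector from the 802.11i standard, the AP MAC is the lab target's address used later in Section 4.2, and the station MACs are constructed placeholders.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' (or dash-separated) to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def compute_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA), truncated to 128 bits."""
    msg = b"PMK Name" + mac_bytes(mac_ap) + mac_bytes(mac_sta)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # Constructed inputs: 802.11i PBKDF2 test vector (SSID "IEEE", passphrase
    # "password"); AP MAC is the page's lab target; station MACs are placeholders.
    pmk = derive_pmk("password", "IEEE")
    ap = "8C:90:2D:48:2C:9F"
    for sta in ("02:00:00:00:00:01", "02:00:00:00:00:02"):
        # Same PMK, different station MAC -> different PMKID.
        print(sta, compute_pmkid(pmk, ap, sta).hex())
```

The PMKID is bound to both MAC addresses, so the same PMK yields a different identifier for every station, while the passphrase remains the only secret input.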

3.3 The Vulnerability

In 2018, Jens Steube (the lead developer of Hashcat) discovered a critical flaw in how modern routers implement the 802.11i standard. Many modern access points proactively append the RSN PMKID to the robust security network element within M1 of the 4-Way Handshake.

For an attacker, this means there's no need to wait for a legitimate client or deauthenticate anyone. An attacker can pose as a rogue client, initiate an association request to the AP, and compel the AP to send Message 1. This packet contains the PMKID, the AP's MAC, and the station's MAC.

Because the MAC addresses and the string "PMK Name" are known in plain text, the only unknown variable is the PMK. By extracting the PMKID, an attacker can immediately transition to an offline dictionary attack to reverse-engineer the PMK and the underlying Pre-Shared Key.

4. The Attack (Execution & OPSEC)

Unlike traditional deauthentication attacks, which inject frames and then passively observe the forced reconnection, the PMKID attack is an active, clientless exploitation of the AP's key caching behavior. The attacker acts as a rogue supplicant, actively requesting the target Access Point to surrender the PMKID within the first message of the 4-Way Handshake.

To achieve the necessary precision and manipulate raw 802.11 frames, the highly specialized frame injection and capture engine hcxdumptool (v7.0.0) is used.

4.1 Interface Preparation and OPSEC

Terminating all interfering processes for monitoring:

sudo airmon-ng check kill

Note on OPSEC: In the PMKID attack, active interaction with the router occurs. The AP logs the MAC address of the device requesting the association. To ensure operational security and avoid forensic attribution, spoofing the interface's MAC address is essential before starting the attack.

macchanger can be used to change the interface's MAC address after bringing it down temporarily. After the MAC has been changed, the interface mode is set to monitor:

sudo ip link set wlan0 down
sudo macchanger -r wlan0 # -r = assigning random MAC
sudo ip link set wlan0 up

sudo airmon-ng start wlan0

(Note: Enabling monitor mode with airmon-ng might append a '-mon' to the interface's name. Wireless interfaces, states and names can be checked with 'ip a' and 'iwconfig'.)

4.2 Target Isolation (RoE)

hcxdumptool is extremely aggressive by default. If executed without parameters, it will indiscriminately request PMKIDs from every Access Point within physical reach, severely violating Rules of Engagement and creating unnecessary noise across the 2.4 GHz and 5 GHz spectrum.

To execute a surgically targeted attack, a filter list containing only the authorized target must be created by writing the target MAC to a Berkeley Packet Filter (BPF) file:

hcxdumptool --bpfc="wlan addr3 8C:90:2D:48:2C:9F" > target.bpf

4.3 Execution: Extracting the PMKID

With the BPF filter compiled and the target isolated, hcxdumptool is launched. To ensure precision, the interface is locked to the target's operating channel (Channel 5 on the 2.4 GHz band, denoted as 5a), and the real-time display (--rds=1) is enabled to monitor incoming Extensible Authentication Protocol over LAN (EAPOL) frames.

sudo hcxdumptool -i wlan0 -w pmkid_capture.pcapng -c 5a --bpf=target.bpf --rds=1

The tool transmits Association Requests to the target AP, attempting to coerce it into responding with Message 1 of the 4-Way Handshake.

4.4 Target Resilience & The Reality of this Attack

During the execution, the captured frames are logged by the real-time display. However, the expected P flag (indicating a successfully extracted PMKID) never appears. Instead, the console outputs indicators like |ep+++ |, signifying that encrypted, pre-shared key EAPOL messages (M1, M2, M3) are being intercepted, but the PMKID itself is missing.

This is not a tool failure, but a demonstration of proactive defense-in-depth. Following the public disclosure of the PMKID vulnerability in 2018, vendor firmware was widely updated. The target device (TP-Link Archer C6, Build 250729) correctly suppresses the proactive transmission of the RSN Information Element in Message 1 unless 802.11r (Fast Roaming) is explicitly configured. In practice, active Access Points are very rarely susceptible to this PMKID attack, since the flawed implementation of the 802.11i-2004 standard was widely patched through firmware updates.

5. Packet Analysis

To confirm the AP's resilience at the packet level, the .pcapng file is analyzed in Wireshark using the eapol display filter.

A look into a captured M1 frame reveals that the WPA KEY DATA LENGTH reads 0. This serves as empirical proof that the AP does not cache and transmit the PMKID in standard RSN environments.
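
The same check can be scripted against M1 frames captured from your own AP. The parser below is an added example (not part of the original write-up): it reads the Key Data Length field and walks the Key Data for a PMKID KDE. It assumes the input starts at the 802.1X header, and both sample frames are constructed, including the PMKID value.

```python
import struct

# PMKID KDE header: type 0xdd, length 20, OUI 00-0f-ac, data type 4
PMKID_KDE = bytes.fromhex("dd14000fac04")
KEY_INFO_OFF, KEY_DATA_LEN_OFF, KEY_DATA_OFF = 5, 97, 99


def inspect_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame (from the 802.1X header on) for PMKID exposure."""
    if len(frame) < KEY_DATA_OFF:
        raise ValueError("truncated EAPOL-Key frame")
    _version, packet_type, _length = struct.unpack_from("!BBH", frame, 0)
    if packet_type != 3:
        raise ValueError("not an EAPOL-Key packet")
    (key_info,) = struct.unpack_from("!H", frame, KEY_INFO_OFF)
    (key_data_len,) = struct.unpack_from("!H", frame, KEY_DATA_LEN_OFF)
    key_data = frame[KEY_DATA_OFF:KEY_DATA_OFF + key_data_len]
    if len(key_data) != key_data_len:
        raise ValueError("key data shorter than declared length")
    # M1 = pairwise (0x0008) + Key ACK (0x0080), with MIC/Install (0x0140) clear
    is_m1 = (key_info & 0x01C8) == 0x0088
    pmkid, i = None, 0
    while i + 2 <= len(key_data):  # walk the type/length/value element list
        elem = key_data[i:i + 2 + key_data[i + 1]]
        if elem.startswith(PMKID_KDE) and len(elem) == 22:
            pmkid = elem[6:]
        i += 2 + key_data[i + 1]
    return {"is_m1": is_m1, "key_data_len": key_data_len, "pmkid": pmkid}


def build_m1(key_data: bytes = b"") -> bytes:
    """Constructed M1 for the demo: Key Info 0x008a, zeroed nonce/IV/RSC/MIC."""
    body = struct.pack("!BHH", 2, 0x008A, 16)   # descriptor type, key info, key length
    body += (1).to_bytes(8, "big")              # replay counter
    body += bytes(32 + 16 + 8 + 8 + 16)         # nonce, IV, RSC, reserved, MIC
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body


if __name__ == "__main__":
    patched = build_m1()                              # Key Data Length 0
    leaking = build_m1(PMKID_KDE + bytes(range(16)))  # constructed PMKID value
    for name, frame in (("patched", patched), ("leaking", leaking)):
        print(name, inspect_eapol_key(frame))
```

A non-empty `pmkid` in an M1 from your own AP means the firmware still appends the PMKID KDE; a Key Data Length of 0, as observed on the lab target, means it does not.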

6. Offline Cracking

The offline cracking methodology for a successfully extracted PMKID is fundamentally identical to the process utilized for a full 4-Way Handshake (MIC) captured via a deauthentication attack. Modern password recovery engines, specifically Hashcat, leverage the unified hc22000 hash format to parse both types of cryptographic material seamlessly.

Whether the input is a 16-byte PMKID hash or a complete EAPOL exchange containing a valid Message Integrity Code, the underlying mathematical objective remains the same: systematically deriving the Pairwise Master Key (PMK) from a dictionary of password candidates and comparing the cryptographic output against the intercepted values.

Because the target Access Point in this execution was patched and no valid PMKID could be extracted, the practical demonstration of hash extraction (using hcxpcapngtool) and dictionary attack execution is omitted in this chapter. For a simple cracking approach using a dictionary attack via hashcat, refer to Section 6 in Part 3 of this series.

7. Remediation / Blue Team

Defending against the clientless PMKID attack requires addressing both the specific protocol implementation flaw (proactive caching) and the underlying cryptographic vulnerability (weak passphrases). The following remediation strategies are recommended to secure WPA2-Personal networks against this vector.

7.1 Firmware Patch Management

The primary defense against this specific attack vector is maintaining up-to-date firmware on all network infrastructure. As demonstrated in the execution phase, the vulnerability stems from a specific historical implementation of the 802.11i standard. Modern firmware updates (released post-2018) actively prevent the Authenticator from transmitting the RSN Information Element containing the PMKID in EAPOL Message 1 by default.

7.2 Disabling Fast BSS Transition (802.11r)

If the network topology consists of a single Access Point, or if seamless roaming is not a strict operational requirement, the IEEE 802.11r (Fast BSS Transition) feature should be explicitly disabled in the router's administrative interface. When active, 802.11r mandates the transmission of PMKIDs to facilitate fast roaming, effectively re-opening this attack surface even on patched devices.

7.3 Enforcing Passphrase Complexity

If an Access Point cannot be patched due to legacy constraints and a PMKID is successfully extracted, the network's security relies entirely on the mathematical entropy of the Pre-Shared Key. Because the attack is executed offline, traditional account lockout and rate-limiting defenses are bypassed entirely. A highly complex, pseudo-random passphrase (minimum 16 to 20 characters) must be enforced to render dictionary and brute-force attacks computationally unfeasible within a practical timeframe.

7.4 Protocol Migration (WPA3)

Where hardware permits, migrating the infrastructure to the WPA3 standard provides the ultimate mitigation. WPA3 replaces the WPA2 4-Way Handshake and the PMK derivation process with the Simultaneous Authentication of Equals (SAE) protocol. SAE is inherently resistant to offline dictionary attacks; even if an attacker successfully captures the initial handshake frames, the offline recovery of the password is cryptographically prevented.

A Red Teamer's Guide to 802.11 Security, Exploitation & Mitigation

Part 3 of 4

Status: work in progress. This multi-part series provides an evidence-based, technical deep dive into 802.11 protocol security and exploitation from a Red Teaming perspective. Following a strict methodology—combining protocol theory, execution, OPSEC considerations and forensic PCAP analysis—I systematically deconstruct the wireless attack surface. The series covers hardware design flaws (WPS PRNG failures), active WPA2 state machine exploitation, clientless OPSEC attacks (PMKID/802.11r), and the translation of Layer 2 wireless compromises into complete Layer 7 infrastructure kill chains. We conclude with a mathematical analysis of WPA3 (SAE/Dragonfly) and emerging offensive vectors. Designed for security professionals, this guide bridges the gap between theoretical cryptography and real-world network compromise.
