Understanding (and pwning) PMKID: What You Need to Know


1. PMKID: Protocol-Level Definition
The Pairwise Master Key Identifier (PMKID) is a 128-bit cryptographic construct defined in the IEEE 802.11i-2004 standard (WPA2). It is derived during the initial authentication handshake to enable PMKSA (Pairwise Master Key Security Association) caching, optimizing reauthentication for roaming clients.
Cryptographic Derivation
The PMKID is generated using the following inputs:
PMK (Pairwise Master Key): A 256-bit key derived from the PSK (Pre-Shared Key) using:
PMK = PBKDF2-SHA1(Passphrase, SSID, 4096, 256)
Authenticator MAC (AA): MAC address of the AP.
Supplicant MAC (SPA): MAC address of the client.
PMK Name: Static string
"PMK Name"
(16 bytes).
The final PMKID:
PMKID = HMAC-SHA1-128(PMK, AA || SPA || "PMK Name")
ℹ️ The HMAC-SHA1 truncation to 128 bits follows RFC 2104 guidelines.
Why was the PMKID created?
To speed up roaming. PMKID enables PMKSA caching (RFC 5217), allowing clients to skip full EAPOL authentication when rejoining a network. The AP stores the PMKID in its PMKSA cache, indexed by the client’s MAC address.
2. PMKID Harvesting: Exploitation Mechanics
The PMKID is exposed in:
RSN Information Element (IE): in Beacon frames
Probe Response frames: when clients actively probe the AP
Capturing the PMKID (Passive Sniffing)
Using hcxdumptool
to capture:
hcxdumptool -i wlan0mon -o pmkid.pcapng #with this command, you will capture EVERY pkmid near you
Then extract the hash with hcxpcaptool
:
hcxpcaptool -z pmkid_hash.txt pmkid.pcapng
Cracking the PMKID Offline
Using hashcat
(mode 22000):
hashcat -m 22000 pmkid_hash.txt rockyou.txt # -r if you use rules (recommended)
💡 With a strong GPU (e.g., RTX 4090), try the All-In-One password lists for higher success rates (and use some rules. I recommend this repository for “general purpose” cracking, while this one is “better” for Wi-Fi passwords).
Why does this attack work?
Because PMKID is directly derived from the PMK, which is derived from the PSK. Cracking the PMKID = obtaining the Wi-Fi password.
3. PMKID vs 4-Way Handshake Attacks
4-Way Handshake Recap
To derive PTK from a full handshake:
PTK = PRF(PMK, "Pairwise key expansion", AA || SPA || ANonce || SNonce)
Requires capturing all 4 EAPOL frames, including a valid MIC for offline cracking.
PMKID Advantages
No need to wait for a full handshake
No MIC to validate
Simpler cracking flow (PMKID → PSK directly)
Metric | PMKID | 4-Way Handshake |
Precomputation | None | PMK + PTK Derivation |
Hashcat Mode | 22000 | 2500 / 2501 |
Capture Required | Beacon/Probe Resp | All 4 EAPOL Frames |
MIC validition | ❌ | ✅ |
4. Exploitation FAQs
Can I force the AP to send a PMKID?
Yes. You can send directed probe requests:
iwlist wlan0 scan ap-force
This might trigger the AP to respond with a PMKID.
Are there any hardware requirements?
Required: Wi-Fi NIC supporting monitor mode (e.g., Atheros AR9271, RTL8812AU)
Recommended: GPU acceleration (e.g., RTX 4090 ~1.4M H/s)
What can I do after cracking the PSK?
A few nasty ideas:
Layer 2 Attacks: ARP spoofing, sniffing packets
MITM Setup: SSL stripping, rogue DNS/DHCP
Network pivoting: Internal reconnaissance, lateral movement
5. Mitigation Strategies
For Network Operators
Adopt WPA3: Use SAE (Simultaneous Authentication of Equals)
Disable PMKID (if stuck with WPA2):
Cisco IOS:
no dot11 pmkid
OpenWRT: In
/etc/config/wireless
:option pmkid 0
Force MAC Randomization: Prevents PMKSA caching
For Vendors
Apply CVE-2018-14526 patches
Suppress PMKID in Beacon/Probe frames by default
Promote WPA3 adoption via firmware defaults
6. Affected Devices
⚠️ The following list is not exhaustive. Any WPA2-PSK router with PMKID enabled is potentially vulnerable.
Vulnerable by default
Cisco Aironet 1850: IOS < 8.10.130.0
Aruba AP-325: ArubaOS < 8.6.0.18
Ubiquiti UniFi AP-AC-Pro: Firmware < 4.3.28
Patched or Immune
MikroTik hAP ac³: RouterOS 7.7+ (WPA3 required)
Ruckus R750: Unleashed 200.14+ (PMKID disabled by default)
7. Conclusion
The PMKID flaw is a perfect example of backward-compatible security gone wrong.
WPA3’s SAE protocol solves this with a more robust, zero-knowledge authentication method. But millions of WPA2 routers are still online and vulnerable.
If you're a red teamer: this is a clean, silent, and deadly way in.
If you're a blue teamer: patch, monitor, migrate. Start with:
Protocol Upgrades (WPA3-SAE)
Firmware Updates
Strong Passphrases (avoid anything in RockYou.txt, and use a very strong password)
Happy (ethical) hacking!
❗ LEGAL NOTICE
I do not support illegal access, intrusion, or surveillance.
All content in this article is for research, educational, and defense training.
Do not reproduce these actions in any real-world scenario unless you have explicit, written permission.
Further Reading
Subscribe to my newsletter
Read articles from proxydom directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

proxydom
proxydom
Italian college student who loves cats, beer and ethical hacking.