PMKID Attack
What is PMKID Attack?
An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed.
The PMKID attack was published in August 2018 by Jens Steube, lead developer of hashcat. It targets the optional RSN PMKID element that 802.11i access points send in the first EAPOL message when roaming is supported. The PMKID is computed as HMAC-SHA1(PMK, 'PMK Name' | BSSID | client MAC), and the PMK itself is derived only from the passphrase and the SSID. Every input except the passphrase is therefore visible on the air, so once an attacker captures a single PMKID from an association attempt they initiate themselves, they can run a hashcat -m 22000 dictionary or mask attack offline. Unlike the classic four-way-handshake capture, no legitimate client needs to be present. Mitigations: disable PMKID where unused, deploy WPA3-SAE, and use long random passphrases or 802.1X enterprise authentication.
● Examples
- 01
Using hcxdumptool to grab a PMKID from a router and cracking it offline with hashcat -m 22000.
- 02
Recovering a weak '12345678' passphrase from a single PMKID frame.
● Frequently asked questions
What is PMKID Attack?
An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed. It belongs to the Attacks & Threats category of cybersecurity.
What does PMKID Attack mean?
An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed.
How does PMKID Attack work?
The PMKID attack was published in August 2018 by Jens Steube, lead developer of hashcat. It targets the optional RSN PMKID element that 802.11i access points send in the first EAPOL message when roaming is supported. The PMKID is computed as HMAC-SHA1(PMK, 'PMK Name' | BSSID | client MAC), and the PMK itself is derived only from the passphrase and the SSID. Every input except the passphrase is therefore visible on the air, so once an attacker captures a single PMKID from an association attempt they initiate themselves, they can run a hashcat -m 22000 dictionary or mask attack offline. Unlike the classic four-way-handshake capture, no legitimate client needs to be present. Mitigations: disable PMKID where unused, deploy WPA3-SAE, and use long random passphrases or 802.1X enterprise authentication.
How do you defend against PMKID Attack?
Defences for PMKID Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PMKID Attack?
Common alternative names include: RSN PMKID attack, Hashcat WPA attack.
● Related terms
- WPA2 (network security): The second generation of Wi-Fi Protected Access, based on AES-CCMP and IEEE 802.11i, that has been the de facto Wi-Fi security standard since 2004.
- WPA3 (network security): The third generation of Wi-Fi Protected Access, introducing SAE-based authentication, forward secrecy, and stronger protections for personal and enterprise Wi-Fi.
- KRACK Attack (attacks): A key reinstallation attack against WPA2 that forces nonce reuse in the four-way handshake, letting an attacker decrypt or replay Wi-Fi traffic.
- Dragonblood (attacks): A family of side-channel and downgrade attacks against WPA3 SAE (Dragonfly) that can leak the Wi-Fi password to a nearby attacker.
- WPS Attack (attacks): An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours.
● See also
- Pixie Dust Attack
- KARMA Attack
- Wardriving