
Authentication Cracking: PMKID


Summary

In the brief video below, CTO Dr. Brett Walkenhorst discusses the use of PMKID to speed up handoffs between access points, especially in enterprise networks, and describes how misconfiguration or vendor implementations can expose PMKID on home networks. By obtaining the PMKID from the first message of the four-way handshake, attackers can bypass the need for an authenticated client and run offline dictionary attacks to recover the passphrase.

While originally designed to improve efficiency, it inadvertently created a major security weakness in WPA/WPA2-Personal wireless networks.

How the Attack Works

Unlike traditional Wi-Fi cracking, which requires an attacker to wait for a legitimate user to connect to the network to capture a full “4-way handshake,” a PMKID attack is clientless.

Direct Retrieval: An attacker sends a request to the Access Point (AP).

Instant Capture: The AP responds with a frame containing the PMKID, a keyed hash that, on a personal network, is ultimately derived from the network’s Pre-Shared Key (PSK).

Offline Cracking: Because the PMKID contains the necessary data to verify the password, the attacker can take this data offline and use dictionary or brute-force attacks to recover the plain-text Wi-Fi password without ever needing a user to be present on the network.

This method significantly lowers the barrier for attackers. By removing the need for an active client, it allows for “silent” data collection and makes home and enterprise networks vulnerable to compromise at any time.
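To make the "offline cracking" step concrete, here is an added example (not code from the page or from Bastille) showing how a WPA2-Personal PMKID is derived under IEEE 802.11: the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PMKID is the first 128 bits of HMAC-SHA1 over "PMK Name" plus the AP and client MAC addresses. The SSID, MACs and passphrases used are constructed sample values; the point is that the value sent in handshake message 1 is a pure function of inputs the requester already knows, except the passphrase, so its only protection is passphrase strength.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): an SSID, an AP MAC (AA) and a
# station MAC (SPA). The requesting station chooses SPA itself.
SSID = "HomeNet"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The 4096 iterations are the entire per-guess work factor an offline attack must pay.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def pmkid_for(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """The PMKID an AP would place in EAPOL message 1 for this passphrase and pair of MACs."""
    return derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)


def depends_only_on_passphrase(ssid: str, ap_mac: bytes, sta_mac: bytes) -> bool:
    """Illustrates why the frame is an offline oracle: with SSID and both MACs fixed,
    the PMKID changes if and only if the passphrase changes."""
    same_a = pmkid_for("correct horse battery staple", ssid, ap_mac, sta_mac)
    same_b = pmkid_for("correct horse battery staple", ssid, ap_mac, sta_mac)
    other = pmkid_for("password123", ssid, ap_mac, sta_mac)
    return same_a == same_b and same_a != other


if __name__ == "__main__":
    print("PMKID:", pmkid_for("correct horse battery staple", SSID, AP_MAC, STA_MAC).hex())
    print("deterministic in passphrase:", depends_only_on_passphrase(SSID, AP_MAC, STA_MAC))
```

Because no secret other than the passphrase enters the computation, a long random passphrase (or WPA3-SAE, which removes this derivation) is the mitigation; hiding the PMKID frame is not possible.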

Important Take-aways

No Client Needed: Attackers do not need to wait for or “de-authenticate” a user.

Widespread Vulnerability: Many modern routers have PMKID features enabled by default.

Mitigation: The primary defense against PMKID cracking is using long, complex passphrases or transitioning to WPA3, which replaces the vulnerable PSK-based handshake with Simultaneous Authentication of Equals (SAE).

Citations & References

PMKID on GitHub: Module for the WiFi Pineapple platform which provides a UI for performing the PMKID attack against wireless networks / clients for educational purposes and threat penetration testing. It’s a valuable resource if you want to understand the way a PMKID attack works.

Video Transcript

Instead of waiting for a four-way handshake, which, you know, requires a client that knows the password, I can leverage something that, quite frankly, shouldn't be there, but it is there because we wanted to make life easier for people roaming in a network with multiple access points where you need to hand off from one access point to the next.

So if I'm roaming from access point one to access point two, access point two doesn't have any relationship with me except that it probably knows the pairwise master key. And it should, from the RADIUS server if it's an enterprise, or if it's personal, it's a shared secret, so it knows what it is.

So if I'm roaming over there, I still have to establish my credentials with that new access point, and I have to create a new transient key, a new session key. So as I'm roaming, this process in an enterprise network can take a long time. And by a long time, I mean, like, several seconds.

So I could lose connectivity to what I'm doing. If I'm on a video call, that video call might get dropped, or there's so much latency that it becomes unusable for a while. To get around that kind of latency, we created this PMKID, which is a hashed version of the PMK.

Remember, this can come from different ways, but in a personal network, it comes ultimately from the passphrase. And this is a personal network attack. The problem is it was intended to ease handoffs in an enterprise network, but many vendors implemented it for both personal and enterprise.

So it turns out it's not useful for personal, but it's actually a little bit of a vulnerability, because instead of having to wait for a four-way handshake, if you send me the PMKID in message one of the four-way handshake, we don't have to go through the process of authentication that we would do in an enterprise.

But it turns out it doesn't help me in a personal network, but you're gonna send it to me anyway? Great. All I have to do is pose as the client. Now I'm the bad guy as a client. I don't have to wait for a legitimate client to come along.

I initiate a connection. You send me the PMKID, and now I have the cryptographic information that I need to go run that offline dictionary attack. So I have the same kinds of stuff. It's not the same form, but I have what I need in order to crack the passphrase.
