PMKID attack

The PMKID attack was presented by Hashcat in 2018. It can be performed against a WPA2-PSK wireless network to obtain the PMKID hash of the network. The PMKID attack takes advantage of the PMK Caching feature.

PMK Caching

PMK Caching is used to ease a device's connection across multiple APs on the same network. In a large building it is common to have multiple Access Points serving the same BSSID to cover the whole perimeter. When someone moves through the building, for example going from the second floor to the third floor, we want to avoid the burden of recalculating the PMK via EAP exchanges with each AP the client connects to.

PMK caching keeps in memory the PMK calculated once during the first authentication process and shares it with other access points. In other words, some access points can keep the PMKID in their cache to decrease latency when a client wants to reconnect to a network. The PMK of a client is thus already known by the other APs when the client connects to them. This greatly speeds up the connection to each AP.

In the PMKID attack, an attacker wants to retrieve the PMKID cached by an AP and recover the clear-text passphrase associated with the network.

Conditions

  • The network needs to have the roaming feature enabled.

Advantages

  • Does not require deauthenticating users.

  • No device needs to be connected to the access point.

The PMKID is made of 4 elements:

  • The PMK

  • The PMK name, which is a string associated with the SSID

  • The MAC address of the access point

  • The MAC address of the targeted device

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
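The formula above as a worked example, added here and not taken from Hashcat or hcxdumptool: it lets an administrator confirm that a PMKID seen from their own AP is fully determined by the passphrase, the SSID and the two MAC addresses, which is why passphrase strength is the control that matters. The PBKDF2 step is the standard WPA2-PSK derivation of the PMK (it is not stated on this page), and the SSID, passphrase and MAC addresses are constructed lab values.

```python
import hashlib
import hmac

PMK_LABEL = b"PMK Name"  # fixed label string from the formula above


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' ('-' separated or bare hex also accepted) into 6 bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)."""
    msg = PMK_LABEL + parse_mac(mac_ap) + parse_mac(mac_sta)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def pmkid_matches(observed_hex: str, passphrase: str, ssid: str,
                  mac_ap: str, mac_sta: str) -> bool:
    """True if the observed PMKID is the one this passphrase and SSID produce."""
    expected = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return hmac.compare_digest(expected, bytes.fromhex(observed_hex))


if __name__ == "__main__":
    # Constructed lab values (locally administered MAC addresses), not real captures.
    ssid, passphrase = "lab-wifi", "correct horse battery"
    mac_ap, mac_sta = "02:00:00:aa:bb:01", "02:00:00:cc:dd:02"

    pmkid = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    print("PMKID:", pmkid.hex())
    # No nonce or session data enters the computation, so the value is stable
    # across captures and can be checked entirely offline.
    print("configured passphrase matches:",
          pmkid_matches(pmkid.hex(), passphrase, ssid, mac_ap, mac_sta))
```

Because every input other than the passphrase is visible on the air, a long random passphrase (or WPA2-Enterprise, where the PMK is not derived from a shared passphrase) is what keeps the PMKID from being useful.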

The hcxdumptool tool can be used to perform the PMKID attack.
