Introduction
In this lab, you will explore a modern technique for testing the security of WPA/WPA2 wireless networks. Specifically, you will learn how to capture a Pairwise Master Key Identifier (PMKID). The PMKID is part of the WPA protocol and can sometimes be requested from an Access Point (AP) without a client being connected. Capturing this PMKID allows for an offline brute-force attack to discover the Wi-Fi password, a method often referred to as a "clientless" attack.
We will use two primary tools: hcxdumptool for capturing the PMKID from network traffic and hcxtools for processing the captured data. By the end of this lab, you will have successfully captured a PMKID from a simulated access point and saved it for potential cracking.
Install hcxtools and hcxdumptool
In this step, we will install the necessary tools for our attack. hcxdumptool is a sophisticated tool designed to capture packets from Wi-Fi networks, specifically targeting information useful for attacks, like PMKIDs. hcxtools is a suite of utilities used to convert and manipulate the captured data into formats compatible with password cracking software like Hashcat.
We will use the apt-get package manager to install both tools. Open a terminal and execute the following command. You will need sudo privileges to install new packages on the system.
sudo apt-get install -y hcxtools hcxdumptool
After the command completes, the system will download and install both packages and their dependencies. You should see output indicating that the packages are being unpacked and set up.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
hcxdumptool hcxtools
0 upgraded, 2 newly installed, 0 to remove and ...
...
Setting up hcxtools (6.2.7-2) ...
Setting up hcxdumptool (6.2.7-2) ...
With the tools installed, we are ready to start listening for network traffic.
Use hcxdumptool to Listen for AP Beacons on an Interface
In this step, we will use hcxdumptool to start capturing wireless packets. For this lab, a virtual wireless interface named mon0 has been created for you in monitor mode. Monitor mode allows the interface to capture all Wi-Fi traffic in the air, not just traffic addressed to it.
We will run hcxdumptool and point it to our monitor interface. We'll also enable a status display to see what the tool is doing in real-time.
Execute the following command in your terminal. The lab environment is already running a test Access Point named TestAP, which hcxdumptool will detect.
sudo hcxdumptool -i mon0 --enable_status=1
-i mon0: Specifies the interface to use for capturing.
--enable_status=1: Turns on the status display, which shows information about found networks and captured data.
Once you run the command, hcxdumptool will start scanning. You will see a table of detected access points and clients. Let it run for about 15-20 seconds.
start capturing (stop with ctrl+c)
INTERFACE:...............: mon0
FILTERLIST (MAC).........: 0 entries
FILTERLIST (ESSID).......: 0 entries
MAC ACCESS POINT.........: 2a:50:e4:4c:a8:75 (incremented on every new client)
MAC CLIENT...............: 2e:50:e4:4c:a8:75 (incremented on every new client)
REPLAYCOUNT..............: 64326
ANONCE...................: 2a5d171a2a5d171a2a5d171a2a5d171a2a5d171a2a5d171a2a5d171a
[21:12:30 - 001] [FOUND ACCESS POINT: 02:00:00:00:01:00 (TestAP)]
...
After a short while, you can stop the capture process by pressing Ctrl+C in the terminal.
Identify a PMKID Hash in the Tool's Output
In this step, you will learn to identify when a PMKID has been successfully captured. While hcxdumptool is running, it actively probes access points to see if they will respond with a PMKID. When it succeeds, it prints a clear message to the console.
If you let the command from the previous step run, you should have seen a line similar to the one below. This line is the confirmation that we have what we need.
[21:12:32 - 001] [FOUND PMKID] 02:00:00:00:01:00 -> 2e:50:e4:4c:a8:75
Let's break down this output:
[FOUND PMKID]: This is the key indicator. It means hcxdumptool successfully requested and received a PMKID.
02:00:00:00:01:00: This is the BSSID (MAC address) of the Access Point (TestAP).
-> 2e:50:e4:4c:a8:75: This is the MAC address of the station (our virtual client) that hcxdumptool used to make the request.
Seeing this message means you have successfully captured the PMKID. You don't need to run any new commands in this step; the goal is to understand the output from the previous step.
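As an added example that is not part of the lab, the following script parses the status lines shown above into a per-AP audit summary, so that after a run you can list which networks answered the PMKID request and which only beaconed; the sample lines are constructed in the same format as the output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Line shapes copied from the hcxdumptool status output shown earlier in the lab.
AP_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d) - (?P<chan>\d+)\] "
    r"\[FOUND ACCESS POINT: (?P<bssid>" + MAC + r") \((?P<essid>.*)\)\]$", re.I)
PMKID_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d) - (?P<chan>\d+)\] \[FOUND PMKID\] "
    r"(?P<bssid>" + MAC + r") -> (?P<client>" + MAC + r")$", re.I)

@dataclass
class ApRecord:
    essid: Optional[str] = None          # None until a FOUND ACCESS POINT line names it
    pmkid_clients: List[str] = field(default_factory=list)  # station MACs the AP answered

def summarise(lines) -> Dict[str, ApRecord]:
    """Build {bssid: ApRecord} from hcxdumptool status lines; unrelated lines are skipped."""
    aps: Dict[str, ApRecord] = {}
    for line in lines:
        line = line.strip()
        m = AP_RE.match(line)
        if m:
            aps.setdefault(m["bssid"].lower(), ApRecord()).essid = m["essid"]
            continue
        m = PMKID_RE.match(line)
        if m:
            aps.setdefault(m["bssid"].lower(), ApRecord()).pmkid_clients.append(m["client"].lower())
    return aps

def aps_that_returned_pmkid(lines) -> List[str]:
    """ESSID (or BSSID when no beacon line named it) of every AP that handed out a PMKID."""
    return sorted(rec.essid or bssid
                  for bssid, rec in summarise(lines).items() if rec.pmkid_clients)

# Constructed sample in the format of the status output above, not a real capture.
SAMPLE = """\
start capturing (stop with ctrl+c)
[21:12:30 - 001] [FOUND ACCESS POINT: 02:00:00:00:01:00 (TestAP)]
[21:12:31 - 006] [FOUND ACCESS POINT: 02:00:00:00:02:00 (OfficeGuest)]
...
[21:12:32 - 001] [FOUND PMKID] 02:00:00:00:01:00 -> 2e:50:e4:4c:a8:75
[21:12:40 - 011] [FOUND PMKID] 02:00:00:00:03:00 -> 2e:50:e4:4c:a8:76
"""

if __name__ == "__main__":
    for bssid, rec in summarise(SAMPLE.splitlines()).items():
        print(bssid, rec.essid, "PMKID from" if rec.pmkid_clients else "no PMKID", rec.pmkid_clients)
    print(aps_that_returned_pmkid(SAMPLE.splitlines()))   # ['02:00:00:00:03:00', 'TestAP']
```

An AP that appears only in the PMKID list was never seen beaconing during the run, so its record carries the BSSID instead of a name.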
Understand the Advantage of PMKID over Handshakes
In this step, we'll discuss why the PMKID attack is a significant advancement over traditional WPA/WPA2 cracking methods.
The classic method for cracking a Wi-Fi password involves capturing a full 4-way handshake. This handshake occurs when a client device (like a laptop or phone) successfully authenticates with an access point. To capture it, an attacker must wait for a device to connect or force a connected device to disconnect and then reconnect. This has a major drawback: it depends entirely on the presence and activity of a client device. If no devices are connected, or if they don't reconnect while you're listening, you cannot capture the handshake.
The PMKID attack overcomes this limitation. The PMKID is part of the initial association process, specifically within the Robust Security Network Information Element (RSN IE) that modern APs broadcast in their beacon frames. hcxdumptool can actively request this information from the AP without any legitimate client being present.
The key advantage is that this attack is clientless. We only need to be within range of the target AP. This makes the process of acquiring a crackable hash much faster and more reliable, as we are no longer passively waiting for a client to act.
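The same exchange seen from the access point, as an added example that is not part of the lab: a clientless PMKID request appears in the AP's own log as a station that associates, is sent message 1 of the 4-way handshake (the frame in which an AP that caches PMKIDs includes one), and never completes the handshake. The script below flags that pattern in hostapd-style log lines; the timestamp prefix and the message wording are assumptions drawn from a constructed sample, so adjust LINE_RE to your AP's logging.

```python
import re
from typing import Dict, List

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed line shape: "<HH:MM:SS> <iface>: STA <mac> <hostapd message>". Adjust to your AP's log.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<iface>\S+): STA (?P<mac>" + MAC + r") (?P<msg>.*)$", re.I)

def station_timeline(lines) -> Dict[str, Dict[str, str]]:
    """Per station: time of association, of the AP sending handshake message 1,
    and of handshake completion (a missing key means the event never happened)."""
    events: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mac, msg, ts = m["mac"].lower(), m["msg"], m["ts"]
        rec = events.setdefault(mac, {})
        if msg.startswith("IEEE 802.11: associated"):
            rec.setdefault("associated", ts)
        elif msg.startswith("WPA: sending 1/4 msg"):
            rec.setdefault("m1_sent", ts)   # message 1 carries the PMKID when the AP caches one
        elif msg.startswith("WPA: pairwise key handshake completed"):
            rec["completed"] = ts
    return events

def pmkid_exposures(lines) -> List[str]:
    """Stations that were sent message 1 but never completed the handshake: each one
    walked away with whatever PMKID the AP put in that frame, without knowing the PSK."""
    return [mac for mac, rec in station_timeline(lines).items()
            if "m1_sent" in rec and "completed" not in rec]

# Constructed hostapd-style log: one clientless probe, then a legitimate client joining.
SAMPLE_LOG = """\
21:12:30 wlan0: STA 2e:50:e4:4c:a8:75 IEEE 802.11: authenticated
21:12:30 wlan0: STA 2e:50:e4:4c:a8:75 IEEE 802.11: associated (aid 1)
21:12:30 wlan0: STA 2e:50:e4:4c:a8:75 WPA: sending 1/4 msg of 4-Way Handshake
21:12:32 wlan0: STA 2e:50:e4:4c:a8:75 IEEE 802.11: deauthenticated
21:13:02 wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated (aid 2)
21:13:02 wlan0: STA aa:bb:cc:dd:ee:01 WPA: sending 1/4 msg of 4-Way Handshake
21:13:02 wlan0: STA aa:bb:cc:dd:ee:01 WPA: pairwise key handshake completed (RSN)
"""

if __name__ == "__main__":
    print(pmkid_exposures(SAMPLE_LOG.splitlines()))   # ['2e:50:e4:4c:a8:75']
```

Moving the network to WPA3-SAE is the structural fix: a PMKID is still exchanged, but its PMK comes from the SAE exchange rather than from PBKDF2 of the passphrase, so it cannot be brute-forced offline.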
Save the PMKID Hash to a File for Cracking
In this final step, we will run hcxdumptool again, but this time we will save the captured data containing the PMKID to a file. This file can then be used with other tools like hcxpcapngtool and hashcat for offline cracking.
We use the -o flag to specify an output file. The standard format for these captures is pcapng.
Run the following command. It will start capturing and save any findings to a file named captured_pmkid.pcapng in your current directory (~/project).
sudo hcxdumptool -i mon0 -o captured_pmkid.pcapng --enable_status=1
Let the tool run until you see the [FOUND PMKID] message again. Once you see it, you can stop the capture with Ctrl+C.
After stopping the tool, verify that the file has been created by listing the contents of the directory:
ls -l
You should see the captured_pmkid.pcapng file in the output:
total 8
-rw-r--r-- 1 root root 1060 Dec 12 21:15 captured_pmkid.pcapng
-rw-r--r-- 1 labex labex 159 Dec 12 21:10 hostapd.conf
This file now contains the PMKID from the TestAP network. The next logical step in a real attack would be to convert this file into a hash format and use a password cracking tool to find the original password.
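Before passing the file to hcxpcapngtool, a quick structural check confirms that it is a well-formed pcapng holding at least one packet; this checker is an added example, not part of the lab or of hcxtools, and it walks the block layout defined in the pcapng specification over a constructed in-memory sample that stands in for captured_pmkid.pcapng.

```python
import struct

# Block type identifiers and magic values from the pcapng specification.
SHB = 0x0A0D0D0A          # Section Header Block
IDB = 0x00000001          # Interface Description Block
EPB = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def walk_pcapng(data: bytes) -> dict:
    """Walk every block and return {block_type: count}; raises ValueError on a
    missing Section Header Block or on a block whose two length fields disagree."""
    if len(data) < 12 or struct.unpack("<I", data[:4])[0] != SHB:
        raise ValueError("not a pcapng file: no Section Header Block at offset 0")
    # The byte-order magic inside the SHB fixes the endianness for the whole section.
    endian = "<" if struct.unpack("<I", data[8:12])[0] == BYTE_ORDER_MAGIC else ">"
    if struct.unpack(endian + "I", data[8:12])[0] != BYTE_ORDER_MAGIC:
        raise ValueError("bad byte-order magic in Section Header Block")
    counts, off = {}, 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        (trailer,) = struct.unpack(endian + "I", data[off + blen - 4:off + blen])
        if trailer != blen:
            raise ValueError(f"block length mismatch at offset {off}")
        counts[btype] = counts.get(btype, 0) + 1
        off += blen
    return counts

def capture_has_packets(data: bytes) -> bool:
    """True when the capture is well-formed and holds an interface plus at least one packet."""
    counts = walk_pcapng(data)
    return counts.get(IDB, 0) >= 1 and counts.get(EPB, 0) >= 1

def check_capture_file(path: str) -> bool:
    with open(path, "rb") as f:
        return capture_has_packets(f.read())

def _block(btype: int, body: bytes) -> bytes:
    """Build one little-endian block: type, total length, body padded to 4, total length."""
    body += b"\x00" * (-len(body) % 4)
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)

# Constructed in-memory samples standing in for captured_pmkid.pcapng: a valid file with
# one interface (linktype 127 = radiotap) and one 24-byte frame, and a header-only file.
SAMPLE = (_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
          + _block(IDB, struct.pack("<HHI", 127, 0, 65535))
          + _block(EPB, struct.pack("<IIIII", 0, 0, 0, 24, 24) + b"\xaa" * 24))
EMPTY = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
```

A header-only file (as produced when hcxdumptool is stopped before anything is seen) fails the check, which is cheaper to learn here than after a cracking run on an empty hash list.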
Summary
In this lab, you have successfully learned the fundamentals of the clientless WPA/WPA2 attack by capturing a PMKID.
You started by installing the essential hcxtools and hcxdumptool packages. You then used hcxdumptool to listen on a monitor-mode interface, identified the [FOUND PMKID] message confirming a successful capture, and understood the key theoretical advantage of this method over traditional handshake-based attacks. Finally, you saved the captured PMKID into a pcapng file, preparing it for the next stage of a security audit, which would be offline password cracking. This skill is a valuable addition to any wireless security tester's toolkit.
