
XII. PMKID Attacks Against WPA PSK and WPA2 PSK Networks

Gabriel Ryan edited this page Sep 12, 2019 · 2 revisions

The PMKID attack is a technique released in August 2018 by Jens Steube that can be used to breach WPA-PSK and WPA2-PSK networks. It works against 802.11i/p/q/r networks that have roaming functions enabled, which covers most modern wireless routers. The PMKID attack offers several advantages over traditional 4-way handshake capture:

  • It's a client-less attack -- the attack is directed at the access point, so no connected station is required.
  • It's fast (for several reasons; see the original post by Jens Steube).
  • It works at longer ranges (lost EAPOL frames due to distance are no longer as much of a concern).

More information about how this attack works is available here:

The PMKID attack can be executed using the --pmkid flag. To target a specific access point, use the --bssid flag as shown below:

./eaphammer --pmkid \
	--interface wlan0 \
	--bssid de:ad:13:37:be:ef

Notice that in the command shown above we don't specify a channel. That's because EAPHammer locates the AP's channel for you.

With that said, if you want to specify the channel manually, you can do so using the --channel flag as follows:

./eaphammer --pmkid \
	--interface wlan0 \
	--bssid de:ad:13:37:be:ef \
	--channel 10

Alternatively, you can use the --essid flag to tell EAPHammer to target any access point that is part of a specific network. EAPHammer will automatically locate an in-scope access point and identify its BSSID and channel. To perform this style of attack, use the following command:

./eaphammer --pmkid \
	--interface wlan0 \
	--essid RED_WHEELBARROW
