WiFi Hacking 101: WPA/WPA2 Cracking, PMKID, and WPS (Part 2)

February 15, 2026

👋 Introduction

Hey everyone!

Welcome back. Part 1 covered the fundamentals: hardware, monitor mode, packet injection, deauth attacks, and basic Wireshark analysis. If you haven’t read it, start there first.

Now we get to the actual attacks against encrypted networks.

WPA/WPA2 is still the dominant standard in homes and small businesses worldwide. WPS is still enabled by default on millions of routers shipped today. WPA3 is the “secure” successor, and it has its own problems. This issue covers all of it.

Let’s keep breaking WiFi 👇

🤝 WPA/WPA2: The 4-Way Handshake

To understand why WPA/WPA2 cracking works, you need to understand the 4-way handshake. This is the authentication sequence that runs every time a client connects to a network.

Here’s what happens:

  1. AP sends ANonce (random nonce generated by the access point)
  2. Client generates SNonce, computes the PTK from the PMK (derived from the PSK + SSID via PBKDF2-SHA1), the ANonce, SNonce, and both MAC addresses. Sends back the SNonce with a MIC.
  3. AP derives the same PTK, sends the Group Temporal Key (GTK) encrypted with the PTK, protected with a MIC.
  4. Client acknowledges. Secure session established.

The critical detail is step 2. The PMK is derived from the PSK (your WiFi password) using PBKDF2-SHA1. If you capture the 4-way handshake, you have everything you need to run an offline dictionary attack. No rate limiting. No lockouts. Just you, a wordlist, and GPU time.

The security of WPA2-PSK is entirely dependent on passphrase strength.

Capturing the Handshake

You have two options: passive or active.

Passive capture: Start airodump-ng targeting the network and wait. When a client connects naturally, you capture the handshake. No interaction with the AP, no detection risk.

Active capture: Deauth a connected client, force them to reconnect, and capture the handshake. Faster, but the deauth frames may trigger a WIDS (Wireless Intrusion Detection System).

# Step 1: Identify the target network and channel
sudo airodump-ng wlan0mon

# Step 2: Start capturing, focused on target
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Step 3 (active): Deauth a connected client to force reconnect
# Run this in a second terminal while airodump-ng is still running
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

# When handshake is captured, airodump-ng shows:
# WPA handshake: AA:BB:CC:DD:EE:FF

Verify your capture before moving to cracking:

# Check if the capture contains a valid handshake
aircrack-ng handshake-01.cap

Offline Cracking

Two main options: aircrack-ng (CPU, slow) or hashcat (GPU, fast). Use hashcat. Your GPU is 10-100x faster than your CPU for this task.

Important: The old hashcat mode -m 2500 is deprecated. Modern captures use -m 22000, which handles both handshakes and PMKID in the same format.

# aircrack-ng (CPU, simpler)
aircrack-ng -w /path/to/wordlist.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap

# Convert capture for hashcat (requires hcxtools)
hcxpcapngtool -o hashes.hc22000 handshake-01.cap

# hashcat (GPU, recommended)
hashcat -m 22000 -a 0 hashes.hc22000 /path/to/wordlist.txt

# With rules (much more effective than raw wordlist)
hashcat -m 22000 -a 0 hashes.hc22000 /path/to/wordlist.txt -r /usr/share/hashcat/rules/best64.rule

Good wordlists: rockyou.txt as a baseline, then domain-specific wordlists from SecLists. Target company names, location names, and years in your custom wordlists. Most people use variations of their company or address.

The Evil Twin Attack

If the password resists cracking, there’s another path. The Evil Twin attack sets up a fake AP with the same SSID, continuously deauths clients from the real AP, and presents a captive portal asking users to “re-enter their WiFi password.”

airgeddon automates this entirely. It handles the fake AP setup, DHCP, DNS, captive portal hosting, and continuous DoS against the legitimate network.

The key detail: airgeddon uses the captured handshake or PMKID to validate the password the victim enters in the portal. It only reports success when the submitted password matches the real one. No false positives.

This attack is social engineering via RF. It works especially well against users who see a “network update required” portal and don’t question it.

🎯 PMKID: Clientless WPA2 Cracking

In 2018, the Hashcat team disclosed a new attack. It changed WiFi cracking fundamentally.

The PMKID is a value computed by the AP during fast roaming:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || STA_MAC)

The PMK is derived directly from the PSK (your password) and SSID. The AP MAC and STA MAC are known. If you can extract the PMKID, you have everything needed for an offline dictionary attack.
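The two derivations on this page (PMK from the handshake section, PMKID above) put together as an added Python example, not code from the original post. The MAC addresses are constructed; the passphrase/SSID pair is the IEEE 802.11 Annex test vector, and the point is that once SSID and both MACs are known, the passphrase is the only unknown input, which is exactly why a captured PMKID can be checked offline.

```python
import hashlib
import hmac

# Constructed sample addresses (not from any real capture). SSID/passphrase below
# follow the IEEE 802.11 Annex test vector so the PMK can be checked against it.
SSID = "IEEE"
AP_MAC = bytes.fromhex("aabbccddeeff")
STA_MAC = bytes.fromhex("112233445566")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Only the passphrase is secret; the SSID is broadcast in every beacon."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || STA_MAC): the first 16 bytes of HMAC-SHA1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def pmkid_matches(candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                  captured_pmkid: bytes) -> bool:
    """Offline check of one candidate passphrase against a captured PMKID. Nothing here talks
    to the AP, so the only things that limit an attacker are passphrase entropy and the cost
    of 4096 PBKDF2 iterations per guess (WPA3-SAE, covered later on this page, removes this path)."""
    pmk = derive_pmk(candidate, ssid)
    return hmac.compare_digest(compute_pmkid(pmk, ap_mac, sta_mac), captured_pmkid)


if __name__ == "__main__":
    pmk = derive_pmk("password", SSID)
    print("PMK   ", pmk.hex())    # IEEE 802.11 test vector: f42c6fc5...9710a12e
    print("PMKID ", compute_pmkid(pmk, AP_MAC, STA_MAC).hex())
```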

The game-changing part: you don’t need a client to be connected.

Classic handshake capture requires waiting for (or forcing) a client to connect. PMKID extraction targets the AP directly: you send it an authentication packet and it returns the PMKID. One packet out, PMKID back.

A quick caveat: PMKID extraction is not fully passive. You send one auth packet to the AP, which triggers it to include the PMKID in its response. Most networks with vulnerable implementations respond. It doesn’t require 802.11r/Fast Transition networks, despite what some guides claim. Many standard WPA/WPA2 APs expose PMKIDs regardless.

Capturing and Cracking PMKID

hcxdumptool is the tool for this. The commands below are for hcxdumptool >= 6.3.0.

# Step 1: Create a BPF filter to target a specific AP (optional but cleaner)
tcpdump -i wlan0mon wlan addr3 AA:BB:CC:DD:EE:FF -ddd > bpf_filter.bpf

# Step 2: Capture with hcxdumptool
# -c 6a = channel 6, 'a' = 2.4GHz band modifier
# --rds=1 = real-time display (shows capture status while running)
hcxdumptool -i wlan0mon -c 6a --rds=1 --bpf=bpf_filter.bpf -w pmkid_capture.pcapng

# Let it run for 30-60 seconds, then Ctrl+C

# Step 3: Convert to hashcat format
hcxpcapngtool -o hashes.hc22000 pmkid_capture.pcapng

# Step 4: Crack with hashcat (same mode as handshake, -m 22000)
hashcat -m 22000 -a 0 hashes.hc22000 /path/to/wordlist.txt

To verify your capture contains a PMKID in Wireshark, use this filter:

wlan.rsn.ie.data_type == 4

You can also do a quick sanity check with aircrack-ng:

aircrack-ng pmkid_capture.pcapng
# Should show: "WPA (1 handshake, with PMKID)" or similar

Both handshakes and PMKIDs use -m 22000 in hashcat. hcxpcapngtool outputs both in the same file. One crack session handles everything.

The PMKID attack dramatically reduces the time needed on-site. In many assessments, you can walk past a network, trigger PMKID capture in under a minute, and crack the password at your desk later. No waiting for clients to connect. No noisy deauths.

🔓 WPS: Still Enabled, Still Broken

Wi-Fi Protected Setup was introduced in 2007 to make connecting devices easier. Instead of typing a complex password, users press a button or enter an 8-digit PIN.

The PIN method is broken by design. The 8-digit PIN isn’t validated as a single unit. The AP validates the first four digits and second four digits separately, and the last digit is a checksum. This reduces the brute-force space from 100,000,000 combinations to approximately 11,000.

Eleven thousand guesses. On a protocol with no lockout in many implementations.

Four Ways to Attack WPS

1. Pixie Dust

The most devastating WPS attack. Some AP implementations generate weak random numbers for the WPS exchange (specifically E-S1 and E-S2 nonces). Pixie Dust exploits this weak randomization to recover the PIN nearly instantly, without brute-forcing anything. Works offline once you capture a single WPS exchange attempt.

# Reaver with Pixie Dust
# Note: use legacy interface names (wlan0, wlan1), not predictable network interface names like wlx00c0ca9208dc
# Use -5 flag if target is on 5GHz band
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -K 1 -N -vvv

If the chipset is vulnerable, you’ll have the PIN (and therefore the WPA password) in seconds.

2. Null PIN

Some vendor implementations have a bug where sending an empty PIN string causes the AP to disclose the WPA password. This is a code quality failure, not a protocol flaw.

# Reaver Null PIN attempt
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -L -f -N -g 1 -d 2 -vvv -p ''

3. Brute-Force

Classic WPS PIN brute-force. With ~11,000 effective combinations and no lockout on vulnerable APs, this is feasible. It’s slow (several hours in the worst case) but reliable against targets where Pixie Dust doesn’t apply.

# Reaver brute-force
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -L -f -N -d 2 -vvv

# Bully brute-force (alternative tool)
bully wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -S -L -F -B -v 2

4. Known PINs

Many routers ship with default or algorithmically predictable WPS PINs. 12345670 is a default on a surprising number of devices. Tools like Reaver can check known PINs before brute-forcing.

What to Check in an Assessment

WPS is often enabled by default and forgotten. Check every AP for WPS status:

# airodump-ng shows WPS in the output
sudo airodump-ng wlan0mon
# Look for "WPS" in the output columns

# Wash scans specifically for WPS-enabled networks
sudo wash -i wlan0mon

A note on tooling: Bully development has stalled. Reaver (t6x fork) is actively maintained. Use Reaver as your primary WPS tool.

One more note: Reaver requires legacy interface naming (wlan0, wlan1). If your system uses predictable network interface names like wlx00c0ca9208dc, you may need to rename the interface or configure your system for legacy names before Reaver works correctly.

🐉 WPA3: Better, Not Bulletproof

WPA3 launched in 2018 as the answer to WPA2’s weaknesses. The core improvement is SAE (Simultaneous Authentication of Equals), based on Dragonfly key exchange.

SAE solves the fundamental WPA2 problem: captured handshakes are useless for offline cracking. Each session derives a unique PMK. No handshake, no offline attack. This is proper forward secrecy.

WPA3 also enables Management Frame Protection by default, which kills deauth-based attacks against WPA3-only networks.

In 2019, Mathy Vanhoef and Eyal Ronen published the Dragonblood attacks. SAE had timing and cache-based side-channel vulnerabilities that allowed partial key recovery. Downgrade attacks could force clients back to WPA2. DoS attacks could crash or overwhelm APs.

Most of these were patched through firmware updates. Modern WPA3 implementations are significantly more hardened. But two attack paths remain relevant.

Dragon Drain: DoS Against WPA3

SAE authentication (the Dragonfly handshake) is computationally expensive. An attacker floods the AP with SAE commit messages, exhausting its processing resources. The AP slows down or becomes unavailable.

The original Dragon Drain PoC only works with Atheros chipsets. The airgeddon Dragon Drain plugin bypasses this limitation and works with any compatible chipset.

This attack takes several minutes before the impact becomes visible. On some devices, it triggers a reboot. It’s a useful DoS primitive in environments where you need to disrupt WPA3 connectivity without relying on deauth frames.

Online Dictionary Attack Against WPA3-SAE

SAE blocks offline cracking. But it doesn’t block online guessing.

You repeatedly initiate SAE authentication exchanges against the AP, trying one password per full exchange. It’s painfully slow, around 50 words per second. Compared to hashcat cracking WPA2 hashes at millions of attempts per second, this is a crawl.

But it works. On weak passwords, it works.

The Wacker script and the airgeddon WPA3 online dictionary plugin automate this. airgeddon ships a statically compiled patched wpa_supplicant for multiple architectures, so you don’t need to build it yourself.

# airgeddon handles the WPA3 online dictionary attack via its plugin system
# It ships a patched wpa_supplicant and manages the SAE exchange loop
# Launch airgeddon and navigate to the WPA3 attack menu
sudo bash airgeddon.sh

This attack is loud. One full authentication per guess means lots of traffic, detectable by any WIDS. It may trigger account lockouts on more sophisticated AP implementations. Use this against targets where you have reason to believe the password is in your wordlist, and where detection risk is acceptable.

The takeaway on WPA3: it’s meaningfully better than WPA2. Captured frames are useless for offline cracking. But “better” doesn’t mean “impervious.” Weak passwords are still crackable online. DoS attacks still work. And most networks aren’t running pure WPA3.

🔀 WPA2/3 Transitional: The Downgrade Problem

Here’s the real-world situation. Network admins want WPA3 security, but they also have legacy devices that only support WPA2. The solution is transitional (mixed) mode: the AP advertises both WPA2-PSK and WPA3-SAE simultaneously, and clients connect with whichever they support.

This sounds reasonable. In practice, it inherits every WPA2 weakness.

The attack: force a WPA3-capable victim to connect via WPA2.

How the downgrade works:

  1. Identify a transitional network (supporting both WPA2 and WPA3).
  2. Set up a fake AP advertising only WPA2, same SSID.
  3. Perform DoS against the legitimate AP.
  4. The victim’s device falls back to your fake WPA2 AP via its Preferred Network List (PNL).
  5. Capture the WPA2 handshake. Even capturing half the handshake (messages 1 and 2 of 4) is sufficient for offline cracking.
  6. Crack offline with hashcat as normal.

The downgrade succeeds if any WPA2 clients are visible on the network, or if WPA3 clients aren’t enforcing MFP (which is common in transitional mode for compatibility reasons).

Detecting transitional networks in Wireshark:

wlan.rsn.akms.type == 2 && wlan.rsn.akms.type == 8

This filter shows beacon frames that advertise both PSK (AKM type 2) and SAE (AKM type 8), which is the fingerprint of a transitional network.
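The same check done on the RSN information element itself, as an added Python example (not part of the original post) of the kind a defender would run over beacons from their own site survey. The IE bytes are constructed; the parser also reads the RSN Capabilities MFPC/MFPR bits, since the section above ties downgrade exposure to whether MFP is enforced.

```python
import struct

# Constructed RSN information elements (element ID 48) as carried in beacon frames;
# none of these bytes come from a real capture.
RSN_TRANSITIONAL = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04"   # len 24, version 1, CCMP group, 1x CCMP pairwise
    "0200" "000fac02" "000fac08"                 # 2 AKMs: PSK (type 2) and SAE (type 8)
    "8000")                                      # RSN caps 0x0080: MFPC set, MFPR clear
RSN_WPA3_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")
RSN_WPA2_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

IEEE_OUI = bytes.fromhex("000fac")
AKM_PSK, AKM_PSK_SHA256, AKM_SAE = 2, 6, 8


def parse_rsn_ie(ie: bytes) -> dict:
    """Return the AKM suite types and the MFP capability bits of an RSN IE."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body, off = ie[2:2 + ie[1]], 0
    version, = struct.unpack_from("<H", body, off); off += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off += 4                                                  # group data cipher suite (skipped)
    n_pair, = struct.unpack_from("<H", body, off); off += 2 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off); off += 2
    if off + 4 * n_akm > len(body):
        raise ValueError("AKM suite list runs past the end of the IE")
    akms = []
    for _ in range(n_akm):
        oui, suite_type = body[off:off + 3], body[off + 3]
        off += 4
        akms.append(suite_type if oui == IEEE_OUI else None)  # vendor-specific AKMs -> None
    # RSN Capabilities is optional: bit 6 = MFPR (required), bit 7 = MFPC (capable)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": akms, "mfpc": bool(caps & 0x0080), "mfpr": bool(caps & 0x0040)}


def classify_rsn(ie: bytes) -> dict:
    """Same decision as the Wireshark filter (AKM 2 and AKM 8 both present), plus MFP state."""
    info = parse_rsn_ie(ie)
    has_psk = AKM_PSK in info["akms"] or AKM_PSK_SHA256 in info["akms"]
    has_sae = AKM_SAE in info["akms"]
    if has_psk and has_sae:
        mode = "WPA2/WPA3 transitional"
    elif has_sae:
        mode = "WPA3-SAE only"
    elif has_psk:
        mode = "WPA2-PSK only"
    else:
        mode = "other"
    # psk_offered: a PSK handshake (offline-crackable) can be captured; mfp_required: deauth is blocked
    return {"mode": mode, "psk_offered": has_psk, "mfp_required": info["mfpr"]}
```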

The practical security posture of a transitional network is effectively WPA2. If you support WPA2, you’re vulnerable to WPA2 attacks. The WPA3 component provides no meaningful protection against a downgrade-capable adversary.

🎯 Key Takeaways

WPA/WPA2 handshake cracking is offline and uncapped. Capture once, crack forever. Security is entirely passphrase-dependent. Use GPU cracking with hashcat -m 22000. Apply rule-based attacks, not just raw wordlists.

PMKID changed the game in 2018. Clientless extraction, same cracking workflow. One auth packet, walk away with the hash. No waiting for clients, no deauth noise.

WPS is still everywhere. Check every AP. Pixie Dust is instant on vulnerable chipsets. Null PIN works on some implementations. Brute-force is feasible at ~11,000 combinations. Known PIN databases catch the rest. Always check WPS status during wireless assessments.

WPA3 solves the offline cracking problem. SAE-derived PMKs make captured handshakes useless. But online dictionary attacks work (slowly). Dragon Drain can DoS WPA3 APs. And most networks aren’t running pure WPA3.

Transitional networks reduce to WPA2. Downgrade attacks work when any WPA2 clients exist or when WPA3 clients don’t enforce MFP. Mixed-mode networks inherit mixed-mode attack surface.

That’s it for Part 2!

WPA2 is crackable if the password is weak. WPS is crackable in a lot of cases regardless of password strength. WPA3 raises the bar but doesn’t eliminate attack paths. And transitional networks give you WPA3’s branding with WPA2’s weaknesses.

This series has one more issue left. Part 3 covers enterprise networks: WPA2-Enterprise (802.1X/MGT), RADIUS, PEAP/EAP-TLS configurations, relay attacks, ESSID stripping, and how to attack certificate-based authentication. Enterprise WiFi has a very different attack surface, and it shows up in almost every corporate engagement.

Thanks for reading, and happy hunting!

— Ruben
