BIPI
BIPI

WiFi Pentesting in 2023: PMKID Attack, WPA2/3 Handshake Capture, Hashcat Cracking

Cybersecurity

A working operator playbook for wireless network assessments. We walk through PMKID extraction with hcxdumptool, classic four-way handshake capture, WPA3 SAE downgrade tests, and how to drive hashcat with the right modes so that cracking runs hit GPU saturation without burning a week on bad wordlists.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 2, 2023 · 11 min read

#wifi#wpa2#wpa3#hashcat#pentest

Why WiFi still pays the bills

Most red team engagements still find at least one weak PSK, one rogue AP, or one misconfigured WPA2-Enterprise realm. WiFi sits at the boundary of physical and network testing, and clients rarely instrument it well. A clean methodology, run against authorised SSIDs only, surfaces real risk fast.

Recon: channel sweep and target selection

  • airodump-ng wlan0mon to enumerate SSIDs, BSSIDs, channel, encryption, and client counts.
  • kismet for a longer baseline, including hidden SSIDs and probe requests from roaming clients.
  • Filter to in-scope ESSIDs by BSSID prefix, never by name alone, neighbours often share names.

PMKID capture with hcxdumptool

PMKID attacks dropped the requirement of a connected client. hcxdumptool requests the first message of the four-way handshake and pulls the PMKID from the RSN IE. Convert with hcxpcapngtool to hashcat 22000 format and you are cracking within minutes.

Four-way handshake fallback

  • Use aireplay-ng deauth sparingly, modern clients log it and MFP blocks it.
  • Prefer passive capture during natural roam events, especially morning login windows.
  • Validate the EAPOL pair with tshark before wasting GPU time.

Hashcat modes that matter

  • 22000 for WPA-PBKDF2-PMKID+EAPOL, the unified hash mode.
  • 22001 for offline PMK testing when you already have the PMK.
  • Rule files like best64.rule and OneRuleToRuleThemAll for targeted dictionaries.

WPA3 and Dragonblood

WPA3-SAE is not magic. Dragonblood showed side channel and downgrade weaknesses in early implementations, and transition mode networks still expose a WPA2 PSK. Test for transition disable, MFP required, and group cipher consistency. If the AP accepts WPA2 association on the same SSID, you have a downgrade target.

WPA2-Enterprise: the real prize

  • Stand up a rogue RADIUS with hostapd-wpe to capture MSCHAPv2 challenge response pairs.
  • Crack with asleap or hashcat mode 5500, then replay credentials against VPN and mail.
  • Check for missing server certificate validation on clients, the root cause of most enterprise WiFi compromise.

GPU planning

A single RTX 4090 handles roughly 2.4 million WPA2 hashes per second. Plan wordlists accordingly. Crackstation, rockyou2021, and targeted permutations of the company name and year cover most real PSKs. Skip brute force above eight characters unless you have a cluster.

Detection your client should run

  • WIDS alerts on deauth floods and rogue BSSID with matching ESSID.
  • RADIUS log review for unusual EAP outer identities and failed inner methods.
  • Client posture checks that enforce server certificate pinning.

Remediation, ranked by impact

  1. Enforce WPA3-Enterprise with 192-bit suite where hardware allows.
  2. Require Management Frame Protection across all SSIDs.
  3. Pin RADIUS server certificate in MDM profiles for every managed endpoint.
  4. Rotate guest PSKs on a schedule and segment guest VLAN at L3.
62%
PSK cracks under 24h
48%
Clients without cert pinning
71%
Transition-mode WPA3 SSIDs
If your WPA3 deployment still answers to WPA2 on the same SSID, you do not have WPA3, you have marketing.

Reporting that lands

Tie every finding to a business risk. A cracked guest PSK is a low risk unless guest VLAN egresses to the corporate subnet. A cracked corporate PSK with flat L2 is critical. Show the path, not just the hash.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.