Field Reports
The Danger of PMKID
Field Report: The Danger of PMKID and Flat Wireless Networks
In this report, I detail a common case of an insecure wireless configuration combined with a major lack of network segmentation. The root cause isn’t just a weak Wi-Fi password; it’s the common but dangerous assumption that “Guest” or “Free” wireless networks are safely isolated from the corporate network. As this penetration test proved, all it takes is a quickly cracked pre-shared key for an attacker sitting outside the building to pivot directly into the internal corporate network.
The Entry Point: Capturing the PMKID
To kick off the engagement, I passed my USB wireless adapter through my Kali virtual machine to begin monitoring the airwaves outside the company’s building. The Wi-Fi adapter I used was the Panda PAU09. I targeted the Free Wi-Fi network to test for the WPA2-PSK PMKID vulnerability.
Unlike traditional WPA2 deauthentication attacks that require an active client to capture a 4-way handshake, the PMKID attack allows you to request the PMKID directly from the Access Point. I used Bettercap to capture the necessary frames.
sudo airmon-ng check kill #Fixes any problematic interference in monitor mode. sudo ip link set wlan0 down #Set wireless interface down sudo iw dev wlan0 set type monitor #Set monitor mode sudo ip link set wlan0 up #Set wireless interface up sudo bettercap -iface wlan0 wifi.recon on wifi.assoc All #Attack with a PMKID Attack wifi.assoc <target mac> #Attack with a PMKID Attack for a specific target
I successfully obtained the PMKID key in under five minutes. Because this attack is client-less, it is highly reliable and provides the exact cryptographic material needed to perform offline cracking.
Offline Cracking for Network Access
Having the PMKID capture file is effectively having the lock’s blueprint. I converted the .pcapng file into a hash format that Hashcat can understand using cap2hashcat.
haschat -m 22000 29021_1761727468.hc22000 /home/mrnobody/Hacking/CustomPasswords/common_custom.txt
The key was relatively weak, and I was able to successfully crack it during the engagement window. With the plaintext password in hand, I could access the company’s free Wi-Fi network.
The Real Danger: Lack of Segmentation
While gaining access to a free Wi-Fi network is a solid finding, the true impact materialised when I began auditing the network itself. I discovered that the compromised free Wi-Fi network was not isolated from the internal corporate network (10.100.248.0/24).
Using CrackMapExec, I scanned the internal subnet and noted that I could reach the internal Domain Controllers. CrackMapExec has been archived and is no longer maintained (I only had access to this on my Wi-Fi testing box). You can use NetExec to achieve the same results, and you can find a comprehensive cheat sheet on how to use the tool here.
crackmapexec smb 10.100.248.0/24
This lack of segmentation completely bypassed the physical security of the building, exposing the internal Active Directory infrastructure to anyone sitting in the parking lot with the cracked Wi-Fi password.
Final Objective: Escalating to Corporate Wi-Fi
To demonstrate the critical risk of internal network and Domain Controller communication from the guest network (possible from the parking lot), I performed a password brute-force attack against the Active Directory environment. I used a word list of potential users from OSINT before the engagement and passwords such as Summer2023, Summer2024 and Summer2025. The tool I used to perform the brute force is the popular Kerbrute tool.
.\kerbrute.exe passwordspray -d <domain name> .\users.txt Summer2023
Through this attack, I successfully compromised several Active Directory accounts. More importantly, I identified accounts that possessed corporate Wi-Fi access privileges. I used the Bloodhound tool to extract all the AD information. For a cheat sheet on using Bloodhound, click here.
Using these compromised credentials, I was able to disconnect from the “Free” network and authenticate directly to the secure corporate Wi-Fi network, giving me full internal access and bypassing all remaining external security controls. This was all done from the parking lot.
Remediation
As you can see, a weak pre-shared key on a public-facing access point that is susceptible to PMKID attacks can pose a critical risk to the entire domain if network segmentation is not strictly enforced. To secure your environment, strictly isolate “Free” or “Guest” Wi-Fi networks from the internal corporate environment. Use VLANs and firewall rules to drop any traffic originating from the guest network destined for internal subnets. Do not use WPA2-PSK for business-critical or corporate wireless networks. Migrate to WPA2/WPA3-Enterprise (802.1X) using certificate-based authentication. If WPA2-PSK must be used for legacy reasons, ensure the pre-shared key is complex, changed periodically, and disable roaming features (802.11r) on the access points to mitigate PMKID extraction.