Wi-Fi Penetration Testing

The Danger of PMKID

PMKID

Field Report: The Danger of PMKID and Flat Wireless Networks

In this report, I detail a common case of an insecure wireless configuration combined with a major lack of network segmentation. The root cause isn’t just a weak Wi-Fi password; it’s the common but dangerous assumption that “Guest” or “Free” wireless networks are safely isolated from the corporate network. As this penetration test proved, all it takes is a quickly cracked pre-shared key for an attacker sitting outside the building to pivot directly into the internal corporate network.

The Entry Point: Capturing the PMKID

To kick off the engagement, I passed my USB wireless adapter through my Kali virtual machine to begin monitoring the airwaves outside the company’s building. The Wi-Fi adapter I used was the Panda PAU09. I targeted the Free Wi-Fi network to test for the WPA2-PSK PMKID vulnerability.

Unlike traditional WPA2 deauthentication attacks that require an active client to capture a 4-way handshake, the PMKID attack allows you to request the PMKID directly from the Access Point. I used Bettercap to capture the necessary frames.

sudo airmon-ng check kill                    #Fixes any problematic interference in monitor mode.
sudo ip link set wlan0 down                  #Set wireless interface down
sudo iw dev wlan0 set type monitor           #Set monitor mode
sudo ip link set wlan0 up                    #Set wireless interface up

sudo bettercap -iface wlan0
wifi.recon on
wifi.assoc All                             #Attack with a PMKID Attack
wifi.assoc <target mac>                    #Attack with a PMKID Attack for a specific target

I successfully obtained the PMKID key in under five minutes. Because this attack is client-less, it is highly reliable and provides the exact cryptographic material needed to perform offline cracking.

PMKID Handshake Capture

Offline Cracking for Network Access

Having the PMKID capture file is effectively having the lock’s blueprint. I converted the .pcapng file into a hash format that Hashcat can understand using cap2hashcat.

haschat -m 22000 29021_1761727468.hc22000 /home/mrnobody/Hacking/CustomPasswords/common_custom.txt

The key was relatively weak, and I was able to successfully crack it during the engagement window. With the plaintext password in hand, I could access the company’s free Wi-Fi network.

Cracked Wi-Fi

The Real Danger: Lack of Segmentation

While gaining access to a free Wi-Fi network is a solid finding, the true impact materialised when I began auditing the network itself. I discovered that the compromised free Wi-Fi network was not isolated from the internal corporate network (10.100.248.0/24).

Using CrackMapExec, I scanned the internal subnet and noted that I could reach the internal Domain Controllers. CrackMapExec has been archived and is no longer maintained (I only had access to this on my Wi-Fi testing box). You can use NetExec to achieve the same results, and you can find a comprehensive cheat sheet on how to use the tool here.

crackmapexec smb 10.100.248.0/24

This lack of segmentation completely bypassed the physical security of the building, exposing the internal Active Directory infrastructure to anyone sitting in the parking lot with the cracked Wi-Fi password.

Wi-Fi Connected

Final Objective: Escalating to Corporate Wi-Fi

To demonstrate the critical risk of internal network and Domain Controller communication from the guest network (possible from the parking lot), I performed a password brute-force attack against the Active Directory environment. I used a word list of potential users from OSINT before the engagement and passwords such as Summer2023, Summer2024 and Summer2025. The tool I used to perform the brute force is the popular Kerbrute tool.

.\kerbrute.exe passwordspray -d <domain name> .\users.txt Summer2023
Kerbrute Wi-Fi

Through this attack, I successfully compromised several Active Directory accounts. More importantly, I identified accounts that possessed corporate Wi-Fi access privileges. I used the Bloodhound tool to extract all the AD information. For a cheat sheet on using Bloodhound, click here.

Using these compromised credentials, I was able to disconnect from the “Free” network and authenticate directly to the secure corporate Wi-Fi network, giving me full internal access and bypassing all remaining external security controls. This was all done from the parking lot.

Bloodhound

Remediation

As you can see, a weak pre-shared key on a public-facing access point that is susceptible to PMKID attacks can pose a critical risk to the entire domain if network segmentation is not strictly enforced. To secure your environment, strictly isolate “Free” or “Guest” Wi-Fi networks from the internal corporate environment. Use VLANs and firewall rules to drop any traffic originating from the guest network destined for internal subnets. Do not use WPA2-PSK for business-critical or corporate wireless networks. Migrate to WPA2/WPA3-Enterprise (802.1X) using certificate-based authentication. If WPA2-PSK must be used for legacy reasons, ensure the pre-shared key is complex, changed periodically, and disable roaming features (802.11r) on the access points to mitigate PMKID extraction.

Related Posts

PMKID

The Danger of PMKID

Field Report: The Danger of PMKID and Flat Wireless Networks In this report, I detail a common case of an insecure wireless configurat...
Continue reading