Thursday, April 3, 2025

How to Check if PMF (Protected Management Frames) is Enabled on a Wi-Fi Network

Protected Management Frames (PMF) is a security feature defined in IEEE 802.11w that protects Wi-Fi management frames (e.g., deauthentication, disassociation) from forgery and eavesdropping. This prevents attacks that rely on forged management frames, such as deauthentication attacks (e.g., using aireplay-ng).


Methods to Check PMF Status

1. Using Wireshark (Packet Capture Analysis)

  • Capture Wi-Fi traffic in monitor mode (e.g., using airodump-ng or Wireshark).
  • Look for Beacon frames or Association Response frames:
    • PMF Capable (802.11w): Indicates support.
    • PMF Required: Forces clients to use PMF (stronger security).

Steps:

  1. Start capturing on the target Wi-Fi channel:
    airodump-ng -c <channel> --bssid <AP_MAC> -w pmf_check wlan0mon
    
  2. Open the .pcap file in Wireshark.
  3. Filter for wlan.fc.type_subtype == 0x08 (Beacon frames).
  4. Check the RSN (Robust Security Network) Information Element and its RSN Capabilities field:
    • If "Management Frame Protection Capable" is set → PMF is supported.
    • If "Management Frame Protection Required" is set → PMF is enforced.
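
What step 4 reads from the beacon, as an added example that is not part of the original post: it walks the beacon's tagged parameters to the RSN element (ID 48) and tests the MFPR (bit 6) and MFPC (bit 7) bits of the RSN Capabilities field. The function names find_rsne, pmf_status and beacon_tags are hypothetical, and the sample bytes are constructed rather than captured.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def find_rsne(tagged: bytes):
    """Walk tagged parameters (ID, length, body) and return the RSNE body (ID 48)."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:
            return None            # truncated capture: stop rather than misparse
        if eid == 48:
            return body
        i += 2 + length
    return None

def pmf_status(rsne):
    """Classify PMF from an RSNE body: version, group suite, pairwise list, AKM list, caps."""
    if rsne is None:
        return "disabled"          # no RSN element at all, so no PMF
    off = 2 + 4                    # skip version (2 bytes) and group cipher suite (4 bytes)
    for _ in range(2):             # pairwise list, then AKM list: 2-byte count + 4 bytes each
        if off + 2 > len(rsne):
            return "disabled"      # optional fields absent: capabilities default to 0
        (count,) = struct.unpack_from("<H", rsne, off)
        off += 2 + 4 * count
    if off + 2 > len(rsne):
        return "disabled"
    (caps,) = struct.unpack_from("<H", rsne, off)
    if caps & MFPR:
        return "required" if caps & MFPC else "invalid"  # MFPR without MFPC is not valid
    return "capable" if caps & MFPC else "disabled"

def beacon_tags(caps: int) -> bytes:
    """Constructed sample: SSID element plus a WPA2-PSK/CCMP RSNE with the given caps."""
    ccmp, psk = bytes.fromhex("000fac04"), bytes.fromhex("000fac02")
    body = struct.pack("<H4sH4sH4sH", 1, ccmp, 1, ccmp, 1, psk, caps)
    return bytes([0, 4]) + b"test" + bytes([48, len(body)]) + body

if __name__ == "__main__":
    for caps in (0x000C, 0x008C, 0x00CC):
        print(f"caps=0x{caps:04x} -> PMF {pmf_status(find_rsne(beacon_tags(caps)))}")
```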

2. Using iw Command (Linux)

If you are connected to the network (or have access to a Linux machine with Wi-Fi):

iw dev wlan0 scan | grep -A 10 "SSID Name" | grep "RSN" -A 5
  • Look for Management Frame Protection: Yes or MFPC (Capable) / MFPR (Required).

Example Output:

RSN:     * Version: 1
     * Group cipher: CCMP
     * Pairwise ciphers: CCMP
     * Authentication suites: PSK
     * Capabilities: MFPC (PMF capable), MFPR (PMF required)
  • MFPC (Capable) → PMF is optional (clients can connect without it).
  • MFPR (Required) → PMF is mandatory (more secure).

3. Using Windows (netsh Command)

If connected to the network:

  1. Open Command Prompt as Administrator.
  2. Run:
    netsh wlan show networks mode=bssid
    
  3. Look for your target SSID and check the "Security settings" section.
    • If "Management Frame Protection Supported" appears → PMF is enabled.

4. Using Android (Wi-Fi Analyzer Apps)

  • Apps like Wi-Fi Analyzer or NetX may show 802.11w or PMF status in AP details.

Interpretation of Results

| Status              | Security Implication                           |
|---------------------|------------------------------------------------|
| PMF Disabled        | Vulnerable to deauth attacks (aireplay-ng -0). |
| PMF Capable (MFPC)  | Optional (some clients may not use it).        |
| PMF Required (MFPR) | Best security (blocks deauth attacks).         |

5. Use wpa_cli (Linux)

For WPA2-Personal:

  1. Run:
    wpa_cli -i wlan0
    
  2. In the CLI, type scan_results and note the BSSID.
  3. Type bss <BSSID> and check the RSN flags:
    • [MFPC] → PMF Capable.
    • [MFPR] → PMF Required.

6. Check RADIUS Server Settings (White-Box)

  • If you have insider access, verify whether the RADIUS-backed deployment (e.g., FreeRADIUS, NPS) enforces PMF:
    • Look for ieee80211w=1 (PMF optional) or ieee80211w=2 (PMF required) in the RADIUS client configuration, i.e., on the access point or authenticator (ieee80211w is the hostapd option name).

7. Checking Access Point Configuration (White-Box)

If you have been provided with access to the configuration interface of the wireless access point (as part of the white box testing), you can directly check the PMF settings.

  • Steps:

    1. Log in to the access point's web interface or command-line interface.
    2. Navigate to the wireless settings for the specific SSID you are testing.
    3. Look for options related to security, WPA2/WPA3, and advanced settings.
    4. You should find a setting labeled something like:
      • Protected Management Frames (PMF)
      • Management Frame Protection (MFP)
      • 802.11w
      • Secure Management Frames
    5. The setting will likely have options like "Enabled," "Disabled," "Optional," or "Required."
  • Interpreting the Results:

    • Enabled/Required: PMF is actively enforced. Clients that don't support PMF might not be able to connect.
    • Optional: PMF is supported, and clients that support it will use it, but clients that don't can still connect without it. This is less secure than "Enabled/Required."
    • Disabled: PMF is not enabled on the network.

Key Notes for Both Networks

  • WPA2 + PMF: PMF is optional in WPA2 (defined in 802.11w) but mandatory in WPA3.
  • WPA3 Networks: PMF is always required, so this check is irrelevant for WPA3.

Example Scenarios

Scenario 1: PMF Disabled (Vulnerable)

  • Attackers can use aireplay-ng to deauth clients:
    aireplay-ng -0 10 -a <AP_MAC> -c <Client_MAC> wlan0mon
    
  • Clients will disconnect and may reveal handshakes for cracking (WPA2-Personal).

Scenario 2: PMF Enabled (Secure)

  • Deauth attacks fail. You’ll see errors like:
    aireplay-ng: Got a deauth/disassoc packet. Is PMF enabled on the AP?
    

Recommendations

  1. Enable PMF in "Required" mode for both WPA2-Enterprise and WPA2-Personal.
  2. Migrate to WPA3 (PMF is enforced by default).
