How to Check if PMF (Protected Management Frames) is Enabled on a Wi-Fi Network
Protected Management Frames (PMF) is a security feature defined in IEEE 802.11w that protects Wi-Fi management frames (e.g., deauthentication, disassociation) from forgery and eavesdropping. This prevents attacks like deauthentication attacks (e.g., using aireplay-ng).  
Methods to Check PMF Status
1. Using Wireshark (Packet Capture Analysis)
- Capture Wi-Fi traffic in monitor mode (e.g., using airodump-ngorWireshark).
- Look for Beacon frames or Association Response frames:  - PMF Capable (802.11w): Indicates support.
- PMF Required: Forces clients to use PMF (stronger security).
 
Steps:
- Start capturing on the target Wi-Fi channel:  airodump-ng -c <channel> --bssid <AP_MAC> -w pmf_check wlan0mon
- Open the .pcapfile in Wireshark.
- Filter for wlan.fc.type_subtype == 0x08(Beacon frames).
- Check the RSN (Robust Security Network) Information Element:  - If "Management Frame Protection Capable" is present → PMF is supported.
- If "Management Frame Protection Required" is present → PMF is enforced.
 
2. Using iw Command (Linux)
If you are connected to the network (or have access to a Linux machine with Wi-Fi):
iw dev wlan0 scan | grep -A 10 "SSID Name" | grep "RSN" -A 5
- Look for Management Frame Protection: YesorMFPC(Capable) /MFPR(Required).
Example Output:
RSN:     * Version: 1
     * Group cipher: CCMP
     * Pairwise ciphers: CCMP
     * Authentication suites: PSK
     * Capabilities: MFPC (PMF capable), MFPR (PMF required)
- MFPC (Capable) → PMF is optional (clients can connect without it).
- MFPR (Required) → PMF is mandatory (more secure).
3. Using Windows (netsh Command)
If connected to the network:
- Open Command Prompt as Administrator.
- Run:  netsh wlan show networks mode=bssid
- Look for your target SSID and check the "Security settings" section.  - If "Management Frame Protection Supported" appears → PMF is enabled.
 
4. Using Android (Wi-Fi Analyzer Apps)
- Apps like Wi-Fi Analyzer or NetX may show 802.11w or PMF status in AP details.
Interpretation of Results
| Status | Security Implication | 
|---|---|
| PMF Disabled | Vulnerable to deauth attacks ( aireplay-ng -0). | 
| PMF Capable (MFPC) | Optional (some clients may not use it). | 
| PMF Required (MFPR) | Best security (blocks deauth attacks). | 
5. Use wpa_cli (Linux)
For WPA2-Personal:
- Run:  wpa_cli -i wlan0
- In the CLI, type scan_resultsand note the BSSID.
- Type bssid <BSSID>and check the RSN flags:- [MFPC]→ PMF Capable.
- [MFPR]→ PMF Required.
 
6. Check RADIUS Server Settings (White-Box)
- If you have insider access, verify if the RADIUS server (e.g., FreeRADIUS, NPS) enforces PMF:  - Look for ieee80211w = 1(PMF optional) orieee80211w = 2(PMF required) in the RADIUS client configuration.
 
- Look for 
7. Checking Access Point Configuration (White Box):
If you have been provided with access to the configuration interface of the wireless access point (as part of the white box testing), you can directly check the PMF settings.
- Steps: - Log in to the access point's web interface or command-line interface.
- Navigate to the wireless settings for the specific SSID you are testing.
- Look for options related to security, WPA2/WPA3, and advanced settings.
- You should find a setting labeled something like:- Protected Management Frames (PMF)
- Management Frame Protection (MFP)
- 802.11w
- Secure Management Frames
 
- The setting will likely have options like "Enabled," "Disabled," "Optional," or "Required."
 
- Interpreting the Results: - Enabled/Required: PMF is actively enforced. Clients that don't support PMF might not be able to connect.
- Optional: PMF is supported, and clients that support it will use it, but clients that don't can still connect without it. This is less secure than "Enabled/Required."
- Disabled: PMF is not enabled on the network
 
Key Notes for Both Networks
- WPA2 + PMF: PMF is optional in WPA2 (defined in 802.11w) but mandatory in WPA3.
- WPA3 Networks: PMF is always required, so this check is irrelevant for WPA3.
Example Scenarios
Scenario 1: PMF Disabled (Vulnerable)
- Attackers can use aireplay-ngto deauth clients:aireplay-ng -0 10 -a <AP_MAC> -c <Client_MAC> wlan0mon
- Clients will disconnect and may reveal handshakes for cracking (WPA2-Personal).
Scenario 2: PMF Enabled (Secure)
- Deauth attacks fail. You’ll see errors like:  aireplay-ng: Got a deauth/disassoc packet. Is PMF enabled on the AP?
Recommendations
- Enable PMF in "Required" mode for both WPA2-Enterprise and WPA2-Personal.
- Migrate to WPA3 (PMF is enforced by default).
