New attack on WPA/WPA2 using PMKID
If you mean, that we have two steps, you got it:
step1 = derivation of Plainmasterkey (PMK), for example by PBKFD2
step2 = derivation of Pairwise Transient Key (PTK) to get access to the network (EAPOL 4/4 handshake)

Let's take a look at SAE (sae4way.pcapng):
packet 4 and 5 contain the commit messages from client (4) and access point (5)
packet 6 and 7 contain the confirm messages from client (6) and access point (7)
the PMK is calculated from packet 6 and 7 (PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)) and used by the following EAPOL handshake (packet 10, 11, 12, 13)
packet 10 contain a PMKID calculated by PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)

Laboratoy environment:
$ hcxdumptool -I
wlan interfaces:
c83a35c24fbc wlp39s0f3u4u4 (rt2800usb) = SAE client
c83a35ce463f wlp39s0f3u4u1 (rt2800usb) = SAE access point
c83a35cc88c9 wlp3s0f0u1 (rt2800usb) = hcxdumptool

used adapters:
TENDA W311U+ (cheaper than ALFAs, less power consumption, driver well suported, and more... - I like them)

latest hcxdumptool is used to capture traffic:
.zip   sae4way.pcapng.zip (Size: 1.57 KB / Downloads: 16)

Latest hcxpcaptool is able to parse a SAE4way handshake to hashcat. So please use it for this example
$ hcxpcaptool -o saetest.hccapx -z saetest.16800 sae4way.pcapng
summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets................: 7
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to saetest.hccapx
1 PMKID(s) written to saetest.16800

The calculated PMK
(PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r))
from the SAE authentication is:
3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
we store it in our wordlist (sae4way.pmkfile)

Let's verfify the PMK by hashcat using hashmode 2501:

$ hashcat -m 2501 saetest.hccapx sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Sat Nov 10 10:29:28 2018 (0 secs)
Time.Estimated...: Sat Nov 10 10:29:28 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1603 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 52% Core:1657MHz Mem:5005MHz Bus:16

c073532f1526da27c4c96b6f8031a027:c83a35ce463f:c83a35c24fbc:mynet:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b

hashcat verified the PMK, succefully!

Let's verify the PMKID by hashcat suing hashmode 16801 (we will fail epically...):

$ hashcat -m 16801 saetest.16800 sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat                       
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a3...6e6574
Time.Started.....: Sat Nov 10 10:28:12 2018 (1 sec)
Time.Estimated...: Sat Nov 10 10:28:13 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2459 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 39c Fan: 29% Util:  1% Core:1911MHz Mem:5005MHz Bus:16

As expected, we failed to verify the PMKID, because it is not calculated by PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!


Messages In This Thread
New attack on WPA/WPA2 using PMKID - by atom - 08-04-2018, 06:50 PM
RE: New attack on WPA/WPA using PMKID - by hash93 - 08-04-2018, 09:18 PM
RE: New attack on WPA/WPA using PMKID - by ZerBea - 08-05-2018, 10:53 AM
RE: New attack on WPA/WPA2 using PMKID - by kcdtv - 08-05-2018, 11:41 PM
RE: New attack on WPA/WPA2 using PMKID - by lint - 08-06-2018, 06:09 PM
RE: New attack on WPA/WPA2 using PMKID - by lint - 11-07-2018, 07:05 PM
RE: New attack on WPA/WPA2 using PMKID - by atom - 08-08-2018, 11:16 AM
RE: New attack on WPA/WPA2 using PMKID - by atom - 08-08-2018, 11:55 AM
RE: New attack on WPA/WPA2 using PMKID - by kcdtv - 08-09-2018, 04:11 PM
RE: New attack on WPA/WPA2 using PMKID - by octf - 08-11-2018, 07:21 AM
RE: New attack on WPA/WPA2 using PMKID - by skan - 08-13-2018, 03:57 AM
RE: New attack on WPA/WPA2 using PMKID - by LoZio - 08-17-2018, 01:49 PM
RE: New attack on WPA/WPA2 using PMKID - by L3pus - 08-21-2018, 09:23 AM
RE: New attack on WPA/WPA2 using PMKID - by lint - 09-03-2018, 12:07 PM
RE: New attack on WPA/WPA2 using PMKID - by sao - 08-27-2018, 06:10 AM
RE: New attack on WPA/WPA2 using PMKID - by Mem5 - 08-27-2018, 07:24 PM
RE: New attack on WPA/WPA2 using PMKID - by JCas - 09-01-2018, 02:13 PM
RE: New attack on WPA/WPA2 using PMKID - by dafez - 09-03-2018, 04:40 PM
RE: New attack on WPA/WPA2 using PMKID - by dafez - 09-07-2018, 04:55 AM
RE: New attack on WPA/WPA2 using PMKID - by marcou3000 - 09-21-2018, 03:43 AM
RE: New attack on WPA/WPA2 using PMKID - by Mem5 - 09-21-2018, 09:39 AM
RE: New attack on WPA/WPA2 using PMKID - by marcou3000 - 09-21-2018, 12:51 PM
RE: New attack on WPA/WPA2 using PMKID - by marcou3000 - 09-22-2018, 01:49 AM
RE: New attack on WPA/WPA2 using PMKID - by marcou3000 - 09-22-2018, 04:50 PM
RE: New attack on WPA/WPA2 using PMKID - by marcou3000 - 09-22-2018, 10:22 PM
RE: New attack on WPA/WPA2 using PMKID - by Rit - 10-23-2018, 11:07 PM
RE: New attack on WPA/WPA2 using PMKID - by Rit - 10-27-2018, 06:29 PM
RE: New attack on WPA/WPA2 using PMKID - by Rit - 10-27-2018, 06:20 PM
RE: New attack on WPA/WPA2 using PMKID - by Rit - 10-27-2018, 06:31 PM
RE: New attack on WPA/WPA2 using PMKID - by lint - 11-07-2018, 07:10 PM
RE: New attack on WPA/WPA2 using PMKID - by ZerBea - 11-10-2018, 12:03 PM