WPA3 & Wi-Fi 6/6E

Advanced Wireless

Attacking modern wireless standards including WPA3-SAE, OWE, and 6GHz networks.

Warning

Hardware Compatibility Warning: Wi-Fi 6E (6GHz) scanning requires specific hardware support (e.g., Intel AX210, MediaTek MT7921AU). Standard 2.4/5GHz adapters will not detect these networks, and even a 6GHz-capable adapter only uses the channels that the configured regulatory domain allows (check iw reg get and the frequency list in iw phy).

WPA3-SAE (Simultaneous Authentication of Equals)

WPA3-Personal replaces the passphrase-derived pairwise master key of WPA2-PSK with one negotiated by the Dragonfly handshake (SAE, Simultaneous Authentication of Equals). The 4-way handshake still runs after SAE, but the PMK it uses no longer comes from PBKDF2 over the passphrase, so a captured handshake gives an attacker nothing to test guesses against offline: every password guess costs one live SAE exchange with the AP or a client, which the network can observe and rate-limit. SAE is not unbreakable, however. Implementation side channels in the Dragonfly password element derivation (timing and cache leaks, published as Dragonblood in 2019) can leak enough information to recover the password, and transition-mode deployments are exposed to downgrade attacks. WPA3 also makes Protected Management Frames (802.11w) mandatory, so the unauthenticated deauthentication frames used to force WPA2 clients to reconnect are ignored by a WPA3 association.

hcxdumptool captures PMKIDs and EAPOL 4-way handshakes from the target AP and its clients. Against a pure WPA3-SAE BSS the captured handshake is not offline-crackable; this capture-and-crack workflow targets WPA2-PSK material, including handshakes from legacy clients of a transition-mode network (see the downgrade section below).

capture.sh
bash
# older hcxdumptool syntax; releases from 6.3 on write the capture with -w and no longer take --enable_status
hcxdumptool -i wlan0 --enable_status=1 -o dump.pcapng

Once captured, convert the pcapng into hashcat's hash-line format with hcxpcapngtool and crack it with mode 22000, which covers both EAPOL handshakes and PMKIDs. Mode 2500 expects the deprecated .hccapx format and does not accept a .hc22000 file.

crack.sh
bash
hcxpcapngtool -o dump.hc22000 dump.pcapng
hashcat -m 22000 dump.hc22000 wordlist.txt

SAE-PK & Downgrade Attacks

Many networks run in "Transition Mode" (WPA2-PSK and WPA3-SAE advertised in the same RSN element, shown by iw as authentication suites "PSK SAE") so that older devices can still connect. Both modes share one passphrase, so a WPA2 handshake from any client of the network yields the WPA3 password as well. The downgrade attack from the Dragonblood work does not jam anything: the attacker stands up a rogue AP with the same SSID that advertises only WPA2, and a client that accepts it starts a WPA2 4-way handshake with the attacker. The client detects the mismatch only when it compares the RSN element in message 3 with what the real network advertised, so messages 1 and 2 (the attacker's ANonce, the client's SNonce and MIC) have already been sent and are enough for offline cracking. Legacy clients that never supported WPA3 need no trick at all; hcxdumptool collects their WPA2 handshakes and PMKIDs from the real AP directly. Because WPA3 requires PMF, forged deauthentication frames will not push a WPA3 client off the real network; the attack relies on the client choosing the rogue BSS. SAE-PK (SAE Public Key) is the optional extension that addresses the other weakness of a shared passphrase, an evil twin that knows it: the AP proves possession of a private key bound to the passphrase, so a rogue AP with the password alone is rejected. It is rarely deployed.

OWE (Opportunistic Wireless Encryption)

OWE, or "Enhanced Open," gives open networks per-client encryption without any authentication. Client and AP carry an ECDH exchange in the association frames, derive a PMK from the shared secret, and then run the normal 4-way handshake, so a passive observer cannot read the traffic. Nothing in the exchange authenticates the AP, so OWE does not stop active attacks: an evil twin advertising OWE with the same SSID is indistinguishable to the client.

OWE transition mode exists so that clients without OWE support can still join. The AP runs two BSSs: an open one carrying the visible SSID, whose beacons include an OWE Transition Mode element naming the BSSID and SSID of a second, hidden BSS that advertises the OWE AKM. An attacker cannot rewrite the real AP's beacons in the air, but an evil twin that broadcasts the visible SSID as a plain open network without the transition element looks exactly like the real open BSS; clients that pick it, or that never supported OWE, associate unencrypted and the attacker sits in the path as a man in the middle.
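The triage that the SAE, downgrade and OWE sections above call for (is a BSS pure SAE, transition mode, OWE, or open, and does it require PMF) as an added example that is not code from the original page: a POSIX shell script that classifies the BSSs in iw scan output before anything is captured. It assumes the text format iw prints (lines beginning BSS, freq:, SSID:, * Authentication suites: and * Capabilities:); the scan excerpt it embeds is constructed, not a real capture, and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page: classify `iw dev wlan0 scan`
# output by authentication mode so the right attack is chosen per BSS.

# Read iw scan output on stdin; print one tab-separated line per BSS:
#   bssid  band  mode  pmf  ssid  note
# Indentation is matched with [[:space:]] so both tabs (real iw output)
# and spaces (the sample below) work; "freq: 2437.0" from newer iw is fine.
classify_scan() {
    awk '
    function flush(    band, mode, note) {
        if (bssid == "") return
        band = (freq >= 5955) ? "6GHz" : ((freq >= 5150) ? "5GHz" : "2.4GHz")
        if (akm ~ /SAE/ && akm ~ /PSK/) { mode = "WPA2/WPA3-transition"; note = "downgrade target: a WPA2 handshake also yields the WPA3 passphrase" }
        else if (akm ~ /SAE/)           { mode = "WPA3-SAE"; note = "no offline cracking of captured handshakes" }
        else if (akm ~ /OWE/)           { mode = "OWE"; note = (ssid == "") ? "hidden SSID, likely the OWE half of a transition pair" : "encrypted but unauthenticated" }
        else if (akm ~ /PSK/)           { mode = "WPA2-PSK"; note = "PMKID / 4-way handshake crackable offline" }
        else if (akm != "")             { mode = "other:" akm; note = "" }
        else if (privacy)               { mode = "WEP?"; note = "" }
        else                            { mode = "open"; note = "unencrypted; check for an OWE transition element" }
        if (band == "6GHz" && (mode == "WPA2-PSK" || mode == "open" || mode == "WEP?"))
            note = "anomalous: 6GHz requires WPA3 (SAE, OWE or 802.1X)"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", bssid, band, mode, pmf, (ssid == "" ? "<hidden>" : ssid), note
    }
    /^BSS / { flush(); bssid = $2; sub(/\(.*/, "", bssid); freq = 0; ssid = ""; akm = ""; pmf = "none"; privacy = 0; next }
    /^[[:space:]]+freq: /                 { freq = $2 + 0 }
    /^[[:space:]]+capability: .*Privacy/  { privacy = 1 }
    /^[[:space:]]+SSID:/                  { ssid = $0; sub(/^[[:space:]]+SSID: ?/, "", ssid) }
    # a WPA (v1) element also has this line; the last one seen (the RSN) wins
    /\* Authentication suites: /          { akm = $0; sub(/.*Authentication suites: /, "", akm) }
    /\* Capabilities: .*MFP-required/     { pmf = "required" }
    /\* Capabilities: .*MFP-capable/      { if (pmf == "none") pmf = "capable" }
    END { flush() }
    '
}

# Only the BSSs where the WPA2 downgrade described above applies.
downgrade_targets() {
    classify_scan | awk -F'\t' '$3 == "WPA2/WPA3-transition" { print $1 "\t" $5 }'
}

# Constructed `iw dev wlan0 scan` excerpt (not a real capture).
sample_scan() {
    cat <<'EOF'
BSS aa:bb:cc:dd:ee:01(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CorpWiFi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK SAE
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS aa:bb:cc:dd:ee:02(on wlan0)
    freq: 5180.0
    capability: ESS Privacy (0x0011)
    SSID: CorpWiFi-5
    RSN:     * Version: 1
         * Authentication suites: SAE
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS aa:bb:cc:dd:ee:03(on wlan0)
    freq: 5975
    capability: ESS Privacy (0x0011)
    SSID: 
    RSN:     * Version: 1
         * Authentication suites: OWE
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS aa:bb:cc:dd:ee:04(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    SSID: Guest
BSS aa:bb:cc:dd:ee:05(on wlan0)
    freq: 6055
    capability: ESS Privacy (0x0011)
    SSID: Legacy
    RSN:     * Version: 1
         * Authentication suites: PSK
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
EOF
}

# Demo on the constructed sample; for a real run: iw dev wlan0 scan | classify_scan
sample_scan | classify_scan
```

The note column is what drives the rest of the page: WPA3-SAE rows get no hcxdumptool/hashcat attempt, transition rows go to the rogue-AP downgrade or to capturing legacy clients, OWE rows with a hidden SSID point at the open twin BSS to look for, and a PSK or open BSS on 6GHz should not exist and deserves a second look at the capture.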

Wi-Fi 6E (6GHz) Scanning

Wi-Fi 6E adds the 6GHz band: 5925 to 7125 MHz, channels 1 to 233 with channel n centred on 5950 + 5n MHz (channel 1 is 5955 MHz), offering more channels and less interference. Two things differ from the lower bands for an assessor. First, Wi-Fi 6E certification requires WPA3 on 6GHz, so WPA2-PSK, WEP and plain open BSSs do not appear there: every network you find uses SAE, OWE or 802.1X with PMF required, and the WPA2 capture-and-crack workflow only applies if the same SSID also runs on 2.4/5GHz in transition mode. Second, standard 2.4GHz/5GHz adapters cannot see the band at all; you must use 6GHz-capable hardware like the Intel AX210 or MediaTek MT7921AU, and the Linux driver only enables the 6GHz channels that the configured regulatory domain permits (check iw reg get, and iw phy marks unusable frequencies as disabled).

The freq argument of iw scan takes a list of centre frequencies in MHz and scans only those, so a full sweep needs every channel listed, or at least the Preferred Scanning Channels (every 16th channel starting at 5: 5975, 6055, ... 7095 MHz) on which 6GHz APs are meant to be discoverable. The command below probes just channels 1 and 33.

scan-6ghz.sh
bash
# freq takes a list of centre frequencies in MHz; 5955 and 6115 are 6GHz channels 1 and 33
iw dev wlan0 scan freq 5955 6115
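Helpers for planning the 6GHz scan, added here as an example that is not part of the original page: channel/frequency conversion for the band, the Preferred Scanning Channel list turned into an iw scan command line, and a count of the 6GHz frequencies the regulatory domain has enabled on the phy. The iw phy line format it parses ("* 5975.0 MHz [5] (23.0 dBm)", with "(disabled)" marking channels the regulatory domain blocks) is assumed from current iw output, the excerpt embedded below is constructed, and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page: 6GHz scan planning helpers.

# 6GHz channel n is centred at 5950 + 5n MHz (n = 1..233).
chan6_to_freq() { echo $(( 5950 + 5 * $1 )); }
freq_to_chan6() { echo $(( ($1 - 5950) / 5 )); }

# Preferred Scanning Channels: every 16th channel from 5 (5, 21, ..., 229).
# 6GHz APs are expected to sit on a PSC or be announced from one via the
# Reduced Neighbor Report, so these 15 frequencies find most networks quickly.
psc_freqs() {
    ch=5
    while [ "$ch" -le 229 ]; do
        chan6_to_freq "$ch"
        ch=$((ch + 16))
    done
}

# Build the iw command that sweeps the PSC set on the given interface.
psc_scan_cmd() {
    ifname="${1:-wlan0}"
    set -- $(psc_freqs)
    echo "iw dev $ifname scan freq $*"
}

# Count 6GHz frequencies (5955..7115 MHz) that the regulatory domain has left
# enabled on this phy. Reads `iw phy` output on stdin so it can be tested offline;
# iw prints "5975 MHz" on older releases and "5975.0 MHz" on newer ones.
enabled_6ghz_count() {
    awk '
    /\* (59[5-9][0-9]|6[0-9][0-9][0-9]|7[01][0-9][0-9])(\.0)? MHz/ && !/\(disabled\)/ { n++ }
    END { print n + 0 }
    '
}

# Constructed `iw phy` excerpt (not real output): a domain that allows only
# the bottom of the 6GHz band.
sample_phy() {
    cat <<'EOF'
        Frequencies:
            * 5180.0 MHz [36] (23.0 dBm)
            * 5955.0 MHz [1] (23.0 dBm)
            * 5975.0 MHz [5] (23.0 dBm)
            * 6055 MHz [21] (disabled)
            * 6135.0 MHz [37] (disabled)
EOF
}

# Demo: the PSC sweep command, and the enabled count from the sample phy
# (swap in `iw phy | enabled_6ghz_count` on a real host).
psc_scan_cmd wlan0
echo "enabled 6GHz frequencies in sample phy: $(sample_phy | enabled_6ghz_count)"
```

If enabled_6ghz_count returns 0 on a host whose adapter is 6GHz-capable, the regulatory domain rather than the hardware is the reason the scan finds nothing; fix that with the correct country setting before blaming the adapter or the target.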