WPA3 Downgrade attack

By admin4-way handshake, WPA3, WPA3 Downgrade

WLAN configured for WPA3 SAE with backward compatibility

Confirmation via airodump-ng

Confirmation via Wireshark

The client connected after going through the normal four-way handshake process

Client connected

Create a rouge access point that will broadcast an RSN IE of WPA2. The PSK is incorrect.

Verify the wireless interfaces

Contents of the script

Start airodump-ng before running the fake AP.

Start fake AP

Clients are already trying to auth against the fake AP

The fake AP does not know the correct PSK, but the client and AP will exchange a few frames. The four-way hand-shake was captured.

Verify frame exchange and beacon frames. We can see that the auth key management now displays PSK with AES.

  • The transaction between the AP and client CAN NOT move past key 2 as the AP does not have the correct PSK defined.

Attempt to retrieve the PSK via a dictionary attack.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.