offensive-wpa3-sae


WPA3 / SAE Attacks

WPA3 fixes the offline-handshake-cracking weakness of WPA2 by replacing the 4-way PSK exchange with SAE (a Dragonfly-derived password-authenticated key exchange). The straightforward offline crack disappears — but transition-mode misconfigurations and the original SAE implementation's side-channel leaks open new paths.

Quick Workflow

  1. Verify the target advertises WPA3 (RSN IE shows AKM SAE = 8)
  2. Check for transition-mode (mixed WPA2 + WPA3) — easiest path
  3. If pure WPA3, fingerprint the AP's hostapd version for Dragonblood applicability
  4. Side-channel timing or cache attacks if reachable
  5. Otherwise, accept that offline cracking isn't viable — pivot to other surfaces
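Steps 1 and 2 can be run as a configuration audit on your own AP. The sketch below is an added example, not code from the skill itself: it parses an RSN element (ID 48), reports whether SAE is advertised alone or alongside WPA2-PSK, and checks the management frame protection bits. The function names and both sample elements are constructed for illustration.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"
PSK_AKMS = {2, 4, 6}   # PSK, FT-PSK, PSK-SHA256
SAE_AKMS = {8, 9}      # SAE, FT-SAE

def parse_rsne(ie: bytes) -> dict:
    """Parse one RSN element into its AKM suite types and MFP capability bits."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]

    def suite_list(off):
        # Each list is a 2-byte little-endian count followed by 4-byte selectors.
        if off + 2 > len(body):
            raise ValueError("truncated suite count")
        (count,) = struct.unpack_from("<H", body, off)
        end = off + 2 + 4 * count
        if end > len(body):
            raise ValueError("truncated suite list")
        return [body[i:i + 4] for i in range(off + 2, end, 4)], end

    _pairwise, off = suite_list(2 + 4)   # skip version (2) and group cipher (4)
    akms, off = suite_list(off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": {s[3] for s in akms if s[:3] == OUI_IEEE},
            "mfpc": bool(caps & 0x0080),   # MFP capable
            "mfpr": bool(caps & 0x0040)}   # MFP required

def classify(ie: bytes):
    """Return (mode, findings) for an advertised RSN element."""
    info = parse_rsne(ie)
    has_sae, has_psk = bool(info["akms"] & SAE_AKMS), bool(info["akms"] & PSK_AKMS)
    mode = ("transition" if has_sae and has_psk else
            "wpa3-only" if has_sae else "wpa2-psk" if has_psk else "other")
    findings = []
    if mode == "transition":
        findings.append("WPA2-PSK still offered next to SAE; move to SAE-only when clients allow")
    if mode == "wpa3-only" and not info["mfpr"]:
        findings.append("SAE-only network does not require management frame protection")
    return mode, findings

# Constructed sample elements (CCMP ciphers; not captured from a real network).
TRANSITION = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                           "0200" "000fac02" "000fac08" "8000")
SAE_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                         "0100" "000fac08" "c000")

if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION), ("sae-only", SAE_ONLY)):
        print(name, classify(ie))
```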

Transition-Mode Downgrade

If the AP advertises both WPA2-PSK and WPA3-SAE (transition mode for mixed-client networks), older clients can be forced onto WPA2:

First Seen
May 8, 2026
offensive-wpa3-sae — snailsploit/claude-red