Recovering WPA-3 Network Password by Bypassing the Simultaneous Authentication of Equals Handshake using Social Engineering Captive Portal

TL;DR

This paper demonstrates a method to bypass WPA3 security by exploiting social engineering and man-in-the-middle attacks, revealing vulnerabilities in WPA3 transition mode and captive portals, especially when certain protections are not implemented.

Contribution

It introduces a novel attack combining social engineering and MITM techniques to recover WPA3 passwords via captive portals, highlighting security flaws in WPA3 transition mode.

Findings

WPA3 passwords can be recovered through social engineering attacks.

Devices not supporting Protected Management Frames are vulnerable.

WPA3 transition mode has security flaws allowing password capture.

Abstract

Wi-Fi Protected Access 3 (WPA3) is the accepted standard for next generation wireless security. WPA3 comes with exciting new features that allows for increased security of Wi-Fi networks. One such feature is the Simultaneous Authentication of Equals (SAE) which is a protocol whereby passphrases are hashed using a Password Authenticated Key Exchange with keys from both the Access Point and the Client making the password resistant to offline dictionary attacks. (Harkins, Dan. 2019) This objective of this research paper seeks to bypass WPA3-SAE to acquire network password via Man-in-the-Middle attack and Social Engineering. This method can prove to be useful given that majority of network attacks stem from social engineering. For this research we would be looking at the security of WPA3 personal transition mode and capture the network password via a captive portal. Breaching the WPA3 network can be possible by building on various security flaws that was disclosed on WPA3 in 2021. Due to the discovery of Dragonblood downgrade attacks disclosed in 2019, identified that WPA2/3Handshakes could be acquired. A Man in the Middle attack proposed set up is carried out by using race conditions to deauthentication WPA3 network and then using a Raspberry Pi to spawn a rouge WPA3 network. As such, the handshake acquired can then be utilized as to verify the password that would be entered in the captive portal of the rouge WPA3 network. This research identified that the Password was able to be recovered from Social Engineering Captive Portal when Protected Management Frames are not implemented. This research also indicates that some devices are not able to connect to a WPA 3 transition network which is contradicting the Wi-Fi Alliance claim that it is backwards compatible with WPA2.