Test WPA3 Network Defenses

Attack WPA3-SAE networks via downgrade-to-WPA2 transition-mode attacks or Dragonblood side-channel exploits

Red-team testing of WPA3-transitional deployments on older access points or research into SAE side-channel vulnerabilities.

• · Target ESSID/BSSID with WPA3 or WPA2/WPA3 transition mode
• · Wi-Fi adapter capable of spoofing Beacon frames (hostapd-based rogue AP)

• · Downgraded WPA2-PSK handshake (if transition mode vulnerable)
• · SAE password element side-channel timing data (Dragonblood research)
• · Cracked or exfiltrated PSK

• · hostapd (for RSN-only beacon spoofing to force WPA2 downgrade)
• · Dragonblood reference implementation (dragondrain.py, dragontime.py)
• · mdk4 (SAE auth-flood DoS)
• · Curve library for side-channel analysis (research use)

• · Target must support WPA2/WPA3 transition mode (downgrade possible) OR older hostapd (<2.10) with weak SAE curve diversification
• · Rogue AP capable of impersonating target SSID (adapter + hostapd)
• · Client software that allows WPA2 fallback when WPA3 beacon missing

• · Modern WPA3 (hostapd 2.10+) with strong curve diversification resists Dragonblood timing attacks
• · PMF mandatory on WPA3 blocks transition-mode fallback (cannot force WPA2 beacon acceptance)
• · Client enforces WPA3-only mode (no WPA2 fallback option)
• · SAE password element compression varies by implementation (not all vulnerable to timing leak)

• · Covers WPA3 transition-mode downgrade attack (practical against deployment misconfigurations)
• · Dragonblood (CVE-2019-9494/9495/13377) referenced with reference implementation links
• · Auth-flooding DoS documented as resource exhaustion technique against low-end APs