Exercise 33: Implementing and Testing WPA3 on Wi-Fi

Objective

Understand the benefits of WPA3 encryption by configuring and testing a wireless network, analyzing the handshake process, and comparing it to WPA2.

Scenario

As a network administrator, you are tasked with upgrading your organization’s Wi-Fi security from WPA2 to WPA3. This exercise involves setting up a wireless network with WPA3 encryption, verifying device connectivity, and analyzing the authentication handshake to understand the security improvements.

⚠️ Important: Perform this exercise in a legal and controlled lab environment. Unauthorized network access or monitoring is illegal and unethical.

Lab Instructions

Step 1: Set Up a Wireless Access Point with WPA3

a. Configure the Wireless Router/AP

1. Access the router’s admin panel (e.g., 192.168.1.1).
2. Navigate to Wireless Security Settings.
3. Select WPA3-Personal or WPA3-Enterprise as the security mode.
4. Set the SSID (e.g., SecureNetwork_WPA3).
5. Create a strong passphrase (e.g., StrongPass!2024).
6. Save and apply the configuration.

b. Verify WPA3 Support

• Ensure the router and client devices support WPA3.
• Update firmware/drivers if necessary.

Step 2: Connect a Device to the WPA3 Network

a. Verify Device Compatibility

• Use a modern device (laptop/smartphone) with WPA3 support.

b. Connect to the Network

1. Select the SecureNetwork_WPA3 SSID.
2. Enter the passphrase.
3. Verify a successful connection.

c. Confirm WPA3 Encryption

On Linux:

iw dev wlan0 link

Look for WPA3-SAE in the output.

On Windows:

netsh wlan show interfaces

Check if the authentication type is WPA3-Personal.

Step 3: Analyze the WPA3 Handshake

a. Install Airodump-ng

sudo apt update
sudo apt install aircrack-ng -y

b. Enable Monitor Mode

sudo ip link set wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up

c. Capture the WPA3 Handshake

sudo airodump-ng wlan0

• Identify the BSSID and channel of SecureNetwork_WPA3.
• Start targeted capture:

sudo airodump-ng -c <channel> --bssid <BSSID> -w wpa3_handshake wlan0

• Expected Result: WPA3 handshake data will not reveal keys due to the SAE (Simultaneous Authentication of Equals) protocol.

Step 4: Discuss WPA3 Advantages Over WPA2

a. Protection Against Brute-Force Attacks

• SAE replaces the pre-shared key (PSK) system, making offline dictionary attacks ineffective.

b. Forward Secrecy

• Each session uses unique encryption keys, protecting past communications even if credentials are compromised.

c. Enhanced Encryption

• 192-bit encryption support for enterprise environments.

d. Improved Open Network Security

• OWE (Opportunistic Wireless Encryption) encrypts data even on open networks.

Solution & Explanation

WPA3 vs. WPA2 Comparison

How SAE Works

• SAE uses a password-authenticated key exchange to prevent brute-force and dictionary attacks.
• Unlike WPA2, SAE does not rely on pre-shared keys.

Testing & Verification

1. Successful Connection: Ensure devices connect without errors.
2. Handshake Analysis: Confirm WPA3 handshake resists capture attacks.
3. Brute-Force Attempts: Verify that offline cracking tools cannot decipher captured handshakes.

Security Best Practices

1. Use WPA3: Enable WPA3 on all capable devices.
2. Strong Passphrases: Create high-entropy passwords.
3. Disable WPA2 Fallback: Prevent devices from downgrading to WPA2.
4. Firmware Updates: Regularly update routers and access points.

Additional Script (Optional)

Automate WPA3 network setup on Linux-based routers:

uci set wireless.@wifi-iface[0].encryption='sae'
uci set wireless.@wifi-iface[0].ssid='SecureNetwork_WPA3'
uci set wireless.@wifi-iface[0].key='StrongPass!2024'
uci commit wireless
wifi reload

Run the script:

chmod +x setup_wpa3.sh
sudo ./setup_wpa3.sh

Conclusion

In this exercise, you configured and tested a WPA3 wireless network, analyzed the handshake process using airodump-ng, and understood the security improvements over WPA2. WPA3 significantly strengthens Wi-Fi security by preventing brute-force attacks, enabling forward secrecy, and improving encryption standards.