In this lab, you will use a wireless adapter in monitor mode to capture the SAE (Simultaneous Authentication of Equals) handshake of a WPA3 network. You will analyze the frames in Wireshark to identify the Commit and Confirm phases.
First, we must put the wireless card into monitor mode to capture traffic that isn't destined for our own MAC address.
๐ก Note the channel (CH 6). We must lock our adapter to this channel to capture the full handshake sequence.
Start a capture and trigger a client connection. We are looking for the unique SAE frames that replace the WPA2 authentication process.
Once you have the .pcap file, open it in Wireshark and inspect the authentication frames associated with the WPA3 connection.
Look for Authentication frames. In WPA3-SAE, you will see two key exchanges: the SAE Commit and SAE Confirm messages.
| Frame Type | WPA2 Equivalent | WPA3 Content | Security Goal |
|---|---|---|---|
| SAE Commit | Message 1/2 | Scalar + Element | Agree on Secret |
| SAE Confirm | Message 3/4 | Hash of Secret | Verify Password |
| 4-Way Handshake | Same Purpose | Session Keys | Final Encryption Setup |
Unlike WPA2-PSK, WPA3-SAE does not expose a reusable password-derived hash that can be captured and subjected to straightforward offline dictionary attacks. The exchange is based on elliptic-curve cryptography and password-authenticated key exchange.
Only capture traffic on networks you own or are explicitly authorized to test. Unauthorized wireless interception may violate laws or organizational policies.
Verify exercises to earn โ 200 XP and unlock next lab level.