"Also I know nothing about WPA3 protocol, but how is it possible that there are no handshakes using it? I mean, client and AP should exchange information in order to reach authentication somehow."
Please take a look at this flowchart:
https://www.researchgate.net/figure/WPA3..._344529445
The purpose of the AUTHENTICATION frames is to exchange a PMK (it is not done via PBKDF2 as in WPA1, WPA2, WPA2kv3).
This PMK is used in the following 4-way handshake to get access to the NETWORK.
Wireshark (wpa3.pcapng) will show you all frames which are mandatory for a successful ASSOCIATION:
Code:
AUTHENTICATION packet 80 (SAE COMMIT)
AUTHENTICATION packet 82 (SAE COMMIT)
AUTHENTICATION packet 84 (SAE CONFIRM)
AUTHENTICATION packet 86 (SAE CONFIRM)
ASSOCIATIONREQUEST packet 88
ASSOCIATIONRESPONSE packet 90
EAPOL M1 packet 92
EAPOL M2 packet 94
EAPOL M3 packet 96
EAPOL M4 packet 98
"So with this, you're saying that even if an AP is using WPA3 there is a way to let a client try to use WPA2, capturing the corresponding handshakes as if the AP is using WPA2 normally?"
Yes and no!
In detail:
"So with this, you're saying that even if an AP is using WPA3 there is a way to let a client try to use WPA2,"
Yes. https://typeset.io/questions/downgrade-a...2yxv64p2g6
"capturing the corresponding handshakes as if the AP is using WPA2 normally?"
No. It is mandatory to attack the CLIENT and not the AP!
Set up an AP that announces WPA2 encryption. Use the same ESSID as the target WPA3 AP.
If the CLIENT connects to this ROGUE AP, capture its EAPOL M2.
Together with the EAPOL M1 from your ROGUE AP, you can calculate a valid EAPOL MESSAGEPAIR that hashcat can work on. This requires an interactive attack.
Running such a successful(!) attack is not witchcraft.
https://wpa-sec.stanev.org/?search=8ce748cdd663
But it can't be done by passive dump tools!
More (basic) information is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
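An added example (not part of the forum post, and not hashcat or hcxtools code) that shows the difference between the two frame sequences described above from the monitoring side. It parses bare 802.11 management frames (no radiotap header, no FCS, no EAPOL data frames) and labels them the way the Wireshark listing does: Authentication algorithm 3 with transaction sequence 1/2 is SAE COMMIT/CONFIRM, algorithm 0 is the Open System authentication a WPA2-PSK association uses, and the RSN information element in the association request names the AKM (00-0F-AC:8 = SAE, 00-0F-AC:2 = PSK). The `audit` function flags a client that reaches association on a network expected to be SAE-only without an SAE commit and with a PSK AKM, which is exactly what the rogue-AP path above produces on the air. The MAC addresses, the two frame sequences and the helper names are constructed for this example.

```python
import struct

# 802.11 management subtypes (IEEE 802.11-2016, Table 9-1)
SUBTYPE_ASSOC_REQ, SUBTYPE_ASSOC_RESP, SUBTYPE_AUTH = 0x0, 0x1, 0xB
# Authentication algorithm numbers: 0 = Open System (WPA2-PSK path), 3 = SAE (WPA3 path)
AUTH_ALG_OPEN, AUTH_ALG_SAE = 0, 3
SAE_COMMIT, SAE_CONFIRM = 1, 2          # authentication transaction sequence numbers
RSN_IE_ID = 48
SUITE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {2: "PSK", 6: "PSK-SHA256", 8: "SAE"}
CIPHER_CCMP = SUITE_OUI + b"\x04"

# Constructed, locally administered MAC addresses for the sample frames
CLIENT = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")


def rsn_ie(akm_type):
    """Build a minimal RSN information element: CCMP group/pairwise, one AKM suite."""
    body = (b"\x01\x00"                                   # RSN version 1
            + CIPHER_CCMP                                 # group cipher suite
            + b"\x01\x00" + CIPHER_CCMP                   # one pairwise cipher suite
            + b"\x01\x00" + SUITE_OUI + bytes([akm_type])  # one AKM suite
            + b"\x00\x00")                                # RSN capabilities
    return bytes([RSN_IE_ID, len(body)]) + body


def mgmt_frame(subtype, sa, da, body):
    """Wrap a body in a bare 802.11 management header: FC, duration, RA, TA, BSSID, seq."""
    fc = struct.pack("<H", subtype << 4)                  # version 0, type 0 = management
    return fc + b"\x00\x00" + da + sa + da + b"\x00\x00" + body


def auth_frame(alg, seq, sa, da):
    """Authentication frame body: algorithm, transaction sequence, status 0 (success)."""
    return mgmt_frame(SUBTYPE_AUTH, sa, da, struct.pack("<HHH", alg, seq, 0))


def parse_mgmt(raw):
    fc, _dur, ra, ta, bssid, _seq = struct.unpack("<HH6s6s6sH", raw[:24])
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    return {"subtype": (fc >> 4) & 0xF, "ra": ra, "ta": ta, "bssid": bssid, "body": raw[24:]}


def rsn_akms(ies):
    """Walk the information elements and return the AKM names carried in the RSN IE."""
    akms, pos = [], 0
    while pos + 2 <= len(ies):
        eid, elen = ies[pos], ies[pos + 1]
        data = ies[pos + 2:pos + 2 + elen]
        pos += 2 + elen
        if eid != RSN_IE_ID or len(data) < 8:
            continue
        n_pair = struct.unpack_from("<H", data, 6)[0]     # pairwise suite count
        off = 8 + 4 * n_pair
        n_akm = struct.unpack_from("<H", data, off)[0]    # AKM suite count
        off += 2
        for _ in range(n_akm):
            suite, off = data[off:off + 4], off + 4
            if suite[:3] == SUITE_OUI:
                akms.append(AKM_NAMES.get(suite[3], "AKM-%d" % suite[3]))
            else:
                akms.append(suite.hex())                  # vendor AKM, report raw
    return akms


def describe(raw):
    """Label one frame the way the Wireshark listing in the post does."""
    f = parse_mgmt(raw)
    if f["subtype"] == SUBTYPE_AUTH:
        alg, seq, _status = struct.unpack_from("<HHH", f["body"])
        if alg == AUTH_ALG_SAE:
            return "AUTHENTICATION (SAE %s)" % ("COMMIT" if seq == SAE_COMMIT else "CONFIRM")
        return "AUTHENTICATION (OPEN SYSTEM)" if alg == AUTH_ALG_OPEN else "AUTHENTICATION (alg %d)" % alg
    if f["subtype"] == SUBTYPE_ASSOC_REQ:
        # body = capability (2) + listen interval (2) + information elements
        return "ASSOCIATIONREQUEST akm=%s" % ",".join(rsn_akms(f["body"][4:]))
    if f["subtype"] == SUBTYPE_ASSOC_RESP:
        return "ASSOCIATIONRESPONSE"
    return "MGMT subtype %d" % f["subtype"]


def audit(frames, expected_akm="SAE"):
    """Return (labels, warnings); warn when a client associates without the expected AKM."""
    labels = [describe(r) for r in frames]
    warnings = []
    if not any("SAE COMMIT" in label for label in labels):
        warnings.append("no SAE commit seen before association")
    for r in frames:
        f = parse_mgmt(r)
        if f["subtype"] == SUBTYPE_ASSOC_REQ:
            akms = rsn_akms(f["body"][4:])
            if expected_akm not in akms:
                warnings.append("client %s associated with AKM %s, expected %s: not the WPA3 network"
                                % (f["ta"].hex(":"), akms, expected_akm))
    return labels, warnings


def sae_association():
    """Constructed WPA3 exchange, mirroring packets 80-90 of the listing."""
    return [auth_frame(AUTH_ALG_SAE, SAE_COMMIT, CLIENT, AP), auth_frame(AUTH_ALG_SAE, SAE_COMMIT, AP, CLIENT),
            auth_frame(AUTH_ALG_SAE, SAE_CONFIRM, CLIENT, AP), auth_frame(AUTH_ALG_SAE, SAE_CONFIRM, AP, CLIENT),
            mgmt_frame(SUBTYPE_ASSOC_REQ, CLIENT, AP, b"\x11\x04\x0a\x00" + rsn_ie(8)),
            mgmt_frame(SUBTYPE_ASSOC_RESP, AP, CLIENT, b"\x11\x04\x00\x00\x01\xc0")]


def downgraded_association():
    """Constructed WPA2-PSK exchange: Open System auth, PSK AKM, as a rogue WPA2 AP yields."""
    return [auth_frame(AUTH_ALG_OPEN, 1, CLIENT, AP), auth_frame(AUTH_ALG_OPEN, 2, AP, CLIENT),
            mgmt_frame(SUBTYPE_ASSOC_REQ, CLIENT, AP, b"\x11\x04\x0a\x00" + rsn_ie(2)),
            mgmt_frame(SUBTYPE_ASSOC_RESP, AP, CLIENT, b"\x11\x04\x00\x00\x01\xc0")]


if __name__ == "__main__":
    for name, seq in (("WPA3", sae_association()), ("downgraded", downgraded_association())):
        labels, warnings = audit(seq)
        print(name, labels, warnings)
```

On a real capture, feed `audit` the management frames for one client/ESSID pair (strip the radiotap header first); a WPA3-only ESSID should never show an association request without a preceding SAE commit, so either warning is a signal to locate the BSSID the client actually talked to.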