WPA3
======

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <80211ng_wpa3_1>`
    * :ref:`Version Info <80211ng_wpa3_2>`
    * :ref:`Packet flow in WPA3 mode <80211ng_wpa3_3>`
    * :ref:`Connection steps in wpa3 mode <80211ng_wpa3_4>`
    * :ref:`STEP 1: Bring up AP <80211ng_wpa3_5>`
    * :ref:`STEP 2: Bring up STA <80211ng_wpa3_6>`
    * :ref:`Wireshark capture <80211ng_wpa3_7>`
    * :ref:`Decrypting WPA3 Frames in Wireshark <80211ng_wpa3_8>`
    * :ref:`Wireshark capture Analysis <80211ng_wpa3_9>`

.. _80211ng_wpa3_1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            * How to run wpa_supplicant and hostapd in wpa3 mode

.. _80211ng_wpa3_2:

.. tab-set::

    .. tab-item:: Version Info

        =============================== =======================================
        #                               Version
        =============================== =======================================
        Supplicant                      wpa_supplicant 2.10
        Hostapd                         hostapd 2.10
        =============================== =======================================

.. _80211ng_wpa3_3:

.. tab-set::

    .. tab-item:: Packet flow in WPA3 mode
        .. plantuml::
            :scale: 130 %

            == Scanning ==
            STA -> AP: **Probe Request**
            AP -> STA: **Probe Response**
            == Authentication ==
            STA -> AP: **Authentication Request (Commit)**
            AP --> STA: ACK
            AP -> STA: **Authentication Response (Commit)**
            STA --> AP: ACK
            STA -> AP: **Authentication Request (Confirm)**
            AP --> STA: ACK
            AP -> STA: **Authentication Response (Confirm)**
            STA --> AP: ACK
            == Association ==
            STA -> AP: **Association Request**
            AP --> STA: ACK
            AP -> STA: **Association Response**
            STA --> AP: ACK
            == EAPOL 4 way handshake ==
            AP -> STA: **M1**
            STA --> AP: ACK
            STA -> AP: **M2**
            AP --> STA: ACK
            AP -> STA: **M3**
            STA --> AP: ACK
            STA -> AP: **M4**
            AP --> STA: ACK
            == PING AP from STA ==
            STA -> AP: **ARP Request**
            AP --> STA: ACK
            AP -> STA: **ARP Reply**
            STA --> AP: ACK
            STA -> AP: **ICMP Echo Request**
            AP --> STA: ACK
            AP -> STA: **ICMP Echo Reply**
            STA --> AP: ACK
            STA -> AP: **ICMP Echo Request**
            AP --> STA: ACK
            AP -> STA: **ICMP Echo Reply**
            STA --> AP: ACK
            STA -> AP: **ICMP Echo Request**
            AP --> STA: ACK
            AP -> STA: **ICMP Echo Reply**
            STA --> AP: ACK

.. _80211ng_wpa3_4:

.. tab-set::

    .. tab-item:: Connection steps in wpa3 mode

.. _80211ng_wpa3_5:

.. tab-set::

    .. tab-item:: STEP 1: Bring up AP using hostapd

        .. csv-table::
            :file: ./wpa3/wpa3_ap_hostapd.csv
            :class: tight-table

.. _80211ng_wpa3_6:

.. tab-set::

    .. tab-item:: STEP 2: Bring up STA using supplicant

        .. csv-table::
            :file: ./wpa3/wpa3_station.csv
            :class: tight-table

.. _80211ng_wpa3_7:

.. tab-set::

    .. tab-item:: Wireshark capture

        * Download file to check wireshark output :download:`Packet capture in WPA3 mode <./wpa3/802.11ng_WPA3_ping.pcapng>`

.. _80211ng_wpa3_8:

.. tab-set::

    .. tab-item:: Decrypting WPA3-Encrypted Frames in Wireshark

        * In this section, you will learn how to **decrypt WPA3-encrypted frames** in an **802.11ng (802.11n + 802.11g)** mixed-mode wireless network.
        * 802.11ng networks combine **High Throughput (HT)** features of 802.11n with **legacy compatibility** for 802.11g devices.
        * Unlike WPA2, **WPA3** uses **SAE (Simultaneous Authentication of Equals)** for authentication, which provides **forward secrecy** and eliminates the use of a pre-shared key (PSK) handshake.
        * Decryption of WPA3 frames is only possible if you have access to the **derived session key (TK or PTK)** captured during the connection.
        * This key allows Wireshark to decrypt frames protected using the **AES-CCMP-128 or GCMP-128** encryption algorithms.

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Decrypting WPA3-Encrypted Frames in Wireshark**

            1. **Open the Capture File**

               * Launch Wireshark and open your ``.pcap`` or ``.pcapng`` file containing the captured 802.11 frames.
               * Ensure your capture includes the **4-Way Handshake frames** between STA and AP; these are essential for deriving the **PTK (Pairwise Transient Key)**.
               * Without these, Wireshark cannot derive the encryption key for decryption.

            2. **Enable Decryption**

               * Go to **Edit → Preferences → Protocols → IEEE 802.11**.
               * Check **“Enable decryption”**.
               * Click **“Edit”** under **Decryption Keys**.

               .. image:: ./wpa3/decryption/decrypt_1.png
                  :alt: Decryption1 in Wireshark
                  :scale: 95 %

            3. **Add the WPA3 Temporal Key (TK)**

               * In the **Decryption Keys** dialog:

                 * Click **“+”** to add a new key.
                 * Choose **Key type: tk**
                 * Enter the **TK** key directly in hexadecimal format.

               .. image:: ./wpa3/decryption/decrypt_2.png
                  :alt: Decryption2 in Wireshark
                  :scale: 95 %

            4. **Apply the Key and Refresh**

               * Click **OK** to save the key.
               * Wireshark will automatically decrypt frames that match the key.
               * You should now see **decrypted data frames**, including **ARP, ICMP, and IP payloads**, in plain text.
               * Decrypted frames show **“Protected flag: False”** in the IEEE 802.11 header section.

.. _80211ng_wpa3_9:

.. tab-set::

    .. tab-item:: Wireshark capture Analysis

        * In this section, you will verify connectivity and frame exchange using the Wireshark capture.
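The same decryption can be driven from the command line and checked automatically. The following is an added example, not code from the original lab page: it builds the tshark equivalent of the GUI steps above (decryption enabled, a Decryption Keys entry of type ``tk``) and counts which data frames of the ping test decoded. It assumes tshark is on PATH; the sample output lines are constructed, not taken from the page's capture.

```python
import subprocess
from collections import Counter

# One output line per data frame: frame number, type/subtype, arp.opcode, icmp.type.
FIELDS = ["frame.number", "wlan.fc.type_subtype", "arp.opcode", "icmp.type"]


def tshark_decrypt_args(pcap, tk_hex, display_filter="wlan.fc.type == 2"):
    """Build the tshark argv equivalent of 'Enable decryption' plus a
    Decryption Keys entry of key type 'tk' (Wireshark's 80211_keys UAT)."""
    tk = tk_hex.replace(":", "").replace(" ", "").lower()
    # CCMP-128 and GCMP-128 (the ciphers named above) use a 16-byte TK.
    if len(tk) != 32 or any(c not in "0123456789abcdef" for c in tk):
        raise ValueError("TK must be 16 bytes (32 hex digits) for CCMP-128/GCMP-128")
    args = ["tshark", "-r", pcap,
            "-o", "wlan.enable_decryption:TRUE",
            "-o", 'uat:80211_keys:"tk","%s"' % tk,
            "-Y", display_filter,            # data frames only
            "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        args += ["-e", field]
    return args


def summarize(lines):
    """Count which data frames decoded after decryption.  A frame whose ARP or
    ICMP fields are populated was decrypted; a data frame with neither was not
    (wrong TK, or a frame belonging to another session)."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        _num, _subtype, arp_op, icmp_type = line.rstrip("\n").split("\t")
        counts["decoded" if (arp_op or icmp_type) else "undecoded"] += 1
        if arp_op == "1":
            counts["arp_request"] += 1
        elif arp_op == "2":
            counts["arp_reply"] += 1
        if icmp_type == "8":
            counts["icmp_echo_request"] += 1
        elif icmp_type == "0":
            counts["icmp_echo_reply"] += 1
    return dict(counts)


def decrypt_and_summarize(pcap, tk_hex):
    """Run tshark on a capture and summarize its output (needs tshark installed)."""
    out = subprocess.run(tshark_decrypt_args(pcap, tk_hex),
                         capture_output=True, text=True, check=True).stdout
    return summarize(out.splitlines())


# Constructed sample of tshark field output for the ping flow in the packet-flow
# diagram: ARP request/reply, ICMP echo request/reply, plus one QoS data frame
# that did not decrypt.
SAMPLE_LINES = [
    "40\t0x0028\t1\t",   # ARP request (decrypted)
    "42\t0x0028\t2\t",   # ARP reply
    "44\t0x0028\t\t8",   # ICMP echo request
    "46\t0x0028\t\t0",   # ICMP echo reply
    "48\t0x0028\t\t",    # data frame that stayed opaque
]

if __name__ == "__main__":
    print(" ".join(tshark_decrypt_args("802.11ng_WPA3_ping.pcapng", "00" * 16)))
    print(summarize(SAMPLE_LINES))
```

If the summary reports only undecoded frames, the TK does not belong to the session in the capture (a new SAE handshake produces a new PMK and therefore a new TK).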
        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Beacon Packet Analysis**

            1. Check if AP is Beaconing

               * The Beacon Frame is periodically broadcast by the AP (every ~100 ms) to announce the presence of a network.
               * In **WPA3 mode**, the Beacon contains the **RSN (Robust Security Network) Information Element (Tag Number: 48)**, specifying **SAE** as the authentication method.
               * This indicates that the AP requires encryption and authentication for client associations.

            2. Verify the **Beacon Interval** (100 ms).

               * Indicates how frequently the AP transmits Beacon frames (typically 100 TU ≈ 102.4 ms).
               * Consistent Beacon intervals confirm stable AP operation.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_1.png
                  :alt: Beacon interval (100ms) in Wireshark
                  :scale: 95 %

            3. Check the **Subtype** field in the Beacon frame.

               * The Subtype identifies the frame as a **Beacon** (Subtype = 8).
               * Correct Subtype ensures Wireshark is recognizing the management frame correctly.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_2.png
                  :alt: Subtype check in Wireshark
                  :scale: 95 %

            4. Verify that the **Data Rate** includes **1 Mbps** (mandatory for 802.11ng).

               * 802.11ng requires at least 1 Mbps support for legacy devices.
               * If 1 Mbps is missing, some STAs may fail to connect.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_3.png
                  :alt: Beacon frame data rate check in Wireshark
                  :scale: 95 %

            5. Check if the **Receiver Address (RA)** is the **Broadcast address**.

               * Beacon frames are sent to the broadcast address **FF:FF:FF:FF:FF:FF** so that all nearby STAs can receive them.
               * This confirms that the beacon is not targeted to a specific STA but intended for all devices in range.
               * **No ACK is sent** for Beacon frames because they are broadcast.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_4.png
                  :alt: Receiver address in Beacon frame
                  :scale: 95 %
            6. **Capability Information**

               * Capability Info = **0x0411**
               * Bit-level breakdown:

                 - **ESS:** 1 → Transmitter is an AP
                 - **Privacy:** 1 → Encryption enabled (WPA3 active)
                 - **Short Slot Time:** 1 → 9 µs slot duration for higher efficiency
                 - **QoS:** 0 → QoS not indicated in this frame

               * Confirms the AP supports WPA3 with short slot time enabled for 802.11g/n mixed mode.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_5.png
                  :alt: Capability Information field in 802.11ng
                  :scale: 95 %

            7. Verify **Supported Rates**.

               * Tag: Supported Rates = **1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18 Mbps**
               * Indicates both **802.11b (DSSS)** and **802.11g (OFDM)** rate support.
               * Ensures AP compatibility with both 802.11b and 802.11ng clients.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_6.png
                  :alt: Supported rates in Beacon frame
                  :scale: 95 %

            8. Check the **DS Parameter Set (Channel Information)**

               * The DS Parameter Set indicates the channel number (e.g., Channel 6 at 2437 MHz).
               * Ensures that both AP and STA operate on the same frequency band.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_7.png
                  :alt: DS Parameter Set in Beacon frame
                  :scale: 95 %

            9. Check the **SSID Tag**

               * The SSID field must match the configured network name (e.g., “test_wpa3_ng”).
               * Ensures the AP is broadcasting the correct SSID and the STA can identify it.

               .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_8.png
                  :alt: SSID Parameter in Beacon frame
                  :scale: 95 %

            10. **TIM (Traffic Indication Map)**

                * TIM → **DTIM 0 of 2 bitmap**
                * Indicates **DTIM Period = 2**, meaning every second beacon includes delivery information for multicast/broadcast frames.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_9.png
                   :alt: TIM field in Beacon frame
                   :scale: 95 %

            11. Check the **ERP Information Element**.
                * ERP Info: **0x04**
                * Bit breakdown:

                  - **Non-ERP Present:** 0 → No 802.11b-only devices detected
                  - **Use Protection:** 0 → No RTS/CTS needed
                  - **Barker Preamble:** 1 → Compatibility for older stations

                * Confirms efficient coexistence in mixed 802.11b/g/n environments.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_10.png
                   :alt: ERP Information element in Beacon frame
                   :scale: 95 %

            12. Check **Extended Supported Rates**.

                * Tag: Extended Supported Rates → **24, 36, 48, 54 Mbps**
                * Confirms support for higher OFDM data rates.
                * Completes the 802.11ng data rate range.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_11.png
                   :alt: Extended supported rates in 802.11ng Beacon
                   :scale: 95 %

            13. Inspect the **RSN (Robust Security Network) Information Element**

                * Tag: RSN Information (Tag Number: 48), Length: 20
                * Defines WPA3 security configuration:

                  - **RSN Version:** 1
                  - **Group Cipher Suite:** 00:0f:ac → **AES (CCMP)**
                  - **Pairwise Cipher Suite Count:** 1 → **AES (CCM)**
                  - **Auth Key Management (AKM) Suite Count:** 1 → 00:0f:ac → **SAE (SHA-256)**
                  - **RSN Capabilities: 0x000c** → Indicates modern WPA3-SAE support with no PMF requirement in this beacon.

                * Confirms WPA3-SAE as the security mechanism using AES-CCMP encryption.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_12.png
                   :alt: RSN Information Element in Beacon
                   :scale: 95 %

            14. **Check Supported Operating Classes**

                * Operating Class: **81 (2.407 GHz, Channels 1–13, 25 MHz spacing)**
                * Defines regulatory operation within the 2.4 GHz band.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_13.png
                   :alt: Supported Operating Classes field
                   :scale: 95 %

            15. **HT Capabilities (802.11n)**

                * Tag Number: 45, Length: 26
                * Highlights:

                  - **Channel Width:** 20 MHz
                  - **Short GI:** Supported
                  - **A-MPDU Parameters:** 0x17 → Aggregation supported
                  - **Rx MCS Set:** Indicates supported Modulation and Coding Schemes

                * Confirms High Throughput (HT) operation with 802.11n features.
                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_14.png
                   :alt: HT Capabilities IE
                   :scale: 95 %

            16. **HT Information Element**

                * Tag Number: 61, Length: 22
                * Defines HT operation parameters:

                  - **Primary Channel:** 6
                  - **Secondary Channel Offset:** None
                  - **HT Protection:** Enabled
                  - **Operating Mode:** Mixed (b/g/n coexistence)

                * Ensures proper interworking between legacy and HT stations.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_15.png
                   :alt: HT Information element in 802.11ng Beacon
                   :scale: 95 %

            17. **Check Extended Capabilities**

                * Tag Number: 127, Length: 8
                * Contains optional features for advanced management and coexistence.
                * Indicates support for **20/40 MHz coexistence** and other WNM features.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_16.png
                   :alt: Extended Capabilities field
                   :scale: 95 %

            18. **Vendor Specific (WMM/WME Parameter Element)**

                * Tag: Vendor Specific (Microsoft OUI: 00:50:f2), Type: **WMM/WME Parameter Element**
                * Defines Quality of Service (QoS) parameters for different traffic categories:

                  - **AC_BE (Best Effort)**
                  - **AC_BK (Background)**
                  - **AC_VI (Video)**
                  - **AC_VO (Voice)**

                * Confirms **Wi-Fi Multimedia (WMM)** is enabled, which is crucial for real-time performance in 802.11n.

                .. image:: ./wpa3/802.11ng_wpa3_beacon/beacon_17.png
                   :alt: Vendor Specific WMM/WME element
                   :scale: 95 %

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Probe Request Packet Analysis**

            1. Check if STA is sending Probe Request packet

               * A Probe Request frame is sent by the STA to actively discover available networks.
               * It advertises the STA’s supported data rates, security capabilities, and other features.
               * APs that match the SSID (or accept broadcast requests) respond with **Probe Response** frames.

            2. Check the **Frame Subtype** to confirm it is a **Probe Request**.

               * In Wireshark, the Frame Control field indicates the subtype.
               * Probe Request frames should have subtype **0x0004**.
               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_1.png
                  :alt: Probe Request subtype in Wireshark
                  :scale: 95 %

            3. Verify the **Source Address** in the Probe Request.

               * Source Address should match the STA’s MAC address.
               * This ensures the frame is indeed coming from the correct STA.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_2.png
                  :alt: Probe Request source address
                  :scale: 95 %

            4. Verify the **Receiver Address** in the Probe Request.

               * Receiver Address should be the **broadcast address** (FF:FF:FF:FF:FF:FF).
               * This allows all APs on the channel to receive the request.
               * **No ACK is expected** for broadcast Probe Requests.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_3.png
                  :alt: Probe Request receiver address
                  :scale: 95 %

            5. Check the **SSID field** in the Probe Request.

               * For general network discovery, SSID should be set to the **Wildcard SSID (empty)**.
               * A specific SSID can limit scanning to only that AP.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_4.png
                  :alt: Probe Request SSID field
                  :scale: 95 %

            6. Verify **Supported Rates**.

               * **Tag Number:** 1
               * **Supported Rates:** 6, 9, 12, 18, 24, 36, 48, 54 Mbps
               * Indicates the STA supports **OFDM modulation** rates (802.11a/g/n).
               * Legacy 1–11 Mbps rates are not included, confirming the STA prefers **ERP-OFDM operation**.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_5.png
                  :alt: Supported Rates in Probe Request
                  :scale: 95 %

            7. Check the **HT Capabilities (802.11n)** field.

               * **Tag Number:** 45
               * **Tag Length:** 26 bytes
               * This field advertises High Throughput (HT) features supported by the STA.

                 - **HT Capabilities Info:** 0x19ef

                   * Short GI for 20 MHz
                   * Greenfield Mode capable
                   * STBC (Space-Time Block Coding) supported
                   * L-SIG TXOP protection supported

                 - **A-MPDU Parameters:** 0x13 → Aggregation supported, maximum length & spacing defined.
                 - **Rx Supported MCS Set:** MCS 0–7 (up to 150 Mbps in 20 MHz mode).
                 - **HT Extended Capabilities:** 0x0000
                 - **Tx Beamforming Capabilities:** 0x00000000 (none supported).
                 - **Antenna Selection (ASEL):** 0x00

               * Confirms the STA supports **802.11n High Throughput** operation in WPA3 mode.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_6.png
                  :alt: HT Capabilities in Probe Request
                  :scale: 95 %

            8. Inspect the **Extended Capabilities** tag.

               * Contains optional flags for QoS, coexistence, and advanced features.
               * **Tag Number:** 127
               * **Tag Length:** 11 bytes
               * Defines optional advanced capabilities at the MAC layer.
               * Example octets:

                 - 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x40, 0x0040, 0x00, 0x20

               * Indicates:

                 - Support for **QoS Management and U-APSD**
                 - **20/40 MHz Coexistence** mechanisms (for 2.4 GHz HT operation)
                 - **Interworking and Extended Security options** for WPA3 networks
                 - **Management Frame Protection (PMF)** readiness (important for WPA3 compliance)

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_7.png
                  :alt: Extended Capabilities field
                  :scale: 95 %

            9. VHT Capabilities (802.11ac)

               * Optional, but some 802.11ng devices include VHT info for backward compatibility.
               * **Tag Number:** 191
               * **Tag Length:** 12 bytes
               * Present even though the frame belongs to an **802.11ng** (HT) STA; used for **cross-standard compatibility**.

                 - **VHT Capabilities Info:** 0x03d071b2
                 - **VHT Supported MCS Set:** Indicates 1 spatial stream and support for **256-QAM**.

               * Confirms the STA can interoperate with **802.11ac (VHT)** APs, offering higher efficiency and modulation support.

               .. image:: ./wpa3/802.11ng_wpa3_probe_req/probe_req_8.png
                  :alt: VHT Capabilities in Probe Request
                  :scale: 95 %

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Probe Response Packet Analysis**

            1. Check if AP is sending Probe Response packet

               * The AP responds to a STA’s Probe Request with its SSID, channel, and supported capabilities.
               * The 802.11ng (802.11n + 802.11g compatibility) standard includes **High Throughput (HT)** features while maintaining legacy compatibility.
               * In WPA3, the **Authentication and Key Management (AKM)** is **SAE (Simultaneous Authentication of Equals)**, replacing PSK for better security.
               * The following analysis details all key fields and Information Elements (IEs) from the Probe Response frame.

            2. Check the **Frame Subtype** to confirm it is a **Probe Response**.

               * The Subtype identifies the frame as a **Probe Response** (Subtype = 5).
               * Ensures Wireshark is correctly capturing AP responses.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_1.png
                  :alt: Probe Response subtype in Wireshark
                  :scale: 95 %

            3. Verify the **Source Address** in the Probe Response.

               * Source Address should be the MAC of the AP.
               * Confirms the frame is coming from the correct AP.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_2.png
                  :alt: Source address in Probe Response
                  :scale: 95 %

            4. Verify the **Receiver Address** in the Probe Response.

               * Receiver Address should be the MAC of the requesting STA.
               * Confirms the response is unicast and directed to the correct STA.
               * Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_3.png
                  :alt: Receiver address in Probe Response
                  :scale: 95 %

            5. Check the **SSID field** in the Probe Response.

               * SSID must match the AP configuration.
               * Confirms the AP is broadcasting the expected network name.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_4.png
                  :alt: SSID in Probe Response
                  :scale: 95 %

            6. Check the **Capability Information** field for **ESS=1** in the Probe Response.

               * The ESS bit indicates the AP is part of an infrastructure BSS.
               * Must be set to 1 for proper STA-AP communication.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_5.png
                  :alt: ESS bit in Capability Information in Probe Response
                  :scale: 95 %
            7. Check the **Capability Information** field for **Privacy=1** in the Probe Response.

               * Privacy bit (bit 4) = 1 indicates WPA3 is enabled on this AP.
               * Confirms that security is configured at the AP level.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_6.png
                  :alt: Privacy bit in Capability Information in Probe Response
                  :scale: 95 %

            8. Check the **Capability Information** field for **Short Slot Time = 1 and the QoS field** in the Probe Response.

               * Short Slot Time = 1 → Enabled for 802.11ng high-rate operation.
               * **QoS = 0** → QoS support not signaled in Capability Info but provided via the WMM tag.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_7.png
                  :alt: Short slot time in Capability Information in Probe Response
                  :scale: 95 %

            9. Verify **Supported Rates** in the Probe Response.

               * Rates: 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18 Mbps
               * Shows backward compatibility with **802.11b/g** clients.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_8.png
                  :alt: Supported Rates in Probe Response
                  :scale: 95 %

            10. Verify the **DS Parameter Set** (channel assignment) in the Probe Response.

                * The DS Parameter indicates the AP’s operating channel.
                * Confirms the STA knows which channel to use to associate with the AP.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_9.png
                   :alt: DS Parameter Set (channel) in Probe Response
                   :scale: 95 %

            11. **Check ERP Information (New in 802.11ng)**

                * The **ERP Information element** is unique to 802.11ng and ensures **backward compatibility** with 802.11b/g.
                * It includes:

                  * **Non-ERP Present bit**: Indicates if older 802.11b/g devices are in the network.
                  * **Use Protection bit**: Enables CTS-to-Self or RTS/CTS when 802.11b/g stations are active.
                  * **Barker Preamble bit**: Shows whether the AP supports short preamble.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_10.png
                   :alt: ERP Information in Probe Response
                   :scale: 95 %

            12. **Check Extended Supported Rates**

                * Extended Rates: 24, 36, 48, 54 Mbps.
                * Confirms full-rate support up to 54 Mbps (OFDM-based 802.11ng operation).

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_11.png
                   :alt: Extended Supported Rates in Probe Response
                   :scale: 95 %

            13. Check the **RSN (Robust Security Network) Information Element**.

                * Defines WPA3 encryption and authentication settings.
                * **Tag Number:** 48
                * **RSN Version:** 1
                * **Group Cipher Suite:** AES (CCMP)
                * **Pairwise Cipher Suite:** AES (CCMP)
                * **Auth Key Management (AKM):** SAE (Simultaneous Authentication of Equals)
                * **RSN Capabilities:** 0x000c → Management Frame Protection (optional).
                * Indicates WPA3-Personal (SAE) mode, which provides resistance against offline dictionary attacks.
                * SAE replaces PSK with a **password-authenticated key exchange**.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_12.png
                   :alt: RSN Information Element (WPA3)
                   :scale: 95 %

            14. **Supported Operating Classes**

                * **Operating Class:** 81 → 2.4 GHz channels 1–13, 25 MHz spacing.
                * Used for regulatory and channel control purposes.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_13.png
                   :alt: Supported Operating Classes
                   :scale: 95 %

            15. HT Capabilities (802.11n)

                * **Tag Number:** 45
                * **Tag Length:** 26
                * **HT Capabilities Info:** 0x000c → 20 MHz channel width, short GI support.
                * **A-MPDU Parameters:** 0x17 → max A-MPDU length and spacing.
                * **Rx Supported MCS Set:** MCS 0–7 (single spatial stream).
                * Confirms **802.11n High Throughput support**.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_14.png
                   :alt: HT Capabilities in Probe Response
                   :scale: 95 %

            16. HT Information (802.11n)

                * **Primary Channel:** 6
                * **Secondary Channel Offset:** 0 (20 MHz channel width).
                * **HT Protection:** None → no legacy devices detected.
                * Confirms the AP’s operational HT parameters.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_15.png
                   :alt: HT Information field
                   :scale: 95 %

            17. **Check Extended Capabilities**

                * 8 octets total (0x04 ...
                  0x40)
                * Indicates optional features such as **BSS transition**, **QoS enhancements**, and **Spectrum Management**.
                * Enhances 802.11n functionality beyond base rates.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_16.png
                   :alt: Extended Capabilities field
                   :scale: 95 %

            18. WMM (Wi-Fi Multimedia) Parameter Element

                * **Tag Number:** 221 (Vendor Specific)
                * **OUI:** 00:50:f2 (Microsoft Corp.)
                * **Type:** WMM/WME (0x02)
                * **Version:** 1
                * **QoS Info:** 0x01 → WMM enabled.
                * **Access Categories:** BE, BK, VI, VO, each with its own AIFSN, CWmin/CWmax, and TXOP values.
                * Confirms **QoS prioritization** for real-time multimedia traffic (802.11e).
                * Critical for maintaining low latency in WPA3-enabled HT environments.

                .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_17.png
                   :alt: WMM Parameter Element in Probe Response
                   :scale: 95 %

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Acknowledgement after Probe Response Packet Analysis**

            * After the **AP sends a Probe Response**, the **STA must acknowledge** it with an **Acknowledgement frame**.
            * This ACK confirms successful reception of the Probe Response.
            * The ACK is a **Control frame** (not Management or Data).
            * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval.

            1. Check the Acknowledgement - Frame Subtype

               * When the AP sends a unicast Probe Response, the STA sends an **ACK frame**.
               * ACK frames have **Subtype = 13** in 802.11.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_18.png
                  :alt: ACK frame subtype in Wireshark
                  :scale: 95 %

            2. Check the Acknowledgement - Receiver Address

               * Receiver Address of the ACK is the **AP’s MAC address** (i.e., the source of the Probe Response).
               * Confirms that the ACK is directed to the correct transmitting AP.

               .. image:: ./wpa3/802.11ng_wpa3_probe_resp/probe_resp_19.png
                  :alt: ACK receiver address in Wireshark
                  :scale: 95 %
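The Beacon and Probe Response checklists above read the RSN element, the Capability Information bits and the ERP octet off the Wireshark tree by hand. The following is an added example, not code from the original page: it decodes those same fields from raw bytes and reports the security mode the AKM list advertises together with the MFPC/MFPR bits of RSN Capabilities, which a WPA3-Personal (SAE-only) BSS is required to set. The RSN IE bytes are constructed to match the values reported above (version 1, CCMP group and pairwise, one AKM SAE, capabilities 0x000c); a second copy with PMF bits set is included for comparison.

```python
import struct

CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
          8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
       8: "SAE", 9: "FT-SAE", 18: "OWE"}
IEEE_OUI = b"\x00\x0f\xac"


def _suite_name(table, sel):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, typ = sel[:3], sel[3]
    if oui != IEEE_OUI:
        return "vendor-%s:%d" % (oui.hex(), typ)
    return table.get(typ, "unknown-%d" % typ)


def parse_rsn_ie(ie):
    """Parse an RSN IE (tag 48) as carried in Beacons and Probe Responses."""
    if ie[0] != 48:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 8:
        raise ValueError("truncated RSN IE")
    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite_name(CIPHER, body[2:6])
    n_pair = struct.unpack_from("<H", body, 6)[0]
    off = 8
    pairwise = [_suite_name(CIPHER, body[off + 4 * i:off + 4 * i + 4]) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm = struct.unpack_from("<H", body, off)[0]
    off += 2
    akms = [_suite_name(AKM, body[off + 4 * i:off + 4 * i + 4]) for i in range(n_akm)]
    off += 4 * n_akm
    # RSN Capabilities is optional; treat an absent field as all-zero.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {
        "version": version, "group": group, "pairwise": pairwise, "akm": akms,
        "capabilities": caps,
        "preauth": bool(caps & 0x0001),
        "ptksa_replay_counters": 1 << (0, 1, 2, 4)[(caps >> 2) & 3],
        "mfpr": bool(caps & 0x0040),    # Management Frame Protection Required
        "mfpc": bool(caps & 0x0080),    # Management Frame Protection Capable
    }


def classify(rsn):
    """Name the personal-mode variant the AKM list advertises and whether
    PMF is both capable and required (mandatory for WPA3-Personal)."""
    akm = set(rsn["akm"])
    psk = akm & {"PSK", "PSK-SHA256"}
    if "SAE" in akm and not psk:
        mode = "WPA3-Personal (SAE only)"
    elif "SAE" in akm:
        mode = "WPA3 transition (SAE + PSK)"
    elif psk:
        mode = "WPA2-Personal (PSK)"
    else:
        mode = "other: " + ",".join(sorted(akm))
    return mode, rsn["mfpc"] and rsn["mfpr"]


def decode_capability_info(cap):
    """Capability Information bits checked in the Beacon/Probe Response steps."""
    return {"ess": bool(cap & 0x0001), "ibss": bool(cap & 0x0002),
            "privacy": bool(cap & 0x0010), "short_preamble": bool(cap & 0x0020),
            "qos": bool(cap & 0x0200), "short_slot_time": bool(cap & 0x0400)}


def decode_erp(erp):
    """ERP Information element body (one octet)."""
    return {"non_erp_present": bool(erp & 0x01), "use_protection": bool(erp & 0x02),
            "barker_preamble_mode": bool(erp & 0x04)}


# Constructed RSN IE: tag 48, length 20, version 1, group CCMP, one pairwise
# CCMP, one AKM SAE, RSN Capabilities 0x000c (little-endian 0c 00).
RSN_SAE_NO_PMF = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                               "0100" "000fac08" "0c00")
# Same BSS with MFPC and MFPR set (0x00cc), as a WPA3-only AP is expected to send.
RSN_SAE_PMF = RSN_SAE_NO_PMF[:-2] + bytes.fromhex("cc00")

if __name__ == "__main__":
    for ie in (RSN_SAE_NO_PMF, RSN_SAE_PMF):
        rsn = parse_rsn_ie(ie)
        print(rsn["akm"], hex(rsn["capabilities"]), classify(rsn))
    print(decode_capability_info(0x0411))
    print(decode_erp(0x04))
```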
        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Authentication 1 Packet Analysis (WPA3 - 802.11ng)**

            * In this section, we analyze the **first Authentication frame (Commit message)** exchanged in a **WPA3-SAE (Simultaneous Authentication of Equals)** handshake within an **802.11ng** network.
            * Unlike WPA2, WPA3 uses the **SAE handshake** to achieve **mutual authentication** and **forward secrecy**, replacing the pre-shared key (PSK) exchange.
            * This first message (Commit) is sent **from STA → AP**, containing the elliptic curve parameters, a scalar, and a finite field element that contribute to the Diffie–Hellman key exchange.

            1. Check if STA is sending **Authentication Request**

               * The **Station (STA)** initiates the authentication process by sending this **Authentication frame** to the Access Point (AP).
               * The frame uses the **Simultaneous Authentication of Equals (SAE)** algorithm.
               * This is the **first of four authentication frames** in WPA3.
               * Unlike WPA2, SAE performs an **elliptic curve Diffie–Hellman (ECDH) exchange** to establish a unique Pairwise Master Key (PMK).

            2. Check the **Frame Subtype**

               * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**).
               * Confirms that this packet is part of the authentication management exchange.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_1.png
                  :alt: Authentication 1 frame subtype
                  :scale: 95 %

            3. Verify the **Source Address** in the Authentication Request packet.

               * The Source Address should be the **STA’s MAC address**.
               * Confirms the authentication initiation is coming from the STA.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_2.png
                  :alt: Authentication 1 source address
                  :scale: 95 %

            4. Verify the **Receiver Address** in the Authentication Request packet.

               * The Receiver Address should be the **AP’s MAC address**.
               * This confirms the STA is directly targeting the AP for authentication.
               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_3.png
                  :alt: Authentication 1 receiver address
                  :scale: 95 %

            5. Check the **Authentication Algorithm** field in the Authentication Request packet.

               * **Authentication Algorithm = 3 (Simultaneous Authentication of Equals, SAE)**.
               * SAE replaces the **Open System Authentication (Algorithm 0)** used in WPA2.
               * SAE provides:

                 - Mutual authentication without requiring a shared password in plaintext.
                 - Protection against offline dictionary attacks.
                 - Forward secrecy by generating a **unique PMK** for each session.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_4.png
                  :alt: Authentication Algorithm in Authentication Request
                  :scale: 95 %

            6. Check the **Authentication Sequence Number** in the Authentication Request packet.

               * **Authentication Sequence = 1**
               * Indicates this is the **Commit Message** (first step) in the SAE handshake.
               * The AP’s **Commit Response** also carries Sequence = 1; Sequence = 2 marks the **Confirm** messages that follow.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_5.png
                  :alt: Authentication sequence number in Wireshark
                  :scale: 95 %

            7. Verify the **Status Code** in the Authentication Request packet.

               * The **Status Code** field in the Authentication Request is usually **0** or **not used**.
               * It is meaningful mainly in **responses**, but Wireshark may still display it as **0 (Successful)** by default.
               * This ensures that the STA is initiating authentication without reporting an error.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_6.png
                  :alt: Authentication status code
                  :scale: 95 %

            8. **SAE Message Type and Group Information**

               * **SAE Message Type:** Commit (1)
               * **Group ID:** 19 → 256-bit random Elliptic Curve (ECP group).
               * This defines the **Elliptic Curve group** used for the Diffie–Hellman exchange.
               * Group 19 corresponds to **NIST P-256**, providing 128-bit security strength.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_7.png
                  :alt: SAE message type and group ID in WPA3
                  :scale: 95 %
            9. **Scalar and Finite Field Element**

               * The **Scalar** and **Finite Field Element** are public components of the ECDH key exchange.
               * These values are generated randomly by the STA for each session and are used by the AP to compute the shared secret.
               * Scalar: ``f82910fe911d854dfde4673abe5fd8c54f74e1e47b5ba8bec89af7222ed6b8c0``
               * Finite Field Element: ``c920b612a489bf6b4c8e74b1da252fea8daeecb030a67eb35bcbf885d0197ac2ee43106176cf38abceffb9fa25d38376365d4ba9055cc5a90f24863b7b9d1f12``
               * Together, these enable both STA and AP to compute the **shared key (K)** securely.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_8.png
                  :alt: SAE scalar and finite field element in WPA3 Commit
                  :scale: 95 %

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Acknowledgement after Authentication Packet 1 Analysis**

            * After the **STA sends Authentication 1**, the **AP must acknowledge** it with an **ACK frame**.
            * This ACK confirms successful reception of Authentication 1 before the AP sends **Authentication 2**.
            * The ACK is a **Control frame** (not Management or Data).
            * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval.

            1. Check the **ACK Frame Subtype**.

               * Since Authentication 1 is **unicast**, the AP responds with an **ACK frame**.
               * The ACK has **Subtype = 13** in 802.11.
               * Confirms that the AP successfully received Authentication 1.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_9.png
                  :alt: ACK frame subtype for Authentication 1
                  :scale: 95 %

            2. Verify the **ACK Receiver Address**.

               * The ACK frame’s **Receiver Address** should match the **STA’s MAC address** (the source of Authentication 1).
               * Confirms the AP has acknowledged the STA correctly.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_1/auth_req_1_10.png
                  :alt: ACK receiver address for Authentication 1
                  :scale: 95 %

        .. panels::
            :container: container pb-4
            :column: col-lg-12 p-2
            :card: shadow

            **Authentication 2 Packet Analysis (WPA3 Mode)**
            1. Check if AP is sending Authentication 2

               * This frame is the **second message** in the **Simultaneous Authentication of Equals (SAE)** exchange, part of WPA3’s initial handshake.
               * It represents the **AP’s SAE Commit Response** to the STA’s first Commit message.
               * SAE replaces WPA2’s direct use of the pre-shared key with a **more secure password-based key exchange** using elliptic curve cryptography (ECC); the EAPOL 4-way handshake shown in the packet flow still follows, keyed by the SAE-derived PMK.
               * This process ensures **forward secrecy** and protection against offline dictionary attacks.

            2. Check the **Frame Subtype**

               * The **Subtype field = 11** indicates it is an **Authentication frame**.
               * Ensures that the AP has correctly responded to the STA’s authentication attempt.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_1.png
                  :alt: Authentication 2 frame subtype
                  :scale: 95 %

            3. **Verify Source Address**

               * The **Source Address** should be the **AP’s MAC address**.
               * Confirms Authentication 2 is sent by the Access Point.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_2.png
                  :alt: Source address of Authentication 2
                  :scale: 95 %

            4. Check the **Receiver Address**

               * The **Receiver Address** should be the **STA’s MAC address** (the device being authenticated).
               * Confirms that the AP is addressing the correct station.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_3.png
                  :alt: Receiver address of Authentication 2
                  :scale: 95 %

            5. Check the **BSSID Field**

               * The **BSSID** must match the **AP’s MAC address**.
               * Confirms that this frame belongs to the correct Basic Service Set (BSS).
               * Useful when multiple APs operate on the same channel.

               .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_4.png
                  :alt: BSSID in Authentication 2
                  :scale: 95 %

            6. Check the **Authentication Algorithm Number**

               * **Authentication Algorithm = 3 (Simultaneous Authentication of Equals - SAE)**
               * SAE replaces the Open System Authentication used in WPA2.
               * This confirms the transition from WPA2 to WPA3 security.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_5.png
            :alt: Authentication Algorithm field
            :scale: 95 %

    7. Check the **Authentication Sequence Number**

        * **Authentication SEQ = 0x0001**
        * Both STA and AP use sequence number **1** in their Commit messages.
        * The sequence helps Wireshark distinguish Commit/Confirm messages.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_6.png
            :alt: Authentication Sequence Number field
            :scale: 95 %

    8. **SAE Message Type and Group ID**

        * **SAE Message Type: Commit (1)** → This is a **Commit Response** from AP.
        * **Group ID: 19** → Indicates **256-bit random ECP group (NIST P-256 curve)**.
        * This ECC group defines the mathematical domain used for the key exchange.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_7.png
            :alt: SAE message type and group id WPA3
            :scale: 95 %

    9. **Scalar and Finite Field Element**

        * **Scalar:** ``7e70c8df80051a44cd31d041c942f6dc5fe8845ba322c36a10437854e4d9b2c0``
        * **Finite Field Element:** ``250049d6787f2a43a2d89e938485337939e8c39fca60a42c09abfc959bf35a40b8386b62eb4b7657c3d7a14713a43378131ebe1dae2398f48fdaffb2a087139c``
        * Together, these values form the **elliptic curve point** that contributes to the **shared secret computation**.
        * Each side generates a random scalar and computes a finite field element using the selected ECC group.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_8.png
            :alt: SAE scalar and finite field WPA3
            :scale: 95 %

    10. Check the **Status Code**

        * The **Status Code** field indicates the success or failure of the authentication step.
        * For this challenge response, the **Status Code = 0 (Successful)**, as the AP is providing the challenge.
        * Non-zero codes indicate an error or failure.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_9.png
            :alt: Authentication 2 Status Code
            :scale: 95 %

..

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Authentication Packet 2 Analysis**

    * Once the **AP sends the Authentication 2**, the **STA acknowledges** it using an **ACK frame**.
    * This ensures reliable delivery of the Authentication 2 before moving on to the Authentication 3.

    1. Check the **ACK Frame Subtype**.

        * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment.
        * Confirms the STA received the Authentication 2 correctly.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_10.png
            :alt: ACK subtype after Authentication 2
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * The **Receiver Address** should be the **AP's MAC address** (source of the Authentication 2).
        * Confirms that the STA is acknowledging the correct transmitter.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_2/auth_req_2_11.png
            :alt: Receiver address of ACK after Authentication 2
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Authentication 3 Packet Analysis (WPA3 - 802.11ng)**

    1. Check if STA is sending **Authentication 3** packet

        * This frame is the **third message** in the **Simultaneous Authentication of Equals (SAE)** handshake used in **WPA3**.
        * It is the **Confirm message** sent by the **STA** to the **AP**, verifying the shared secret computed from the earlier **Commit exchange**.
        * The successful verification indicates that both parties derived the same cryptographic keys without revealing the password.

    2. Check the **Frame Subtype**

        * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**).
        * Confirms that this packet is part of the authentication management exchange.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_1.png
            :alt: Authentication 3 frame subtype
            :scale: 95 %

    3. Verify the **Source Address** in the Authentication 3 packet.

        * The Source Address should be the **STA's MAC address**.
        * Confirms the authentication initiation is coming from the STA.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_2.png
            :alt: Authentication 3 source address
            :scale: 95 %

    4. Verify the **Receiver Address** in the Authentication 3 packet.

        * The Receiver Address should be the **AP's MAC address**.
        * This confirms the STA is directly targeting the AP for authentication.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_3.png
            :alt: Authentication 3 receiver address
            :scale: 95 %

    5. Check the **Authentication Algorithm** field in the Authentication 3 packet.

        * **Authentication Algorithm = 3 (Simultaneous Authentication of Equals, SAE)**.
        * Confirms this frame is part of WPA3's SAE handshake.
        * SAE is used instead of WPA2's PSK-based 4-Way handshake initiation.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_4.png
            :alt: Authentication Algorithm in Authentication 3
            :scale: 95 %

    6. Check the **Authentication Sequence Number** in the Authentication 3 packet.

        * **Authentication SEQ = 0x0002**
        * Sequence number **2** indicates this is the **Confirm message** in the SAE exchange.
        * Follows the Commit message pair (SEQ = 1 from both STA and AP).

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_5.png
            :alt: Authentication sequence number in Wireshark
            :scale: 95 %

    7. **SAE Message Type and Send-Confirm Field**

        * **SAE Message Type = 2 (Confirm)**
        * **Send-Confirm = 1** → Indicates the first confirm attempt from STA.
        * This value is incremented if retransmissions occur.
        * The **Confirm message** proves that the STA computed the same session key as the AP using its scalar and element values from the Commit phase.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_6.png
            :alt: SAE message type confirm WPA3
            :scale: 95 %

    8. **Confirm Field (Cryptographic Proof)**

        * **Confirm:** ``db25ba37c40eaef9746d95106ba25bbeca114327b3bf0a1d61aecb1e1846acfd``
        * This is an **HMAC-based cryptographic token** that authenticates the computed shared secret.
        * It proves possession of the password-derived key without exposing the password itself.
        * If this value matches the AP's expected confirm value, authentication proceeds successfully.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_7.png
            :alt: SAE confirm hash WPA3
            :scale: 95 %

    9. Verify the **Status Code** in the Authentication 3 packet.

        * The **Status Code** field in the Authentication 3 is usually **0** or **not used**.
        * It is meaningful mainly in **responses**, but Wireshark may still display it as **0 (Successful)** by default.
        * This ensures that the STA is initiating authentication without reporting an error.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_8.png
            :alt: Authentication status code
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Authentication Packet 3 Analysis**

    * After the **STA sends an Authentication 3**, the **AP must acknowledge** it with an **ACK frame**.
    * This ACK confirms successful reception of the Authentication 3 before the AP sends the **Authentication 4**.
    * The ACK is a **Control frame** (not Management or Data).
    * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval.

    1. Check the **ACK Frame Subtype**.

        * Since the Authentication 3 is **unicast**, the AP responds with an **ACK frame**.
        * The ACK has **Subtype = 13** in 802.11.
        * Confirms that the AP successfully received the Authentication 3.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_9.png
            :alt: ACK frame subtype for Authentication 3
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * The ACK frame's **Receiver Address** should match the **STA's MAC address** (the source of the Authentication 3).
        * Confirms the AP has acknowledged the STA correctly.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_3/auth_req_3_10.png
            :alt: ACK receiver address for Authentication 3
            :scale: 95 %

..

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Authentication 4 Packet Analysis (WPA3 Mode)**

    1. Check if AP is sending Authentication 4

        * This frame is the **fourth and final message** of the **Simultaneous Authentication of Equals (SAE)** process.
        * It is sent by the **Access Point (AP)** to the **Station (STA)** to confirm mutual authentication.
        * Upon successful verification, both devices derive the **Pairwise Master Key (PMK)** and proceed to the **4-Way Handshake** to establish encryption keys.

    2. Check the **Frame Subtype**

        * The **Subtype field = 11** indicates it is an **Authentication frame**.
        * Ensures that the AP has correctly responded to the STA's authentication attempt.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_1.png
            :alt: Authentication 4 frame subtype
            :scale: 95 %

    3. **Verify Source Address**

        * The **Source Address** should be the **AP's MAC address**.
        * Confirms the Authentication 4 is sent by the Access Point.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_2.png
            :alt: Source address of Authentication 4
            :scale: 95 %

    4. Check the **Receiver Address**

        * The **Receiver Address** should be the **STA's MAC address** (the device being authenticated).
        * Confirms that the AP is addressing the correct station.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_3.png
            :alt: Receiver address of Authentication 4
            :scale: 95 %

    5. Check the **BSSID Field**

        * The **BSSID** must match the **AP's MAC address**.
        * Confirms that this frame belongs to the correct Basic Service Set (BSS).
        * Useful when multiple APs operate on the same channel.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_4.png
            :alt: BSSID in Authentication 4
            :scale: 95 %

    6. Check the **Authentication Algorithm Number**

        * **Authentication Algorithm = 3 (SAE - Simultaneous Authentication of Equals)**
        * Verifies that this frame belongs to the WPA3 SAE key exchange.
        * SAE replaces WPA2's pre-shared key (PSK) authentication for improved resistance against offline dictionary attacks.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_5.png
            :alt: Authentication Algorithm field
            :scale: 95 %

    7. Check the **Authentication Sequence Number**

        * **Authentication SEQ = 0x0002**
        * Sequence number **2** again indicates a **Confirm message**, but this time from the **AP**.
        * It corresponds to the STA's earlier Confirm (also SEQ = 2), forming a matched exchange pair.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_6.png
            :alt: Authentication Sequence Number field
            :scale: 95 %

    8. **SAE Message Type and Send-Confirm Field**

        * **SAE Message Type = 2 (Confirm)**
        * **Send-Confirm = 1** → Indicates the first confirm attempt by the AP.
        * Confirms that the AP also computed the same password-derived key as the STA during the Commit phase.
        * This mutual confirmation step ensures both sides derived identical cryptographic material.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_7.png
            :alt: SAE message type and send-Confirm WPA3
            :scale: 95 %

    9. **Confirm Field (Cryptographic Proof)**

        * **Confirm:** ``536939a73f4b42b7db33d62c934dd454f24c5dc1649cb11700fea7dd7e0a1a33``
        * This value is a **cryptographic hash** computed from both the scalar and finite field element values exchanged earlier.
        * The AP uses this to prove possession of the same key without exposing the password.
        * The STA validates this value before proceeding to the association phase.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_8.png
            :alt: SAE confirm hash WPA3 from AP
            :scale: 95 %

    10. Check the **Status Code**

        * The **Status Code** field indicates the success or failure of the authentication step.
        * For this challenge response, the **Status Code = 0 (Successful)**, as the AP is providing the challenge.
        * Non-zero codes indicate an error or failure.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_9.png
            :alt: Authentication 4 Status Code
            :scale: 95 %

..
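
As an added example (not code from this page, hostapd or wpa_supplicant), the following Python decodes the SAE Authentication frame body fields walked through for Authentication 1 to 4 above (Algorithm, SEQ, Status, Group ID, Scalar, Element, Send-Confirm, Confirm) and applies the receiver-side sanity checks on a Commit. It assumes group 19 with no Anti-Clogging Token or Password Identifier in the body, and builds its sample frames from the STA scalar, element and confirm values shown in the capture.

```python
"""Decode SAE Authentication frame bodies and sanity-check a Commit.

Added example: not code from this page, hostapd or wpa_supplicant.
Assumptions: group 19 (NIST P-256), no Anti-Clogging Token and no
Password Identifier in the Commit body. Sample frames are constructed
from the scalar, element and confirm values shown in the capture.
"""
import struct

# NIST P-256 (SAE group 19) domain parameters: y^2 = x^3 + a*x + b (mod p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
PRIME_LEN = 32          # bytes per scalar and per point coordinate for group 19

AUTH_ALG_SAE = 3        # Authentication Algorithm Number shown by Wireshark
SEQ_COMMIT = 1          # Authentication SEQ 0x0001: Commit
SEQ_CONFIRM = 2         # Authentication SEQ 0x0002: Confirm


def parse_sae_auth_body(body: bytes) -> dict:
    """Return the fields Wireshark shows for an SAE Authentication frame body."""
    if len(body) < 6:
        raise ValueError("body shorter than the 6-byte fixed fields")
    # Fixed fields are little-endian: Algorithm, Sequence Number, Status Code
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    out = {"auth_alg": alg, "auth_seq": seq, "status": status}
    if alg != AUTH_ALG_SAE or status != 0:
        return out  # not SAE, or a rejection: no Commit/Confirm payload follows
    rest = body[6:]
    if seq == SEQ_COMMIT:
        if len(rest) < 2:
            raise ValueError("truncated Commit")
        (group,) = struct.unpack_from("<H", rest, 0)      # Finite Cyclic Group
        end = 2 + PRIME_LEN + 2 * PRIME_LEN
        if group != 19 or len(rest) < end:
            raise ValueError(f"unsupported group {group} or truncated Commit")
        out["group"] = group
        out["scalar"] = rest[2:2 + PRIME_LEN]             # big-endian integer
        out["element"] = rest[2 + PRIME_LEN:end]          # x || y coordinates
    elif seq == SEQ_CONFIRM:
        if len(rest) < 2 + PRIME_LEN:
            raise ValueError("truncated Confirm")
        (out["send_confirm"],) = struct.unpack_from("<H", rest, 0)
        out["confirm"] = rest[2:2 + PRIME_LEN]
    else:
        raise ValueError(f"unexpected SAE sequence number {seq}")
    return out


def check_commit(commit: dict) -> list:
    """Reasons a receiver must reject a peer Commit (empty list means OK).

    Before using the peer's values, a receiver checks that the scalar lies
    in [2, n-1] and that the element is a point on the curve.
    """
    problems = []
    scalar = int.from_bytes(commit["scalar"], "big")
    if not 1 < scalar < P256_N:
        problems.append("scalar out of range")
    x = int.from_bytes(commit["element"][:PRIME_LEN], "big")
    y = int.from_bytes(commit["element"][PRIME_LEN:], "big")
    if x >= P256_P or y >= P256_P:
        problems.append("element coordinate not reduced mod p")
    elif (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P != 0:
        problems.append("element is not a point on P-256")
    return problems


def build_commit(scalar: bytes, element: bytes, status: int = 0) -> bytes:
    """Construct a group-19 SAE Commit body for exercising the parser."""
    return struct.pack("<HHHH", AUTH_ALG_SAE, SEQ_COMMIT, status, 19) + scalar + element


def build_confirm(send_confirm: int, confirm: bytes) -> bytes:
    """Construct an SAE Confirm body for exercising the parser."""
    return struct.pack("<HHHH", AUTH_ALG_SAE, SEQ_CONFIRM, 0, send_confirm) + confirm


# Values from the capture: STA Commit (Authentication 1) and STA Confirm (Authentication 3)
STA_SCALAR = bytes.fromhex("f82910fe911d854dfde4673abe5fd8c54f74e1e47b5ba8bec89af7222ed6b8c0")
STA_ELEMENT = bytes.fromhex("c920b612a489bf6b4c8e74b1da252fea8daeecb030a67eb35bcbf885d0197ac2"
                            "ee43106176cf38abceffb9fa25d38376365d4ba9055cc5a90f24863b7b9d1f12")
STA_CONFIRM = bytes.fromhex("db25ba37c40eaef9746d95106ba25bbeca114327b3bf0a1d61aecb1e1846acfd")
# The P-256 base point, a known-valid element used to exercise check_commit()
G_ELEMENT = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
                          "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")

if __name__ == "__main__":
    commit = parse_sae_auth_body(build_commit(STA_SCALAR, STA_ELEMENT))
    print("STA Commit: group", commit["group"], "checks:", check_commit(commit) or "OK")
    confirm = parse_sae_auth_body(build_confirm(1, STA_CONFIRM))
    print("STA Confirm: send-confirm", confirm["send_confirm"], confirm["confirm"].hex())
```
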

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Authentication Packet 4 Analysis**

    * Once the **AP sends the Authentication 4**, the **STA acknowledges** it using an **ACK frame**.
    * This ensures reliable delivery of the Authentication 4 before moving on to the Association request.

    1. Check the **ACK Frame Subtype**.

        * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment.
        * Confirms the STA received the Authentication 4 correctly.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_10.png
            :alt: ACK subtype after Authentication 4
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * The **Receiver Address** should be the **AP's MAC address** (source of the Authentication 4).
        * Confirms that the STA is acknowledging the correct transmitter.

        .. image:: ./wpa3/802.11ng_wpa3_auth_req_4/auth_req_4_11.png
            :alt: Receiver address of ACK after Authentication 4
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Association Request Packet Analysis**

    1. Check if STA is sending Association Request

        * After completing the **SAE authentication exchange**, the **STA** sends an **Association Request** frame to the AP.
        * This frame advertises STA capabilities such as **802.11n HT support**, **QoS**, and **WPA3 SAE parameters**.
        * Being a **Management frame (Subtype = 0)** and **unicast**, the AP acknowledges it immediately.

    2. Check the **Frame Subtype**

        * Subtype = 0 identifies the frame as an **Association Request**.
        * Ensures Wireshark captures the correct management frame.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_1.png
            :alt: Association Request Subtype
            :scale: 95 %

    3. Verify **Source Address**

        * Source Address = STA MAC address.
        * Confirms the frame is sent by the correct STA.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_2.png
            :alt: Source address in Association Request
            :scale: 95 %

    4. Check the **Receiver Address**

        * Receiver Address = AP MAC address.
        * Ensures the frame is targeted to the correct AP.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_3.png
            :alt: Receiver address in Association Request
            :scale: 95 %

    5. Verify **BSSID**

        * BSSID = AP MAC address.
        * Confirms the frame is part of the correct Basic Service Set.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_4.png
            :alt: BSSID in Association Request
            :scale: 95 %

    6. Check the **Capability Information – Privacy bit**

        * Privacy bit = 1 indicates WPA3 encryption is enabled.
        * This confirms that the STA supports encrypted data exchange after association.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_5.png
            :alt: Privacy bit in Capability Information
            :scale: 95 %

    7. Verify **Capability Information – Short Preamble bit**

        * Short Preamble bit indicates whether the STA supports short preamble.
        * Helps verify compatibility with the AP preamble configuration.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_6.png
            :alt: Short Preamble bit in Capability Information
            :scale: 95 %

    8. Check the **Listen Interval**

        * Listen Interval defines how often the STA wakes to check for buffered frames at the AP.
        * Ensures power-saving and proper timing for STA-AP communication.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_7.png
            :alt: Listen Interval in Association Request
            :scale: 95 %

    9. Verify **SSID Field**

        * SSID must match the AP's network name.
        * Confirms that the STA is associating with the correct BSS.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_8.png
            :alt: SSID in Association Request
            :scale: 95 %

    10. Check the **Supported Rates** and **Extended Supported Rates**

        * **Supported Rates:** 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps
        * Indicates backward compatibility with both **802.11b/g PHY rates**.
        * **Extended Supported Rates:** 24, 36, 48, 54 Mbps
        * Enables higher data throughput compatible with OFDM operation.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_9.png
            :alt: Supported Rates in Association Request
            :scale: 95 %

    11. **RSN Information Element (WPA3 Security)**

        * Tag Number = 48 → RSN IE
        * Group Cipher Suite: AES (CCM)
        * Pairwise Cipher Suite: AES (CCM)
        * AKM Suite: SAE (SHA256)
        * Confirms WPA3 SAE operation with AES encryption.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_10.png
            :alt: RSN Information Element in 802.11ng Association Request
            :scale: 95 %

    12. **HT Capabilities (802.11n High Throughput)**

        * Tag Number = 45 → HT Capabilities IE
        * Key parameters:

          - HT Capabilities Info = 0x19ef
          - A-MPDU Parameters = 0x13
          - Rx MCS Set
          - TxBF = 0x00000000

        * Confirms STA supports 802.11n high throughput.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_11.png
            :alt: HT Capabilities field in 802.11n Association Request
            :scale: 95 %

    13. **Extended Capabilities**

        * **Tag Number = 127**, length = 11 bytes.
        * Indicates advanced STA features like coexistence, QoS, and extended channel support.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_12.png
            :alt: Extended Capabilities in 802.11n Association Request
            :scale: 95 %

    14. **Supported Operating Classes**

        * **Tag Number = 59**, length = 21.
        * Frequency bands and channels the STA can operate on.
        * Current Operating Class = 81 → 2.4 GHz, Channels 1–13.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_13.png
            :alt: Supported Operating Classes in 802.11n Association Request
            :scale: 95 %

    15. **Vendor-Specific: WMM/WME Information Element**

        * **Tag Number = 221**, OUI = 00:50:f2 (Microsoft).
        * Type = 2, Subtype = 0, Version = 1, QoS Info = 0x00
        * Confirms QoS support for prioritized traffic in 802.11n.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_14.png
            :alt: WMM/WME Information Element in 802.11n Association Request
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Association Request Packet Analysis**

    * Since the **Association Request** is a **unicast frame** from the STA to the AP, the AP responds with an **ACK frame** to confirm successful reception.
    * The ACK is a **Control frame** (Subtype = 13) and ensures reliable MAC-layer delivery.
    * This ACK is sent **immediately after a SIFS interval**.

    1. Check the **ACK Frame Subtype**.

        * Subtype = 13 identifies the frame as an **ACK**.
        * Confirms the AP received the Association Request correctly.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_15.png
            :alt: ACK subtype after Association Request
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * The Receiver Address of the ACK should be the **STA's MAC address** (source of the Association Request).
        * Confirms that the AP is acknowledging the correct station.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_req/assoc_req_16.png
            :alt: Receiver address of ACK after Association Request
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Association Response Packet Analysis**

    1. Check if AP is sending Association Response

        * After receiving a valid Association Request from the STA, the **AP** responds with an **Association Response** frame.
        * Confirms successful connection setup before starting the **WPA3 SAE key exchange**.
        * Frame Type = **Management (Type 0)**, Subtype = **Association Response (1)**
        * Sent **unicast** from AP → STA, acknowledged by STA.

    2. Check the **Frame Subtype**

        * Subtype = 1 identifies the frame as an **Association Response**.
        * Confirms that the AP has acknowledged the STA's request to join the BSS.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_1.png
            :alt: Association Response Subtype
            :scale: 95 %

    3. Verify **Source Address**

        * Source Address = AP MAC address.
        * Confirms the frame is transmitted from the AP.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_2.png
            :alt: Source address in Association Response
            :scale: 95 %

    4. Check the **Receiver Address**

        * Receiver Address = STA MAC address.
        * Ensures the response is directed to the correct STA.

        ..

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_3.png
            :alt: Receiver address in Association Response
            :scale: 95 %

    5. Verify **BSSID**

        * BSSID = AP MAC address (same as Source).
        * Confirms that the response is part of the same BSS.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_4.png
            :alt: BSSID in Association Response
            :scale: 95 %

    6. Check the **Capability Information – Privacy bit**

        * Privacy bit = 1 → indicates WPA3 SAE encryption is enabled.
        * Confirms that subsequent data frames will use WPA3 protection.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_5.png
            :alt: Privacy bit in Association Response
            :scale: 95 %

    7. Verify **Capability Information – Short Preamble bit**

        * Short Preamble bit indicates the AP supports short preamble operation.
        * Confirms compatibility with the STA's preamble capabilities.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_6.png
            :alt: Short Preamble bit in Association Response
            :scale: 95 %

    8. Check the **Status Code**

        * Status Code = 0 indicates **Successful Association**.
        * Other values indicate rejection (e.g., unsupported authentication or cipher).
        * Confirms that the STA is now allowed to proceed with the WPA3 4-way handshake.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_7.png
            :alt: Status code in Association Response
            :scale: 95 %

    9. Verify **Association ID (AID)**

        * AID uniquely identifies the STA within the BSS.
        * Typically a small integer (e.g., 1, 2, 3) assigned by the AP.
        * Confirms successful registration of the STA in the AP's association table.
        * Used for managing buffered frames and identifying the STA in power-save mode.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_8.png
            :alt: Association ID in Association Response
            :scale: 95 %

    10. Check the **Supported Rates, Extended Supported Rates**

        * Lists data rates supported for backward compatibility (802.11b/g).
        * Supported Rates: 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps
        * Extended Supported Rates: 24, 36, 48, 54 Mbps
        * Confirms coexistence with legacy devices.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_9.png
            :alt: Supported Rates in Association Response
            :scale: 95 %

    11. **HT Capabilities (802.11n)**

        * **Tag Number: 45**, length: 26 bytes
        * Key fields:

          - **HT Capabilities Info (0x000C):** Indicates 20/40 MHz support, short GI (guard interval), MIMO capability.
          - **A-MPDU Parameters = 0x17:** Aggregation support
          - **MCS Set:** Lists supported Modulation and Coding Schemes (up to MCS7 per spatial stream).
          - TxBF = 0x00000000 → No beamforming

        * Confirms that STA and AP support **HT (High Throughput) mode**, enabling up to 300 Mbps PHY rates.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_10.png
            :alt: HT Capabilities in Association Response
            :scale: 95 %

    12. **HT Information (802.11n)**

        * **Tag Number: 61**, length: 22 bytes
        * Describes HT channel usage and the MCS set for operation.
        * Key fields: Primary channel = 6, HT Info Subsets 1–3, Basic MCS set.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_11.png
            :alt: HT Information Element in Association Response
            :scale: 95 %

    13. Verify **Extended Capabilities**

        * Tag Number: 127, Length = 8 octets
        * Includes optional higher-layer capabilities like coexistence management, QoS support, and operating class awareness.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_12.png
            :alt: Extended Capabilities in Association Response
            :scale: 95 %

    14. **WMM/WME Parameter Element (QoS)**

        * Tag Number: 221 (Vendor Specific, Microsoft OUI 00:50:f2)
        * Type = 2, Subtype = Parameter Element (1), Version = 1
        * QoS parameters for 4 Access Categories:

          - AC_BE: AIFSN=3, CWmin/max=15/1023, TXOP=0
          - AC_BK: AIFSN=7, CWmin/max=15/1023, TXOP=0
          - AC_VI: AIFSN=2, CWmin/max=7/15, TXOP=94
          - AC_VO: AIFSN=2, CWmin/max=3/7, TXOP=47

        * WME QoS Info = 0x01 → QoS enabled on AP.

        ..

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_13.png
            :alt: WMM/WME QoS Parameters in Association Response
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Association Response Packet Analysis**

    * The **Association Response** is a **unicast frame**, so the STA replies with an **ACK**.
    * This ensures the AP knows the STA successfully received its association confirmation.
    * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**.

    1. Check the **ACK Frame Subtype**.

        * Subtype = 13 identifies the frame as an **ACK**.
        * Indicates successful MAC-layer acknowledgment from STA to AP.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_14.png
            :alt: ACK subtype after Association Response
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * Receiver Address = AP MAC address (sender of the Association Response).
        * Confirms the ACK is directed to the correct device.

        .. image:: ./wpa3/802.11ng_wpa3_assoc_resp/assoc_resp_15.png
            :alt: Receiver address of ACK after Association Response
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Message 1 of 4 – EAPOL Key from AP to STA**

    1. Check if AP is sending Message 1 of 4 – EAPOL Key

        * After successful **authentication** and **association**, the **4-Way Handshake** begins.
        * WPA3 uses **SAE (Simultaneous Authentication of Equals)** to derive encryption keys securely.
        * Message 1 is sent by the **AP** to the **STA**, containing the **ANonce / SAE Commit parameters**.
        * The STA uses this ANonce + SNonce + PMK to compute the PTK.
        * Keys involved:

          - **PMK (Pairwise Master Key):** Derived from the SAE handshake.
          - **PTK (Pairwise Transient Key):** Derived using PMK + ANonce + SNonce + MACs.
          - **GTK (Group Temporal Key):** For broadcast/multicast traffic.

        * 802.11n adds **QoS (Quality of Service)** and **HT (High Throughput)** features.

    2. Check the **Frame Subtype**

        * Type = 2 → Data frame
        * Subtype = 0 → Standard Data
        * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_1.png
            :alt: Message 1 Subtype
            :scale: 95 %

    3. Verify **Source Address**

        * Source Address = AP MAC address.
        * Confirms the frame is transmitted from the AP.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_2.png
            :alt: Source address in Message 1
            :scale: 95 %

    4. Check the **Receiver Address**

        * Receiver Address = STA MAC address.
        * Ensures the message is directed to the correct STA.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_3.png
            :alt: Receiver address in Message 1
            :scale: 95 %

    5. Verify **BSSID**

        * BSSID = AP MAC address (same as Source).
        * Confirms that the message is part of the same BSS.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_4.png
            :alt: BSSID in Message 1
            :scale: 95 %

    6. **QoS Control Field**

        * **QoS Control = 0x0007**
        * Important bits:

          - **TID (Traffic Identifier):** 7 → Voice Access Category (highest priority).
          - **EOSP (End of Service Period):** 0 (no service period end).
          - **Ack Policy:** Normal ACK.

        * Indicates the frame belongs to a voice-priority traffic queue.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_5.png
            :alt: QoS Control Field
            :scale: 95 %

    7. Check the **EAPOL Version and Type**

        * Version = 802.1X-2004 (2)
        * Type = Key (3) → Indicates that this is an EAPOL-Key frame used for key management.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_6.png
            :alt: EAPOL version and type in Message 1
            :scale: 95 %

    8. Verify the **Key Descriptor Type**

        * Value = 2 → EAPOL RSN Key (WPA3/SAE).
        * Confirms that the WPA3 key exchange is being performed.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_7.png
            :alt: Key Descriptor Type in Message 1
            :scale: 95 %

    9. Check the **Key Information Field**

        * **Key Descriptor Version:** 2 → Uses AES, HMAC-SHA256 MIC (WPA3)
        * **Key Type:** Pairwise → The key is for one STA, not for broadcast.
        * **Install:** Not set → STA should not install the PTK yet.
        * **Key ACK:** Set → AP expects acknowledgment from the STA.
        * **Key MIC:** Not set → No MIC because the PTK is not yet derived.
        * Secure = Not set

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_8.png
            :alt: Key Information field in Message 1
            :scale: 95 %

    10. Verify the **Replay Counter**

        * Value = 1 → Used to prevent replay attacks. Must increase with each new handshake message.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_9.png
            :alt: Replay counter in Message 1
            :scale: 95 %

    11. Check the **ANonce (Authenticator Nonce) / SAE Commit**

        * Random 32-byte number generated by the AP.
        * Contains **SAE commit parameters** for password-authenticated key exchange.

        .. image:: ./w
pa3/802.11ng_wpa3_message_1/message_1_10.png
            :alt: ANonce in Message 1
            :scale: 95 %

    12. Verify the **Key Data Length**

        * Contains SAE commit parameters (non-zero length).

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_11.png
            :alt: Key Data Length in Message 1
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Acknowledgement after Message 1 Packet Analysis**

    * The STA immediately sends an **ACK frame** after receiving Message 1.
    * Confirms correct reception of the ANonce by the STA.
    * ACK frames are control frames with **no payload**.
    * Ensures reliable delivery before the next message is sent.

    1. Check the **ACK Frame Subtype**.

        * Subtype = 13 identifies the frame as an **ACK**.
        * Indicates successful MAC-layer acknowledgment from STA to AP.

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_12.png
            :alt: ACK subtype after Message 1
            :scale: 95 %

    2. Verify the **ACK Receiver Address**.

        * Receiver Address = AP MAC address (sender of Message 1).
        * Confirms the ACK is directed to the correct device.

        ..

        .. image:: ./wpa3/802.11ng_wpa3_message_1/message_1_13.png
            :alt: Receiver address of ACK after Message 1
            :scale: 95 %

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Message 2 of 4 – EAPOL Key from STA to AP**

    1. Check if STA is sending Message 2 of 4 – EAPOL Key

        * The STA responds to Message 1 with **Message 2** of the WPA3 4-Way Handshake.
        * It provides the **SNonce** and **MIC** for the AP to verify PTK derivation.
        * Ensures the STA participates in key derivation and confirms shared key material.
        * Keys involved:

          - **PTK (Pairwise Transient Key):** Derived using PMK + ANonce + SNonce + MACs.
          - **MIC:** Proves integrity and authenticity of the STA's response.
          - **Key Data:** Contains SAE confirm or group parameters.

    2. Check the **Frame Subtype**

        * Type = 2 → Data frame
        * Subtype = 0 → Standard Data
        * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_1.png
            :alt: Message 2 Subtype
            :scale: 95 %

    3. Verify **Source Address**

        * Source Address = STA MAC address.
        * Confirms the frame is transmitted from the STA.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_2.png
            :alt: Source address in Message 2
            :scale: 95 %

    4. Check the **Receiver Address**

        * Receiver Address = AP MAC address.
        * Ensures the response is directed to the correct AP.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_3.png
            :alt: Receiver address in Message 2
            :scale: 95 %

    5. Verify **BSSID**

        * BSSID = AP MAC address.
        * Confirms that the response is part of the same BSS.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_4.png
            :alt: BSSID in Message 2
            :scale: 95 %

    6. **QoS Control Field**

        * **QoS Control = 0x0007**
        * TID = 7 → Highest priority (Voice/Network Control).
        * Ack Policy = Normal ACK.
        * TXOP Duration = 0 → No TXOP requested.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_5.png
            :alt: QoS Control Field
            :scale: 95 %

    7. Check the **EAPOL Version and Type**

        * Version = 802.1X-2001 (1)
        * Type = Key (3)
        * Indicates that this is an EAPOL-Key frame used for key management.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_6.png
            :alt: EAPOL version and type in Message 2
            :scale: 95 %

    8. Verify the **Key Descriptor Type**

        * Value = 3 → **RSN Key for WPA3 / SAE**

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_7.png
            :alt: Key Descriptor Type in Message 2
            :scale: 95 %

    9. Check the **Key Information Field**

        * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA256 MIC
        * **Key Type:** Pairwise → The key is for one STA, not for broadcast.
        * **Install:** Not set → STA should not install the PTK yet.
        * **Key ACK:** Not set → The STA does not expect an acknowledgment.
        * **Key MIC:** Set → STA includes a MIC for the message integrity check.
        * Secure = Not set

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_8.png
            :alt: Key Information field in Message 2
            :scale: 95 %

    10. Verify the **Replay Counter**

        * Value = 1
        * Matches the Message 1 counter.
        * Ensures synchronization between AP and STA.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_9.png
            :alt: Replay counter in Message 2
            :scale: 95 %

    11. Check the **SNonce (Supplicant Nonce)**

        * Random 32-byte number generated by the STA.
        * Used along with the ANonce, MAC addresses, and PMK to derive the PTK.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_10.png
            :alt: SNonce in Message 2
            :scale: 95 %

    12. Verify the **MIC Field**

        * Message Integrity Code generated using the derived PTK.
        * Proves the STA has successfully calculated the PTK and knows the correct PSK.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_11.png
            :alt: MIC verification in Message 2
            :scale: 95 %

    13. Check the **Key Data (WPA3 Information Element)**

        * Contains SAE confirm data, group ID, or supported ciphers.
        * The AP uses this to verify the STA's SAE commitment.

        .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_12.png
            :alt: WPA3 Key Data in Message 2
            :scale: 95 %

..
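
As an added example (not code from this page, hostapd or wpa_supplicant), the following Python decodes the EAPOL-Key fields walked through for Message 1 and Message 2 above (EAPOL version and type, Key Descriptor Type, the Key Information bits, Replay Counter, nonce, MIC and Key Data), names each handshake message from its Key Information flags alone (the same rule also identifies Message 3 and Message 4), and applies the replay-counter rule the text describes. It assumes a 16-byte MIC field and builds four constructed sample frames with dummy nonces and zero MICs.

```python
"""Decode EAPOL-Key frames of the WPA3 4-Way Handshake and classify M1-M4.

Added example: not code from this page, hostapd or wpa_supplicant. It parses
the 802.1X EAPOL-Key body carried inside the data frames analysed above and
assumes a 16-byte MIC field. The sample frames are constructed (dummy nonces,
zero MICs), not taken from the capture.
"""
import struct

EAPOL_TYPE_KEY = 3      # EAPOL Type = Key (3)
DESC_TYPE_RSN = 2       # Key Descriptor Type = RSN
KI_VERSION_MASK = 0x0007  # Key Information: Key Descriptor Version bits
KI_PAIRWISE = 1 << 3    # Key Type: 1 = Pairwise, 0 = Group
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9
KI_ENC_KEY_DATA = 1 << 12

# EAPOL header + fixed part of the Key Descriptor; every field is big-endian
FIXED = struct.Struct(">BBHBHHQ32s16sQQ16sH")


def parse_eapol_key(frame: bytes) -> dict:
    """Split an EAPOL-Key frame into the fields shown in the analysis above."""
    if len(frame) < FIXED.size:
        raise ValueError("frame shorter than the EAPOL-Key fixed fields")
    (ver, etype, length, desc, info, key_len, replay, nonce,
     iv, rsc, key_id, mic, kd_len) = FIXED.unpack_from(frame)
    if etype != EAPOL_TYPE_KEY or desc != DESC_TYPE_RSN:
        raise ValueError("not an RSN EAPOL-Key frame")
    if length != len(frame) - 4 or len(frame) < FIXED.size + kd_len:
        raise ValueError("EAPOL length fields disagree with the frame size")
    return {
        "eapol_version": ver, "key_info": info,
        "desc_version": info & KI_VERSION_MASK,
        "pairwise": bool(info & KI_PAIRWISE), "install": bool(info & KI_INSTALL),
        "ack": bool(info & KI_ACK), "mic_set": bool(info & KI_MIC),
        "secure": bool(info & KI_SECURE),
        "encrypted_key_data": bool(info & KI_ENC_KEY_DATA),
        "replay_counter": replay, "nonce": nonce, "mic": mic,
        "key_data": frame[FIXED.size:FIXED.size + kd_len],
    }


def classify_message(p: dict) -> str:
    """Name the handshake message from the Key Information flags alone."""
    if not p["pairwise"]:
        return "group key handshake"
    flags = (p["ack"], p["mic_set"], p["install"], p["secure"])
    return {
        (True, False, False, False): "M1",   # ANonce, no MIC yet
        (False, True, False, False): "M2",   # SNonce + MIC
        (True, True, True, True): "M3",      # install PTK, GTK in Key Data
        (False, True, False, True): "M4",    # final MIC, secure
    }.get(flags, "unexpected flag combination")


def check_replay_counters(frames: list) -> list:
    """AP messages (Key ACK set) must carry a strictly increasing counter;
    each STA reply must echo the counter of the AP message it answers."""
    problems, last_ap = [], None
    for i, frame in enumerate(frames, 1):
        p = parse_eapol_key(frame)
        name = classify_message(p)
        if p["ack"]:
            if last_ap is not None and p["replay_counter"] <= last_ap:
                problems.append(f"frame {i} ({name}): counter {p['replay_counter']} "
                                f"not above {last_ap}, possible replay")
            else:
                last_ap = p["replay_counter"]
        elif p["replay_counter"] != last_ap:
            problems.append(f"frame {i} ({name}): reply counter "
                            f"{p['replay_counter']} does not echo {last_ap}")
    return problems


def build_eapol_key(key_info: int, replay: int, nonce: bytes,
                    key_data: bytes = b"", version: int = 2) -> bytes:
    """Construct an EAPOL-Key frame (zero MIC) for exercising the parser."""
    body = struct.pack(">BHHQ32s16sQQ16sH", DESC_TYPE_RSN, key_info, 16, replay,
                       nonce, bytes(16), 0, 0, bytes(16), len(key_data)) + key_data
    return struct.pack(">BBH", version, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample handshake following the flag and counter values above
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac080000")  # CCMP, AKM SAE
PMKID_KDE = bytes.fromhex("dd14000fac04") + bytes(16)                    # placeholder PMKID
BASE = 2 | KI_PAIRWISE                                                     # descriptor version 2
HANDSHAKE = [
    build_eapol_key(BASE | KI_ACK, 1, ANONCE, PMKID_KDE),
    build_eapol_key(BASE | KI_MIC, 1, SNONCE, RSN_IE),
    build_eapol_key(BASE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE | KI_ENC_KEY_DATA,
                    2, ANONCE, bytes(24)),   # 24 zero bytes stand in for the wrapped GTK
    build_eapol_key(BASE | KI_MIC | KI_SECURE, 2, bytes(32)),
]

if __name__ == "__main__":
    for frame in HANDSHAKE:
        p = parse_eapol_key(frame)
        print(classify_message(p), "replay", p["replay_counter"], "key info 0x%04x" % p["key_info"])
    print("replayed M1:", check_replay_counters(HANDSHAKE + [HANDSHAKE[0]]))
```
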
panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 2 Packet Analysis** * The AP sends an **ACK** confirming successful reception of STA’s response. * ACK ensures reliable exchange before sending Message 3. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_13.png :alt: ACK subtype after Message 2 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa3/802.11ng_wpa3_message_2/message_2_14.png :alt: Receiver address of ACK after Message 2 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 3 of 4 – EAPOL Key from AP to STA** 1. Check if AP is sending Message 3 of 4 – EAPOL Key * AP instructs STA to install PTK and provides GTK for group traffic. * STA will install PTK and GTK, then respond with Message 4 to complete the handshake. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_1.png :alt: Message 3 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = AP MAC address. * Confirms the frame is transmitted from the AP. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_2.png :alt: Source address in Message 3 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = STA MAC address. * Ensures the response is directed to the correct STA. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_3.png :alt: Receiver address in Message 3 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address (same as Source). * Confirms that the response is part of the same BSS. .. 
image:: ./wpa3/802.11ng_wpa3_message_3/message_3_4.png :alt: BSSID in Message 3 :scale: 95 % 6. **QoS Control Field** * **QoS Control = 0x0007** * TID = 7 → Highest priority (Voice / Network Control) * Ack Policy = Normal ACK * EOSP = Service period for QoS flow .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_5.png :alt: QoS Control Field :scale: 95 % 7. Check the **EAPOL Version and Type** * Version = 802.1X-2004 (2) * Type = Key (3) * Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_6.png :alt: EAPOL version and type in Message 3 :scale: 95 % 8. Verify the **Key Descriptor Type** * Value = 3 → RSN Key (SAE / WPA3) .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_7.png :alt: Key Descriptor Type in Message 3 :scale: 95 % 9. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES-256 / HMAC-SHA256 MIC * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** set → STA should install PTK now. * **Key ACK:** Set → AP expects acknowledgment. * **Key MIC:** set → STA includes MIC for message integrity check. * Secure = Set → Key Data is encrypted (GTK included) .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_8.png :alt: Key Information field in Message 3 :scale: 95 % 10. Verify the **Replay Counter** * Value = 2 * Increments from previous message. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_9.png :alt: Replay counter in Message 3 :scale: 95 % 11. verify the **ANonce** * Same ANonce as in Message 1 → Confirms handshake continuity. * Used again for PTK confirmation. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_10.png :alt: SNonce in Message 3 :scale: 95 % 12. Verify the **MIC Field** * Ensures the message is authentic and not altered. * AP computes MIC using PTK and includes it here. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_11.png :alt: MIC verification in Message 3 :scale: 95 % 13. 
Check the **Key Data Field** * Contains **GTK for group traffic**, SAE group parameters, RSN Information Element * Data is encrypted (Secure bit set) .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_12.png :alt: WPA3 Key Data in Message 3 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 3 Packet Analysis** * STA sends **ACK** confirming receipt of the GTK and installation instruction. * Confirms that STA has installed the PTK successfully. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_13.png :alt: ACK subtype after Message 3 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa3/802.11ng_wpa3_message_3/message_3_14.png :alt: Receiver address of ACK after Message 3 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 4 of 4 – EAPOL Key from STA to AP** 1. Check if STA is sending Message 4 of 4 – EAPOL Key * STA confirms successful installation of PTK and GTK. * The 4-way handshake is complete, and encrypted data transfer can now begin. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2/WPA2. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_1.png :alt: Message 4 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = STA MAC address. * Confirms the frame is transmitted from the STA. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_2.png :alt: Source address in Message 4 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = AP MAC address. * Ensures the response is directed to the correct AP. .. 
image:: ./wpa3/802.11ng_wpa3_message_4/message_4_3.png :alt: Receiver address in Message 4 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address. * Confirms that the response is part of the same BSS. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_4.png :alt: BSSID in Message 4 :scale: 95 % 6. **QoS Control Field** * **QoS Control = 0x0007** * TID = 7 → Highest priority (Voice / Network Control) * Ack Policy = Normal ACK .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_5.png :alt: QoS Control Field :scale: 95 % 7. Check the **EAPOL Version and Type** * Version = 802.1X-2001 (1) * Type = Key (3) * Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_6.png :alt: EAPOL version and type in Message 4 :scale: 95 % 8. Verify the **Key Descriptor Type** * Value = 2 → Identifies this as a EAPOL RSN Key (WPA2) * Confirms that WPA3 key exchange is being performed. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_7.png :alt: Key Descriptor Type in Message 4 :scale: 95 % 9. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA1 MIC * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** Not set → STA should not install PTK yet. * **Key ACK:** Not Set → since STA does not expect acknowledgment * **Key MIC:** set → STA includes MIC for message integrity check. * Secure = Set → Confirms encryption of Key Data (if present) .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_8.png :alt: Key Information field in Message 4 :scale: 95 % 10. Verify the **Replay Counter** * Value = 2 * Matches Message 3 counter. * Ensures synchronization between AP and STA. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_9.png :alt: Replay counter in Message 4 :scale: 95 % 11. Verify the **MIC Field** * Confirms the final message is valid and unmodified. * Proves the STA successfully installed the PTK and GTK. .. 
image:: ./wpa3/802.11ng_wpa3_message_4/message_4_10.png :alt: MIC verification in Message 4 :scale: 95 % 12. Check the **Key Data Length** * Value = 0 → No additional key data included. * Confirms this message is only an acknowledgment. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_11.png :alt: WPA3 Key Data in Message 4 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 4 Packet Analysis** * AP sends **ACK** confirming the final EAPOL message. * Both devices now share the same PTK and GTK, and can begin encrypted communication. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_12.png :alt: ACK subtype after Message 4 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa3/802.11ng_wpa3_message_4/message_4_13.png :alt: Receiver address of ACK after Message 4 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Request Packet Analysis** * The ARP Reply in WPA3 mode is sent inside an 802.11 **Data frame** protected using **CCMP (AES-256, HMAC-SHA256)**. * It may involve two flows: 1. STA → AP (STA initiates request) 2. AP → Broadcast (AP forwards to all stations) * Used by devices to discover the MAC address corresponding to a target IP. 1. Check if STA is sending ARP Request * STA sends an ARP Request encapsulated inside a **QoS Data frame** (Subtype = 8). * Destination is broadcast (`ff:ff:ff:ff:ff:ff`), intended for AP and BSS. 1.1. Check the **Source Address** * MAC of the STA sending the ARP Request. * Identifies which device initiated the request. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_1.png :alt: STA to AP ARP Source Address :scale: 95 % 1.2. 
Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Data frame is intended for all devices in BSS to eventually deliver ARP. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_2.png :alt: STA to AP ARP Destination Address :scale: 95 % 1.3. Verify **Receiver Address** * Receiver = AP MAC .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_3.png :alt: STA to AP ARP Receiver Address :scale: 95 % 1.4. Verify **Transmitter Address** * Transmitter = STA MAC. * Indicates who physically transmitted the frame on the medium. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_4.png :alt: STA to AP ARP Transmitter Address :scale: 95 % 1.5. **QoS Control Field** * QoS Control: 0x0007 - TID: 7 → Network Control / Voice - Priority: Highest - Ack Policy: Normal ACK - TXOP Duration Requested: 0 - Payload Type: MSDU * Confirms QoS parameters used in this ARP Request frame. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_5.png :alt: STA to AP ARP QoS Control Field :scale: 95 % 1.6. **CCMP Encryption Parameters** * CCMP Ext. IV included * Key Index = 0 * Encryption uses TK (Temporal Key) derived from WPA3 SAE handshake * Confirms ARP Request is sent securely over WPA2. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_6.png :alt: CCMP Encryption Parameters :scale: 95 % 1.7. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request * Identifies which device’s IP is being used to query the target. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_7.png :alt: STA to AP ARP Sender IP and MAC :scale: 95 % 1.8. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./wpa3/802.11ng_wpa3_arp_req/arp_req_8.png :alt: STA to AP ARP Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Reply Packet Analysis** 1. 
Check if AP is sending ARP Reply * After the STA sends an ARP Request, the device owning the target IP responds with an ARP Reply. * This is usually unicast from the AP to the STA. * The reply provides the MAC address corresponding to the target IP so the STA can update its ARP table. 2. Verify **Source Address** * AP MAC (BSSID) — the sender of the ARP Reply. * Identifies which device owns the requested IP (192.168.1.10). .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_1.png :alt: AP to STA ARP Reply Source Address :scale: 95 % 3. Verify **Destination Address** * STA MAC — unicast to the requesting STA. * Ensures only the requesting device receives this ARP Reply. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_2.png :alt: AP to STA ARP Reply Destination Address :scale: 95 % 4. Verify **Receiver Address** * STA MAC — confirms the intended recipient at the link layer. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_3.png :alt: AP to STA ARP Reply Receiver Address :scale: 95 % 5. Verify **Transmitter Address** * AP MAC — indicates who physically transmitted the frame. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_4.png :alt: AP to STA ARP Reply Transmitter Address :scale: 95 % 6. **Verify WPA3 CCMP Parameters** * CCMP Ext. Initialization Vector ensures per-frame uniqueness. * Key Index: 0 * TK derived from SAE handshake (AES-256, HMAC-SHA256) * MIC validates integrity and authenticity. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_5.png :alt: WPA3 CCMP Parameters :scale: 95 % 7. Verify **Sender IP and MAC** * IP: Target IP (AP's IP) * MAC: AP’s MAC * Provides the requested mapping for the STA’s ARP table. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_6.png :alt: AP to STA ARP Reply Sender IP and MAC :scale: 95 % 8. Verify **Target IP and MAC** * IP: STA IP * MAC: STA MAC * Confirms the reply is directed to the original requester. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_7.png :alt: AP to STA ARP Reply Target IP and MAC :scale: 95 % .. 
panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ARP Reply Packet Analysis** * The **ARP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ARP Reply successfully. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_8.png :alt: ARP Reply ACK Subtype :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address * Confirms the acknowledgment is directed to the AP. .. image:: ./wpa3/802.11ng_wpa3_arp_resp/arp_resp_9.png :alt: ARP Reply ACK Receiver Address :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Request Packet Analysis** 1. Check if STA is sending ICMP Echo (Ping) Request * The ICMP Echo Request is sent by the STA to the AP to test connectivity. * It is encapsulated inside an 802.11 Data frame and protected using **WPA3 AES-256 CCMP** * usually sent unicast to the AP. * This frame allows the STA to verify reachability and latency. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the STA (e.g., 24 Mbps or 36 Mbps). * Confirms the speed of transmission for the ping request. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_1.png :alt: Data Rate in ICMP Echo Request :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the ping uses the correct RF channel. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_2.png :alt: Channel in ICMP Echo Request :scale: 95 % 4. Verify **Source MAC** * STA MAC address (e.g., e8:6f:38:71:f1:e3). * Confirms the correct STA is sending the ping. .. 
image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_3.png :alt: Source MAC in ICMP Echo Request :scale: 95 % 5. Verify **Receiver MAC** * AP MAC address. * Confirms the frame is directed to the correct AP. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_4.png :alt: Receiver MAC in ICMP Echo Request :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: STA IP (e.g., 192.168.1.1) * Destination IP: AP IP (e.g., 192.168.1.10) * Ensures correct layer-3 addressing for ICMP. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_5.png :alt: Source and Destination IP in ICMP Echo Request :scale: 95 % 7. Verify **WPA3 CCMP Parameters** * CCMP Ext. Initialization Vector (PN) for frame uniqueness * Key Index: 0 * Temporal Key (TK) derived from SAE handshake (AES-256, HMAC-SHA256) * MIC validates integrity and authenticity .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_6.png :alt: WPA3 Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms the packet is an ICMP message. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_7.png :alt: Protocol field in ICMP Echo Request :scale: 95 % 9. Verify **Type** * ICMP Type = 8 (Echo Request). * Identifies the frame as a ping request. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_8.png :alt: ICMP Type in Echo Request :scale: 95 % 10. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_9.png :alt: IP Version in ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Request Packet Analysis** * The **ICMP Request** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Request packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. 
* Confirms the AP received the ICMP Request successfully. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_10.png :alt: ACK Subtype after ICMP Echo Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = STA MAC. * Confirms that the acknowledgment is sent back to the STA. .. image:: ./wpa3/802.11ng_wpa3_icmp_req/icmp_req_11.png :alt: ACK Receiver Address after ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Reply Packet Analysis** 1. Check if AP is sending ICMP Echo (Ping) Reply * The ICMP Echo Reply is sent by the AP back to the STA in response to the Echo Request. * Encapsulated inside an 802.11 Data frame with **AES-256 CCMP** and typically sent unicast. * Confirms that the AP is reachable and the network path is functioning correctly. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the AP (e.g., 36 Mbps). * Confirms the speed of transmission for the ping reply. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_1.png :alt: Data Rate in ICMP Echo Reply :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the reply uses the correct RF channel. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_2.png :alt: Channel in ICMP Echo Reply :scale: 95 % 4. Verify **Source MAC** * AP MAC address (e.g., 0c:9a:3c:9f:17:71). * Confirms the reply originates from the correct AP. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_3.png :alt: Source MAC in ICMP Echo Reply :scale: 95 % 5. Verify **Receiver MAC** * STA MAC address. * Confirms the reply is delivered to the requesting STA. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_4.png :alt: Receiver MAC in ICMP Echo Reply :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: AP IP (e.g., 192.168.1.10) * Destination IP: STA IP (e.g., 192.168.1.1) * Confirms correct layer-3 addressing for the ICMP reply. .. 
image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_5.png :alt: Source and Destination IP in ICMP Echo Reply :scale: 95 % 7. Verify **WPA3 Encryption Parameters** * CCMP Ext. Initialization Vector (PN) for per-frame uniqueness * Key Index: 0 * Temporal Key (TK) derived from **SAE handshake** (AES-256, HMAC-SHA256) * MIC ensures integrity and authenticity of payload .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_6.png :alt: WPA3 Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms that the packet is an ICMP message. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_7.png :alt: Protocol in ICMP Echo Reply :scale: 95 % 9. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_8.png :alt: IP Version in ICMP Echo Reply :scale: 95 % 10. Verify **Type** * ICMP Type = 0 (Echo Reply). * Identifies the frame as a ping reply. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_9.png :alt: ICMP Type in Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Reply Packet Analysis** * The **ICMP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ICMP Reply successfully. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_10.png :alt: ACK Subtype after ICMP Echo Reply :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = AP MAC. * Confirms that the acknowledgment is sent back to the AP. .. image:: ./wpa3/802.11ng_wpa3_icmp_resp/icmp_resp_11.png :alt: ACK Receiver Address after ICMP Echo Reply :scale: 95 % .. 
panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Deauthentication Packet Analysis** 1. Check if STA is sending Deauthentication Frame * Deauthentication is a management frame sent by either the AP or STA to terminate an existing connection. * It contains information about why the device is being deauthenticated. * The frame is unicast and will be acknowledged by the recipient. 2. Verify **Frame Subtype** * Subtype = 12 identifies the frame as Deauthentication. * Ensures Wireshark captures the correct management frame. .. image:: ./wpa3/802.11ng_wpa3_deauth/deauth_1.png :alt: Deauthentication Subtype :scale: 95 % 3. Verify **Source MAC Address** * MAC address of the device sending the deauthentication frame (AP or STA). * Confirms which device initiated the deauthentication. .. image:: ./wpa3/802.11ng_wpa3_deauth/deauth_2.png :alt: Source MAC in Deauthentication :scale: 95 % 4. Verify **Receiver MAC Address** * MAC address of the recipient device. * Ensures the frame is targeted to the correct station or AP. .. image:: ./wpa3/802.11ng_wpa3_deauth/deauth_3.png :alt: Receiver MAC in Deauthentication :scale: 95 % 5. Verify **Fixed Parameters** * Includes Reason Code (e.g., 0x0001: Unspecified reason). * Helps determine why the deauthentication occurred. .. image:: ./wpa3/802.11ng_wpa3_deauth/deauth_4.png :alt: Fixed Parameters in Deauthentication :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Deauthentication Packet Analysis** * The **Deauthentication** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the recipient received the deauthentication frame. .. 
image:: ./wpa3/802.11ng_wpa3_deauth/deauth_5.png :alt: ACK Subtype after Deauthentication :scale: 95 % 2. Verify the **ACK Receiver Address**. * Destination MAC = sender of the deauthentication frame. * Confirms the acknowledgment is directed back to the sender. .. image:: ./wpa3/802.11ng_wpa3_deauth/deauth_6.png :alt: ACK Receiver Address after Deauthentication :scale: 95 %
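The Key Information, Replay Counter, ANonce and Key Data checks that the Message 2, 3 and 4 panels above walk through by hand, carried out in code as an added example (not code from the original page, wpa_supplicant or hostapd): it parses EAPOL-Key frames, classifies each as Message 1 to 4 from its Install / Key ACK / Key MIC / Secure flags, and reports any inconsistency across the sequence. The frames are constructed for the example; the descriptor type, the 16-byte MIC length and the filler IV/RSC/ID bytes are assumptions.

```python
import os
import struct

# Key Information bit masks of the EAPOL-Key frame (IEEE 802.11, 12.7.2).
KEY_TYPE_PAIRWISE, KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x08, 0x40, 0x80, 0x100, 0x200

# Flag pattern identifying each handshake message; mirrors the Install / Key ACK /
# Key MIC / Secure checks in the Message 2, 3 and 4 panels.
MESSAGE_FLAGS = {
    1: {KEY_ACK: True, KEY_MIC: False, KEY_INSTALL: False, KEY_SECURE: False},
    2: {KEY_ACK: False, KEY_MIC: True, KEY_INSTALL: False, KEY_SECURE: False},
    3: {KEY_ACK: True, KEY_MIC: True, KEY_INSTALL: True, KEY_SECURE: True},
    4: {KEY_ACK: False, KEY_MIC: True, KEY_INSTALL: False, KEY_SECURE: True},
}

def parse_eapol_key(frame, mic_len=16):
    """Split an EAPOL-Key frame (EAPOL header onward) into its fields.
    mic_len=16 assumes a 128-bit MIC, as used by Key Descriptor Version 1 and 2."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame (type %d)" % ptype)
    body = frame[4:4 + length]
    key_info, key_len, replay = struct.unpack("!HHQ", body[1:13])
    # body[13:45] is the nonce; body[45:77] holds Key IV, Key RSC and Key ID
    kd_off = 77 + mic_len
    kd_len = struct.unpack("!H", body[kd_off:kd_off + 2])[0]
    return {"version": version, "descriptor_type": body[0], "key_info": key_info,
            "replay_counter": replay, "nonce": body[13:45], "mic": body[77:kd_off],
            "key_data": body[kd_off + 2:kd_off + 2 + kd_len]}

def classify_message(key_info):
    """Return 1..4 from the Key Information flags, or None if nothing matches."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return None                     # group key handshake, not the 4-way
    for number, flags in MESSAGE_FLAGS.items():
        if all(bool(key_info & bit) == want for bit, want in flags.items()):
            return number
    return None

def check_handshake(frames):
    """Parse four EAPOL-Key frames in capture order and return a list of findings;
    an empty list means the exchange is a consistent 4-way handshake."""
    msgs = [parse_eapol_key(f) for f in frames]
    kinds = [classify_message(m["key_info"]) for m in msgs]
    if kinds != [1, 2, 3, 4]:
        return ["unexpected message sequence %r" % (kinds,)]
    m1, m2, m3, m4 = msgs
    findings = []
    # Replay Counter: M2 echoes M1, M3 increments it, M4 echoes M3.
    if m2["replay_counter"] != m1["replay_counter"]:
        findings.append("M2 replay counter does not match M1")
    if m3["replay_counter"] != m1["replay_counter"] + 1:
        findings.append("M3 replay counter did not increment")
    if m4["replay_counter"] != m3["replay_counter"]:
        findings.append("M4 replay counter does not match M3")
    if m3["nonce"] != m1["nonce"]:      # same ANonce proves handshake continuity
        findings.append("ANonce in M3 differs from M1")
    if not m3["key_data"]:              # M3 must carry the (encrypted) GTK
        findings.append("M3 carries no Key Data")
    if m4["key_data"]:                  # M4 is an acknowledgment only
        findings.append("M4 should have Key Data Length 0")
    return findings

def build_eapol_key(key_info, replay, nonce, key_data=b""):
    """Constructed test frame: descriptor type 2, dummy 16-byte MIC, zeroed
    IV/RSC/ID (assumed layout for the example, not bytes from the capture)."""
    body = (bytes([2]) + struct.pack("!HHQ", key_info, 16, replay) + nonce
            + bytes(32) + b"\x11" * 16 + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed handshake with the Replay Counter values described above
# (M1/M2 = 1, M3/M4 = 2); nonces and key data are random placeholders.
ANONCE, SNONCE = os.urandom(32), os.urandom(32)
SAMPLE_HANDSHAKE = [
    build_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK | 2, 1, ANONCE),
    build_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC | 2, 1, SNONCE, b"\x30\x02\x01\x00"),
    build_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK | KEY_MIC | KEY_INSTALL | KEY_SECURE | 2,
                    2, ANONCE, os.urandom(24)),
    build_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC | KEY_SECURE | 2, 2, bytes(32)),
]

if __name__ == "__main__":
    print(check_handshake(SAMPLE_HANDSHAKE) or "4-way handshake is consistent")
```

To run it against the downloadable capture, feed `check_handshake` the EAPOL payloads of the four decrypted EAPOL-Key frames in the order Wireshark shows them.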