Part 4: WPA2/3-Mixed Mode (Downgrade & Rogue Access Point)
1. Executive Summary
Although WPA3 effectively mitigates the offline dictionary attacks that troubled its predecessor, modern enterprise and home network infrastructures still rely on backward compatibility. To accommodate legacy hardware, most access points utilize the WPA2/WPA3-Mixed Mode (Transition Mode). This architectural compromise harbors a critical vulnerability. This technical write-up demonstrates how an attacker can exploit Transition Mode by deploying a targeted Rogue Access Point and coercing a modern, WPA3-capable client to actively downgrade its connection to the deprecated WPA2 protocol.
Business Impact: By forcing the target infrastructure into downgrading the encryption standard, an attacker completely bypasses the cryptographic improvements of WPA3. The capture of the resulting WPA2 4-Way Handshake reactivates the viability of highly efficient offline dictionary attacks, exposing the network perimeter to total compromise without triggering WPA3 intrusion detection heuristics.
2. Lab Architecture (RoE)
Target (Authenticator): TP-Link Archer C6 in WPA2/WPA3-Personal Transition Mode (1.14.30 Build 250729 Rel.74228n(4555))
Target (Supplicant): iPhone 13
Attacker Infrastructure: Virtualbox Kali Linux 2025.4 (RTL8812AU)
3. Protocol Theory: The End of Offline Cracking
To understand the necessity of the protocol downgrade attack, one must first analyze why the methods showcased in Part 3 of this series fail against pure WPA3. WPA3 completely replaces the vulnerable Pre-Shared Key (PSK) paradigm with a new authentication mechanism: Simultaneous Authentication of Equals (SAE).
3.1 SAE and the Dragonfly Key Exchange
Unlike the WPA2 4-Way Handshake, where the PSK is utilized to derive mathematically verifiable hashes transmitted over the air in EAPOL frames, SAE employs the Dragonfly Key Exchange. This mechanism acts as a Password-Authenticated Key Agreement (PAKA) based on zero-knowledge proofs.
Interactive Zero-Knowledge Proof: During the SAE commit and confirm phases, the supplicant and authenticator interactively negotiate a shared secret (the Pairwise Master Key, PMK) based on the passphrase. Crucially, the mathematical parameters transmitted over the air do not contain sufficient cryptographic material to reconstruct, hash, or verify the password offline.
Forward Secrecy: SAE structurally guarantees forward secrecy. Because the session keys are generated dynamically and independently of the static passphrase, even if an attacker compromises the Wi-Fi password at a later date, they remain mathematically incapable of decrypting previously captured post-handshake traffic.
Mitigation of Dictionary Attacks: Because capturing an SAE handshake for offline cracking is structurally impossible, an attacker is forced into executing an online brute-force attack directly against the Access Point. This is heavily mitigated by the AP's inherent rate-limiting and anti-clogging mechanisms.
3.2 Attacking Pure WPA3
If a network architecture strictly enforces a "WPA3-Only" environment, the WPA2 framework is completely deprecated. By IEEE 802.11 standard mandates, a pure WPA3 network must enforce Protected Management Frames (PMF / 802.11w) as Required. Because Management Frames (such as Deauthentication packets) are cryptographically signed under strict PMF, the active frame injection techniques utilized in Part 3 are completely neutralized. The target client will securely drop forged Deauthentication frames because they lack the valid cryptographic signature of the Authenticator.
Faced with a pure WPA3 environment, the traditional Layer 2 attack surface is dead. A Red Teamer must pivot their operational vectors:
Layer 1 (Physical / RF): Utilizing specialized Wi-Fi transceivers to execute Channel Utilization Attacks (e.g., CTS-to-Self flooding) or localized RF jamming, forcing a hard denial of service.
Layer 7 (Social Engineering): Deploying an Evil Twin combined with a Captive Portal, coercing the human operator into voluntarily surrendering the WPA3 passphrase under the guise of an MDM update.
4. The Exploitable Reality: Transition Mode
The operational reality is that corporate and private environments cannot instantly deprecate functional legacy hardware (e.g., warehouse scanners, VoIP phones, older IoT devices) that lack the capability to process the SAE Dragonfly exchange. To solve this dilemma, vendors implemented the WPA2/WPA3 Transition Mode.
In this state, the Access Point broadcasts a single Beacon frame advertising support for both SAE (WPA3) and PSK (WPA2) concurrently. To enable legacy WPA2 devices to connect, the Access Point cannot mandate signed management frames globally; PMF must be set to Optional.
However, while WPA2-only clients remain vulnerable to standard Layer 2 Deauthentication attacks, WPA3-capable clients are protected. The 802.11 standard dictates that if a client connects via SAE, PMF must be negotiated and strictly enforced for that specific session. Consequently, the WPA3 client's kernel will identify unsigned deauthentication packets as spoofing attempts and silently drop them. To successfully disconnect a WPA3 client and trigger a roaming process in a Transition Mode network, an attacker must bypass Layer 2 entirely and pivot to Layer 1 (Physical) disruption tactics.
5. Execution: The Downgrade Attack
The objective is to physically disrupt the legitimate WPA3 connection and manipulate the client's internal roaming logic into voluntarily executing a WPA2 handshake against an attacker-controlled infrastructure.
5.1 Confirming Transition Mode
First, raw Beacon frames from the target Access Point are captured using a dedicated monitoring interface:
sudo airodump-ng wlan0 --bssid 8C:90:2D:48:2C:9F -c 3 --beacons --write sae
Note: While terminal interfaces like airodump-ng are excellent for real-time monitoring, they often summarize the AUTH column to display only the highest supported security protocol (e.g., displaying only SAE instead of SAE/PSK). Relying solely on the CLI output can lead to false negatives regarding network vulnerability!
To ensure complete accuracy, the resulting .cap file should be analyzed to examine the Cipher Suite broadcasted in the Beacon frames:
Verification Criteria in Wireshark:
Auth Key Management (AKM) List: The capture must reveal an AKM Suite Count of 2 or more, listing both
PSK (00:0f:ac:2)andSAE (00:0f:ac:8).RSN Capabilities: The hex value
0x0080must be present, translating to Bit 7 (MFPC) enabled and Bit 6 (MFPR) disabled. This confirms PMF is Optional.
5.2 Rogue Access Point Deployment
The attacker deploys a Rogue Access Point (Evil Twin) designed solely to broadcast a deceptive Beacon frame. To avoid RF interference with the legitimate AP on Channel 3, the Rogue AP is strategically placed on a non-overlapping channel (e.g., Channel 11).
The hostapd-downgrade.conf is explicitly restricted to WPA2-CCMP to force the downgrade:
interface=wlp3s0mon
ssid=TP-Link-FV
hw_mode=g
channel=11
macaddr_acl=0
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=password123
The Rogue AP is initialized in the terminal:
sudo hostapd hostapd-downgrade.conf
Note: The wpa_passphrase defined in this configuration is deliberately arbitrary. The attacker does not need to know the true network password to capture the handshake. The goal is merely to coerce the client into initiating the authentication sequence and transmitting its cryptographic response (Message 2).
Once the rogue AP is up (on a different device in this case), it can be discovered using airodump-ng, revealing the duplicated TP-Link-FV network providing the weaker WPA2 PSK security instead of the more secure WPA3 SAE of the legitimate Authenticator.
5.3 Active Disruption (Layer 1 Pivot)
Since the WPA3 client strictly ignores spoofed Layer 2 Deauthentication frames, the attacker severs the connection at Layer 1. In a real-world scenario, this is achieved through targeted Radio Frequency (RF) jamming to saturate the legitimate AP's channel with noise. In a controlled laboratory environment, this disruption is simulated by temporarily disabling the legitimate Access Point's wireless transmission.
5.4 Protocol Downgrade and Interception
To capture the downgraded half handshake, a separate airodump-ng instance is launched, monitoring the Rogue AP's specific channel (Channel 11) and writing the output to a new .cap file:
sudo airodump-ng wlan1 -c 11 --write downgrade_capture
Once the physical connection to the legitimate AP drops, the victim's operating system is governed entirely by its internal roaming algorithms. The attack successfully exploits three fundamental principles of client OS design:
SSID Trust (Preferred Network List): The OS immediately transmits Probe Requests seeking trusted SSIDs. Because the Rogue AP broadcasts the exact target SSID (
TP-Link-FV), it bypasses the user-consent barrier.SNR Prioritization (Availability): Roaming algorithms maximize network availability. The client overwhelmingly prioritizes the Rogue AP on the clean channel over the jammed/dead legitimate channel due to its superior Signal-to-Noise Ratio (SNR).
Connectivity over Security: Although fully WPA3-capable, the OS detects only WPA2 capabilities on the Rogue AP. Programmed to ensure the user remains connected, the algorithm gracefully falls back to the older supported standard.
Satisfying these roaming criteria, the client silently accepts the security downgrade and initiates the legacy 4-Way Handshake against the attacker's infrastructure:
Message 1 (Attacker to Victim): The Rogue AP transmits its ANonce.
Message 2 (Victim to Attacker): The victim calculates the Pairwise Transient Key (PTK) using the true, locally stored Wi-Fi password. It transmits Message 2, containing its SNonce and the critical Message Integrity Code (MIC).
The monitoring interface successfully intercepts this exchange. Because Message 2 contains a MIC derived from the real network password, the attacker immediately gracefully shuts down the Rogue AP and transitions to an offline Hashcat dictionary attack to crack the intercepted MIC, utilizing the exact methodology documented in Part 3. The WPA3 architecture has been successfully circumvented.
Note: The success of this roaming coercion heavily depends on the absence or circumvention of the WPA3 'Transition Disable Indication' (TDI). Modern OS implementations (like iOS 14+) cache the security capabilities of a network. If TDI is enforced by the legitimate AP, the target device may pin the WPA3 requirement for this SSID and outright refuse the silent downgrade to WPA2.
6. Remediation / Blue Team
Mitigating downgrade attacks requires strict architectural enforcement and the deliberate removal of backward compatibility where possible. The vulnerability stems not from WPA3 cryptography, but from the operational compromises made to accommodate legacy hardware.
6.1 Deactivating Transition Mode
The definitive remediation is the complete deactivation of WPA2/WPA3-Mixed Mode. Corporate networks must be configured exclusively as WPA3-SAE. This implicitly forces Management Frame Protection (PMF) to Required, cryptographically immunizing the network against localized Deauthentication and ensuring clients never negotiate downgraded sessions.
6.2 VLAN Segregation for Legacy Hardware
Organizations burdened with legacy hardware must embrace strict network segmentation. Devices incapable of SAE authentication should be physically and logically isolated into a dedicated IoT/Legacy VLAN. This network should broadcast a hidden SSID, utilize a separate, highly complex 20+ character WPA2 PSK, and be firewalled from the primary corporate infrastructure.
6.3 Client-Side Hardening
Network administrators managing corporate endpoints via Mobile Device Management (MDM) or Group Policy Objects (GPO) should configure wireless profiles to explicitly demand WPA3 for corporate SSIDs. By hardcoding the required security standard directly on the endpoint, the OS is actively prevented from accepting a downgraded WPA2 connection, even if lured by a Rogue AP presenting a stronger signal.