
WIR-101 Lab 7 — WPA3-SAE Capture and BLE Sniffing


Prerequisites: Weeks 6-7 lectures; WPA3-capable AP available; nRF52840 dongle or BLE PCAP file; bleak installed
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Wi-Fi targets: VCA-WIR101-LAB-WPA3 (authorized) only
  • BLE target: instructor-provided lab BLE device only
  • No pairing or writing to BLE characteristics in Part A (read-only GATT enumeration)

Objective

Capture a WPA3-SAE handshake and compare it to a WPA2-PSK capture at the frame level. Then perform passive BLE sniffing and GATT enumeration on a lab device.


Part A — WPA3-SAE Frame Analysis (40 min)

Setup

The instructor has configured VCA-WIR101-LAB-WPA3 as a WPA3-SAE-only AP (WPA3 Personal, not Transition Mode). Your Alfa AWUS036ACM supports WPA3-SAE in managed mode.

Step 1: Enable monitor mode and lock to the WPA3 AP channel

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

Locate VCA-WIR101-LAB-WPA3 and record its channel and BSSID, then lock airodump-ng to them:

sudo airodump-ng -c CHANNEL --bssid WPA3_BSSID -w wpa3_capture --output-format pcap wlan0mon

Step 2: Associate and trigger a SAE exchange

From a second machine or your host (with wlan1 in managed mode), attempt to connect to the WPA3 AP:

wpa_supplicant -Dnl80211 -iwlan1 -c wpa3_client.conf -d 2>&1 | tee wpa3_debug.log

Where wpa3_client.conf:

network={
    ssid="VCA-WIR101-LAB-WPA3"
    psk="lab-passphrase-wpa3"
    key_mgmt=SAE
    ieee80211w=2
}

The debug output (-d) will show the SAE Commit and Confirm messages being exchanged.

Step 3: WPA3-SAE vs WPA2-PSK frame comparison

Open wpa3_capture-01.cap in Wireshark.

Filter for SAE frames: wlan.rsn.akms.type == 8

Find:

  • The SAE Authentication Commit frames (two of them: AP→STA and STA→AP)
  • The SAE Authentication Confirm frames (two of them)

Open the Lab 4 WPA2 capture in a second Wireshark window.

Step 4: Complete the comparison table

Attribute                                                 | WPA2-PSK 4-way | WPA3-SAE
----------------------------------------------------------+----------------+---------
Number of authentication frames                           |                |
Is ANonce visible in cleartext?                           |                |
Is there a MIC in the authentication frames?              |                |
Does an offline dictionary attack apply to captured data? |                |
Frame type for key exchange                               | EAPOL          |
SAE commit frame fields (if applicable)                   | N/A            |
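To make the Step 3 and Step 4 field layout concrete, here is an added example (not part of the lab handout) that parses the Authentication frame body of an SAE Commit and Confirm frame, and of the Open System frame a WPA2-PSK client sends before its EAPOL 4-way, so the group, scalar, element and send-confirm fields can be picked out. The sample bodies are constructed, not captured, and the parser assumes a commit frame carries no Anti-Clogging Token.

```python
import struct
from dataclasses import dataclass
from typing import Optional

AUTH_ALG_OPEN = 0   # Open System: what a WPA2-PSK station uses before EAPOL
AUTH_ALG_SAE = 3    # SAE: the WPA3 Personal authentication algorithm
# Prime length in bytes for the ECC groups SAE uses: scalar = prime length,
# element = x||y = twice that. Group 19 is NIST P-256 and the default.
ECC_GROUP_PRIME_LEN = {19: 32, 20: 48, 21: 66}

@dataclass
class AuthFrame:
    algorithm: int
    seq: int
    status: int
    kind: str                      # "open", "sae-commit" or "sae-confirm"
    group: Optional[int] = None
    scalar: bytes = b""
    element: bytes = b""
    send_confirm: Optional[int] = None
    confirm: bytes = b""

def parse_auth_body(body: bytes) -> AuthFrame:
    """Parse an 802.11 Authentication frame body (the bytes after the MAC header).
    Assumes a commit frame carries no Anti-Clogging Token (a first attempt)."""
    if len(body) < 6:
        raise ValueError("authentication body too short")
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    if alg != AUTH_ALG_SAE:
        return AuthFrame(alg, seq, status, "open" if alg == AUTH_ALG_OPEN else f"alg-{alg}")
    if seq == 1:   # SAE Commit: finite cyclic group, scalar, element
        (group,) = struct.unpack_from("<H", body, 6)
        plen = ECC_GROUP_PRIME_LEN.get(group)
        if plen is None:
            raise ValueError(f"unsupported SAE group {group}")
        scalar, element = body[8:8 + plen], body[8 + plen:8 + 3 * plen]
        if len(scalar) != plen or len(element) != 2 * plen:
            raise ValueError("truncated SAE commit")
        return AuthFrame(alg, seq, status, "sae-commit", group, scalar, element)
    if seq == 2:   # SAE Confirm: send-confirm counter, then the confirm hash
        (send_confirm,) = struct.unpack_from("<H", body, 6)
        return AuthFrame(alg, seq, status, "sae-confirm",
                         send_confirm=send_confirm, confirm=body[8:])
    raise ValueError(f"unexpected SAE sequence number {seq}")

# Constructed sample bodies (not from a real capture): a group-19 commit, the
# matching confirm, and the Open System frame seen in the Lab 4 WPA2 capture.
SAMPLE_COMMIT = struct.pack("<HHHH", 3, 1, 0, 19) + bytes(range(32)) + bytes(range(64))
SAMPLE_CONFIRM = struct.pack("<HHHH", 3, 2, 0, 1) + bytes(range(32, 64))
SAMPLE_OPEN = struct.pack("<HHH", 0, 1, 0)
```

Running parse_auth_body over each sample shows the commit carrying a 32-byte scalar and 64-byte element for group 19, the confirm carrying only a counter and a 32-byte confirm value, and the Open System frame carrying no key material at all.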

Deliverable A

The completed comparison table + Wireshark screenshots of one SAE Commit frame (fully expanded) and one WPA2 EAPOL Message 1 frame (fully expanded).

Step 5: Attack attempt (observation only)

Run hcxdumptool against the WPA3 AP:

sudo hcxdumptool -i wlan0mon -o wpa3_attempt.pcapng --enable_status=1

Wait 2 minutes, then run hcxpcapngtool -o wpa3_hash.22000 wpa3_attempt.pcapng. Is a PMKID present? Is a hash produced?

Deliverable A2

Screenshot of hcxdumptool output + answer: did hcxdumptool extract a crackable hash from WPA3-SAE? Why or why not?


Part B — BLE Sniffing and GATT Enumeration (40 min)

Option 1: nRF52840 dongle with Sniffle (in-lab)

Install Sniffle firmware if not done:

pip install sniffle

Start sniffing BLE advertising:

python3 -m sniffle.sniff_receiver -e -a --rssi -40

This captures all BLE advertising packets from devices within approximately 5 meters. Note any device addresses and names that appear.

Target the instructor's designated lab BLE device. Have the instructor provide its MAC address.

Option 2: Virtual path (nRF52840 not available)

Use the provided lab7_ble_advertising.pcap in Wireshark. Filter: btle. Examine advertising PDUs for device addresses, AD names, and manufacturer data.
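An added helper (not part of the lab handout) for decoding the AD structures the PCAP walk-through asks about: each structure is a length byte, an AD type byte and data, and the name, flags, 16-bit service UUIDs, manufacturer data and TX power are pulled out. The sample advertisement is constructed here; the device name and manufacturer bytes are placeholders, not values from the lab device.

```python
import struct
# Common AD types from the Bluetooth Assigned Numbers (Generic Access Profile)
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_NAME_SHORT = 0x08
AD_NAME_COMPLETE = 0x09
AD_TX_POWER = 0x0A
AD_MANUFACTURER = 0xFF

def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs; the length byte covers type + data."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:           # a zero-length structure ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out

def decode_advertisement(payload: bytes) -> dict:
    """Pull out the fields Deliverable B asks for: name, flags, 16-bit UUIDs, manufacturer data, TX power."""
    info = {"name": None, "flags": None, "uuid16": [], "manufacturer": None, "tx_power": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_NAME_COMPLETE, AD_NAME_SHORT):
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_FLAGS and data:
            info["flags"] = data[0]
        elif ad_type in (AD_UUID16_COMPLETE, AD_UUID16_INCOMPLETE):
            # 16-bit UUIDs are little-endian, two bytes each; drop a trailing odd byte
            info["uuid16"] += [u for (u,) in struct.iter_unpack("<H", data[:len(data) // 2 * 2])]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            company_id = struct.unpack_from("<H", data, 0)[0]  # little-endian company identifier
            info["manufacturer"] = (company_id, data[2:])
        elif ad_type == AD_TX_POWER and data:
            info["tx_power"] = struct.unpack("<b", data[:1])[0]   # signed dBm
    return info

# Constructed sample (not a captured frame): flags, Heart Rate service UUID 0x180D,
# a placeholder complete local name, a placeholder manufacturer block (company id
# 0xFFFF is the reserved test id) and TX power -8 dBm.
SAMPLE_ADV = bytes([
    0x02, AD_FLAGS, 0x06,
    0x03, AD_UUID16_COMPLETE, 0x0D, 0x18,
    0x08, AD_NAME_COMPLETE]) + b"LAB-HRM" + bytes([
    0x05, AD_MANUFACTURER, 0xFF, 0xFF, 0xAA, 0x55,
    0x02, AD_TX_POWER, 0xF8])
```

decode_advertisement(SAMPLE_ADV) yields the name, flags 0x06, the 0x180D UUID, the company id with its payload, and -8 dBm; feeding it the raw advertising data copied from Wireshark's btle dissector gives the same breakdown for real frames.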

GATT Enumeration with bleak

import asyncio
from bleak import BleakClient

TARGET_ADDR = "XX:XX:XX:XX:XX:XX"  # instructor-provided

async def enumerate_gatt(addr):
    # Connect, then walk the service -> characteristic tree bleak discovered.
    async with BleakClient(addr, timeout=20.0) as client:
        print(f"Connected: {client.is_connected}")
        for service in client.services:
            print(f"\n[Service] {service.uuid}")
            print(f"  Description: {service.description}")
            for char in service.characteristics:
                print(f"  [Char] {char.uuid}")
                print(f"    Properties: {', '.join(char.properties)}")
                print(f"    Description: {char.description}")
                # Read-only enumeration: only read characteristics that advertise
                # the "read" property; nothing is written or subscribed to here.
                if "read" in char.properties:
                    try:
                        # Pass the characteristic object so a UUID shared by two
                        # services still resolves to this one.
                        value = await client.read_gatt_char(char)
                        print(f"    Value: {value.hex()} ({value!r})")
                    except Exception as e:
                        print(f"    Read error: {e}")

asyncio.run(enumerate_gatt(TARGET_ADDR))

Run this against the instructor's lab BLE device. Copy the output into your deliverable.

Deliverable B

  1. BLE advertising capture output: list of device addresses seen (from Sniffle or the provided PCAP), with any decoded AD structures (name, manufacturer data)
  2. GATT enumeration output: full service/characteristic tree for the lab device
  3. Identify: (a) any characteristic with write or write-without-response in its properties, (b) any characteristic value that appears to contain sensitive data in cleartext

Write-up Questions

  1. From a WPA3-SAE Commit frame, an attacker captures the group element and scalar. Explain why this data does not allow offline passphrase verification, in contrast to the WPA2 PMKID.
  2. The Dragonblood CVE-2019-9494 timing attack requires measuring the time of the SAE Commit response from the AP. What specific implementation behavior creates the timing difference?
  3. You found a BLE characteristic with UUID 0x2A37 (Heart Rate Measurement) that has the notify property. A fitness tracker is sending heart rate data via this characteristic. Is the data encrypted? What pairing method would need to have been used? What attack could expose this data to a nearby adversary?
  4. A BLE smart lock uses write-without-response on its lock/unlock characteristic, but requires bonding (pairing) before allowing writes. Is this secure? What is the attack path if the device uses Just Works pairing?

Cleanup

sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Submission

Zip into lab7_YOURNAME.zip:

  • deliverable_A_comparison_table.md
  • deliverable_A_wireshark_sae.png
  • deliverable_A_wireshark_wpa2.png
  • deliverable_A2.md (hcxdumptool WPA3 attempt)
  • deliverable_B_advertising.txt
  • deliverable_B_gatt.txt
  • writeup.md