Screenshot of a terminal displaying wireless network data with details including BSSIDs, signal strength, encryption types, and the associated ESSIDs.

I was at Starbucks today and saw some kid on a Windows laptop running Kali Linux, not casually, not out of curiosity, but actively running it in a way that anybody in the 802.11 field would recognize instantly. I could see the BSSIDs, MAC addresses, channels, client associations—the usual flood of over-the-air data that we all parse without even thinking about it anymore. What really caught my eye was the second window she had open, sitting there waiting to capture a WPA2 4-way handshake as soon as a client reconnected. There was no mystery to it. She was executing the textbook WPA2 capture workflow, right out in public, in full daylight.

I actually walked over and introduced myself as someone who has been to BlackHat a few times in Vegas, which was enough to open a door. It did—he didn’t hide anything and smiled in confirmation of exactly what I already knew: he was collecting WPA2 handshakes and doing it openly. I didn’t stay long, but it stuck with me because it reminded me how exposed WPA2 really is and how easy it is for someone with a basic toolkit to attack it. A lot of small shops offering “free Wi-Fi” have no idea how vulnerable their customers are under WPA2, and seeing someone exploit it so casually hammered that point home.

The attack is the same WPA2-PSK workflow that’s been around forever. Kali Linux just makes it accessible. The attacker starts by passively scanning the air for BSSIDs and connected clients, which requires no intrusion and no skill. Once the attacker picks a client-AP pair, they send spoofed de-authentication frames, because management frames aren’t protected unless 802.11w is enabled—which, on public Wi-Fi, it usually isn’t. The client honours those deauth frames and drops off the AP instantly, then begins reconnecting. During that reconnection, the WPA2 4-way handshake is exchanged between AP and client, and it can be captured over the air without interacting with either device. Once captured, the attacker has all the material needed to run offline dictionary or GPU attacks using tools like hashcat. They don’t need to touch the network again. That is the entire problem with WPA2: the PSK is static, the handshake leaks enough information to test guesses offline, and deauthing makes the capture trivial.

This is exactly why WPA3 and OWE change the game. WPA3-Personal replaces the WPA2 PSK handshake with SAE, which is a password-authenticated key exchange built specifically to eliminate offline dictionary attacks. Instead of revealing material that can be cracked later, the SAE handshake never exposes anything useful. An attacker who wants to guess the password has to interact with the AP for every single guess, and each attempt is rate-limited and highly visible. Deauthentication tricks don’t give them anything, because there is nothing reusable in the SAE exchange. This alone shuts down the entire WPA2 capture-and-crack methodology.

OWE takes things even further for SSIDs that are meant to be open. Instead of leaving traffic unencrypted or relying on captive portals, OWE forces a Diffie-Hellman exchange during association. That means every client generates its own unique encryption keys with the AP, and there is no pre-shared key at all. The resulting PMK is unique per session, derived from ephemeral cryptographic values, and never transmitted in a way that an attacker can exploit. Even if someone captures every association frame and every handshake, none of it can be used to decrypt traffic or brute-force a credential. Deauthing a client only forces them to generate a new ephemeral key, which is just as useless to an attacker as the last one.

Seeing Kali in Starbucks wasn’t just an interesting moment—it was a reminder of how outdated WPA2 really is. The entire attack depends on reusable secrets and a handshake that leaks enough information to crack those secrets offline. WPA3 and OWE eliminate the weak points altogether by removing reusable keys and replacing them with per-session cryptographic exchanges that attackers can’t meaningfully exploit. WPA2 wasn’t built for the threat landscape we have now. WPA3 and OWE are.

How the WPA2 Attack Works in Practice

What she was doing is the same WPA2-PSK attack chain that’s been floating around for more than a decade. It’s predictable, reliable, and far too easy to execute. Kali Linux just wraps all the tools in one place so even someone with minimal understanding can run it. The workflow goes like this:

  1. Passive Scanning
    The attacker uses tools like airodump-ng to watch the air and record:
    • BSSIDs
    • Channel
    • Cipher suites
    • Connected client MACs
    • Beacon frames and probe responses
    All of that information is just floating in the spectrum; they’re not breaking anything to see it.
  2. Target Lock — Client + AP Pair
    They pick one client associated with the AP.
    That client is the doorway into the PSK.
  3. Deauthentication Frames
    Using spoofed 802.11 management frames (if 802.11w is not enabled, which in public Wi-Fi it usually isn’t), the attacker sends a burst of deauth packets to the client.
    • The client trusts those frames.
    • The client drops off the AP.
    • The AP doesn’t challenge the authenticity of the frame.
    This forces the client to immediately reconnect.
  4. Capture the WPA2 4-Way Handshake
    As the client reconnects, the AP and STA exchange the ANonce/SNonce + MIC frames that form the 4-way handshake.
    airodump-ng captures this in real time.
    Once captured, the attacker has everything needed to brute-force the PSK offline.
Screenshot of a terminal displaying Wi-Fi network details, highlighting a captured WPA handshake. It shows BSSID, signal strength, beacons count, and other network parameters.
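An added defender-side example, written for this post and not code from the post or from any tool named in it: the two things a network owner can check against the chain described above and the four steps just listed, namely the AP’s 802.11w posture read from its beacon’s RSN Capabilities field, and a burst of deauth frames that signals step 3 in progress. The frame records are constructed, and the window and threshold values are assumptions.

```python
from collections import defaultdict, deque

# RSN Capabilities field of the RSNE (IEEE 802.11): bit 6 = MFPR, bit 7 = MFPC
MFPR, MFPC = 1 << 6, 1 << 7

def pmf_status(rsn_caps):
    """Read an AP's 802.11w posture straight out of its beacon's RSN Capabilities."""
    if rsn_caps & MFPR: return "required"   # clients must protect management frames
    if rsn_caps & MFPC: return "capable"    # negotiated per client, legacy still exposed
    return "disabled"                       # spoofed deauths will be honoured

def deauth_bursts(frames, window=2.0, threshold=10):
    """Yield (bssid, first_ts, count) once a BSSID sees `threshold` deauth/disassoc
    frames inside `window` seconds. Genuine deauths are rare and one-off; dozens in a
    second carrying the AP's own address are the signature of a forced reconnect."""
    recent, alerted = defaultdict(deque), set()
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while f["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            yield f["bssid"], q[0], len(q)

def assess(beacons, frames):
    """Join burst alerts with what each AP advertises, so the report says whether
    the clients on that BSSID could even tell a forged deauth from a real one."""
    pmf = {b["bssid"]: pmf_status(b["rsn_caps"]) for b in beacons}
    return [{"bssid": b, "start": t, "count": c, "pmf": pmf.get(b, "unknown"),
             "verdict": "clients-protected" if pmf.get(b) == "required"
                        else "forced-reconnect-likely"}
            for b, t, c in deauth_bursts(frames)]

# Constructed sample data (not a real capture): AP 01 has no PMF and takes 40 deauths
# in one second; AP 02 requires PMF and sees a single, ordinary deauth.
BEACONS = [{"bssid": "aa:bb:cc:00:00:01", "rsn_caps": 0x000c},   # MFPC/MFPR clear
           {"bssid": "aa:bb:cc:00:00:02", "rsn_caps": 0x00cc}]   # MFPC|MFPR set
FRAMES = ([{"ts": 100.0 + i * 0.025, "subtype": "deauth", "bssid": "aa:bb:cc:00:00:01"}
           for i in range(40)]
          + [{"ts": 105.0, "subtype": "deauth", "bssid": "aa:bb:cc:00:00:02"}])

if __name__ == "__main__":
    for alert in assess(BEACONS, FRAMES):
        print(alert)
```

A WIDS or a scripted monitor-mode capture can feed the same two functions; the point is that an AP advertising MFPR makes the burst harmless to its clients, while a "disabled" AP with a burst is exactly the scenario in the post.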


How WPA3 (SAE) and OWE Completely Break This Attack Chain

Here’s the key: the WPA2 attack depends on a predictable, reusable, capture-and-crack handshake. WPA3/OWE remove that foundation entirely.

WPA3-Personal (SAE)

SAE replaces the old WPA2 4-way handshake PSK verification with a Password-Authenticated Key Exchange (PAKE).

What this changes:

  • No reusable handshake material
    SAE handshake frames don’t contain anything an attacker can brute-force offline.
  • No offline dictionary cracking possible
    To guess the password, the attacker must interact with the AP for each guess.
    That’s rate-limited.
    That’s detectable.
    That’s effectively impossible at scale.
  • Deauth captures become worthless
    Even if they force reconnections, there is nothing to “capture and crack.”
  • Forward secrecy is built-in
    Every authentication event produces new cryptographic material.
    Past sessions remain protected even if a password is later exposed.

OWE (Opportunistic Wireless Encryption)

OWE is WPA3’s answer to “open Wi-Fi”—no password, but still encrypted.

Why it kills the WPA2-style attack entirely:

  • No PSK means no target to brute-force
    There is no shared key.
    No pre-distributed secret.
    Nothing static.
  • Per-client Diffie-Hellman key exchange
    Each client gets its own encryption keys formed from an ephemeral D-H exchange.
    An attacker sniffing the association cannot derive those keys.
  • The 4-way handshake is no longer the weak point
    The PMK used in the handshake is unique per session and derived from ephemeral values.
  • Deauth attacks lose their value
    Even if they force a reconnect, the attacker never gets anything reusable.

When we talk about OWE—what the Wi-Fi Alliance brands as “Enhanced Open”—we’re basically talking about taking the old, wide-open guest SSID model and bolting real cryptography onto it without making the user deal with passwords or portals. OWE comes straight out of RFC 8110, the work Dan Harkins and Warren Kumari put together to fix the long-standing problem of unencrypted “open” networks. Even though the SSID still looks open from a client perspective, the Beacon frames actually advertise an RSN element. That’s the giveaway. Real open networks never include an RSN because there’s nothing to negotiate—no keys, no AKM, no cipher suites. But with OWE, the AP includes AKM type 18 (that’s the OWE indicator) and CCMP-128 for both pairwise and group ciphers, even before anybody associates (Hemant Chaskar, Arista Networks).

Under the hood, OWE leans on Diffie-Hellman for its key establishment—just like WPA3-Personal does with SAE, but without the password component. OWE is strictly about generating shared secret material using public key exchanges in the clear, and then turning that secret into encryption keys for the session. The spec requires elliptic curve groups, so everything here runs on modern, efficient EC-based DH. You’ll see references to groups like 19, 20, and 21—these are predefined elliptic curves. Group 19 is the common 256-bit NIST P-256 curve, defined by a 256-bit prime field and a specific curve equation over it. That’s the math environment both the AP and the client use when they generate their key pairs.

When a client joins an OWE SSID, the process looks similar to an open association, but the frames tell a different story. The AP and the STA each generate their own private key—just a big random number, a scalar below the curve’s group order. They both multiply that private key by the group’s generator point, producing a public key. Those public keys get tucked into the Association Request and Association Response frames. That’s the big difference from legacy open Wi-Fi—you can actually see the cryptographic material being exchanged if you inspect the frames.

Once the Association exchange finishes, the two sides run their Diffie-Hellman operation. The client multiplies the AP’s public key by its own private key, and the AP does the same thing in reverse. Because of the properties of the curve, they arrive at the same shared secret value without ever sending it over the air. That secret is turned into the Pairwise Master Key, and the EAPOL key exchange that follows derives from it the transient keys used for encrypting all data frames. After that last key message, everything between AP and client is encrypted—on what the user still believes is “open Wi-Fi.”
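The exchange in the three paragraphs above, and the OWE bullet list earlier, carried through in code as an added example (written for this post, not the post’s own code and not taken from any Wi-Fi stack): a pure-stdlib P-256 ECDH between STA and AP followed by the RFC 8110 PMK and PMKID derivation. The HKDF inputs (C | A | group as salt, the shared x-coordinate as keying material, the label “OWE Key Generation”) follow RFC 8110 section 4.4; the little-endian encoding of the group number and the x-only public-key encoding are assumptions noted in the comments.

```python
import hashlib, hmac, secrets

# NIST P-256 (IANA group 19): y^2 = x^3 - 3x + b over GF(P); N is the group order
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine point addition/doubling; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication (not constant-time: demo code)
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt); k >>= 1
    return acc

def _hkdf_sha256(salt, ikm, info, length=32):
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()              # HKDF-extract
    out, t, i = b"", b"", 1
    while len(out) < length:                                         # HKDF-expand
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def owe_pmk(my_priv, peer_pub, client_pub, ap_pub, group=19):
    """RFC 8110 s4.4: prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk,
    "OWE Key Generation", 32); PMKID = Truncate-128(SHA-256(C | A)). C, A are x-only
    public keys, z the shared x-coordinate; little-endian group id is an assumption."""
    z = _mul(my_priv, peer_pub)[0].to_bytes(32, "big")
    c, a = client_pub[0].to_bytes(32, "big"), ap_pub[0].to_bytes(32, "big")
    pmk = _hkdf_sha256(c + a + group.to_bytes(2, "little"), z, b"OWE Key Generation")
    return pmk, hashlib.sha256(c + a).digest()[:16]

def association():
    """One OWE association: fresh private scalars, public points exchanged in Assoc
    Request/Response, same PMK on both ends; a sniffer holding C and A has no static secret."""
    sta_priv, ap_priv = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    sta_pub, ap_pub = _mul(sta_priv, G), _mul(ap_priv, G)            # C and A on the air
    sta_pmk, sta_id = owe_pmk(sta_priv, ap_pub, sta_pub, ap_pub)
    ap_pmk, ap_id = owe_pmk(ap_priv, sta_pub, sta_pub, ap_pub)
    return sta_pmk == ap_pmk and sta_id == ap_id, sta_pmk.hex()
```

Run association() twice and the PMKs differ every time, which is the whole point: deauthing an OWE client only makes it pick a new scalar and arrive at a new, equally unguessable PMK.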

References:

  1. OWE flow reference – Hemant Chaskar (Arista Networks), WLPC 2019 – https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/WLPC_2019_WPA3-OWE-and-DDP_Hemant-Chaskar.pdf
