Introduction 1. What is WPS? WPS, or "Wi-Fi Protected Setup" is a wireless computing standard designed to allow easy establishment...
1. What is WPS?
WPS, or "Wi-Fi Protected Setup" is a wireless computing standard designed to allow easy establishment of connections between devices in a home network (definitely not suited for a corporation, as you will soon see). Most routers have a little WPS button on them (usually you may have used in installing wireless range extenders / APs at home.
What is Reaver & how does it work?
2. What you need
Reaver
Wash
Aircrack-ng (using Airmon-ng specifically)
A vulnerable wireless network (WPS enabled)
A wireless card which supports going into monitor mode
Backtrack 5R3 (or earlier, it has reaver and wash installed on it)
3. The Attack
"Step 1"
Backtrack will start with your wireless card enabled BUT it will not be in monitor mode, we need it in monitor mode to grab beacon packets from the air to identify other networks and thus communicate with them.
"Step 2"
Using the airmon-ng tool we turn a monitor mode interface ON using our wlan0 interface.
"Step 3"
As you can see, when we list our various interfaces in BT5, mon2 is listed (usually mon0, I just had 2 other interfaces turned on at the time which I needed to turn off T_T)
"Step 4"
Next, using wash, we sniff the air (using the mon2 interface) for beacon and other packets being sent around by wireless aps and routers. For this tutorial I used my own router, the very first one you see listed with an RSSI of -53 (and the scribbled out SSID ).
The important thing here is the RSSI number, and the WPS Locked status. The lower the RSSI digit the better, this attack sends ALOT of information through the air and we want the most reliable connection possible so our packets don't get dropped. If WPS Locked is slated as "No", all is good, it means the router has WPS enabled on and is vulnerable!
"Step 5"
TADA! All done! reaver will display the WPS pin and the networks wireless password (I greyed mine out just from paranoia). Because my pin was so simple, it was cracked REALLY fast (6 seconds omg, fasest I've gotten is 4 ^_^), however if the person has a more complex pin HAVE NO FEAR, due to the limitations of a WPS pin, it should take a maximum of 4 hours to crack the pin due to the mathematical formula reaver uses.
4. Conclusion
So as you can see, this is a very powerful tool which absolutely obliterates WPS enabled routers and completely compromises the network. I can see the attractiveness of this attack and only imagine you HF kids running around outside grabbing pins off your neighbours wireless but PLEASE remember using reaper without the express consent of the network administrator (your neighbor basically) of the network you are hacking is ILLEGAL.
So either
1. Get permission,
2. Do it on your own network,
3. Buy a new junkish router with WPS or
4. Just don't do it
All these tutorials are intended for Security research purpose & should not be used illegaly...
Kindly Like and Share :)
COMMENTS