I wrote a little introduction to WPS in Part 1 of this article. Part 2 is the practical part. I'll set up a router with WPS and show you how to attack it. It's for educational purposes only. So try to hack your own device!
1x Alfa AWUS 036H Wlan Adapter
1x Zyxel Router NBG-460N
VMware or VirtualBox image with Kali Linux or another Linux with wash and reaver installed
I set up Wi-Fi protection with WPA2-PSK and a very secure password 😉 The SSID of my network will be Swiss_Emmentaler and, as you can see, WPS is activated. Let's start!
The first step is to map the WLAN card into the virtual machine. Let's check that with the command iwconfig. As we can see, it's mounted as wlan0.
The next step is to put the WLAN interface into monitor mode. Putting a wireless interface into monitor mode allows us to monitor all traffic received by the wireless adapter.
We can see that the monitor interface can conflict with three system processes. I'll kill them and check if the mon0 interface is up.
The next step is to do a scan with the tool wash (already installed in Kali). I've scanned only channel 6 and, as we can see, my Swiss_Emmentaler AP was successfully detected. We need the MAC address of the router that we want to attack.
With the tool reaver we have a lot of advanced options that we can use for the attack.
-i means the interface mon0
-b means the target MAC address
-D improves the cracking speed
-vv displays non-critical warnings
Run the command reaver in your shell for detailed information about all the commands.
In my lab the brute-force speed varies from 3 to 6 seconds/pin. If everything works fine, I should get the WPA2-PSK key in between 8 and 16 hours.
If we stop the cracking process, the session gets stored automatically so that we can continue later.
In my test it took 34057 seconds to crack the pin. 34057/3600 = 9.46h
Recommendation: Turn off WPS
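To confirm that turning WPS off really took effect, repeat the wash scan afterwards and check that the AP is no longer listed, since wash only shows access points that advertise WPS. The Python sketch below is an added example, not part of the original post; it assumes the column layout printed by wash from reaver 1.4, and the scan text and BSSIDs are constructed sample values.

```python
import re

# Constructed wash output (reaver 1.4 column layout assumed), captured
# before and after disabling WPS. BSSIDs are made-up sample values.
SCAN_BEFORE = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
02:00:00:AA:BB:01       6            -41        1.0               No                Swiss_Emmentaler
02:00:00:AA:BB:02       6            -67        1.0               Yes               Neighbour_AP
"""
SCAN_AFTER = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
02:00:00:AA:BB:02       6            -67        1.0               Yes               Neighbour_AP
"""

ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*)$"
)

def parse_wash(text):
    """Return one dict per AP row; header and ruler lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ap = m.groupdict()
            ap["locked"] = ap["locked"] == "Yes"
            aps.append(ap)
    return aps

def wps_state(text, essid):
    """Classify a network by what the scan shows:
    'not advertised' - no WPS seen (WPS is off, or the AP is out of range)
    'locked'         - WPS on, AP currently refusing PIN attempts
    'exposed'        - WPS on and accepting PIN attempts
    """
    rows = [ap for ap in parse_wash(text) if ap["essid"].strip() == essid]
    if not rows:
        return "not advertised"
    return "exposed" if any(not ap["locked"] for ap in rows) else "locked"

if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, "->", wps_state(scan, "Swiss_Emmentaler"))
```

A "locked" result is only a temporary state of the AP, so the target state for your own router is "not advertised".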
Happy Hacking 🙂