How to Get WiFi Passwords with WPS Attacks
WPS was introduced in 2006 as a simpler way to connect to WiFi. It stands for WiFi Protected Setup though it is far from protected. These days WPS is obsolete but older routers may still have it enabled.
Tools
Reaver — Popular tool used in most WPS Attacks
Pixiewps — Tool to exploit the pixiedust Attack
Equipment
Computer — Should have some form of Linux on it
WiFi Adapter — Should be capable of packet injection
Prerequisites
Make sure both tools are installed either via GitHub or the package manager and that your WiFi adapter is in monitor mode.
Finding Targets
We will start by finding all nearby targets that support WPS. Do keep in mind that although a target may seem to support WPS it may be disabled. Reaver comes with a scanning tool known as wash. To use it type in the terminal
sudo wash -i adapter_name_here
Ex. “sudo wash -i wlan0mon”
and a bunch of stuff pops up.
On the collum labeled ESSID are the names of the WPS capable networks. On the collum labeled BSSID are the mac addresses of the routers. The dBm collum represents the strength of the network. The Lck collum tells you if the router has locked the WPS function (not always accurate). The Ch collum tells you which channel the network is on. Choose your target and copy their BSSID somewhere for later use.
Pixiedust
We will start with the pixiedust attack as it is the fastest. Reaver has a built in pixiedust option which we will be using. Start by typing in the terminal
sudo reaver -i adapter_name_here -b BSSID_of_target_here -K -vvv
Ex. sudo reaver -i wlan0mon -b B8:A3:86:0C:25:64 -K -vvv
and pressing enter. If the attack succeeds then Reaver will try to use the found pin and retrieve the password. If retrieval succeeds then Reaver will show you the password. If the attack fails then Reaver will tell you the target is not vulnerable.
Null Pin
The null pin attack works by sending null to the router instead of a pin code. It is not common but still possible. To perform the attack type out
sudo reaver -i adapter_name_here -b BSSID_of_target_here -p “” -vvv
and Reaver will show the password if it works
Brute Force
You probably already know what this will do. If not then search up what a Brute Force attack is. Type out
sudo reaver -i adapter_name_here -b BSSID_of_target_here -vvv
and reaver will begin trying all possible pins.
Known Pin
If you already know the pin then you can use this attack. Simply type out
sudo reaver -i adapter_name_here -b BSSID_of_target_here -p pin_here -vvv
and Reaver will do the rest.
WPS Lockouts
Some routers will lock WPS functions if too many failed attempts are made. This is why we started with pixiedust as it usually doesn’t trigger a lockout. If a lockout does happen Reaver will detect it and wait for one minute before trying again. A lockout is usually temporary and WPS functions will resume after some time. The time depends on the manufacturer but it is usually 24 hours. This renders the brute force attack useless as it would take too long. There are ways around this such as changing mac addresses or the Revdk3 script which uses mdk3 to force the router to reboot but it still takes longer.
False Positives
Some routers report having WPS but they might not be set up. This can be detected fairly quickly. When running Reaver, if you see
Received deauth request
multiple times without any pins being tested then the router does not have WPS set up. This may also show up during WPS Lockouts too.
Mac Filtering
Not quite related but something I have encountered. If Reaver shows
send_packet called from resend_last_packet() send.c:161
then the router is likely using some form of mac filtering. To bypass this simply find a device on that network and clone their mac address.
Scripts
There are many scripts online that simplify the WPS attack process. The ones I would recommend are Airgeddon and Wifite. Airgeddon is better for targeted attacks and can do more than just WPS attacks. Wifite is better for targeting multiple routers.
Final Note
WPS is a pretty stupid feature that should be disabled no matter what. It completely nullifies the benefits of having a strong password and its security is sometimes worse than the dreaded WEP networks. If your router has it on then go turn it off now and if your workplace has it then notify the IT department about it.
Happy Hacking~!
