Wi-Fi Protected Setup (WPS) is a protocol created by the Wi-Fi Alliance, and its goal is to provide an easy way to connect devices to your Wi-Fi network. You can connect a device to your access point with WPS by pressing a button on the access point and on the wireless device, or you can use an 8-digit PIN code to connect to the access point. The PIN code is usually printed on a sticker on the bottom of your access point.
The idea behind WPS was that users would not need to remember long passwords, and the people who set up the access point would not feel the need to choose a shorter password that is easier to remember. However, WPS has a severe fault. The 8-digit PIN consists of the digits 0-9, which gives 100,000,000 possible combinations. The last digit, however, is a checksum of the previous digits and can be predicted, which leaves 10,000,000 possible combinations. On top of that, the first 4 digits and the following 3 digits are checked separately, which leaves 11,000 options. When actually attempting PIN by PIN, on average only around 5,500 attempts are needed. This is what makes WPS cracking a viable option.
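As an added illustration (not part of the original write-up), the following Python computes the WPS PIN check digit described above and shows why the search space collapses to 11,000 candidates; the 12345670 sample PIN used in the comments is a constructed test value.

```python
# Added example: the WPS PIN check digit and the resulting search space.
# Odd positions (1st, 3rd, 5th, 7th) are weighted 3, even positions 1, and
# the 8th digit brings the weighted sum up to a multiple of 10.

def wps_pin_checksum(first_seven: str) -> int:
    """Return the check digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for index, ch in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1
        accum += weight * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(pin[:7]) == int(pin[7])


def valid_pins_with_first_half(first_half: str) -> list:
    """All valid 8-digit PINs sharing a given first half.

    Because the registrar confirms the two halves separately, only the
    three free digits of the second half remain once the first half is
    known, so this list always has exactly 1,000 entries.
    """
    if len(first_half) != 4 or not first_half.isdigit():
        raise ValueError("first half must be four decimal digits")
    pins = []
    for n in range(1000):
        seven = first_half + f"{n:03d}"
        pins.append(seven + str(wps_pin_checksum(seven)))
    return pins


def wps_search_space() -> dict:
    """Candidate counts for the three views of the PIN space in the text."""
    split = 10 ** 4 + 10 ** 3          # first half, then second half
    return {
        "all_eight_digits": 10 ** 8,   # naive view
        "checksum_known": 10 ** 7,     # last digit is derived
        "halves_split": split,         # 11,000 worst case
        "halves_average": split // 2,  # ~5,500 on average
    }
```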
We start by enabling WPS on our access point. Our TP-Link had it off by default, which is a good setting to keep if you don't want unwanted guests logged into your access point.
When WPS is set to Enabled, we start looking for access points that have WPS enabled with a tool called Wash. First update your software to make sure you have the latest versions:
sudo apt-get update
Then put your wireless adapter into monitor mode with:
airmon-ng start wlan1
After that we run wash on the monitor interface with the command:
wash -i wlan1mon
Wash shows all the nearby devices that have WPS; it also shows which version of WPS they are running and whether WPS is locked or unlocked. After a short wash scan we found 12 access points in our proximity, including ours, that had WPS enabled, and only one of them had WPS locked. We scanned with airodump-ng and found a total of 17 Wi-Fi networks excluding ours, and 11 of those 17 had WPS enabled for some reason. We did not try to crack any Wi-Fi network other than ours, but in theory many of the public networks are open to WPS attacks.
Then it is time to use a tool called Reaver. Reaver brute-forces WPS: it tries to guess the PIN, which we can later use to recover the WPA/WPA2 passphrase. Start Reaver with the command below. -i is the interface, -b is the BSSID of the target AP, -S uses small DH keys to improve cracking speed, -c is the channel the AP is on, and finally -vv displays all non-critical warnings.
reaver -i wlan1mon -b D4:6E:0E:FC:AB:E4 -S -c 10 -vv
Brute-forcing the PIN might take from a couple of hours to days, but when Reaver has finished it will display the PIN, which we use later to get the password. Many access points lock you out after a couple of Reaver attempts, so we need to make some small adjustments. Close Reaver and save the session.
Now we want to start aireplay-ng in a different terminal. We choose -1, which is fake authentication; 120 is the reassociation timing in seconds, and -q1 sends keep-alive packets every second.
aireplay-ng wlan1mon -1 120 -a D4:6E:0E:FC:AB:E4 -e yaparperi -q1
When aireplay-ng and Reaver are running, aireplay-ng should look something like this.
While aireplay-ng is up and running, start Reaver in a different terminal. This time we add some parameters to ensure Reaver works properly. -L ignores the locked state reported by the target access point, -N means do not send NACK messages when out-of-order packets are received, -d is the delay in seconds between attempts, and -A means that Reaver does not associate with the access point itself, so the association must be done by another application, in our case the aireplay-ng running in the other terminal. Finally, -r is the recurring delay, which means that after 3 PIN attempts Reaver will pause for 5 seconds.
reaver -i wlan1mon -c 2 -b D4:6E:0E:FC:AB:E4 -vv -S -L -N -d 1 -A -r 5:3
This way we can keep brute-forcing PIN codes until Reaver finds the correct one. Keep in mind that many access points will lock you out after a couple of attempts. You might need to adjust the delay and recurring delay so that there is more time between attempts. If you do get locked out by the target access point, you can wait for the lock to expire and try again later, or, in our case, since we own the AP, we can just reboot it. It is also possible to spoof your Wi-Fi adapter's MAC address with the macchanger command and try again. Start by shutting down wlan1mon, then use macchanger to give it a random MAC address, and bring the interface back up:
ifconfig wlan1mon down
macchanger -r wlan1mon
ifconfig wlan1mon up
Another trick is to use a tool called mdk3, which exploits weaknesses in the 802.11 protocol. Some of its attacks can cause the router to reset, which also resets the WPS lock on some routers. We chose the a option, which stands for authentication DoS mode.
Keep mdk3 running for a while, then try Reaver again and choose the option to continue where Reaver last stopped.
In case Reaver is not working, we have found that downgrading to an earlier version of the libpcap development libraries on Ubuntu works better with Reaver. You can download them from here:
Download libpcap0.8_1.4.0-2_amd64.deb if you are running a 64-bit system, otherwise choose the _i386.deb. Change to the directory containing the file and install it with dpkg. After it has finished, start Reaver plus aireplay-ng and try again.
In case Reaver still can't find the PIN, we can try Reaver with the -K argument, which stands for the Pixie Dust attack. Start Reaver and add the -K argument. Pixie Dust is an offline attack; when run, it attacks detected Ralink, Broadcom and Realtek chipsets. If you attack a Realtek chipset, don't use small DH keys (-S).
reaver -i wlan1mon -c 2 -b D4:6E:0E:FC:AB:E4 -vv -K
The WPS Pixie Dust attack needs these components to figure out the PIN:
E-Hash1 is a hash from which we brute-force the first half of the PIN.
E-Hash2 is a hash from which we brute-force the second half of the PIN.
HMAC is the function that hashes all the data. The function is HMAC-SHA-256.
PSK1 is the first half of the router's PIN (10,000 possibilities).
PSK2 is the second half of the router's PIN (1,000 or 10,000 possibilities).
PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays).
PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays).
More about WPS Pixie Dust and how it works here:
Now that we have the WPS PIN, we can use it with Reaver or with a tool called Bully. In our case Reaver did not find the WPA2 password with the WPS PIN, so we decided to use Bully instead. Start Bully with the -p argument, which is the PIN, and if Bully does not want to start and the program suggests adding the --force argument, do that.
And there we go: Bully found the password, shown in the KEY field, using the WPS PIN that Reaver obtained with the Pixie Dust attack.