Advanced WiFi Password Hack Techniques – WPS Attack

If a dictionary attack against WPA/WPA2 fails, we can fall back to a different WiFi password hack. If the target's wireless router or access point has WiFi Protected Setup (WPS) enabled, we can recover the wireless password without ever attacking the WPA/WPA2 handshake or passphrase. We attack the WPS PIN exchange instead.

Sounds complicated? It's really not. WiFi Protected Setup (WPS) is a feature meant to make joining a secured home wireless network easy. WPS-capable access points ship with an 8-digit PIN, usually printed on a sticker on the device. With the PIN method, a user can connect a device to a WPS-capable access point without typing the long passphrase associated with WPA/WPA2: the device proves knowledge of the 8-digit PIN, and the access point hands over the WPA/WPA2 key in return. That PIN exchange is what we attack.

8 digits gives 100,000,000 possible PINs, but luckily (for us) the WPS PIN protocol has design flaws that cut the work to at most 11,000 guesses: the access point validates the PIN in two halves, telling us whether the first 4 digits are correct before it looks at the rest (10,000 possibilities), and the 8th digit is a checksum of the first 7, so the second half has only 1,000 possibilities. On average we hit the right PIN about halfway through, so count on roughly 5,500 PIN guesses before we have the WPA/WPA2 password.
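To make that arithmetic concrete, here is an added Python example (not part of the original article, and not Reaver's own code) that implements the WPS PIN checksum and simulates the split verification against a stand-in access point object. The SimulatedWpsAp class, its PIN and its PSK are constructed test values; no real WiFi traffic is involved.

```python
"""Simulate the WPS PIN search-space reduction that Reaver exploits.

Constructed example: the 'access point' below is a plain Python object that
mirrors two facts about the real WPS PIN exchange:
  * the AP answers M4 with a NACK when the first four PIN digits are wrong,
    and answers M6 with a NACK when the last four are wrong, so each half
    is confirmed separately;
  * the 8th PIN digit is a checksum over the first seven.
No Wi-Fi traffic is involved; PIN and PSK values are made-up test data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (WPS spec algorithm).

    Digits are weighted 3,1,3,1,... from the right; the check digit makes
    the weighted sum a multiple of 10.
    """
    accum = 0
    rest = first_seven
    while rest:
        accum += 3 * (rest % 10)
        rest //= 10
        accum += rest % 10
        rest //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


@dataclass
class SimulatedWpsAp:
    """Stand-in for the AP side of the PIN exchange (constructed, hypothetical)."""
    pin: str            # the AP's secret 8-digit PIN
    psk: str            # passphrase handed over once the PIN is proven
    m4_checks: int = 0  # how many first-half guesses the AP evaluated
    m6_checks: int = 0  # how many second-half guesses the AP evaluated

    def first_half_ok(self, half: str) -> bool:
        """Models the AP's reply to M4: ACK if digits 1-4 match, else NACK."""
        self.m4_checks += 1
        return half == self.pin[:4]

    def second_half_ok(self, half: str) -> bool:
        """Models the AP's reply to M6: ACK if digits 5-8 match, else NACK."""
        self.m6_checks += 1
        return half == self.pin[4:]


def brute_force_pin(ap: SimulatedWpsAp) -> Tuple[Optional[str], Optional[str], int]:
    """Recover the PIN the way Reaver does; returns (pin, psk, total guesses).

    Phase 1 walks the 10,000 first halves until the AP ACKs M4. Phase 2 then
    walks only the 1,000 three-digit stems, deriving the checksum digit for
    each, until the AP ACKs M6.
    """
    guesses = 0
    first: Optional[str] = None
    for i in range(10_000):
        guesses += 1
        candidate = f"{i:04d}"
        if ap.first_half_ok(candidate):
            first = candidate
            break
    if first is None:
        return None, None, guesses

    for j in range(1_000):
        guesses += 1
        stem = f"{j:03d}"
        second = stem + str(wps_checksum(int(first + stem)))
        if ap.second_half_ok(second):
            return first + second, ap.psk, guesses
    return None, None, guesses  # AP PIN does not carry a valid checksum


FULL_KEYSPACE = 10 ** 8            # naive 8-digit search
REDUCED_KEYSPACE = 10_000 + 1_000  # worst case with the split + checksum


if __name__ == "__main__":
    ap = SimulatedWpsAp(pin="12345670", psk="correct horse battery staple")
    pin, psk, guesses = brute_force_pin(ap)
    print(f"PIN {pin} -> PSK {psk!r} after {guesses} guesses "
          f"(naive worst case {FULL_KEYSPACE}, reduced worst case {REDUCED_KEYSPACE})")
```

The 1,000-guess second phase assumes the access point's PIN carries a valid checksum digit. If a vendor shipped a PIN that does not, the search above reports no match after its 1,000 second-half guesses, and the last digit has to be brute-forced as well (10,000 second halves instead of 1,000).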

To get started on this advanced WiFi password hack, make sure you have the right tools:

  • Back Track or Kali Linux Live CD
  • A wireless Network Card Capable of Packet Injection like the ALFA AWUS036H High Power Wireless adapter.

First update Back Track or Kali Linux by running the commands below (make sure you are running them as the root user). Open a terminal window and update the distribution before proceeding:

apt-get update

When that finishes, also be sure to run:

apt-get upgrade

This walkthrough assumes you have already put the wireless adapter into monitor mode with airmon-ng, which gives you a virtual monitor interface (mon0 here; yours may be named differently) that we will sniff and inject with, and that you have spoofed the MAC address on both the physical adapter and the monitor interface. Once that is done, we are ready to scan the surrounding air and pick out the target wireless network for our WiFi password hack.

Then run the following command:

airodump-ng mon0

It will start picking up a ton of WiFi access points in the area, and your screen will fill up similar to the image below. I have, however, blocked out the BSSID and ESSID fields. You will want to pay careful attention to the BSSID, ENC, and ESSID fields.

The BSSID field displays the target access point's own MAC address (which you will use soon).

The ENC field shows the access point's encryption method. For the WPS-based WiFi password hack to succeed, the ENC field must show WPA or WPA2. This attack does not work against WEP networks, since WPS only provisions WPA/WPA2 keys, and the ENC field alone does not tell you whether WPS is enabled.

The ESSID field shows the access point’s name.

Pick out your target's access point. The easiest way is to identify it by its ESSID. Once you find your target, press Ctrl+C to stop listening on the interface. For reference, my target is outlined in purple below.

We are now ready to launch our attack against WPS. This is an online attack, so Back Track or Kali Linux has to stay within range of the access point and keep talking to it for the entire engagement. Keep another thing in mind: this particular WiFi password hack may or may not work, because as described so far it is a blind attack. Not all access points have WPS enabled, and savvy administrators know to turn it off entirely. airodump-ng alone cannot tell us whether the target uses WPS, but the odds are in our favor. If you want to check before committing to a long run, Reaver ships with a companion tool, wash, which runs against the same monitor interface and lists the access points advertising WPS in their beacons, along with whether they report WPS as locked.

We will use an off-the-shelf WPS PIN brute-forcer called Reaver to do most of the work. Reaver guesses the PIN, and once the PIN is proven the access point hands over the WPA/WPA2 passphrase itself. Open another terminal window in your Back Track or Kali Linux live CD and run the command:

reaver -i mon0 -b <target BSSID> -vv

-i specifies the monitor interface we run Reaver on. In my case it is mon0 (again, yours may be different). Note that the interface name ends in the digit zero, not the letter O.

-b specifies the target's BSSID, which is the access point's MAC address as shown by airodump-ng. Copy it from the airodump-ng output and enter it here.

-vv turns on verbose output so you can watch each PIN attempt and any warnings Reaver prints.

Hit Enter, and you’ll get some output similar to the image below.

Reaver may scan channels, but it should eventually associate with your target's BSSID and then start the cracking process, cycling through at most 11,000 candidate PINs (10,000 for the first half, then 1,000 for the second half).

Eventually, Reaver will crack the WPA password! I've highlighted it in purple. And even though all this is marked out, it is VERY exciting when you get to this point! Reaver prints both the WPS PIN and the target access point's WPA PSK, also known as the wireless password. The PSK is the key you type in to connect to the WiFi network. The PIN is worth keeping as well: as long as WPS stays enabled and the PIN is unchanged, the same PIN will hand over the new passphrase even after the owner changes it. Congratulations, you've just performed a pretty gutsy WiFi password hack.

The most important thing to take away from this exercise is to NOT USE WPS. If your wireless router or access point has WPS enabled, it is vulnerable to this form of WiFi password hack no matter how strong the WPA/WPA2 passphrase is. How can you protect yourself? Check your wireless access point or wireless router. Look at the back, the bottom, and the sides for a sticker. If you see a WPS PIN listed anywhere on the device, it supports WPS, and it is very likely enabled by default. Disable WPS in the device's administration interface if it offers the option, then verify from the outside (the wash tool that ships with Reaver works for this) that the access point no longer advertises WPS, since some firmware has been known to keep WPS active even after it is switched off in the interface. Contact the manufacturer and ask about this; manufacturers usually release updated firmware that disables WPS or closes the PIN brute-force hole. If they have not, raise hell. At the end of the day, though, you're probably better off moving to a wireless AP that does not use WPS at all. You'll sleep better at night.

Troubleshooting:

Reaver may time out. It may lose association with the target access point from time to time. In most cases, it’s best to Google the exact error you receive and you will find lots of suggestions. Reaver has a large, active user base and there are plenty of people out there to help.

Also, after 10 bad PINs in a row, expect a warning message from Reaver. This may be a sign that the AP is rate limiting the connection (rather than temporarily locking WPS) or is simply overwhelmed and cannot keep up with the influx of PIN guesses. You can tell Reaver to sleep for a specified period of time after such a run of failures by appending this option to your Reaver command:

--fail-wait=300

Some access points will temporarily lock their WPS state if they detect anything suspicious, like a sudden influx of WPS PIN attempts. --fail-wait=300 tells Reaver to stop testing PINs after 10 consecutive failures and check back after 300 seconds. You can play with the value to see what works best on an engagement; this may help in situations where you keep losing connection to the access point. The related --lock-delay=<seconds> option sets how long Reaver waits when the access point reports its WPS state as locked (Reaver 1.4 defaults to 60 seconds).

Good luck on your WiFi password hacks!