WPS – (In)Security P2

In this article I’ll show you how to perform a WPS attack step by step.

LAB Setup:

  • 1x Alfa AWUS 036H Wlan Adapter (or similar with monitor mode support)
  • 1x Zyxel Router NBG-460N or similar device
  • 1x virtual machine with Kali Linux installed

I set up the Wi-Fi with WPA2-PSK protection and a very secure password.

The SSID of my network is Swiss_Emmentaler and, as you can see, WPS is activated. Let’s start!

Check that the Alfa AWUS 036H adapter is successfully passed through to the virtual machine. In my case it shows up as wlan0.

The next step is to put the WLAN interface into monitor mode. Monitor mode lets us capture all traffic the wireless adapter receives, not only frames addressed to us.

We can see that the monitor interface can conflict with three system processes. I’ll kill them and check that the mon0 interface is up.

The next step is a scan with the tool wash (already installed in Kali). I scanned only channel 6 and, as we can see, my Swiss_Emmentaler AP was detected successfully. We need the MAC address of the router we want to attack.

wash -i mon0 -c 6

The tool reaver offers a lot of advanced options that we can use for the attack.

– -i sets the interface (mon0)
– -b sets the target MAC address
– -D improves the cracking speed
– -vv displays non-critical warnings
Run reaver without arguments in your shell for detailed information about all options.

In my lab the brute-force speed ranged from 3 to 6 seconds per PIN. If everything works fine, I should get the WPA2-PSK key within 8 to 16 hours.

If we stop the cracking process, the session is stored automatically so that we can continue later.

In my test it took 34057 seconds to crack the PIN: 34057 / 3600 = 9.46 h.
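The hours above follow from how small the WPS PIN space really is. The following Python is an added example, not code from the original post or from reaver: it implements the WPS PIN checksum from the WPS specification, counts the guesses an online brute force needs at most (the registrar confirms the first four digits separately from the last three, and the eighth digit is a checksum, so 10^4 + 10^3 instead of 10^8), and converts that into a worst-case time at the 3 to 6 seconds per PIN measured in this lab. The rate values are the ones from this article; the function names are my own.

```python
# Added example (not from the original post): why an 8-digit WPS PIN offers
# far less than 10^8 possibilities, and what that means for crack time.
# The checksum algorithm is the one from the WPS specification.

def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN.

    Digits are weighted 3,1,3,1,... from the right; the checksum makes the
    weighted sum a multiple of 10.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def wps_search_space() -> int:
    """Maximum online guesses: 4 free digits for the first half, then
    3 free digits for the second half (the 8th digit is the checksum)."""
    return 10**4 + 10**3


def worst_case_hours(seconds_per_pin: float) -> float:
    """Upper bound on brute-force time at a given per-PIN rate."""
    return wps_search_space() * seconds_per_pin / 3600


if __name__ == "__main__":
    # 12345670 is a well-known default PIN; its checksum digit is 0.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("search space:", wps_search_space())
    # Rates of 3 and 6 s/PIN are the ones measured in this lab.
    for rate in (3, 6):
        print(f"worst case at {rate} s/PIN: {worst_case_hours(rate):.1f} h")
```

At 3 s/PIN the worst case is about 9.2 h, which matches the 9.46 h measured here; at 6 s/PIN it is about 18.3 h. Compared with the 10^8 guesses a full 8-digit PIN would need, this is why WPS with PIN enabled is a risk regardless of how strong the WPA2 passphrase is.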

Strongly recommended: disable WPS on your router 🙂
