LAB Setup:<\/p>\n
- \n
- 1x Alfa AWUS 036H Wlan Adapter (or similar with monitor mode support)<\/li>\n
- 1x Zyxel Router NBG-460N or similar device<\/li>\n
- 1x virtual machine with Kali Linux installed<\/li>\n<\/ul>\n
\n\n
\n ![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wifi_and_dect_adapters.jpg\")
<\/td>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/gigabit-wireless-n-router-300x225.jpg\")
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nI did setup a Wifi Protection with WPA2-PSK and a very secure Password ?<\/p>\n
The SSID of my Network will be Swiss_Emmentaler<\/strong> and as you can see WPS is activated. Let\u2019s start!<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/zyxel_setup_wps.png\")
<\/p>\nCheck if Alfa AWUS 036H Adapter is successfully connected to virtual machine. In my case it’s mounted as wlan0<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack1.png\")
<\/p>\nNext step is to put the WLAN interface into monitor mode. Putting a wireless interface into monitor mode allows us to monitor all traffic received from the wireless adapter.<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack2.png\")
<\/p>\nWe can see that the monitor interface can get a conflict with three system processes. I\u2019ll kill them and check if the mon0 interface is up.<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack3.png\")
<\/p>\nNext step is to do a scan with the tool wash (allready installed in kali). I\u2019ve scanned only for channel 6 and as we can see my Swiss_Emmentaler AP<\/strong> got successful deteced. We need the mac address of the router that we want to attack.<\/p>\n
wash -i mon0 -c 6<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack4.png\")
<\/p>\nWith the tool reaver we have a lot of advanced options that we can use for the attack.<\/p>\n
\u2013 i means the interface mon0
\n\u2013 b means the target Mac Address
\n\u2013 D improvs the cracking speed
\n\u2013 vv dispays non critical warning
\nset the command reaver in your shell for a detailed information about all the commands<\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack5.png\")
<\/p>\nIn my lab the bruteforce speed depends from 3 to 6seconds\/pin. If everything works fine I should get the WPA2-PSK key in between 8 and 16 hours<\/strong>.<\/p>\n
If we stop the cracking process, the session gots automatically stored that we can continue later.<\/p>\n
![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack6.png\")
<\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack7.png\")
<\/p>\n![\"\"](\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/wps_hack8.png\")
<\/p>\nIn my test it took 34057 seconds to crack the pin. 34057\/3600 = 9.46h<\/strong><\/p>\n
Strongly Recomended: Disable WPS on your router \ud83d\ude42<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"