Disclaimer: This is for educational and personal use only. This was originally done as an assignment for SEC701 – Ethical Hacking. I do not condone potential illegal uses of this information. However, it is perfectly legal to “hack” your own equipment or equipment you’re authorized to administer. If you use this for malicious purposes, it is not my fault.
Background
WPS (Wi-Fi Protected Setup) is a standard that lets users join WPA/WPA2 networks more easily by entering an 8-digit PIN. This actually weakens the security of WPA/WPA2, because the PIN can be brute forced, and once it is compromised the attacker can have the router/access point hand over its own passphrase or PSK (pre-shared key).
Reaver implements a brute force attack against WPS registrar PINs in order to recover WPA/WPA2 passphrases, as described in this paper. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
The tools used in this attack are as follows, all included in Kali Linux:
- macchanger (for MAC spoofing, not directly connected to the attack)
- airmon-ng
- wash
- reaver
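Why the PIN falls to brute force in hours rather than years: as an added example (not code from the original write-up), this Python script computes the WPS PIN checksum digit and the size of the PIN search space. It assumes two facts from the WPS specification: the 8th digit is a checksum over the first seven, and the registrar confirms the first four digits separately from the last four. The attempt rate passed to hours_to_exhaust is a placeholder, not a measured value.

```python
# Added example, not part of the original write-up.
# Assumed from the WPS specification: digit 8 is a checksum of digits 1-7,
# and the registrar verifies the two halves of the PIN separately.

def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (digits 1,3,5,7 weighted 3)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # digits 7, 5, 3, 1 carry weight 3
        pin //= 10
        accum += pin % 10         # digits 6, 4, 2 carry weight 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is exactly 8 ASCII digits with a correct checksum digit."""
    if len(pin) != 8 or not all(c in "0123456789" for c in pin):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def pin_search_space(split_halves: bool) -> int:
    """Worst-case number of PIN attempts.

    split_halves=False: the whole 7-digit body must be guessed at once (10**7).
    split_halves=True:  the registrar reveals whether the first half was right,
                        so it is 10**4 tries for the first half plus 10**3 for
                        the second (three free digits; the fourth is the checksum).
    """
    return 10 ** 4 + 10 ** 3 if split_halves else 10 ** 7


def hours_to_exhaust(seconds_per_attempt: float, split_halves: bool = True) -> float:
    """Worst-case hours to walk the whole search space at a given attempt rate."""
    return pin_search_space(split_halves) * seconds_per_attempt / 3600


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))                      # illustrative PIN: True
    print(pin_search_space(False), pin_search_space(True))   # 10000000 11000
    # Placeholder rate of 2 s per attempt: the split search takes ~6 h in the
    # worst case, the unsplit one would take years. Disabling WPS is the fix.
    print(round(hours_to_exhaust(2.0), 1), round(hours_to_exhaust(2.0, False)))
```

The split-halves figure is why a fixed, unchangeable PIN is such a liability: the 11,000 candidates can be retried after every passphrase change.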
The video used as a basis for this attack (and shown for demonstration in class) can be found here:
Part 1 – MAC Spoofing
While not essential to the hack, in order to simulate doing this for real we’re going to spoof our MAC address to limit the potential for getting caught. This takes only a few steps. For demonstration purposes, first show the current MAC address:
The first thing we do is bring the interface down and stop NetworkManager by issuing the following commands:
Now we generate a random MAC address using macchanger. There are a couple of options here: -r generates a fully random MAC, while -a generates a random MAC with the same manufacturer prefix (if macchanger can determine the manufacturer). In my case it couldn’t, so the output is the same as using -r.
Finally bring the interface up, and note the MAC has changed (the previous step actually shows you the original MAC and the new MAC).
Part 2 – Hacking WPS
Hacking WPS was actually less work than hacking WEP, though it took a lot longer. The first thing we need to do is run airmon-ng without options to confirm that our wireless interface is detected properly.
Next, issue the command again with the interface name included to start monitor mode.
Issue the wash command to scan for WPS-enabled access points in the area.
The output should look something like the following.
Now we run reaver with the MAC address (BSSID) of the access point as an argument, taken from the wash output in the previous step. This step can take anywhere from 4 to 20+ hours. In my case it took about 6 hours to successfully crack the WPS PIN.
Once you have the PIN, run reaver again with the PIN as an argument and it will return the PSK fairly quickly.
This resulted in the following output.
Conclusions
The attack method used to compromise WPA/WPA2 by way of hacking WPS was in my opinion much easier than the one used to hack WEP in a previous demonstration this semester. While WEP took about 30 minutes to crack, hacking WPS took approximately 6 hours. After some very brief research online I discovered that this process can take anywhere from 4 to 30 hours. You would think the length of time required to perform the hack would be somewhat of a deterrent; however, once WPS has been compromised it opens up a permanent vulnerability (unless one disables WPS), as the same PIN can be used to repeat the process after the administrator of the access point changes the pre-shared key. To further complicate matters, the WPS PIN is hard coded for each router and cannot be changed.
This leads to another problem: some access points don’t actually disable WPS even when you’ve disabled it in the device’s settings. This has been patched by many of the leading manufacturers, but it is up to the administrator responsible for the access point to check whether this is in fact an issue for their particular hardware.