Before proceeding I need to make this very clear:
DO NOT USE THE BELOW INFORMATION TO ATTACK, MONITOR OR BREAK INTO ANY COMPUTER / NETWORK / DEVICE THAT DOES NOT BELONG TO YOU. I TAKE NO RESPONSIBILITY FOR YOUR ACTIONS.
Sorry, I know that may seem very heavy-handed, but the majority of countries have laws covering computer misuse and I do not want to see anyone get in trouble / break the law. Now that that is out of the way…
Back in March 2017 I saved up some money and used it to have the great pleasure of attending a hacking workshop / training course where I got to expand on my security / Linux knowledge whilst being taught by the excellent Hacker House (Twitter: @myhackerhouse ).
During the workshop Hacker House gave us virtual machines to run and attack via Kali Linux, which I found to be fun and eye opening. Since then I’ve played with the virtual machines and wanted to expand on that knowledge. So with some free time over this festive break I’m getting out some of my older computer equipment and building some labs that I can hack, break and play with as much as I want without the risk of breaking my regular home network or breaking any laws (harking back to my opening paragraph).
My current set-up is a Netgear router that is broadcasting a wireless SSID of “geektechstuff.com” and has WPS enabled. I’m going to look into connecting to the wireless network without knowing the WPS PIN. For this I am using:
- Raspberry Pi 3 – available from https://www.raspberrypi.org/ . Kali Linux images are available for the majority of the Pi models, but the Pi 3 is currently the most powerful of them. A computer with more RAM / a better processor could be used for faster results (i.e. when running dictionary attacks), but I don’t currently have one spare.
- Kali Linux – a Linux operating system full of security tools. It’s available at https://www.kali.org/ but for the Raspberry Pi (which runs on an ARM processor) it can be downloaded from https://www.offensive-security.com/kali-linux-arm-images/
- A Wi-Fi card/dongle that can be put into monitor mode – I use this one from Amazon: https://www.amazon.co.uk/dp/B00JZFT3VS/ref=cm_sw_em_r_mt_dp_U_INMkCbNNY12TW which I originally purchased to give my Raspberry Pi 2 Wi-Fi capabilities.
The Raspberry Pi does not currently know the connection details of the wireless network.
With Kali Linux booted up on the Pi run the usual commands to make sure it is up to date:
- apt-get update
- apt-get upgrade
and it is then time to install “reaver”:
- apt-get install reaver
With Reaver installed we’ll need to search for our wireless network’s details, which requires our network card/dongle to be in monitor mode. To place the card/dongle into monitor mode type:
- airmon-ng start interface
Replacing interface with the name of your wireless interface, e.g. wlan0 or wlan1. (Newer versions of airmon-ng create a separate monitor-mode interface, typically named wlan0mon; if that happens, use that name in the commands below.) With the card/dongle set up we can then scan for our wireless network by typing:
- wash -i interface
Again replacing interface with the name of the wireless interface, e.g. wlan0 or wlan1. A list of wireless networks that support WPS should now be displayed. At this stage be very careful to only attack your network and not someone else’s! Note down the MAC address (BSSID) of your network and the channel it is broadcasting on. Then to activate Reaver type:
- reaver -i interface -b <MAC address> -c <channel> -vv
So for me this was:
- reaver -i wlan0 -b 84:1B:5E:B1:7A:8B -c 1 -vv
Reaver will then kick in and start trying to connect to the wireless network using WPS.
So what is WPS? Well, WPS is Wi-Fi Protected Set-Up. It uses an 8-digit numerical PIN and allows for “easier” set-up of wireless networks. However, around 2011 it transpired that WPS can be broken using a brute force attack, which is what Reaver does. Reaver attempts to connect to the wireless network over and over, each time attempting a different PIN. Once it has found the PIN, I can successfully connect to the wireless network without originally knowing the PIN and without needing the key/passcode that would be required to connect via WPA2.
More information can be found on WPS at Wikipedia – https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
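As an added illustration (not part of the original post) of why that 2011 finding makes a brute force practical: the last PIN digit is a checksum of the other seven, and the WPS registration protocol reveals after message M4 whether the first half of the PIN was right and after M6 whether the second half was, so each half can be confirmed on its own. The checksum rule is the one from the Wi-Fi Simple Configuration specification; the sample PINs are constructed.

```python
# Added example (not from the original post): WPS PIN structure and the
# resulting brute-force search space. The checksum rule follows the Wi-Fi
# Simple Configuration specification; the sample PINs below are constructed.

def wps_pin_checksum(first_seven: int) -> int:
    """Return the check digit that turns a 7-digit prefix into a valid 8-digit WPS PIN."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)   # digits in odd positions (from the right) weigh 3
        n //= 10
        acc += n % 10         # digits in even positions weigh 1
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is exactly 8 digits and its last digit matches the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def wps_search_space() -> dict:
    """Worst-case number of PIN guesses under each assumption.

    Because the access point confirms the first four digits (after M4)
    before the last four (after M6), the halves are attacked separately:
    10^4 guesses for the first half, then only 10^3 for the second half,
    whose final digit is fixed by the checksum. Disabling WPS, or a router
    that locks WPS after a few failed PIN attempts, removes this exposure.
    """
    return {
        "naive_8_digits": 10 ** 8,
        "with_checksum": 10 ** 7,
        "halves_confirmed_separately": 10 ** 4 + 10 ** 3,  # 11,000
    }


if __name__ == "__main__":
    for sample in ("12345670", "12345678", "0000000"):
        print(sample, is_valid_wps_pin(sample))
    print(wps_search_space())
```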
If possible I would recommend that WPS is disabled on devices; I’ve got it enabled on my lab device because I wanted to test breaking it.
Edit: I’m currently running Reaver and will post the results/timings when finished.