Cracking “WPS ON” router’s password using brute-force

WPS:A Major Blunder

You might be having a pretty strong password, but having that WPS button on can help anyone gain access to your network in a couple of minutes.

WPS – WI-FI protected system is a network security standard that helps make the connection between a router and a device easier and faster.
This is a convenient feature that allows the user to configure a client device against a wireless network by simultaneously pressing a button on both the access point and the client device at the same time. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

WPS PIN: The router has an eight-digit PIN that you need to enter on your devices to connect. Rather than check the entire eight-digit PIN at once, the router checks the first four digits separately from the last four digits. This makes WPS PINs very easy to brute force by guessing different combinations. There are only 11,000 possible four-digit codes, and once the brute force software gets the first four digits right, the attacker can move on to the rest of the digits. Many consumer routers don’t time out after a wrong WPS PIN is provided i.e they don’t have WPS lock enabled, allowing attackers to guess over and over again. A WPS PIN can be brute-forced in about a day or less.

RECONNAISSANCE: Finding WPS enabled routers in our proximity

To scan wifi routers in our proximity we must get our wifi adapter into monitoring mode and gather the target’s essid(network name) ,bssid(mac-address) and the channel on which the router is communicating

Using airmon-ng toolkit-

Airmon-ng toolkit is a great tool when it comes to information gathering. Once our wifi adapter is in monitor mode, to find WPS enabled WIFI in our proximity Type the following command-
airodump-ng wlan0mon(our interface name) —wps 
this will give us the following information-

where bssid is the mac address of the routers in our proximity and the ones which show WPS 1.0 or 2.0 (i.e the WPS version they are operating in) are the probable targets. Note down the BSSID and the channel number of the target! Press control + C to exit Airodump and return to your command line.

Using wash

Wash is a simple tool that gives us information about the routers using WPS in our proximity. Wash gives you an overview of wireless networks in range and tells you if WPS LOCK is enabled or not.

Note down the BSSID and the channel number of the target!
Press control + C to exit Wash and return to your command line.

Brute-Force Using REAVER

Reaver is a tool for brute-forcing WPS pin, that comes pre-installed in the Kali Linux toolkit.U can also download reaver from the following link https://pkgs.org/download/reaver

Reaver implements a brute force attack against WiFi Protected Setup which can crack the WPS pin of an access point in a matter of hours and subsequently recover the WPA/WPA2 passphrase.
Specifically, Reaver targets the registrar functionality of WPS, which is flawed in that it only takes 11,000 attempts to guess the correct WPS pin in order to become a WPS registrar. Once registered as a registrar with the access point, the access point will give you the WPA passphrase.

For rever to work, it requires the following necessary arguments-
-i: name of the network interface to be used
-b: the bssid of the target(mac address)
-c: the channel in which our target is communicating (optional)
-v: verbose (more v after the hyphen implies more verbosity)
Example :
reaver -i wlan0mon -b 00:90:4C:C1:AC:21 –vv

it will try all possible pin combinations to verify agains the wps pin and once the pin is found , it will show the wpa password associated with it.

reaver comes equipped with many more advanced options to be used, refer to the reaver help page for them. Run the following command to get to the help page
reaver –help


Protecting yourself :

Prevention is better than cure :
Restrict the use of WPS in your networks

If you still want to use WPS for the ease of it
-make sure to configure it properly
-turn WPS lock on
-disallow repeated attempts on WPS pin


NOTE: android apps which claim to hack wifi passwords make use of this vulnerability to get you access to the target network

Author: Mayank Joshi

Leave a Reply

Your email address will not be published. Required fields are marked *