Before we start, this tutorial is for educational purposes only, DO NOT use it to hack real users. The main purpose is ethical and to show you how to protect yourself.
In this post, we're gonna go over an easy way to hack into WiFi networks using WPS vulnerabilities, mainly two of them: PIN brute force and Pixie Dust. Believe it or not, a lot of routers are still unpatched against these attacks.
WPS stands for WiFi Protected Setup and is used to easily connect to WiFi using a button on the router. In many routers, hackers can exploit this feature to brute force the 8-digit PIN and connect using it, or to execute another attack called Pixie Dust, which is an offline version of cracking this PIN. We're gonna go over these two methods.
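To see why an 8-digit PIN is such a weak secret, here is an added Python example (not code from the original post). It goes beyond the text in assuming the WPS 1.0 PIN layout from the Wi-Fi Simple Configuration spec: seven digits plus a checksum digit, with the registrar confirming the first four digits and the remaining three in separate messages. The `seconds_per_attempt` rate in `hours_to_exhaust` is an assumed figure, not a measurement.

```python
# Added example (not from the original post): the arithmetic behind WPS PIN
# brute force. Assumes the WPS 1.0 PIN format: 7 digits plus a checksum digit,
# with the registrar confirming the first half and the second half separately.


def wps_checksum_digit(first_seven: int) -> int:
    """Compute the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,3,1,3 from the left; the checksum makes the
    weighted sum (checksum digit weighted 1) a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("prefix must be 7 digits")
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)  # positions 7, 5, 3, 1 from the left weigh 3
        n //= 10
        accum += n % 10        # positions 6, 4, 2 weigh 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and its checksum digit is correct."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def guess_budget() -> dict:
    """Worst-case number of registrar exchanges under three models of the protocol."""
    naive = 10 ** 8                   # if all 8 digits had to be guessed at once
    checksum_known = 10 ** 7          # the checksum digit is derived, not secret
    split_halves = 10 ** 4 + 10 ** 3  # first 4 digits confirmed, then the next 3
    return {"naive": naive, "checksum_known": checksum_known,
            "split_halves": split_halves}


def hours_to_exhaust(seconds_per_attempt: float = 1.5) -> float:
    """Worst-case wall-clock hours for the split-halves model.

    seconds_per_attempt is an assumed rate for illustration only.
    """
    return guess_budget()["split_halves"] * seconds_per_attempt / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guess budget:", guess_budget())
    print("worst case hours at 1.5 s/attempt:", round(hours_to_exhaust(), 1))
```

The split-halves figure is the whole story: a space that sounds like a hundred million possibilities is really eleven thousand, which is why disabling WPS (or a firmware with a proper lock-out after failed attempts) matters far more than picking a "random" PIN.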
We're gonna use tools mainly on Linux, specifically Kali. However, if you have other distros the tutorial might work for you if you install the required tools. The important thing is you have a Linux OS.
Set Up
First, open a terminal. We need to know the name of the wireless adapter connected to the computer.
Before we start, make sure to update your Linux system by running:
If you didn't know, the 'sudo' command runs what follows it with root privileges, which is what lets you install and update tools; we advise using it carefully outside this tutorial.
Next, we need the Reaver tool, which you can find here or just install it on Kali by running:
We'll also need another tool which is aircrack-ng, but it usually comes with Kali. If you're using something else, try to run the above command with aircrack-ng instead of reaver. If you're not using Linux or you're using another distro, refer to aircrack-ng.
Usually you shouldn't run into errors. However, sometimes it happens and depending on your distro there might be different reasons why it does, so be patient.
Make sure you install these tools successfully to proceed.
Prepare WiFi Adapter
You'll need a WiFi adapter that can be put into a mode called monitor mode, which these attacks require.
Most laptop chipsets can do this, but if you run into problems it may be that your adapter does not support monitor mode.
Let's first check our adapter's name by running:
Your WiFi adapter shows its local IP on the right side if you're connected to some WiFi, just like above. Keep note of its name because we're gonna use it to fire up monitor mode. In my case, my adapter is wlan0.
Before we start monitor mode, keep in mind that once we do, you'll disconnect from any WiFi because in monitor mode your adapter cannot connect to the internet. So either use this tutorial on another PC or just save it somewhere.
Start monitor mode on your adapter by typing:
Your interface name will change to something like adapter-name+'mon', in my case it became wlan0mon.
You can check the name and whether you successfully put it in monitor mode by running these 2 commands (in the second command put your adapter name if it's different):
Scan & Attack
We can start scanning nearby WiFi and look for WPS-enabled networks. Do that by executing (keep in mind instead of wlan0mon, use your adapter name after monitor mode):
As you can see, the wash command allows us to see which networks have WPS enabled, which is what we need.
Take note of the MAC address (BSSID) of the WiFi you're testing this attack against, and that has WPS enabled, then execute the attack:
The -b argument takes the BSSID (MAC address) of the target, and -vv tells the tool to show us in the terminal what's going on during the attack.
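The information wash prints comes from the WPS information element that an access point includes in its beacon frames, so you can audit your own router offline from a capture. The following Python parser is an added example, not code from the original post or from the wash/reaver projects; it decodes the beacon's information-element list, pulls out the WPS attributes (version, setup state, AP-setup-locked flag, manufacturer and model), and gives a plain risk verdict. The beacon bodies at the bottom are constructed sample bytes, not a real capture.

```python
import struct

# Added example (not from the original post): an offline check of what a beacon
# advertises about WPS, the same facts wash reports. Feed it the information-
# element list of your own access point's beacon; the bytes below are constructed.

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # OUI 00:50:F2, vendor type 4 = WPS
IE_SSID, IE_VENDOR = 0x00, 0xDD

# WPS attribute types (Wi-Fi Simple Configuration spec)
ATTR_VERSION, ATTR_STATE, ATTR_AP_LOCKED = 0x104A, 0x1044, 0x1057
ATTR_MANUFACTURER, ATTR_MODEL = 0x1021, 0x1023


def iter_ies(body: bytes):
    """Yield (element id, value) for each information element in a beacon body."""
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        yield eid, value
        i += 2 + elen


def parse_wps_attrs(data: bytes) -> dict:
    """Decode the WPS TLV list: 2-byte type, 2-byte length, value (big-endian)."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[i:i + 4])
        value = data[i + 4:i + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated WPS attribute")
        attrs[atype] = value
        i += 4 + alen
    return attrs


def wps_status(body: bytes) -> dict:
    """Summarise SSID and WPS exposure from the IE list of one beacon."""
    status = {"ssid": None, "wps": False, "version": None,
              "configured": None, "locked": None, "vendor": None}
    for eid, value in iter_ies(body):
        if eid == IE_SSID:
            status["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == IE_VENDOR and value.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(value[len(WPS_OUI_TYPE):])
            status["wps"] = True
            if ATTR_VERSION in attrs:
                v = attrs[ATTR_VERSION][0]          # 0x10 -> "1.0"
                status["version"] = f"{v >> 4}.{v & 0xF}"
            if ATTR_STATE in attrs:
                status["configured"] = attrs[ATTR_STATE][0] == 0x02
            # An absent AP Setup Locked attribute is treated as "not locked".
            status["locked"] = attrs.get(ATTR_AP_LOCKED, b"\x00")[0] == 0x01
            status["vendor"] = " ".join(
                attrs[a].decode("ascii", errors="replace")
                for a in (ATTR_MANUFACTURER, ATTR_MODEL) if a in attrs) or None
    return status


def verdict(status: dict) -> str:
    """Plain-language risk reading for the owner of the access point."""
    if not status["wps"]:
        return "WPS not advertised"
    if status["locked"]:
        return "WPS advertised but locked: PIN registrar refused, still consider disabling it"
    return "WPS advertised and unlocked: disable WPS or update firmware"


def _ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack(">HH", atype, len(value)) + value


# Constructed sample beacon bodies (IE lists only, no 802.11 header).
WPS_ON_BEACON = (
    _ie(IE_SSID, b"HomeNet")
    + _ie(IE_VENDOR, WPS_OUI_TYPE
          + _attr(ATTR_VERSION, b"\x10")        # WPS 1.0
          + _attr(ATTR_STATE, b"\x02")          # configured
          + _attr(ATTR_AP_LOCKED, b"\x00")      # not locked
          + _attr(ATTR_MANUFACTURER, b"ExampleCo")
          + _attr(ATTR_MODEL, b"Router1"))
)
WPS_OFF_BEACON = _ie(IE_SSID, b"HomeNet") + _ie(0x01, b"\x82\x84\x8b\x96")  # SSID + rates

if __name__ == "__main__":
    for body in (WPS_ON_BEACON, WPS_OFF_BEACON):
        s = wps_status(body)
        print(s["ssid"], s["version"], s["vendor"], "->", verdict(s))
```

A "locked" result means the router has stopped answering PIN registrar attempts, usually after too many failures; that is a mitigation against online brute force, but the Pixie Dust variant described below works from a single exchange, so the only verdict that removes the risk is "WPS not advertised".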
A couple of things to keep in mind. First, the attack might not work on the first try and it'll take time to crack the WPS pin if the router is indeed vulnerable. Second, it might not always work since some routers have been patched against it.
Another variation of this attack, which is usually more effective on outdated routers, is the Pixie Dust attack, an offline version of the PIN attack.
You can execute the Pixie Dust attack with the same command by providing the -K parameter to reaver, like below:
If the attack was successful, you should see the WPS PIN printed in the terminal by the tool, and usually the WPA key too (the WiFi password).
If only the PIN was shown, OR you already have the WPS PIN, you can get the WPA (WiFi) password by passing the PIN to reaver. The parameter -p takes the PIN, and the rest of the syntax remains the same:
Summary
In this post, we've seen how WPS can be exploited to hack WiFi networks. The tools we used are in our Top 5 WiFi Hacking Tools! To protect yourself, your best option is to turn off WPS from your router's admin page. If you don't wanna do that, upgrade your router's firmware to the latest version, or buy a newer router if you have an old one. Stay safe and happy ethical hacking 🙂