Warning - This Website is only for education purposes, By reading these articles you agree that HackingBytes is not responsible in any way for any kind of damage caused by the information provided in these articles.

Wednesday, May 22, 2013

Cracking WEP / WPA / WPA 2 easy Way With Backtrack 5

 



1. Introduction

What is WPS?
WPS, or "Wi-Fi Protected Setup", is a wireless computing standard designed to allow easy establishment of connections between devices in a home network (definitely not suited for a corporation, as you will soon see). Most routers have a little WPS button on them; you may have used it when installing wireless range extenders / APs at home.

What is Reaver & how does it work?
Reaver is a command line tool found on BT5R3 (and previous versions) that was designed by Tactical Network Solutions as a proof of concept tool highlighting the inherent insecurity of using WPS enabled routers. Essentially, WPS involves a 7 digit PIN number which, if discovered, allows an attacker to obtain the WEP/WPA/WPA2 key of a network VERY easily. I highly recommend reading the documentation regarding this issue, which I have linked at the end of this tutorial; don't be a skid and JUST use automated tools, learn and understand how they work ;)


2. What you need

Reaver
Wash
Aircrack-ng (using Airmon-ng specifically)
A vulnerable wireless network (WPS enabled)
A wireless card which supports going into monitor mode
Backtrack 5R3 (or earlier, it has reaver and wash installed on it)



3. The Attack

"Step 1"
[Image: L97H3jl.png]

Backtrack starts with your wireless card enabled BUT not in monitor mode; we need monitor mode to grab beacon packets from the air, identify other networks and then communicate with them.

"Step 2"
[Image: GLFiKE9.png]

Using the airmon-ng tool, we turn a monitor mode interface ON on top of our wlan0 interface.

"Step 3"
[Image: Sv1ALZF.png]

As you can see, when we list our various interfaces in BT5, mon2 is listed (it is usually mon0; I just had 2 other interfaces turned on at the time which I needed to turn off T_T).

"Step 4"
[Image: 3IaicXO.png]

Next, using wash, we sniff the air (on the mon2 interface) for beacon and other packets being sent around by wireless APs and routers. For this tutorial I used my own router, the very first one listed, with an RSSI of -53 (and the scribbled out SSID BiggrinBiggrinBiggrin).

The important things here are the RSSI number and the WPS Locked status. The smaller the RSSI number (ignoring the minus sign) the better: this attack sends a LOT of traffic through the air and we want the most reliable connection possible so our packets don't get dropped. If WPS Locked shows "No", all is good; it means the router has WPS enabled and is vulnerable!

"Step 5"
[Image: Cxooq1X.jpg]

TADA! All done! reaver will display the WPS PIN and the network's wireless password (I greyed mine out just from paranoia). Because my PIN was so simple, it was cracked REALLY fast (6 seconds omg, fastest I've gotten is 4 ^_^); however, if the person has a more complex PIN, HAVE NO FEAR: due to the limitations of a WPS PIN it should take a maximum of 4 hours to crack, thanks to the mathematical formula reaver uses.
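Why a PIN with a 4-hour upper bound is such a weak secret, as an added worked derivation that is not part of the original post; it relies only on the PIN layout from the WPS specification (8 digits, the last one a checksum, validated in two halves), not on anything specific to reaver's implementation.

```latex
% A WPS PIN has 8 decimal digits; the 8th is a checksum of the first 7,
% so a flat search over the 7 free digits would need
\[
N_{\text{flat}} = 10^{7} = 10\,000\,000 \text{ attempts.}
\]
% The router, however, reports whether the first 4 digits are correct
% before the remaining digits are examined, and the checksum fixes the
% 8th digit once the first 7 are known. The two halves can therefore be
% searched independently:
\[
N_{\text{max}} = \underbrace{10^{4}}_{\text{first half}}
               + \underbrace{10^{3}}_{\text{second half, 3 free digits}}
               = 11\,000,
\qquad
N_{\text{avg}} \approx \frac{11\,000}{2} = 5\,500.
\]
% Relative to the flat search this is a reduction by a factor of
\[
\frac{10^{7}}{1.1 \times 10^{4}} \approx 909.
\]
% The "maximum of 4 hours" quoted above is then just the router's answer
% rate: 4 h = 14\,400 s, and 14\,400 / 11\,000 \approx 1.3 s per attempt.
% The bound is set by how quickly the router replies, not by any
% cryptographic work, which is why a lockout after a few failed attempts
% (what the "WPS Locked" column in wash reports) or disabling the WPS PIN
% method entirely is the mitigation on the router side.
```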

4. Conclusion
So as you can see, this is a very powerful tool which absolutely obliterates WPS enabled routers and completely compromises the network. I can see the attractiveness of this attack and can only imagine you HF kids running around outside grabbing PINs off your neighbours' wireless, but PLEASE remember that using reaver without the express consent of the network administrator (your neighbour, basically) of the network you are hacking is ILLEGAL. So either 1. Get permission, 2. Do it on your own network, 3. Buy a new junkish router with WPS, or 4. Just don't do it Biggrin
