- Joined
- April 6, 2025
- Messages
- 82
- Reaction score
- 16
- Points
- 8
- Thread Author
- #1
Putting the wireless card into monitor mode
To search for networks with WPS, as well as to attack them, we need to switch the WiFi card to monitor mode.
We close tools that can prevent our attack:
| sudo systemctl stop NetworkManager sudo airmon-ng check kill |
| sudo iw dev |
| sudo ip link set wlan0 down sudo iw wlan0 set monitor control sudo ip link set wlan0 up |
The new network interface in monitor mode is also called wlan0 .
If you have a different name for the wireless network interface, then in all subsequent commands, insert it instead of wlan0 .
Search for access points with WPS enabled
Very many APs have WPS functionality. But for many, this feature is disabled, and for those with it enabled, it can be blocked (for example, due to several unsuccessful attempts to pick up a PIN).
To collect information about access points, we will use the tool Wash , which comes with Reaver, and it is for this purpose intended.
| sudo wash -i wlan0 |
To end the tool, press CTRL + c .
Wash is a utility for identifying access points with WPS enabled. Above is an example of a study on a live (“live”) interface; it can also scan pcap files (several at a time).
Wash shows the following information about detected access points:
| BSSID BSSID Access Point (i.e. MAC Address) Ch AP Channel> dBm AP signal level WPS Version WPS supported by AP Lck WPS lock status Vendor Manufacturer AP ESSID ESSID (i.e. name) of the Access Point |
By default, wash performs a passive probe. Those. the tool does not send any packets and remains completely invisible for possible wireless activity monitoring systems. However, you can specify the -s option and then wash will send probe requests to each AP, this will allow you to get more information about the AP.
In order to search on 5GHz 802.11 channels, the -5 option is used .
Pixie Dust vulnerability check-in Reaver
The Pixie Dust attack allows you to quickly get a PIN. But not all Access Points are affected by this vulnerability.
To check a specific AP for this vulnerability using Reaver, the -K option is used . Those. The command is as follows:
| sudo reaver -i interface -b MAC_Address_AP -K |
For example, I was interested in the following access point:
| BSSID Ch dBm WPS Lck Vendor ESSID -------------------------------------------------------------------------------- EE:43:F6:CF:C3:08 3 -81 2.0 No RalinkTe Keenetic-8955 |
| sudo reaver -i wlan0 -b EE:43:F6:CF:C3:08 -K |
If the access point is invulnerable to Pixie Dust, then before proceeding to the full brute force, it is recommended to try the most probable options for the attacked Access Point.
Brute force WPS pins with Reaver
If none of the described methods helped, then proceed to a complete search, which may take hours or even a day.
The command to start the search is similar to the previous one, but there is no option that launches the Pixie Dust attack:
| sudo reaver -i interface -b MAC_Address_AP |
Getting a WiFi password with a known WPS pin in Reaver
If the Pixie Dust attack is successful, then only the PIN is shown. At full brute force, both a PIN and a WPA password are shown. If you already have a pin, then you need to use the -p option in Reaver , after which specify a known PIN.
Example:
| sudo reaver -i wlan0 -b EE:43:F6:CF:C3:08 -p 36158805 |
