TUTORIAL: how to bruteforce WPS Pin with backtrack 5 [by a noob, for noobs]
n this tutorial I will teach you how to crack a WPS pin via Reaver.
This tutorial is for beginners, so if you already know how to do this, you probably won't get much out of this tutorial.
All you need for this tutorial is backtrack 5
Before we start you need to check if your network interface supports packet injection, This is a must for reaver.
you can check that with this command:
Code:
Code:
aireplay-ng mon0 -9
A bit about reaver first. It's a tool that exploits an alternate form of authentication for wpa/wpa2 router encryptions, wps pins.
WPS or WI-fi protected setup was supposed to be able to make it easier for users with little knowledge on networking to still use wpa/wpa2.
Not really sure how, and in theory it was a good idea, but this alternate form of authentication is extremely susceptible to bruteforce attacks, and more often than not this bruteforce attack is way quicker than a dictionary attack.
Note that not every router has wps enabled and older routers may not even have wps available, but for most routers it comes enabled by factory settings
Okay, so this is a very simple tool to use, and only requires one command, but before that we'll need to bring our interface into monitor mode. do a quick ifconfig and check the name of your interface that supports packet injection (usually wlan0, or wlan1 depending on how many network adapters and such you might have)
For the purpose of this tutorial let's say its wlan0, using airmon-ng we'll bring the interface into monitor mode now
Code:
Code:
airmon-ng start wlan0
Your interface should now be in monitor mode, if you want to check it just type airmon-ng again and it will show you all of the available interfaces, if it worked your card should read both wlan0 and mon0.
Now that you're interface is in monitor mode you'll want to do an airodump-ng to select a target network. Always make sure you specify your interface.
Code:
Code:
airodump-ng mon0
Select your target network and keep in mind that airodump won't tell you whether or not there is a wps pin on the router, but make sure to select a network with a wpa or wpa2 encryption key. All you need from the access point is the bssid (MAC Address.)
The variables we'll be using for this attack are -i for specifying your interface, -vv for giving non critical messages during the attack, and -b for the bssid of the access point.
So here's all there is to it: Code:
Code:
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
Good luck and if it works it will give you the wps pin and the wpa/wpa2 password in plain text! It usually takes between 1-12 hours.
Please let me know if you learned anything from this tutorial!
