Thursday, 6 September 2012

# 5 Hacking WPA2 (With WPS Bruteforcing)

I thought it was about time to show you something a little more *fun* than installing and setting up BackTrack.
In this tutorial I will be showing you how to use a tool called 'Reaver' and another called 'wash'. These two tools together provide a powerful set of penetration testing tools. Wash is used to find wireless routers that use WPS and are vulnerable to Reaver's WPS bruteforcing.
When Reaver finds the correct WPS PIN it will then give the user the WPA2 password of the wireless router, allowing the user access to the network, and possibly the internet if that network is connected to the web.
I will not go into detail about how Reaver actually works; I will just show you how to use it in this tutorial. If you do want information on how it works, visit the link below and have a good read :)
First I will show you how to connect your wireless network card and start it in monitor mode (note: I am using an Alfa AWUS036H network adapter).
This will allow the wash tool to examine packets being sent wirelessly and discover vulnerable routers.
I will then show you how to use wash to find the vulnerable routers, and lastly I will show you how to use Reaver to get the WPA2 password.

First load up your BackTrack VM. Once it's done, connect your USB wireless network adapter. It may automatically be connected to the VM, but if it is not then in the bottom right of your VMware Player you will see little icons like the ones in the picture below:

The icon that looks like a USB stick and is faded is usually the one that represents the wireless network adapter. Simply click on it and select Connect (disconnect from host).

Now that we have our wireless card connected, let's give it an interface to operate from. To do this we will put it in monitor mode, by opening a new terminal and entering the command below:

```
airmon-ng start wlan1
```

(Note: your wlan interface may have a different number, but it is usually 1 or 0.)

When done correctly this will put your wireless network adapter into monitor mode, which allows us to examine packets being sent wirelessly. This will also start an interface called mon0, which we will be running our attack through.

## Using Wash to Find a Vulnerable Router

This is easy to do: just open up a terminal and enter the command below:

```
wash -i mon0
```

This will start the wash program. It will use the mon0 interface to find the vulnerable wireless routers and display them in the terminal in a table like the one in the picture below:

After about 2 minutes wash will have found all vulnerable wireless routers, so we will have to stop it running. To do this, make sure the terminal is your active window, then press and hold 'Ctrl' and press 'Z'.


## Using Reaver to Get the Password

Reaver will use a bruteforcing method to attack the WPS PIN, trying a total of 11k PINs. It's very simple to use, but first we need to pick our target from the table in wash.

I suggest picking the one with the lowest RSSI because it will have the best signal. When you pick your target, copy the MAC address. The MAC address is 12 characters long and separated with colons every two characters, for example A3:ED:S2:22:SD:FF.

Now open a new terminal and enter the command below, but replace the example MAC address with the one you copied.

```
reaver -i mon0 -b C0:3F:0E:C2:D4:C4 -v
```

This will start the bruteforcing of the WPS PIN and will show you which PINs it has tried and what percentage of the way it is to completion. We can see this in the picture below.

Reaver can get the right PIN the first time, or it could be the last one it tries, but if the router is accepting the PINs then Reaver will get it, and display the correct WPS PIN and password in the terminal!
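As an added example (not code from the original post or from Reaver), the following Python models the checks a WPS registrar performs, to show where the "11k PINs" figure above comes from and how much an AP-side lockout (the "router accepting the PINs" condition) stretches the time needed. The per-try and lockout timings are constructed assumptions; nothing here touches a network.

```python
# Added example, not code from the post: models WPS PIN checksum validation
# and the split verification that reduces the online search to ~11,000 guesses,
# then estimates elapsed time with and without an AP-side lockout.
# Timing values are constructed assumptions.

def wps_checksum_digit(first7: str) -> int:
    """Check digit of a WPS PIN (Wi-Fi Simple Configuration spec):
    the 1st, 3rd, 5th and 7th digits weigh 3, the others weigh 1."""
    acc = sum(3 * int(d) if i % 2 == 0 else int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10

def valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum_digit(pin[:7]))

def checksum_valid_second_halves(first4: str) -> int:
    """How many of the 10,000 possible second halves pass the checksum for a
    given first half. Exactly one check digit fits each 7-digit prefix, so 1,000."""
    return sum(valid_pin(first4 + f"{n:04d}") for n in range(10_000))

def worst_case_attempts(split_verification: bool) -> int:
    """PIN guesses an online attacker needs in the worst case. The registrar
    reveals whether the first half is right (M4 response) before the second
    half is checked (M6), so the halves can be solved one at a time."""
    second = checksum_valid_second_halves("0000")   # 1,000 for any first half
    if split_verification:
        return 10**4 + second                         # 11,000
    return 10**4 * second                             # 10,000,000

def worst_case_seconds(attempts: int, seconds_per_try: float,
                       lockout_after: int = 0, lockout_seconds: float = 0) -> float:
    """Elapsed time if the AP locks WPS for lockout_seconds after every
    lockout_after failed attempts (0 = no lockout)."""
    total = attempts * seconds_per_try
    if lockout_after and lockout_seconds:
        total += (attempts // lockout_after) * lockout_seconds
    return total

if __name__ == "__main__":
    n = worst_case_attempts(split_verification=True)
    print("WPS PIN guesses needed with split verification:", n)
    print("No lockout, 2 s/try: %.1f hours" % (worst_case_seconds(n, 2) / 3600))
    print("Lockout of 300 s after 3 failures: %.1f days"
          % (worst_case_seconds(n, 2, 3, 300) / 86400))
```

For an AP you manage, the numbers make the case for disabling WPS PIN entry outright: a lockout only slows the search, it does not remove it.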


  1. You rock!! Thanks for updating it, I'm sure more people are reading it. Looking forward to your PwnStar updates.

    This card you have is that good for all purpose? alfa awus036h network adapter or do you recommend anything else?

  2. I have this card and driver which isn't working I think? Intel 3945ABG iwl3945

    I get this messages all the time [!] Found packet with bad FCS, skipping... like hundreds and nothing else, any thoughts?

  3. No problem man! Yeah, I'm just trying to get some bits to work properly before I post it on here.

    Yeah, the card's a good all-round one, but there is a newer one which can deal with the new N type routers. The one I have works with them too, as routers are generally backwards compatible. If you do want the newer one it's called an Alfa AWUS036NH.

  4. I suggest you buy one of the wireless adapters listed above, as they are very well supported by Reaver and reasonably cheap, but you can try using the command below when running walsh:

    walsh -i mon0 --ignore-fcs

    Hopefully that will fix the issue; if not, I suggest buying a wireless adapter..... Intel wireless cards RARELY work very well with BackTrack.

  5. Thanks, I ordered one. When does the PwnStar update come? :) Would also love to see some HTTPS sniffing. Thanks for all the effort.

  6. At the moment I am having some issues with PwnStar working properly and have been moving everything back to my place at university, so I have not had time. They will be up within the next 2 weeks.

    Also, the HTTPS is included with the first PwnStar update. It will basically allow a user to connect to your fake wireless and use your internet connection. When they log into a site, the HTTPS sniffer will then allow you to see the credentials the person is using.

  7. Hi, I am using a laptop...
    Can you please help me with it?
    My laptop has an internal wifi card,
    and while I am opening BackTrack R3 in VMware
    I get a message saying no networks are available.....
    Please help with this one....


  9. After typing wash -i mon0: Found packet with bad FCS, skipping