Introduction
Wi-Fi Protected Setup (WPS) is a feature designed to make it easy to connect devices to a wireless network. However, certain implementations of WPS have a design flaw that makes them vulnerable to brute-force attacks, allowing an attacker to discover the network's WPA/WPA2 password.
Before attempting such an attack, you must first identify which nearby networks have WPS enabled and are not locked. The wash tool, which is part of the Reaver suite, is designed specifically for this purpose. It scans the airwaves for WPS-enabled access points and reports their status.
In this lab, you will learn the fundamental steps of wireless reconnaissance by using wash to find potential targets. You will install the necessary tools, place a simulated wireless card into monitor mode, and then run and interpret the output of a wash scan.
Ensure the Reaver Suite is Installed
In this step, you will install the necessary software packages. The wash command is part of the reaver package. We will also install aircrack-ng, a suite of tools for Wi-Fi network security, which contains the airmon-ng utility we'll need in the next step.
First, update your package list and then install reaver using the apt package manager. The -y flag automatically confirms the installation.
sudo apt update
sudo apt install reaver -y
You will see output as the package manager fetches and installs reaver and its dependencies.
Next, install the aircrack-ng suite:
sudo apt install aircrack-ng -y
Once both commands complete successfully, you will have all the tools required for this lab.
Put Your Wireless Card into Monitor Mode
In this step, you will enable "monitor mode" on your wireless interface. In the standard "managed mode", the card only passes up frames addressed to your device. Monitor mode instead captures every 802.11 frame on a given channel, including management frames such as the beacons and probe responses that advertise an AP's WPS state, which is exactly what wash needs to see.
We will use the airmon-ng utility for this task. First, it's good practice to check for and stop any processes that might interfere with monitor mode.
Run the following command to kill potentially conflicting processes:
sudo airmon-ng check kill
You should see a simulated output indicating that a process like wpa_supplicant has been stopped.
Killing these processes:
PID Name
123 wpa_supplicant
Now, start monitor mode on the simulated wireless interface, wlan0. This command will create a new virtual interface, typically named wlan0mon, which is the one we will use for scanning.
sudo airmon-ng start wlan0
The output will confirm that monitor mode has been enabled on a new interface named wlan0mon.
PHY Interface Driver Chipset
phy0 wlan0 ath9k Atheros Communications Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
Your wireless card is now ready to scan all nearby traffic.
Run wash on the Monitor Interface using the -i Flag
In this step, with your interface in monitor mode, you can now use wash to begin scanning for WPS-enabled networks.
The basic syntax for wash requires you to specify the monitor mode interface using the -i flag. As established in the previous step, our monitor interface is wlan0mon.
Execute the following command in your terminal to start the scan:
sudo wash -i wlan0mon
wash will start scanning and display a list of networks it discovers in real time. The output will look similar to this:
Wash v1.6.5 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
BSSID Channel RSSI WPS Version WPS Locked ESSID
--------------------------------------------------------------------------------
C4:01:A3:1E:B4:29 1 -65 1.0 No TestNet-WPS-Unlocked
A0:B2:C3:D4:E5:F6 6 -78 1.0 Yes Home-Network-5G
12:34:56:78:90:AB 11 -52 1.0 No CoffeeShop-WiFi
DE:AD:BE:EF:00:11 1 -81 1.0 Yes Locked-AP
The scan will run indefinitely. Let it run for about 10-15 seconds to populate the list, then press Ctrl+C to stop the process and return to the command prompt.
Interpret the wash Output Columns like BSSID and WPS Locked
In this step, you will learn how to interpret the information provided by wash. Understanding this output is critical for selecting a viable target. There are no commands to run in this step; simply review the breakdown of the columns from the previous output.
Let's analyze the columns:
- BSSID: This is the Basic Service Set Identifier, which is the unique MAC (Media Access Control) address of the wireless access point (AP). You need this address to target a specific network with tools like reaver.
- Channel: The wireless channel the AP is operating on (e.g., 1, 6, 11).
- RSSI: Received Signal Strength Indicator. This value indicates how strong the signal from the AP is. It's a negative number, and a value closer to 0 indicates a stronger signal (e.g., -50 is stronger than -80). A stronger signal is better for a reliable connection.
- WPS Version: The version of the WPS protocol the AP is using.
- WPS Locked: This is the most important column for our purposes.
  - No: Indicates that the AP's WPS feature is not locked. This is a potentially vulnerable target.
  - Yes: Indicates that the AP has likely detected previous brute-force attempts and has locked its WPS feature, either temporarily or permanently. These targets are not currently vulnerable to a WPS PIN attack.
- ESSID: This is the Extended Service Set Identifier, which is the human-readable name of the Wi-Fi network (e.g., "CoffeeShop-WiFi").
By understanding these fields, you can quickly assess which networks are worth investigating further.
Identify a Suitable Unlocked Target for a WPS Attack
In this final practical step, you will apply the knowledge from the previous section to analyze your scan results and identify the best potential target for a WPS attack. This is a critical thinking step based on the data you've gathered.
Review the output from your wash scan in Step 3:
BSSID Channel RSSI WPS Version WPS Locked ESSID
--------------------------------------------------------------------------------
C4:01:A3:1E:B4:29 1 -65 1.0 No TestNet-WPS-Unlocked
A0:B2:C3:D4:E5:F6 6 -78 1.0 Yes Home-Network-5G
12:34:56:78:90:AB 11 -52 1.0 No CoffeeShop-WiFi
DE:AD:BE:EF:00:11 1 -81 1.0 Yes Locked-AP
To identify a suitable target, you should look for two key characteristics:
- WPS Locked is No: This is a mandatory requirement. An AP with a locked WPS state cannot be attacked.
- Strong RSSI: A stronger signal (a number closer to 0) increases the chances of a successful and faster attack.
Based on these criteria, let's analyze the list:
- Home-Network-5G and Locked-AP are not viable targets because their WPS Locked status is Yes.
- TestNet-WPS-Unlocked and CoffeeShop-WiFi are both viable targets because their WPS Locked status is No.
Between these two, CoffeeShop-WiFi has a stronger signal (-52) compared to TestNet-WPS-Unlocked (-65), making it the ideal primary target.
You have now successfully identified a vulnerable target. The next logical step in a real penetration test (which is beyond the scope of this lab) would be to use the reaver tool with the target's BSSID (12:34:56:78:90:AB) to begin the PIN cracking process.
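As an added example (not part of the original lab or the Reaver project), the following Python script parses the wash table from Step 3 and applies the two selection criteria above, so the same interpretation can be repeated over a saved scan, for instance when inventorying which of your own access points still advertise WPS unlocked. The sample table is constructed from the output shown in this lab.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the wash table shown in this lab, embedded so the script runs offline.
WASH_OUTPUT = """\
Wash v1.6.5 WiFi Protected Setup Scan Tool
BSSID               Channel  RSSI  WPS Version  WPS Locked  ESSID
--------------------------------------------------------------------------------
C4:01:A3:1E:B4:29    1      -65   1.0          No          TestNet-WPS-Unlocked
A0:B2:C3:D4:E5:F6    6      -78   1.0          Yes         Home-Network-5G
12:34:56:78:90:AB   11      -52   1.0          No          CoffeeShop-WiFi
DE:AD:BE:EF:00:11    1      -81   1.0          Yes         Locked-AP
"""

# One data row: MAC, channel, RSSI, WPS version, locked flag, then the ESSID (may contain spaces).
# The banner, header and separator lines do not match this pattern and are skipped.
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\d+\.\d+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)

@dataclass
class AccessPoint:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    wps_locked: bool
    essid: str

def parse_wash(text: str) -> List[AccessPoint]:
    """Turn wash's text table into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            aps.append(AccessPoint(m["bssid"], int(m["channel"]), int(m["rssi"]),
                                   m["version"], m["locked"] == "Yes", m["essid"]))
    return aps

def unlocked_by_signal(aps: List[AccessPoint]) -> List[AccessPoint]:
    """Apply the lab's criteria: WPS Locked must be No; rank the rest by RSSI, closest to 0 first."""
    return sorted((ap for ap in aps if not ap.wps_locked), key=lambda ap: ap.rssi, reverse=True)

if __name__ == "__main__":
    for ap in unlocked_by_signal(parse_wash(WASH_OUTPUT)):
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.rssi:>4} dBm  {ap.essid}")
```

Run against the sample, the script lists CoffeeShop-WiFi first and TestNet-WPS-Unlocked second, matching the analysis above; the two locked APs are dropped.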
Summary
In this lab, you have learned the essential first step in assessing the security of WPS-enabled networks. You have successfully used a combination of tools from the aircrack-ng and reaver suites to perform reconnaissance on a simulated wireless environment.
You have learned to:
- Install the reaver and aircrack-ng packages.
- Use airmon-ng to place a wireless interface into monitor mode, a prerequisite for most wireless security tasks.
- Run the wash command to scan for and discover WPS-enabled access points.
- Interpret the detailed output from wash, paying close attention to the critical WPS Locked and RSSI fields.
- Analyze the scan results to identify the most promising targets for a potential WPS attack.
This foundational skill is crucial for any network security professional or enthusiast looking to understand and test the vulnerabilities of Wi-Fi networks.
