Once you have this, you collect the public key from both the AP (registrar) and the client (enrollee). Additionally, you need the two hash values used by the client, plus the authentication session key and the nonce used by the enrollee. Once you have those, there are a couple of programs you can use. One of them is reaver. Another is pixiewps. Using pixiewps is straightforward. To run it with the relevant information, you use pixiewps -e <enrollee public key> -r <registrar public key> -s <hash 1> -z <hash 2> -a <authentication key> -n <enrollee nonce>.
Automating Multiple Tests
Unsurprisingly, you can attack WiFi networks in multiple ways. The problem is that saying "WiFi networks" suggests that there are only a couple of types of WiFi networks. The reality is there are many ways that WiFi networks may be deployed, even before we get into topology—meaning the positioning of the devices, whether it’s a mesh network, and various other similar concerns. We haven’t talked at all about encryption to date, though we’ve referred to keys.
To address concerns about privacy, Wired Equivalent Privacy (WEP) was developed
to ensure transmission was encrypted. Without encryption, anyone with a WiFi radio
could listen in on the transmissions. All they needed was to be in proximity to the
signal, which could be in the parking lot. WEP, though, had vulnerabilities. Because
of the weakness in its initialization vector, the encryption key could be determined,
allowing traffic to be decrypted. As a result, WPA was developed as a successor to
WEP. It, too, had issues, leading to WPA2.
The problem is that some people are still using the older encryption mechanisms. In