WPS lets you join a secure WiFi network without selecting the network name and entering the password; it tries to make connecting a router and wireless devices faster and easier. WPS works only for wireless networks that use WPA Personal or WPA2 Personal security. Wi-Fi Protected Setup was a nice idea, but using it is a mistake. WPS has a “push button” to connect wireless devices to your router. When you are connecting a device that supports WPS, you have the option of using WPS instead of entering the WiFi password. Put the device you want to connect into its WPS state (by selecting it on your smartphone, tablet, etc.), then press the WPS button on your router/modem. Finally, the two devices exchange information and the device connects. Simple and easy.

WPS Sucks and Is Insecure

There are two different methods by which WPS works:

  1. PBC (Push Button Connect): As I explained earlier, WPS has a physical push button. After trying to connect your device to the router, you simply push the physical WPS button on the router, usually located on the back. Devices can only connect with this method for a few minutes after the button is pressed, or until a single device connects. This looks more secure, because it is not active and available to exploit all the time. WPS push-button connect seems largely secure, but the vulnerability of this method is the button itself: whoever can physically reach that button can connect to the wireless network, even without knowing the Wi-Fi passphrase.
  2. PIN: The router has an eight-digit PIN that you need to enter on your devices to connect. What makes WPS PINs very easy to brute-force is that, rather than checking the entire eight-digit PIN at once, the router checks the first four digits separately from the last four. There are only 11,000 possible four-digit combinations to guess, and once the brute-force tool gets the first four digits right, the attacker can move on to the remaining digits. Many routers don't lock out after a wrong WPS PIN is submitted, allowing attackers to guess over and over again. A WPS PIN can be brute-forced in about a day. Kali Linux has several tools to brute-force WPS.

In this tutorial I will not actually hack the WPS router; I will just show you how to scan your target to see whether it has WPS enabled or not. I will cover hacking WPS in an upcoming tutorial post.

Find Enabled WPS WiFi in Kali Linux

Wash is a tool in Kali Linux to find WPS-enabled routers in your area. WiFi networks with WPS disabled are less likely to be the target of a hacker, because WPS is one of the easiest and fastest ways of hacking a wireless network. Without the possibility of WPS-related attacks, the attacker is left with more time-consuming ways to hack your WiFi network, like capturing handshakes and brute-forcing them, or more advanced methods.

STEP 1 : Set Monitor Mode

First, set your wireless interface to monitor mode using airmon-ng, and don't forget to run “check kill”. Use “ifconfig” to check your interface name.

I chose my external WiFi interface, which is “wlan1”, and ran the airmon-ng command against it.

STEP 2 : Scan WPS Enabled With WASH

Run wash to see the detailed options available; wash also supports the 5GHz channels.

The simplest wash invocation is to point it at the monitor-mode interface.


Unless you pass the “--all” argument to wash, you will only see WPS-enabled routers; routers or modems with WPS disabled will not be displayed on screen. Here you can choose your target (if many targets are displayed) for further kinds of attack, like Pixie Dust, which targets the WPS support on a modem or router. Luckily, this kind of attack will not work on modern routers.
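As an added example that is not part of the original post, the Python script below turns a wash scan into an audit list for the access points you administer: which of your own BSSIDs still advertise WPS, and which of them are currently unlocked (the “Lck” column wash prints after an AP has started refusing PIN attempts). The scan output is assumed to come from the workflow above (airmon-ng, then wash on the monitor interface); the column layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID) is assumed from recent wash versions and may differ on yours, and the rows in `SAMPLE_WASH_OUTPUT` plus the `owned_bssids` inventory are constructed for the example, not real scan data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of wash output. The column layout (BSSID, Ch, dBm, WPS,
# Lck, Vendor, ESSID) is assumed from recent wash versions and may differ on
# yours; the rows themselves are made up for this example, not real scan data.
# Without "--all", every row wash prints is a WPS-enabled network.
SAMPLE_WASH_OUTPUT = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
AA:BB:CC:00:00:01    1  -41  2.0  No   Broadcom  HomeNet-2G
AA:BB:CC:00:00:02    6  -63  1.0  Yes  AtherosC  Office-AP
AA:BB:CC:00:00:03   11  -58  2.0  No   RalinkTe  Guest WiFi
AA:BB:CC:00:00:04   36  -70  2.0  No   Broadcom  HomeNet-5G
"""

# Only data rows start with a MAC address; the header and separator do not.
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class WpsEntry:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool      # "Lck" column: the AP has locked WPS after failed PIN attempts
    vendor: str
    essid: str        # may be empty for hidden networks


def parse_wash(output: str) -> List[WpsEntry]:
    """Parse wash's table into WpsEntry records, skipping header and separator lines."""
    entries: List[WpsEntry] = []
    for line in output.splitlines():
        # Split at most 6 times so an ESSID containing spaces stays whole.
        parts = line.split(None, 6)
        if len(parts) < 6 or not BSSID_RE.match(parts[0]):
            continue
        essid = parts[6].strip() if len(parts) == 7 else ""
        entries.append(WpsEntry(
            bssid=parts[0].upper(),
            channel=int(parts[1]),
            rssi=int(parts[2]),
            wps_version=parts[3],
            locked=parts[4].lower() == "yes",
            vendor=parts[5],
            essid=essid,
        ))
    return entries


def audit_owned_aps(entries: List[WpsEntry], owned_bssids: List[str]) -> Dict[str, List[str]]:
    """Compare a scan against the BSSIDs of the access points we administer.

    Returns which of our APs still advertise WPS at all (they should not, if
    policy says WPS off), which of those are currently unlocked (they would
    answer PIN attempts right now rather than being in a lockout period), and
    which are on the 5GHz band (channels above 14), since wash needs its 5GHz
    option to see those at all.
    """
    owned = {b.upper() for b in owned_bssids}
    ours = [e for e in entries if e.bssid in owned]
    return {
        "wps_enabled": [e.bssid for e in ours],
        "unlocked": [e.bssid for e in ours if not e.locked],
        "band_5ghz": [e.bssid for e in ours if e.channel > 14],
    }


if __name__ == "__main__":
    scan = parse_wash(SAMPLE_WASH_OUTPUT)
    # Hypothetical inventory of our own APs; the third one never shows up in
    # the scan, meaning WPS is already off on it (or it was out of range).
    report = audit_owned_aps(scan, ["aa:bb:cc:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:99"])
    for entry in scan:
        print(f"{entry.bssid} ch{entry.channel:>3} {entry.rssi:>4} dBm WPS {entry.wps_version} "
              f"locked={entry.locked} {entry.essid!r}")
    print(report)
```

In practice you would feed it a saved scan (`wash ... > scan.txt`, then `parse_wash(open("scan.txt").read())`) and compare the `wps_enabled` list against your inventory after changing the router setting; an AP that keeps appearing has not really turned WPS off, and an AP that appears only in `unlocked` is the one to fix first.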