
WPS


Last updated 2 months ago

Cracking with Reaver and Bully Demonstration

In this section, we’ll walk through the process of cracking WPA/WPA2 PINs using Reaver and the Pixie Dust attack. This technique is useful for CTF challenges involving wireless security and cracking.

You can view a demonstration of the process on YouTube.

Prerequisites

Before we begin, ensure you have the necessary tools installed and a compatible wireless card. You should also have a wireless network that supports WPA/WPA2 encryption.

Step-by-Step Process

1. Install Reaver

Reaver is a tool used to crack WPA/WPA2 by exploiting the WPS (Wi-Fi Protected Setup) vulnerability. You can install it by running the following command:

sudo apt-get install reaver

2. Start Interface in Monitor Mode and Kill Unwanted Services

In order to interact with the wireless network and capture packets, you need to switch your wireless card to monitor mode. Additionally, some processes may interfere with wireless scanning, so we’ll stop any unnecessary services.

airmon-ng check kill && airmon-ng start wlan0
  • airmon-ng check kill: Stops any processes that could interfere with wireless card operations.

  • airmon-ng start wlan0: Puts your wireless card into monitor mode (replace wlan0 with the correct interface name for your system).

3. Enumerate Wireless Access Points Using Wash

Now that the interface is in monitor mode, you can use wash to enumerate the wireless access points that support WPS. This will help you identify the target BSSID (MAC address) for the attack.

Enumerate wireless access points using wash:

wash -i <monitor wireless card>
  • Replace <monitor wireless card> with your actual monitor mode interface name (e.g., wlan0mon).

  • wash will display a list of available wireless networks, showing details such as whether WPS is enabled.

4. Execute the Pixie Dust Attack

Once you have identified the target BSSID, use Reaver to execute the Pixie Dust attack. The Pixie Dust attack significantly speeds up the WPS PIN cracking process by leveraging public key cryptography.

reaver -i <monitor wireless card> -b <bssid> -vv -K 1
  • Replace <monitor wireless card> with your interface in monitor mode (e.g., wlan0mon).

  • Replace <bssid> with the target wireless network's BSSID.

  • -vv: Increases verbosity to show detailed information during the attack.

  • -K 1: Enables the Pixie Dust attack, which improves cracking speed.

Notes:

  • Target Selection: Ensure that the target wireless access point supports WPS and that the attack is feasible. The Pixie Dust attack is effective on certain networks that have weak or predictable keys.

  • Time Considerations: This attack can take time depending on the strength of the WPA/WPA2 PIN and the hardware you're using.
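The defensive counterpart to the steps above is making sure your own access points do not expose WPS at all. The following Python script is an added example, not code from the Zero Day Archives page; it audits a hostapd configuration for the settings that enable WPS (the real hostapd.conf keys wps_state, ap_pin, ap_setup_locked and eap_server) and reports what to change. The sample configuration embedded in it is constructed for the demonstration.

```python
"""
Audit a hostapd.conf for WPS exposure and produce a remediated config.

Added example (not from the original page). The option names are real
hostapd.conf keys; the sample config below is constructed for the demo.
wps_state: 0 = WPS disabled, 1 = enabled but unconfigured, 2 = enabled and configured.
"""
from typing import Dict, List

# Constructed sample: an AP with WPS enabled and a static external-registrar PIN.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
ssid=CorpGuest
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
# WPS section
eap_server=1
wps_state=2
ap_pin=12345670
ap_setup_locked=0
"""


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; comments and blank lines are ignored, last value wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means WPS is disabled."""
    findings: List[str] = []
    wps_state = conf.get("wps_state", "0")  # hostapd default is 0 (disabled)
    if wps_state == "0":
        return findings  # no WPS registrar protocol, so no PIN to recover
    findings.append(
        f"WPS is enabled (wps_state={wps_state}); set wps_state=0 unless WPS is required"
    )
    if "ap_pin" in conf:
        findings.append(
            "a static AP PIN is configured (ap_pin); external-registrar PIN mode "
            "is the mode attacked by PIN guessing and Pixie Dust"
        )
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append(
            "ap_setup_locked is not 1; an external registrar may change AP settings"
        )
    return findings


def remediate(conf: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the config with WPS turned off and the static PIN removed."""
    fixed = dict(conf)
    fixed["wps_state"] = "0"
    fixed.pop("ap_pin", None)
    return fixed


if __name__ == "__main__":
    parsed = parse_hostapd_conf(SAMPLE_HOSTAPD_CONF)
    for finding in audit_wps(parsed):
        print("FINDING:", finding)
    print("after remediation:", audit_wps(remediate(parsed)) or "no WPS findings")
```

Run it against a real file by replacing SAMPLE_HOSTAPD_CONF with the contents of /etc/hostapd/hostapd.conf; a clean result means the WPS exchange that wash and reaver look for is simply not offered by that access point.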

Summary

By following these steps, you'll be able to perform a Pixie Dust attack using Reaver on WPA/WPA2 networks that have WPS enabled. This technique is useful in CTF challenges focused on wireless security, allowing you to crack WPS PINs efficiently.

For more advanced attacks or techniques, check out the .
