Wi-Fi Protected Setup (WPS) is a wireless standard that enables simple connectivity to “secure” wireless APs. The problem with WPS is that its external-registrar PIN method makes it easy to connect to the wireless network, and the same PIN exchange can be attacked to recover the very WPA/WPA2 pre-shared key used to lock down the overall system. With security, everything’s a tradeoff!
WPS is intended for consumer use in home wireless networks. If your wireless environment is like most others that I see, it probably contains consumer-grade wireless APs (routers) that are vulnerable to this attack.
Mar 26, 2015: Maybe add some wpa_cli commands to connect to the client's WPS-protected router once the PIN has been cracked:
    wpa_cli wps_reg <AP MAC address> <WPS PIN>    (connects the interface to the AP using the PIN)
    dhclient wlan0                                (requests an IP address from the AP)
    wpa_cli scan_results | grep WPS               (lists WPS-protected APs, a rough alternative to wash)
5) Can I hack Wi-Fi WPA WPS-enabled routers from my Android mobile? Ans: Well, yes. There are many methods to hack Wi-Fi WPA/WPA2 WPS-enabled routers from Android mobiles. Here is a tutorial for hacking Wi-Fi WPA WPS-enabled routers from Android in 2 minutes. If you have an intention other than ‘fun’ and ‘learning’, you can stop reading now. This hack was originally showcased at Shmoocon 2012. All vendors (including Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL, TP-Link and Technicolor) have WPS-enabled devices.
The WPS attack is relatively straightforward using an open source tool called Reaver. Reaver works by executing a brute-force attack against the WPS PIN. The PIN is only eight digits, the last digit is a checksum of the other seven, and the AP’s responses during the PIN exchange reveal separately whether the first four digits and the next three are correct, so an attacker needs at most 10,000 + 1,000 = 11,000 attempts rather than 10^8. Reaver Pro is a device that you connect your testing system to over Ethernet or USB. Reaver Pro’s interface, as shown here, is pretty straightforward.
Running Reaver Pro is easy. You simply follow these steps:
Connect to the Reaver Pro device by plugging your testing system into the PoE LAN network connection. You should get an IP address from the Reaver Pro device via DHCP.
Load a web browser and browse to http://10.9.8.1 and log in with reaver/foo as the username and password.
On the home screen, press the Menu button and a list of wireless networks should appear.
Select your wireless network from the list and then click Analyze.
Let Reaver Pro run and do its thing.
This process is shown here.
Using Reaver Pro to determine that Wi-Fi Protected Setup is enabled.
If you wish to have Reaver Pro automatically start cracking your WPS PIN, you’ll need to click Configure and set the WPS Pin setting to On. WPS PIN cracking can take anywhere from a few minutes to a few hours, but if successful, Reaver Pro will return the WPA pre-shared key or will tell you that the wireless network is too far away or that intruder lockout is enabled.
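To see why the PIN search finishes in hours rather than years, here is an added example in Python; it is not code from the original article and not Reaver’s code. It implements the WPS PIN checksum and a constructed stand-in for the AP (the WpsAp class, an assumption of this example) that answers the way a real AP does: a wrong first half is rejected after message M4 and a wrong second half after M6, so the two halves can be guessed independently. The three PINs it checks are 12345670 (the usual example PIN) and two PINs quoted in the Netgear list further down this page.

```python
# Added example: WPS PIN checksum and the split (first half, then second half)
# search that makes the registrar PIN brute force cheap. Not Reaver's code.

def wps_checksum(first7):
    """Checksum digit for the first seven digits of a WPS PIN (weights 3,1,3,1,...)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True if pin is eight digits and the last one is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class WpsAp:
    """Constructed stand-in for the AP side of the registrar protocol (not a real AP).

    A real AP answers a wrong first half with a NACK after message M4 and a wrong
    second half with a NACK after M6, so each half can be guessed on its own.
    """

    def __init__(self, pin):
        if not is_valid_pin(pin):
            raise ValueError("bad PIN checksum")
        self._half1 = int(pin[:4])
        self._half2 = int(pin[4:7])
        self.attempts = 0

    def try_first_half(self, half1):
        self.attempts += 1
        return half1 == self._half1

    def try_second_half(self, half1, half2):
        self.attempts += 1
        return half1 == self._half1 and half2 == self._half2


def recover_pin(ap):
    """Recover the PIN as Reaver does: first 4 digits, then next 3, then append the checksum.

    Returns (pin, protocol attempts). Worst case is 10000 + 1000 = 11000 attempts.
    """
    half1 = next(h for h in range(10_000) if ap.try_first_half(h))
    half2 = next(h for h in range(1_000) if ap.try_second_half(half1, h))
    body = half1 * 1_000 + half2
    return f"{body:07d}{wps_checksum(body)}", ap.attempts


NAIVE_KEYSPACE = 10**7           # eight digits, one of them fixed by the checksum
SPLIT_KEYSPACE = 10**4 + 10**3   # what the per-half NACKs reduce the search to


if __name__ == "__main__":
    # 12345670 is the classic example PIN; the other two are PINs quoted in the
    # Netgear list further down this page.
    for target in ("12345670", "40408880", "26168258"):
        pin, attempts = recover_pin(WpsAp(target))
        print(f"{pin} recovered in {attempts} attempts "
              f"(naive search space {NAIVE_KEYSPACE:,}, split {SPLIT_KEYSPACE:,})")
```

The attempt count is what the intruder-lockout countermeasure below works against: an AP that stops answering after a handful of failed M4/M6 exchanges turns an 11,000-attempt job into a much slower one.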
Countermeasures against the WPS PIN flaw
It’s rare to come across a security fix as straightforward as this one: disable WPS. Then verify it on the air rather than trusting the setting: scan for the AP (with wash or Reaver Pro) and confirm it no longer advertises WPS, because some consumer firmware has been reported to keep answering WPS requests after the option was switched off. If you must leave WPS enabled, at least set up MAC address controls on your AP(s). It’s not foolproof (an attacker can copy the MAC address of any client seen on the air), but it’s better than nothing! More recent consumer-grade wireless routers also have intruder lockout for the WPS PIN: if the router detects repeated failed PIN attempts, it refuses further attempts for a period of time, which is the lockout Reaver Pro reports. The best thing to do to prevent WPS attacks in the enterprise is not to use low-end wireless routers in the first place.
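The check behind “verify it on the air” is reading the WPS information element that an AP puts in its beacons, which is what wash does. The following is an added example in Python, not code from the article or from wash: it decodes the vendor-specific IE (OUI 00:50:F2, type 4) and reports the WPS State and AP Setup Locked attributes. The three beacon byte strings are constructed for the example, not captured from any real router; the SSID and model strings in them are taken from the Netgear list on this page.

```python
# Added example: decode the WPS IE from beacon tagged parameters to tell whether
# an AP advertises WPS and whether its AP Setup Locked flag is set. Not wash's code.
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")   # OUI 00:50:F2 + type 0x04 marks a WPS IE
IE_VENDOR_SPECIFIC = 221

# WPS attribute IDs (subset of the WPS specification)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044        # 1 = Not Configured, 2 = Configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP refuses external-registrar PIN attempts (lockout)
ATTR_MANUFACTURER = 0x1021
ATTR_MODEL_NAME = 0x1023

WPS_STATE_NAMES = {1: "Not Configured", 2: "Configured"}


def iter_information_elements(ies):
    """Yield (element_id, body) from the tagged-parameter part of a beacon."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) != length:   # truncated element: stop instead of misparsing
            return
        yield eid, body
        pos += 2 + length


def parse_wps_attributes(wps_body):
    """Decode the big-endian TLV attributes that follow the OUI+type in a WPS IE."""
    attrs = {}
    pos = 0
    while pos + 4 <= len(wps_body):
        attr_id, length = struct.unpack_from(">HH", wps_body, pos)
        value = wps_body[pos + 4:pos + 4 + length]
        if len(value) != length:
            break
        attrs[attr_id] = value
        pos += 4 + length
    return attrs


def wps_status(ies):
    """Return a dict describing the AP's WPS advertisement, or None if there is no WPS IE."""
    for eid, body in iter_information_elements(ies):
        if eid == IE_VENDOR_SPECIFIC and body.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attributes(body[len(WPS_OUI_TYPE):])
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0]
            return {
                "state": WPS_STATE_NAMES.get(state, "Unknown"),
                "locked": locked == 1,
                "manufacturer": attrs.get(ATTR_MANUFACTURER, b"").decode("ascii", "replace"),
                "model": attrs.get(ATTR_MODEL_NAME, b"").decode("ascii", "replace"),
            }
    return None


def verdict(ies):
    """One-line assessment in the spirit of wash's output."""
    status = wps_status(ies)
    if status is None:
        return "no WPS IE: WPS is off (or not advertised)"
    if status["locked"]:
        return "WPS advertised but AP Setup Locked: PIN attempts will be refused"
    return "WPS advertised and unlocked: external-registrar PIN attack possible"


# --- constructed sample beacons (not captured from a real device) ---

def build_wps_ie(state, locked, manufacturer, model):
    def tlv(attr_id, value):
        return struct.pack(">HH", attr_id, len(value)) + value
    body = (WPS_OUI_TYPE
            + tlv(ATTR_VERSION, b"\x10")
            + tlv(ATTR_WPS_STATE, bytes([state]))
            + tlv(ATTR_AP_SETUP_LOCKED, bytes([1 if locked else 0]))
            + tlv(ATTR_MANUFACTURER, manufacturer)
            + tlv(ATTR_MODEL_NAME, model))
    return bytes([IE_VENDOR_SPECIFIC, len(body)]) + body


SSID_IE = bytes([0, 9]) + b"NETGEAR00"                   # element 0 = SSID
RATES_IE = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # element 1 = supported rates
BEACON_WPS_OPEN = SSID_IE + RATES_IE + build_wps_ie(2, False, b"NETGEAR", b"DGN2200v3")
BEACON_WPS_LOCKED = SSID_IE + RATES_IE + build_wps_ie(2, True, b"NETGEAR", b"DGN2200v3")
BEACON_NO_WPS = SSID_IE + RATES_IE

if __name__ == "__main__":
    for name, beacon in (("open", BEACON_WPS_OPEN), ("locked", BEACON_WPS_LOCKED), ("off", BEACON_NO_WPS)):
        print(f"{name:>6}: {verdict(beacon)}")
```

A beacon only shows what the AP chooses to advertise. An AP that has honoured “disable WPS” drops the IE entirely (the third sample); one whose lockout has tripped keeps the IE but sets AP Setup Locked (the second sample), which is the state Reaver Pro reports as intruder lockout.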
I'm going to preface with this quote:
(from https://forum.hashkiller.co.uk/topic-view.aspx?t=2715)
Quote:Each password is formed as follows: adjective + noun + 3 decimal numbers.
Here are some examples in case someone wants to try to build up his own dictionary (ESSID : key : model : mac : serial : loginusername : loginpassword : WPS / empty if unknown):
NETGEAR00 : mistymint902 : DGN 2200v3 : 100D7F34???? : : admin : password : 40408880
NETGEAR10 : imaginaryviolin590 : WNDR3400v3
NETGEAR12 : livelychair848 : WNDR4300 : 28C68E1854F3 : 36B1315X00585 : admin : password
NETGEAR25 : festiveflower225 : R6300 : : : admin : password : 81968220
NETGEAR29 : exoticbutter003
NETGEAR34 : sillybug772 : R6250 : 4494FC50B225 : : admin : password
NETGEAR35 : aquaticoctopus034 : R7000
NETGEAR37 : vastcoconut260 : WNDR3800 : : : admin : password
NETGEAR45 : blueprairie979 : : 4494FC?????? : BTA13??????4A : :
NETGEAR47 : heavybanana530 : DGN2200v4 : 28C68E8AB6E4
NETGEAR48 : breezysea672 : WNR220 : 008EF24B6ED8 : 2J74275T006AD : admin : password
NETGEAR53 : magicalwater421 : JNR3000 : 008EF28F4B64 : 2XS229B000001 : admin : password : 26168258
NETGEAR62 : friendlyjade842
NETGEAR70 : royalcheese478 : DGND4000 : 00BEF2??????: 34F128BN006FD : admin : password
NETGEAR70 : narrowjungle555 : WNDR3800 : 204E7F71704A : 2M81195F00171 : admin : password
NETGEAR89 : helpfultulip601 : WNDR3400v2 : 74440154701A / 744401547019 : *2NS21C77AA138* : admin : password
NETGEAR96 : huskyocean593 : R7000
NETGEAR99 : yellowtulip399 : WNDR3400v2 : 2CB05D3979AF / 2CB05D3979AE : *2NS2217X126DE* : admin : password
NETGEAR99 : imaginarytomato848 : WNDR3400v2 : : : admin : password
unknown : silkysky657
unknown : blackmoon339
unknown : helpfulflamingo578
Surewest-09 : oddviolin958 (provider is Surewest, manufacturer Netgear).
These kinds of keys are what this dictionary is for; I created it myself. I'm confident it should have a very high success rate, as the others I have tried weren't satisfying to me. The other dicts I tested against this example list above had mixed results; mine has a 100% success rate.
A couple points:
-I'm confident I found the EXACT adjective list that Netgear uses, this saves tons of space when combinator'd. It clocks in at only 8.8KB (1109 lines)
-I'm unsure of their exact noun list, but I pruned a comprehensive list from WordNet.
When used with combinator, the resulting file is 167 MB.
Total keyspace when using the dict + mask attack ?d?d?d = 10,926,977,000. A GTX 960 (at 90,000 H/s) can get through it in about 1 day 10 hours. THIS LIST IS NOT COMPILED WITH THE 3 NUMBERS AT THE END. IT'S MEANT TO BE USED WITH THE DICT + MASK ATTACK.
A quick way to test this dict against something you know would be (3 ending numbers omitted):
grep 'vastcoconut' NetgearKiller.dict
Feel free to use any/all/none of it, would love to hear the results:
https://drive.google.com/file/d/0By92_TZ...sp=sharing
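The post above describes a dictionary + mask attack against a passphrase grammar of adjective + noun + three digits. The following added example in Python is not part of the forum post and does not use the poster's NetgearKiller.dict: it models the attack with two tiny constructed word lists containing words from the post's own examples, computes the keyspace from list sizes and a hashcat-style mask, backs out the noun-list size implied by the post's numbers (1109 adjectives, 10,926,977,000 candidates), and simulates how far into the candidate stream a known key is found. The list contents, the 90,000 H/s rate and the target keys are taken from the post; everything else is an assumption of this example.

```python
# Added example: keyspace arithmetic and candidate generation for an
# adjective + noun + ?d?d?d default-passphrase grammar. Not the poster's tooling.
import itertools
import re

# Constructed stand-in lists (words from the post's examples), not the real dictionary.
ADJECTIVES = ["vast", "misty", "imaginary", "lively", "festive", "exotic", "silly"]
NOUNS = ["coconut", "mint", "violin", "chair", "flower", "butter", "bug"]
DIGIT_MASK = "?d?d?d"

POST_ADJECTIVE_COUNT = 1109          # size of the poster's adjective list
POST_KEYSPACE = 10_926_977_000       # keyspace the post quotes for dict + ?d?d?d
POST_HASH_RATE = 90_000              # H/s the post quotes for a GTX 960


def mask_size(mask):
    """Number of strings a hashcat-style mask covers (?d=10, ?l=26, ?u=26, ?s=33, ?a=95)."""
    sizes = {"d": 10, "l": 26, "u": 26, "s": 33, "a": 95}
    n = 1
    for ch in re.findall(r"\?(.)", mask):
        n *= sizes[ch]
    return n


def keyspace(n_adjectives, n_nouns, mask=DIGIT_MASK):
    """Candidates tried by combinator(adjectives, nouns) followed by a mask."""
    return n_adjectives * n_nouns * mask_size(mask)


def nouns_implied_by_post():
    """Back out the noun-list size from the two numbers the post gives."""
    return POST_KEYSPACE // (POST_ADJECTIVE_COUNT * mask_size(DIGIT_MASK))


def crack_time_hours(space, rate_hps):
    """Worst-case time to exhaust a keyspace at a given hash rate."""
    return space / rate_hps / 3600


def candidates(adjectives=ADJECTIVES, nouns=NOUNS):
    """Yield adjective+noun+3 digits in the order a combinator file fed to a ?d?d?d mask produces."""
    for adj, noun in itertools.product(adjectives, nouns):
        for n in range(1000):
            yield f"{adj}{noun}{n:03d}"


def matches_netgear_pattern(passphrase, adjectives=ADJECTIVES, nouns=NOUNS):
    """Split a known key into (adjective, noun, digits) if the lists cover it, else None."""
    m = re.fullmatch(r"([a-z]+)(\d{3})", passphrase)
    if not m:
        return None
    words, digits = m.groups()
    for adj in adjectives:
        if words.startswith(adj) and words[len(adj):] in nouns:
            return adj, words[len(adj):], digits
    return None


def dictionary_hit(passphrase, adjectives=ADJECTIVES, nouns=NOUNS):
    """Simulate the attack: position of passphrase in the candidate stream, or None if not covered."""
    for i, cand in enumerate(candidates(adjectives, nouns), 1):
        if cand == passphrase:
            return i
    return None


if __name__ == "__main__":
    print(f"post's implied noun count: {nouns_implied_by_post()}")
    print(f"post's keyspace at {POST_HASH_RATE} H/s: "
          f"{crack_time_hours(POST_KEYSPACE, POST_HASH_RATE):.1f} h worst case")
    print(f"toy lists cover {keyspace(len(ADJECTIVES), len(NOUNS)):,} candidates")
    for key in ("vastcoconut260", "mistymint902", "hunter2"):
        print(f"{key}: split={matches_netgear_pattern(key)} hit={dictionary_hit(key)}")
```

The numbers line up with the post: 1109 adjectives times 9853 nouns times 1000 digit combinations is exactly 10,926,977,000, and at 90,000 H/s that is about 33.7 hours, the “1 day 10 hours” quoted. In hashcat terms the post's attack is the hybrid wordlist + mask mode, `hashcat -m 22000 -a 6 <capture> NetgearKiller.dict ?d?d?d` on a current release (mode 22000 is assumed here; older releases used 2500 for WPA handshakes).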