17 – Revisited – using Wash and Reaver to bypass long WPA2 passphrases and attack WPS to bypass TKIP encryption this time

Ok, someone contacted me recently and said this did not work for TKIP and they couldn’t get it working, so this post is to show that TKIP can also be bypassed, and not just AES, when using ‘reaver’. Thanks for the feedback.

See here for the previous lesson on ‘reaver’ and ‘wash’ to bypass WPA2 AES encryption if you want more information on this attack.

You should note that this does not actually break the WPA2 AES/TKIP encryption algorithms; it undermines the inherent trust we place in Wi-Fi Protected Setup (WPS). WPS exists for convenience, so that people don’t need to enter long WPA keys, and in exchange we have introduced a weakness into our current security model and infrastructure that can be broken very easily.

Think of someone leaving a Raspberry Pi 2 like the one I am using, adding a battery to it and concealing it (or not) in a location near the access point they need to gain access to. The battery will last far longer than the assessment requires and also removes the risk involved in the on-line attack; automate the whole process and you don’t need to do anything else to it. You can also do this for normal wireless assessments against networks that don’t have WPS.

Anyway, first configure your router as follows:

[Figure 1 - router configuration]

Start monitor mode with airmon-ng. You don’t actually require your card to be in monitor mode for this assessment, but I like to check that the access point details are correct etc., so I just do it out of habit.

[Figure 2 - start airmon-ng]

Start airodump-ng to check your access point:

airodump-ng mon0 --bssid 00:18:E7:XX:XX:XX -c 6

“airodump-ng” runs airodump-ng
“mon0” is the interface of the card
“--bssid” is for the MAC address of the access point
“-c 6” is to run on channel 6

[Figure 3 - start airodump-ng and check your access point]

Output of airodump-ng below. Something else to note here is that no client is attached to the network we are recovering the WPS PIN from. You do not require any clients to be connected to the access point in order to carry out this attack; you are strictly communicating with the access point.

[Figure 4 - airodump-ng output]

Run wash:

wash -i mon0 -c 6

“wash” runs wash
“-i” is for the interface on which you want to capture packets, which is mon0
“-c” is for the channel to listen on, in this case 6

Explaining the output below

BSSID is our target access point MAC address
Channel 6 is the channel of our access point
RSSI is the received signal strength indication (a minus is a good thing here 😉)
WPS Version which is 1.0
WPS Locked tells you if the access point has been locked, for example due to too many attempts
ESSID is the network name of the access point

[Figure 5 - wash start check]

As before, just run “reaver” from the terminal for a full list of the switches available to you.
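Before moving on to reaver, it is worth turning the wash output columns described above (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) into something a network owner can audit: which of your access points still answer WPS requests and have not locked. The following is an added example and is not code from the original post or from the wash/reaver projects. It assumes the wash 1.x column layout described on this page (newer wash versions print different columns, so the regex is tied to that assumption), and the scan lines, including the header, are constructed with locally administered 02:… addresses rather than real ones.

```python
"""Parse a wash scan and report access points that still expose WPS.

Added example, not part of the original post. The column layout is an
assumption based on the wash 1.x table described on the page; the sample
scan below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

WASH_LINE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)

# Constructed sample scan (02:... addresses are locally administered, not real APs).
WASH_SAMPLE = """\
Wash v1.4 WiFi Protected Setup Scan Tool

BSSID                  Channel       RSSI       WPS Version       WPS Locked         ESSID
---------------------------------------------------------------------------------------------------------------
02:00:00:00:00:01       6            -45        1.0               No                 Lab AP
02:00:00:00:00:02       11           -71        1.0               Yes                Locked AP
02:00:00:00:00:03       1            -82        2.0               No                 Guest
"""


@dataclass
class WashEntry:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> List[WashEntry]:
    """Parse wash's table, skipping the banner, header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = WASH_LINE.match(line.strip())
        if not m:
            continue  # banner, column header, dashes or blank line
        entries.append(WashEntry(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            rssi=int(m["rssi"]),
            wps_version=m["version"],
            locked=m["locked"] == "Yes",
            essid=m["essid"],
        ))
    return entries


def unlocked_wps(entries: Iterable[WashEntry],
                 min_rssi: Optional[int] = None) -> List[WashEntry]:
    """Access points still answering WPS registrar requests: the ones to fix
    (disable WPS, or make sure lockout is enabled). min_rssi drops weak,
    distant APs that are probably not yours."""
    return [e for e in entries
            if not e.locked and (min_rssi is None or e.rssi >= min_rssi)]


def audit(entries: Iterable[WashEntry], known_bssids: Set[str]) -> dict:
    """Split a scan into exposed, locked and unexpected (not in inventory) APs."""
    entries = list(entries)
    known = {b.upper() for b in known_bssids}
    return {
        "exposed": [e.bssid for e in entries if not e.locked],
        "locked": [e.bssid for e in entries if e.locked],
        "unknown": [e.bssid for e in entries if e.bssid not in known],
    }


if __name__ == "__main__":
    scan = parse_wash(WASH_SAMPLE)
    for e in unlocked_wps(scan, min_rssi=-80):
        print(f"{e.bssid} ch{e.channel} {e.rssi} dBm WPS {e.wps_version} {e.essid!r}")
    print(audit(scan, known_bssids={"02:00:00:00:00:01", "02:00:00:00:00:02"}))
```

Feeding it a real capture is a matter of piping wash’s output to a file and passing the file’s contents to parse_wash; the known_bssids set is your own access point inventory, so anything in "unknown" is either a neighbour or an access point you did not know you had.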

“reaver” runs reaver
“-i” is to select the sniffing interface, in this case mon0
“-b” is followed by the target access point MAC address or BSSID
“-vv” is for very verbose output
“-w” is to mimic a Windows 7 registrar

reaver -i mon0 -b 00:18:E7:XX:XX:XX -vv -w

Excerpt from Stefan Viehbock’s paper; this explains how the WPS communication process works for design flaw #1:

[Figure 6.1 - explaining the process]
[Figure 6.2 - explaining the process]
[Figure 6.3 - explaining the process]
[Figure 6.4 - explaining the process]

You only need to recover seven digits, as the last is a checksum (and a ‘zero’); once the first four digits are authenticated you then only need a further three digits to get the correct PIN. This in effect makes the cracking process quite trivial to carry out with very little in the way of resources.

design flaw #2:

The brute-force attack then allows you to determine the PIN with a live attack over the air, as a received ‘EAP-NACK’ helps you determine whether the PIN is correct or not, in at most 11,000 attempts. The ‘EAP-NACK’ tells you whether the first or the second part of the PIN is correct: when you receive an ‘EAP-NACK’ after M4 or M6, that half is incorrect and the attempt is therefore unauthenticated.

[Figure 6.4.1 - explaining the process, version 2]

So when you look at the output from reaver below you may see it differently now:

[Figure 6 - start reaver]

I left it to run for the night again.

[Figure 7 - reaver finished TKIP]

The total time was 2 hours 01 minute, or ‘7250 seconds’ as you can see above. We can also see the PIN, PSK and AP SSID above, which is the sign of success!
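To make the two design flaws concrete, here is an added example (not code from the post, from reaver, or from Viehbock’s paper): an in-memory model of an access point’s registrar that validates the PIN halves separately, exactly the M4/M6 EAP-NACK behaviour described above, next to one that only answers for the whole PIN, plus a lockout knob standing in for the state wash reports as “WPS Locked”. Nothing touches a network; the “registrar” is a Python object with a constructed PIN, and the point is to reproduce the 11,000 figure from the text and to show why a lockout policy is the mitigation. The check-digit routine is the one from the WPS specification; the lockout_after parameter is an assumption of this model, not a real reaver or access point setting.

```python
"""Toy model of WPS registrar PIN validation.

Added example, not part of the original post. Shows why split-half
validation (EAP-NACK after M4/M6) collapses the search to 11,000 tries and
how a lockout stops it. All PINs below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Check digit for a 7-digit WPS PIN body (the WPS specification's algorithm)."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def search_space(split_halves: bool) -> int:
    """Worst-case number of candidates a search must try.
    Whole-PIN validation: 10^7 (eight digits, the last being the check digit).
    Split validation: 10^4 for the first half, then 10^3 for the second half
    (whose last digit is the check digit), tried independently."""
    return 10**4 + 10**3 if split_halves else 10**7


@dataclass
class Registrar:
    """In-memory stand-in for an access point's WPS registrar.

    split_halves=True mirrors the real protocol: an EAP-NACK after M4 means
    the first four digits were wrong, an EAP-NACK after M6 means the last
    four were wrong. lockout_after (a constructed policy knob) makes the
    registrar stop answering once that many failures have been seen."""
    pin: str
    split_halves: bool = True
    lockout_after: Optional[int] = None
    failures: int = 0
    queries: int = 0
    locked: bool = False

    def attempt(self, candidate: str) -> str:
        if self.locked:
            return "locked"            # no answer at all: the search learns nothing
        self.queries += 1
        if self.split_halves:
            if candidate[:4] != self.pin[:4]:
                result = "first_half_wrong"   # EAP-NACK after M4
            elif candidate[4:] != self.pin[4:]:
                result = "second_half_wrong"  # EAP-NACK after M6
            else:
                result = "ok"
        else:
            result = "ok" if candidate == self.pin else "wrong"
        if result != "ok":
            self.failures += 1
            if self.lockout_after is not None and self.failures >= self.lockout_after:
                self.locked = True
        return result


def recover_pin(reg: Registrar) -> Optional[str]:
    """Exhaustive search that relies on the split-half oracle.
    Returns the PIN, or None if the registrar locks up or never leaks a half."""
    first = None
    for i in range(10**4):
        half = f"{i:04d}"
        r = reg.attempt(half + "0000")  # second half is only a placeholder here
        if r == "locked":
            return None
        if r == "ok":
            return half + "0000"
        if r == "second_half_wrong":    # first half confirmed, stop here
            first = half
            break
    if first is None:                    # whole-PIN oracle: no half was confirmed
        return None
    for j in range(10**3):
        body = first + f"{j:03d}"
        candidate = body + str(wps_checksum(int(body)))
        r = reg.attempt(candidate)
        if r == "locked":
            return None
        if r == "ok":
            return candidate
    return None


if __name__ == "__main__":
    worst = Registrar(pin="99999995")              # constructed, valid check digit
    print(recover_pin(worst), worst.queries)       # 99999995 11000
    limited = Registrar(pin="12345670", lockout_after=10)
    print(recover_pin(limited), limited.queries)   # None 10
```

Against the split-half registrar the worst-case PIN falls in exactly 10,000 + 1,000 queries, which is the 11,000 figure above; against the whole-PIN registrar the same search confirms nothing and would need up to 10^7 tries, and with a lockout of ten failures the split-half registrar goes silent long before the first half is found. Real access points that implement lockout behave like the last case, which is what wash’s “WPS Locked” column is showing you.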

Lesson learned:

The reaver WPS attack may not work against all access points and you may run into issues. I tried this on my Netgear too and it timed out on me after a certain number of attempts; this needs to be researched further, but you just need to play around with the PIN attempts per second and some of the other options to get it to work. It’s also good to note that reaver will actually save your previous attempts, so you can even break the PIN over a few days if you need to space out your assessment for any reason. It’s not a good idea to have a ‘burned in’ eight-digit PIN as an access method to any system, especially when it is an easier way in than a big long passphrase: it allows you to bypass WPA/WPA2 encryption in a fraction of the time it would take to crack the passphrase after capturing the four-way handshake, and even then you need either a good word-list or a cloud service to try and crack the unknown faster than you otherwise could.


3 thoughts on “17 – Revisited – using Wash and Reaver to bypass long WPA2 passphrases and attack WPS to bypass TKIP encryption this time”

  1. Thanks Keith,
    very instructive, you demonstrated that TKIP is also vulnerable to a Reaver attack (on selected routers of course; recent firmwares apply countermeasures).
    As you probably know, currently the state of the art is the Pixie attack (included in a special Reaver fork by t6x).
    The tool is still improving thanks to social collaboration; I think you will find it really useful to follow this live thread on the subject:


    For sure, a detailed lesson on this cool topic will also be appreciated.
    Thx again, it’s a pleasure to read you.

    1. Hi leverage,

      I think I may be going beyond the scope of what I had originally set out to do here now but I am having fun with it 🙂

      I agree with you that this will only work on certain vulnerable routers and that firmware can apply countermeasures to this form of attack; the use of wash, however, is a good way to find out if a router is vulnerable.

      I have been reading about the Pixie attack and also mentioned it in the previous post here.

      Thanks for the link on the Kali forum, it looks like something I will definitely play around with in the future but for now I have to focus on other things first.

      Thank you for the kind comments.
