Backtrack - Quick break into a router, if you know the WPS PIN 10-10-2013, 09:37 AM
#1
Let's assume this situation: you have successfully cracked some WPA/WPA2 password with Reaver or another method, and you have found the victim's router with the default login/password. So far you have been inside and of course you took note of pretty much everything in the router configuration, including the current WPS PIN number. Now, let's suppose you somehow got detected and the victim asks some 'expert' friend to change his WPA/WPA2 password. If you need to break the new WPA/WPA2 password again, here is a quick way without waiting for Reaver to break it again, assuming the PIN wasn't changed.
Believe me, in 90% of cases it won't be; people just tend to think that if a router is in their room, it is theirs :-)
So we'll use the PIN we know to associate via WPS and of course to get the new WPA/WPA2 PSK. Here is how:
1. Open text editor in Backtrack and write:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
Save it as /etc/wpa_supplicant.conf
2. Start wpa_supplicant in daemon mode:
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B
3. Run wpa_cli, and verify that it's working by issuing the command status. You should see wpa_state=INACTIVE
wpa_cli
4. Now, let's add the victim's router BSSID and PIN:
wps_reg xx:xx:xx:xx:xx:xx 12345678 (substitute 12345678 with the PIN you know)
You should see an "OK". Wait a few more seconds as wpa_supplicant picks up the BSSID and tries to associate and perform key negotiation. What you want to see is CTRL-EVENT-CONNECTED, which will indicate that the PIN was accepted and that you're now associated.
At this point, if you were to exit wpa_cli, you could run dhclient on wlan0 and would be offered an IP from the AP, assuming DHCPd were enabled. Now you can use the Internet through the victim's router.
Go ahead and type the command save, which should output another "OK". This will update the wpa_supplicant.conf file, as specified from the command line, with a static configuration for this new network.
5. Verify with:
cat /etc/wpa_supplicant.conf
If all went well, you should have a line in wpa_supplicant.conf under this new network titled psk.
Happy hacking, and don't forget to enable WPS association in every router you enter, if it is disabled. This will be one of your backdoors ;-)