Automated Wireless Network Penetration Testing

Using Wifite and Reaver

Aparicio Carranza, PhD1, Josue Magallanes1, Casimer DeCusatis, PhD2 and Javier Espinal1
1
The New York City College of Technology – CUNY, USA, [email protected], [email protected]
2
Marist College, USA, [email protected]

Abstract– Wireless access points are susceptible to many types

of cybersecurity attacks. In particular, by attacking the Wi-FI
Protected Setup (WPS) passcode using a brute force dictionary
attack, it is possible to circumvent the use of password-based
network encryption and gain access to the wireless network content.
In this tutorial paper, we investigate penetration testing of wireless
networks using open source tools which have been automated in
Kali Linux, including Wifite and Reaver. Traffic on wireless
networks which have been compromised in this manner are further
analyzed using the Wireshark network protocol analyzer.
Keywords—Kali Linux, Penetration Test, Wi-Fi Protected
Setup (WPS).

Digital Object Identifier (DOI):

http://dx.doi.org/10.18687/LACCEI2017.1.1.64
ISBN: 978-0-9993443-0-9
ISSN: 2414-6390

15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States.
 Automated Wireless Network Penetration Testing
Using Wifite and Reaver
Aparicio Carranza, PhD1, Josue Magallanes1, Casimer DeCusatis, PhD2 and Javier Espinal1
1
The New York City College of Technology – CUNY, USA, [email protected], [email protected]
2
Marist College, USA, [email protected]
Abstract– Wireless access points are susceptible to many types
of cybersecurity attacks. In particular, by attacking the Wi-FI
Protected Setup (WPS) passcode using a brute force dictionary
attack, it is possible to circumvent the use of password-based
network encryption and gain access to the wireless network content.
In this tutorial paper, we investigate penetration testing of wireless
networks using open source tools which have been automated in
Kali Linux, including Wifite and Reaver. Traffic on wireless
networks which have been compromised in this manner are further
analyzed using the Wireshark network protocol analyzer.
Keywords—Kali Linux, Penetration Test, Wi-Fi Protected
Setup (WPS).
I. INTRODUCTION
Wireless routers serving as network access points have
become a ubiquitous way to connect mobile devices to the
Internet [1]. Unfortunately, these devices also suffer from a
number of cybersecurity vulnerabilities, which necessitates
penetration testing of common wireless networks [2]. In
particular, most wireless routers support a one-click
configuration option for creating a secure wireless connection
known as Wi-Fi Protected Setup (WPS). Created by the Wi-Fi
Alliance in 2006, this feature was intended to allow home
users with little or no security background to set up a protected
Wi-Fi connection, and make it easier to add new devices to an
existing network. This feature doesn’t require access to the
router configuration management interface, or the wireless
network password and security key [3]; instead, it relies on an
8 digit passcode which is unique for each device joining the
network [4]. In 2011, it was first reported that this passcode
was susceptible to brute force attacks; because the passcode is
relatively short and consists only of numbers, it can be cracked
quite quickly (anywhere from a few minutes to a few hours
[5]). Since many devices using WPS allow devices to be
added to the network either by pressing a physical button on
the router or entering a default access code printed on the
router, it’s important to provide some level of physical
security around the router. In this paper, we will focus on
versions of the attack which can be executed remotely,
without physical access to the device (either in real time over a
network or offline). This attack requires that WPS is enabled
on the router, and that the attacker knows the Set Service ID
(SSID) of the network (which can often be easily obtained
through other means).
Digital Object Identifier (DOI): http://dx.doi.org/10.18687/LACCEI2017.1.1.64
ISBN: 978-0-9993443-0-9
ISSN: 2414-6390
15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States.
While this attack has been demonstrated previously using
custom software tools, available from only a few specific
locations, recently the tools required to perform such attacks
were automated and combined with the open source Kali
Linux distribution. We investigate the use of Kali Linux for
penetration testing of wireless networks using two different
automated password cracking tools (Wifite and Reaver); if we
are successful in gaining access to the network, then we will
proceed to examine network traffic using the open source
network packet analyzer Wireshark (which is also built into
Kali Linux). Wifite is a password cracking tool which attacks
WEP and WPA encrypted networks, and can also crack WPS
passcodes [6]. Reaver is designed to perform a brute force
attack against WPS passcodes, and will also work on
WPA/WPA2 encrypted networks [7]. Both tools allow us to
customize our attacks using different password dictionaries.
The remainder of this paper is organized as follows: Section 2
describes our Penetration Testing Environment. Section 3
presents a tool within Kali Linux called wifite. In section 4,
another tool called reaver is presented which by design is to
perform brute force attacks on an 8 digits WPS passcode.
Section 5 presents the use of wireshark to capture wireless
network traffic from the identified network for further
analysis. Section 6 presents the concluding remarks.
II. PENETRATION TESTING ENVIRONMENT
Wireless penetration testing requires both a dedicated
server running Kali Linux (with a compatible wireless adapter
[8]) and a WPS-enabled router. We downloaded Kali Linux,
which is open source [9], and burned it onto a flash drive to
facilitate installation on the testing server. Specifically, we
used the Wifite, Reaver, and Wireshark tools for this testing.
Any standard Wi-Fi router can be used for the testing; we
configured the router through a local connection rather than
using the wireless control plane. Router configuration
requires obtaining the appropriate default gateway of the
router in order to obtain the configuration page address,
logging into the router configuration page and changing both
the SSID and password, and finally enabling WPS. First, we
obtain the gateway router’s default IP address by issuing the
ipconfig command at the local host command line shell. We
can then access the router settings from any standard web
browser, using the manufacturer’s factory default userid and
password (commonly both are set to “admin”). Under the
wireless settings menu, we can change the SSID to be
1
compatible with the network under test. The WPS features can
be enabled under the advanced wireless settings menu.

A cryptographically random 8 bit WPS can provide up to 108

unique passcodes (100 million combinations). However, WPS
is actually weaker than that. The last digit of a WPS passcode
is a checksum for the previous seven digits, leaving 107unique
combinations (10 million). Further, when a device is being
enrolled into the network, the registrar verifies the value of the
first four bits separately from the verification of the last three
bits. As shown in Figure 1, there are only 10,000 unique
combinations in the first four bits of the passcode, and 1,000
unique combinations in the next three bits. This is a reduction
by three orders of magnitude from the complexity of the
original passcode. Since the two halves of the passcode are
validated independently, it is possible to recover the passcode
in no more than 11,000 guesses. The ease of exploiting this
vulnerability depends on how WPS is implemented, since
some manufacturers slow down or disable WPS after several Figure 2 - Initial target scanning using Wifite
consecutive failed passcode attempts. Generally speaking, it
should be possible to crack the WPS passcode in under four Results of a typical scan are shown in Figure 3. Each network
hours, and in some cases it can be cracked within minutes. is assigned a unique numerical identifier (NUM) and name
There are several possible defenses against this attack [10]. If (ESSID). The ENCR entry indicates what type of encryption
the manufacturer detects when a brute force attack is in is being used on the network, POWER provides the signal
process and disables the passcode for an extended period of strength in dB, and the WPS field indicates whether this
time, the attack may become impractical. Disabling WPS protocol is enabled.
would theoretically block this attack, however since WPS was
designed to make router configuration quick and easy, many
devices make it impossible to turn off WPS. In some
implementations, disabling WPS in the router configuration
menu does not actually turn the feature off, leaving the device
vulnerable to attack. Some of these devices have issued
firmware patches to fully disable WPS, but despite these
precautions many Wi-Fi routers remain exposed to this attack.
A thorough penetration testing scheme will allow us to find
and correct this vulnerability.

Figure 1 – Numeric fields in a WPS passcode

III. WIFITE
Within Kali Linux, the Wifite tool may be accessed either
through the applications menu (under wireless attacks/wifite)
or by invoking wifite from a command line prompt. When the
tool is opened, it automatically begins scanning for available
wireless networks in the vicinity, as shown in the screen
capture of Figure 2.
Figure 3 – Output of a typical Wifite scan
The Wifite tool can conduct exhaustive keyword searches,
otherwise known as brute force or dictionary attacks. The tool
includes lists of the most commonly used passwords, or the
user can provide their own dictionary list. We invoke a
dictionary attack against one of the networks (preferably one
with WPS enabled and a high signal strength) using the
command wifite –dict /usr/wordlists/fern-wifi/commontxt.

15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States. 2
Note that the –dict option allows us to specify the location of a
password list to be used in the attack.

Figure 4 – Output from a successful Wifite attack

In some cases, this approach can compromise a wireless

network very quickly. As shown in Figure 4, we were able to
successfully break into WPS and recover the WPA password
for the wireless network under test in about 20 seconds.
IV. REAVER
The Reavertool is designed to perform brute force attacks on
an 8 digit WPS passcode. Upon successfully guessing the
passcode, it also retrieves the WPA / WPA2 passcode,
granting access to the entire Wi-Fi network. Reaver can be
launched either via the Kali Linux GUI (by clicking the
“Show Application” Icon, then navigating to the “Wireless
Attacks” section and clicking on the Reaver icon), or simply
by entering “reaver” in a command line terminal shell. Either
approach leads to a menu of commands as shown in Figure 5.
The first time Reaver is used, a folder in the root directory
must be created to hold the dictionary files; if needed, this can
be done through the command line interface by entering
mkdir /etc/reaver.
Figure 6 - Output of various airmon-ng commands and
arguments
Entering the airmon-ng command lists the interface status of a
device, including its driver and chipset, which allows us to
verify that the device is suitable for penetration testing using
Reaver. If the device has any other chipsets enabled, their
drivers can be temporarily disabled by using the rmmod
command. It is recommended to disable any unnecessary
chipsets or background processes which may interfere with the
testing. Entering the airmon-ng command with the “start
<interface>” argument allows us to start a specific interface,
and indicates where monitor mode is currently enabled (see
Figure 6, where monitor mode wlan1mod is enabled and
highlighted with a green box).

Figure 5 - Reaver’s command list upon launching the

application
Figure 7 - Nearby wireless networks discovered by Reaver

15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States. 3
Typing the command “wash -i“ allows the user to specify an
interface to use for packet capture. Adding the optional
argument – c specifies that the capture should ignore any
frame checksum errors (FCS). The output of this command
will list all the wireless networks within range of the Kali
Linux machine, as shown in Figure 7. We can select the
ESSID of a wireless network that we wish to test, and make
note of the BSSID for that network (the chipset identified by
the wireless access point’s 48 bit MAC address).
rogue access point, both the access point (enrollee) and client
device (registrar) need to prove they know the passcode.
Consequently, hashed versions of the passcode elements are
transmitted between the enrollee and registrar. When the two
nonces used in this process are known, the original passcode
can be recovered by Reaver in a matter of minutes.
V. WIRESHARK
Using Wireshark, we can capture wireless network traffic
from the networks identified in the prior sections for further
analysis. With the appropriate network selected, we can
capture traffic from the device under test as it attempts to
access the Internet, using the port filter tcp.port ==80to
identify HTTP protocol traffic as shown in Figure 9. In this
test, we can identify packets associated with the wireless
device’s web browsing history (including names of the
websites visited); such packets will include the keyword GET
as part of the packet information listed.

Figure 8 - The Reaver tool running a brute force attack

against the WPS passcode

Finally, by entering the command “reaver”, we can launch a

brute force attack against the selected network as shown in
Figure 8. The “reaver” command may include the arguments -
Figure 9 - Wireshark scan of HTTP traffic after
i (specifying the interface), -b (specifying the MAC address),
compromising the WPS passcode
and -d (which allows the user to delay between successive
guess attempts, since consecutive attempts can force the router
In our testing, we attempted to run Wireshark and Kali Linux
to lock its interface). Other command options include –s
in a virtual machine under the VMware environment.
which utilizes smaller keys in an effort to improve the time
Unfortunately, VMware does not support all types of wireless
required to decipher a message once the passcode is selected.
NICs; for an unsupported NIC, we found that VMware
The –N option disables transmission of NACK messages
defaults to treating the wireless NIC as a standard Ethernet
(which negate a previously received packet). The –vv option
connection, which means that some tools such as Wifite and
displays non-critical warning messages.
Reaver do not recognize any wireless networks in the vicinity.
There are several possible solutions for this issue. First, we
Reaver can also be used to automate the so-called Pixie
can run Kali Linux as a live boot or dual boot, or use a
Dust attack, an offline brute force attack first demonstrated in
bootable USB adapter when running under VMware. Second,
2014 which only works for the default WPS implementation
an external wireless card will not be improperly identified by
on chipsets from Broadcom, Realtek, MediaTek, and Ralink.
VMware, unlike a built-in wireless NIC. We can also
For these implementations of WPS, there is a lack of
manually configure VMware to access a wireless NIC, using
randomization for the nonces used to protect both halves of
the Virtual Network Editor in VMware (the “bridged to:”
the passcode. To prove that the client is not connected to a

15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States. 4
menu option allows configuration of the current wireless
card). The default Bridged connection should be changed to
Custom, and this problem can be avoided.

VI. CONCLUSION

This paper explored the use of automated brute force

exhaustive dictionary attack tools, Wifite and Reaver, in
compromising the WPS passcode; network traffic can then be
monitored using Wireshark. These tools are included in the
open source Kali Linux distribution. Both tools were able to
successfully compromise a WPS passcode and related WPA
passwords, enabling us to view network traffic using
Wireshark. Both tools provided an automated, easy to use
penetration test, although Reaver offers a more basic graphic
user interface and a richer set of command line options.

REFERENCES
[1] E. Geier, "Secure Your Home Or Office Wi-Fi." PCWorldvol30.4 pp. 33-
34 (2012)
[2] P. Joaquin, L. Colunga, and R. Gomez. “Routerpwn - One Click Exploits,
Generators, Tools, News, Vulnerabilities, Poc, Alerts.” Routerpwn - One
Click Exploits, Generators, Tools, News, Vulnerabilities, Poc,
Alerts, http://routerpwn.com/about/ (last accessed December 8, 2016)
[3] D.W. Dieterle, Basic Security Testing with Kali Linux, CreateSpace
Independent Publishing (March 2016)
[4] A. Johns, Mastering Wireless Penetration Testing for Highly Secured
Environments, Birmingham, UK, Packt Publishing Limited (2015).
[5] “Alert (TA12-006A).” Wi-Fi Protected Setup (WPS) Vulnerable to Brute-
Force Attack, https://www.us-cert.gov/ncas/alerts/ta12-006a (last
accessed December 8, 2016)
[6] “Wifite Package Description.” Http://tools.kali.org/ (last accessed
December 8, 2016)
[7] M. Alamanni, Kali Linux Wireless Penetration Testing Essentials,
Birmingham, UK, Packt Publishing Ltd. (2015).
[8] “Best Kali Linux Compatible USB Adapter / Dongles 2016.”
WirelesSHack, http://www.wirelesshack.org/best-kali-linux-
compatible-usb-adapter-dongles-2016.html (last accessed December
8, 2016)
[9] “Kali Linux Downloads.” Kali Linux, www.kali.org/downloads/ (last
accessed December 8, 2016)
[10] M. Gregg, The Network Security Test Lab: a Step-by-Step Guide,
Indianapolis, IN, John Wiley &Sons, Inc. (2015)

15th LACCEI International Multi-Conference for Engineering, Education, and Technology: “Global Partnerships for
Development and Engineering Education”, 19-21 July 2017, Boca Raton Fl, United States. 5