How to get the PSK or Password of a WiFi network if you have the WPS Pin
About: I have previously discussed how easily a router that has WPS enabled can be hacked. You can check out my post on how to perform a Pixie Dust Attack and attempt to grab a WPS pin from an unsecured router. The attack takes a matter of seconds, not days, and will expose your WiFi password. It doesn’t matter whether you are using WPA or WPA2 security, since the WPS pin completely bypasses it. Since you already have the WPS Pin you should be able to connect to the user's SSID, but you will not know their network password. The method I will show you today will expose their SSID password. If you have their SSID password, they may be using the same password for Facebook or Google or any other website.
A little knowledge about WPS. WPS stands for Wi-Fi Protected Setup and it is a wireless networking standard that tries to make connections between a router and your wireless devices faster and easier. It only works for wireless networks that have WPA/WPA2 security. It is supposed to make it easier to connect devices without a keyboard, like a TV, to your home network. Most routers come with WPS enabled; it works by pushing the WPS button on your router and then connecting your device. I personally had never heard of WPS before doing this research and have never used it in my personal life.
Objective: To demonstrate how to retrieve the PSK (password) of a WiFi network if you have the WPS Pin
Material: You will need the following:
- Raspberry Pi (I have PwnPi 3.0 running on mine)
- USB WiFi Adapter – I used the Panda USB WiFi adapter in this tutorial
- PwnPi or Kali Linux distro on your Raspberry Pi or Linux machine
- WPS Pin for the network whose PSK (password) you are attempting to retrieve
Instructions: I am using the PwnPi distro on my Raspberry Pi, which has the tools I will need to get the PSK of the victim's WiFi. All you really need is wpa_supplicant and wpa_cli installed on your distro to expose the PSK, so PwnPi or Kali isn't strictly necessary if you install those packages separately.
As stated earlier, I will assume you already have the WPS Pin of the network you want to grab the PSK from. We need to start by putting our wireless interface into monitor mode using airmon-ng start <wireless interface>. My wireless interface is wlan0; use iwconfig to find yours. If you run the command below and airmon-ng reports that certain processes are running and may interfere, you can either kill them manually or run 'airmon-ng check kill', which will check for those processes and kill them automatically.
airmon-ng start wlan0
This should create a monitor interface on 'mon0'. Now we will use wash to find access points in our area that have WPS enabled. Simply run 'wash -i <monitor-interface>':
wash -i mon0
Go ahead and write down the BSSID of the Access Point that you have the WPS Pin for. We will need this in our next step. In this tutorial I will be gaining access to my own network. The SSID for my network is 'dayz' and I will write down '9C:D3:6D:02:3A:E0' as my BSSID.
Now we will use wpa_supplicant to connect to our Access Point manually and grab the PSK. Let's start by configuring our wpa_supplicant.conf file.
This should open up the .conf file; add the following lines. Note: your file may be empty, which is not a problem.
Hit CTRL+X to save the file and exit. We will now start wpa_supplicant with the following command:
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B
You may get some 'invalid argument' errors, but that's okay. Leave this window open and open a new terminal or ssh window. We will now run wpa_cli and enter commands manually.
You should now get a command prompt where you can enter commands. Type 'status' and you should see 'wpa_state=INACTIVE' returned. Next we will supply our BSSID from earlier and the WPS Pin that you already have. Type the following command into wpa_cli: 'wps_reg <BSSID> <Pin>'
wps_reg 9C:D3:6D:02:3A:E0 29066810
This should take a few seconds and attempt to associate with the Access Point. We are looking for a 'CTRL-EVENT-CONNECTED' event to be returned. When we see this we know that our Pin was accepted and we are associated with the Access Point. When this is complete, hit CTRL+C to exit wpa_cli. We will now run dhclient to get an IP address assigned to us in case one was not automatically assigned. Run the following command:
Now return to wpa_cli and type 'save', which should return 'OK'. This writes the network block, including the PSK, to our wpa_supplicant.conf file. Now we can exit wpa_cli again by typing CTRL+C. Read the wpa_supplicant.conf file with the following command and look for the PSK.
As you can see my PSK is ‘www.kamilslab.com’.
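Since the whole walkthrough above depends on WPS being left on, here is a small shell audit (added here, not code from the original post) that parses `iw dev <iface> scan` output and lists which of your own access points still advertise WPS and a PIN-capable config method, so you can verify that WPS is really disabled after turning it off in the router. The `iw` field names are an assumption and the scan sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit `iw dev <iface> scan`
# output for access points that still advertise WPS, so the owner of a
# network can confirm the PIN-to-PSK path described above is closed. Turning
# WPS off (or at least its PIN / external-registrar mode) in the router is
# the mitigation. The field names below follow the text `iw` prints for the
# WPS information element (assumption); the scan sample is constructed.

# wps_audit: reads `iw` scan output on stdin and prints, for every BSS that
# carries a WPS element:  <bssid> <ssid> <wps state> <pin|nopin> <config methods>
wps_audit() {
    awk '
        # each BSS block starts with "BSS <mac>(on <iface>)"
        /^BSS / {
            emit()
            bssid = $2; sub(/\(.*$/, "", bssid)
            ssid = "<hidden>"; state = ""; methods = "-"
        }
        /^[ \t]*SSID:/ {
            ssid = $0; sub(/^[ \t]*SSID: ?/, "", ssid)
            if (ssid == "") ssid = "<hidden>"
        }
        /Wi-Fi Protected Setup State:/ { state = $NF; gsub(/[()]/, "", state) }
        /Config methods:/ { methods = $0; sub(/.*Config methods: /, "", methods) }
        END { emit() }
        # Label, Display and Keypad are PIN-based config methods; PBC is push-button only
        function emit() {
            if (bssid != "" && state != "")
                print bssid, ssid, state, (methods ~ /Label|Display|Keypad/ ? "pin" : "nopin"), methods
        }
    '
}

# Constructed scan sample: one AP with WPS configured and a PIN method, one without WPS.
SCAN_SAMPLE='BSS 9c:d3:6d:02:3a:e0(on wlan0)
	freq: 2437
	SSID: dayz
	WPS:	 * Version: 1.0
		 * Wi-Fi Protected Setup State: 2 (Configured)
		 * Config methods: Label, PBC
BSS 00:11:22:33:44:55(on wlan0)
	freq: 2462
	SSID: office
	RSN:	 * Version: 1'

# wps_audit_sample: runs the audit over the constructed sample
wps_audit_sample() {
    printf '%s\n' "$SCAN_SAMPLE" | wps_audit
}

wps_audit_sample
```

On a live box replace the sample with `iw dev wlan0 scan | wps_audit` (needs root); any line marked `pin` is an AP where a known or guessed PIN yields the PSK exactly as shown above.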
That’s it, you now know the PSK or password of the access point you are connected to. Again, if you know who owns the WiFi access point you can try and use this password on people’s accounts like Facebook, Google, or any other website. Many people use the same password for multiple websites.
If you have any questions please post a comment below.