Last week I posted an article on my blog about how to crack a network by brute forcing the WPS service on modern routers. See article here: http://insanitypop.com/2012/01/how-to-hack-eircom-upc-internet-wpa-wpa-2-cracking-with-reaver/.
Anyway, I have been getting a few private messages from readers asking whether there is a way to identify these networks without performing the brute-force attack, to save time and resources when war driving. With that in mind, here are a few shell commands to help you find WPS-enabled networks.
The wash tool is what identifies WPS services. It is written by Tactical Network Solutions (TNS) and ships with Reaver. The original package had a spelling error in the name, so if you are using an old version of Reaver you may need to replace every occurrence of "wash" below with "walsh". For this post I will be showing wash commands.
In BackTrack 5 (R1), open a new terminal window (shell) and run wash with its help flag (wash -h). You will see something like the following printed on your screen, listing the available options:
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

Required Arguments:
	-i, --interface=                     Interface to capture packets on
	-f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
	-c, --channel=                       Channel to listen on [auto]
	-o, --out-file=                      Write data to file
	-n, --probes=                        Maximum number of probes to send to each AP in scan mode
	-D, --daemonize                      Daemonize wash
	-C, --ignore-fcs                     Ignore frame checksum errors
	-5, --5ghz                           Use 5GHz 802.11 channels
	-s, --scan                           Use scan mode
	-u, --survey                         Use survey mode [default]
	-h, --help                           Show help
To survey for WPS-enabled networks, run wash against your monitor-mode interface (replace mon0 with the name of your own monitor interface):
wash -i mon0
In some cases wash will print the following warning instead of listing networks. wash drops any frame whose checksum (FCS) does not verify, so on a driver that reports the FCS incorrectly every frame is discarded and you see only:
Found packet with bad FCS, skipping...
Tell wash to ignore frame checksum errors with --ignore-fcs (short form -C, as listed in the help output above):
wash -i mon0 --ignore-fcs
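The two steps above (run the survey, fall back to --ignore-fcs when the bad-FCS warning appears) still leave you reading the table by eye. The following script is an added example, not code from the original post or from the Reaver project: it filters wash's survey table down to the access points whose WPS Locked column says No, and checks a run's output for the bad-FCS warning so you know to repeat it with -C. The sample outputs embedded in it are constructed to look like wash v1.4's table (columns BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID); the scan_unlocked wrapper assumes that the file written by -o carries the same table wash prints on screen.

```shell
#!/bin/sh
# Added example (not part of the original post): post-process wash output.

# Constructed sample of a wash v1.4 survey, standing in for real output.
SAMPLE_WASH_OUTPUT='Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
00:11:22:33:44:55       6            -41        1.0               No                eircom1234
66:77:88:99:AA:BB      11            -60        1.0               Yes               UPC123456
22:33:44:55:66:77       3            -55        1.0               No                Coffee Shop WiFi
CC:DD:EE:FF:00:11       1            -75        1.0               No                home-net'

# Constructed sample of a run where the driver reports every frame with a bad FCS.
SAMPLE_FCS_OUTPUT='Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...'

# Read a wash table on stdin; print "BSSID Channel ESSID" for each AP whose
# WPS Locked column is "No". A locked AP refuses PIN attempts, so it is not
# worth pointing Reaver at until it unlocks.
unlocked_wps() {
    awk '
        # Data rows begin with a MAC address; this skips the banner, the
        # column header, the dashed rule and any [!] warning lines.
        $1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ && $5 == "No" {
            # The ESSID may contain spaces, so rebuild it from field 6 onward.
            essid = $6
            for (i = 7; i <= NF; i++) essid = essid " " $i
            print $1, $2, essid
        }
    '
}

# Exit 0 if the wash output on stdin contains the bad-FCS warning quoted in
# the post, i.e. the run should be repeated with -C / --ignore-fcs.
needs_ignore_fcs() {
    grep -q 'Found packet with bad FCS'
}

# Real run (not executed here): survey IFACE, save the table with -o, then
# list the unlocked APs. Any further arguments (for example -C) are passed
# straight to wash. Usage: scan_unlocked mon0 wash.txt -C
scan_unlocked() {
    iface="$1"
    out="$2"
    shift 2
    wash -i "$iface" -o "$out" "$@"   # press Ctrl-C once enough APs are listed
    if needs_ignore_fcs < "$out"; then
        echo "bad-FCS warnings seen: rerun with -C / --ignore-fcs" >&2
    fi
    unlocked_wps < "$out"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_WASH_OUTPUT" | unlocked_wps
```

Run it as-is to see the filter applied to the constructed sample; for a real survey, source the script and call scan_unlocked with your monitor interface. Matching on the WPS Locked column rather than just on the presence of a row is the point: wash lists every AP that advertises WPS, locked or not.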
So that's it, pretty simple, right? One thing to check in the output: wash prints a WPS Locked column. An access point showing Yes there has locked its WPS registrar (typically after too many failed PIN attempts) and will not accept PIN guesses until it unlocks, so skip those. Done this way, a survey should save you plenty of time compared with hitting every WPA network in your area to find a vulnerable one.