Finding WPS enabled Wifi Networks with Kali Linux Wash


Kali Linux Wash is a tool to find WPS enabled routers in your area. A lot of routers support Wifi Protected Setup (WPS) and it’s likely enabled by default by your internet service provider or by the router manufacturer. Like UPnP, it is an insecure feature that makes your wireless network more vulnerable to certain attacks. Pixie dust vulnerable routers with WPS turned on for example, can be cracked in a matter of seconds. Make sure to disable it in your router settings to avoid attacks like these. In this tutorial we’re going to use Kali Linux Wash to scan for WPS enabled networks in the area. Wash can also be used to determine whether an access point is locked or not. A lot of routers tend to lock WPS when the PIN is being brute forced with a tool like Reaver, usually after 5 or 6 attempts. Unlocking WPS has to be done manually in the administrator interface of the router.

It might be needless to say but Wifi networks with WPS disabled are less likely to be the target of a hacker because the easiest and fastest ways of hacking the wireless network are ruled out. Without the possibility of WPS related attacks the attacker is left to more time consuming ways to hack your Wifi network, like capturing handshakes and brute force these or more advanced ways. Turning WPS off in combination with a strong wireless network password will keep out most attackers.

Let’s put the wifi interface in monitoring mode using:

airmon-ng start wlan0

14-08-2015 update

For anyone getting the following error in Kali Linux 2.0:

[X] ERROR: Failed to open ‘wlan0mon’ for capturing

try this as a solution:

1. Put the device in Monitor mode Airmon-ng start wlan0
2. A monitoring interface will be started on wlan0mon
3. Use iwconfig to check if the interface MODE is in managed mode, if so then change it to monitor instead of managed with the following commands:
ifconfig wlan0mon down
iwconfig wlan0mon mode monitor
ifconfig wlan0mon up
4. iwconfig check if the mode is monitoring mode now
8. airodump-ng wlan0mon

If necessary kill the mentioned processes which could disturb the scanning process using the following command:

kill [pid]

Use the following command to start Kali Linux Wash:

wash -I [monitoring interface]

Wash gives you an overview of wireless networks in range and tells you if WPS is locked or not. Press control + C to exit Wash and return to your command line.

Wash WPS locks

Kali Linux Wash video tutorial

Thanks for watching and it would be awesome if you subscribed to my YouTube channel :)

Wireless Hacking Banner

If you’re interested in learning more about WiFi hacking, Wireshark, hacking tools and wireless in general, you can follow any of these online courses:

Online Hacking Courses

Virtual Hacking Labs - Penetration testing lab

Learn Wi-fi Hacking/Penetration Testing From Scratch

This course contains 50 Videos to learn practical attacks to test the security of Wi-fi and wired networks from scratch using Linux. Read more…

ARP spoofing & Man In The Middle Attacks Execution & Detection

Learn practical attacks to test the security of clients connected to a network and how to protect against these attacks. Read more…




    Hello there,

    I am using ALFA AWUS036ACH wifi adaptor. I use the command
    iwconfig wlan0 mode monitor

    to start the monitor mode. Then when I run:


    it shows around 10 to 15 Access Point. But when I run:

    wash -i wlan0

    I only see 2 access points.

    Could you please advise what seems wrong?

Leave A Reply