Diclaimer: This article is just for educational purpose.Please don't misuse it.
Overview: Reaver-wps performs a brute force attack against an access point’s WiFi Protected
Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and
alternately the AP’s wireless settings can be reconfigured. This post outlines the
steps and command that helps cracking Wifi WPA/WPA2 passwords using.Reaver-WPS.
While Reaver-wps does not support reconfiguring the AP, this can be accomplished
with wpa_supplicant once the WPS pin is known.
Readers, note that I’ve since written another post where I could crack a password in
14.21 seconds. using pyrit cowpatty and WiFite combination attack with
dictionary.The whole process takes less than 10 minutes.
Those who would like to try more ways of cracking Wifi WPA WPA2 passwords, you
can also use HashCat or cudaHashcat or oclHashcat to crack your unknown Wifi
WPA WPA2 passwords. The benefit of using Hashcat is, you can create your own rule
to match a pattern and do a Brute-force attack. This is an alternative to using
dictionary attack where dictionary can contain only certain amount of words but a
brute-force attack will allow you to test every possible combinations of given
charsets. Hashcat can crack Wifi WPA/WPA2 passwords and you can also use it to
crack MD5, phpBB, MySQL and SHA1 passwords. Using Hashcat is an good option as
if you can guess 1 or 2 characters in a password, it only takes few minutes. For
example: if you know 3 characters in a password, it takes 12 minutes to crack it. If
you know 4 characters in a password, it takes 3 minutes. You can make rules to only
try letters and numbers to crack a completely unknown password if you know a
certain Router’s default password contains only those. Possibilities of cracking is a
lot higher in this way.
Important Note: Many users try to capture with network cards that are not
supported. You should purchase a card that supports Kali Linux including injection
and monitor mode etc. A list can be found in 802.11 Recommended USB Wireless
Cards for Kali Linux. It is very important that you have a supported card, otherwise
you’ll be just wasting time and effort on something that just won’t do the job.
Description: Reaver-wps targets the external registrar functionality mandated by the WiFi
Protected Setup specification. Access points will provide authenticated registrars
with their current wireless configuration (including the WPA PSK), and also accept a new
configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the
AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any
time without any user interaction. Because the WPS protocol is conducted over EAP,
the registrar need only be associated with the AP and does not need any prior
knowledge of the wireless encryption or configuration.
Reaver-wps performs a brute force attack against the AP, attempting every possible
combination in order to guess the AP’s 8 digit pin number. Since the pin numbers
are all numeric, there are 10^8 (100,000,000) possible values for any given pin
number. However, because the last digit of the pin is a checksum value which can be
calculated based on the previous 7 digits, that key space is reduced to 10^7
(10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS authentication
protocol cuts the pin in half and validates each half individually. That means that
there are 10^4 (10,000) possible values for the first half of the pin and 10^3
(1,000) possible values for the second half of the pin, with the last digit of the pin
being a checksum.
Reaver-wps brute forces the first half of the pin and then the second half of the pin,
meaning that the entire key space for the WPS pin number can be exhausted in
11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited
by the speed at which the AP can process WPS requests. Some APs are fast enough
that one pin can be tested every second; others are slower and only allow one pin
every ten seconds. Statistically, it will only take half of that time in order to guess
the correct pin number.
Installation: Install Kali Linux, everything built into it. (Reaver-wps, libpcap and libsqlite3)
Usage: Usually, the only required arguments to Reaver-wps are the interface name and the
BSSID of the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05
The channel and SSID (provided that the SSID is not cloaked) of the target AP will
be automatically identified by Reaver-wps, unless explicitly specified on the
command line:
#reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
By default, if the AP switches channels, Reaver-wps will also change its channel
accordingly. However, this feature may be disabled by fixing the interface’s channel:
#reaver -i mon0 -b 00:01:02:03:04:05 --fixed
The default receive timeout period is 5 seconds. This timeout period can be set
manually if necessary (minimum timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -t 2
The default delay period between pin attempts is 1 second. This value can be
increased or decreased to any non-negative integer value. A value of zero means no
delay:
# reaver -i mon0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for five minutes or less,
when “suspicious” activity is detected. By default when a locked state is detected,
Reaver-wps will check the state every 315 seconds (5 minutes and 15 seconds) and
not continue brute forcing pins until the WPS state is unlocked. This check can be
increased or decreased to any non-negative integer value:
# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
For additional output, the verbose option may be provided. Providing the verbose
option twice will increase verbosity and display each pin number as it is attempted:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
The default timeout period for receiving the M5 and M7 WPS response messages is
.1 seconds. This timeout period can be set manually if necessary (max timeout
period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -T .5
Some poor WPS implementations will drop a connection on the floor when an invalid
pin is supplied instead of responding with a NACK message as the specs dictate. To
account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by
default. However, if it is known that the target AP sends NACKS (most do), this
feature can be disabled to ensure better reliability. This option is largely useless as
Reaver-wps will auto-detect if an AP properly responds with NACKs or not:
# reaver -i mon0 -b 00:01:02:03:04:05 --nack
While most APs don’t care, sending an EAP FAIL message to close out a WPS
session is sometimes necessary. By default this feature is disabled, but can be
enabled for those APs that need it:
# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
When 10 consecutive unexpected WPS errors are encountered, a warning message
will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or
simply being overloaded, a sleep can be put in place that will occur whenever these
warning messages appear:
# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360
More on Basic Usages:
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the
monitor mode interface (usually ‘mon0′, not ‘wlan0′, although this will vary based
on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver’s progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack:
By default, Reaver-wps has a 1 second delay between pin attempts. You can disable
this delay by adding ‘-d 0′ on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is –dh-small. This option instructs
Reaver to use small diffie-hellman secret numbers in order to reduce the
computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing:
In some cases you may want/need to spoof your MAC address. Reaver supports
MAC spoofing with the –mac option, but you must ensure that you have spoofed
your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named
mon0) WILL NOT WORK. You must change the MAC address of your wireless card’s
physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Supported Wireless Drivers:
The following wireless drivers have been tested or reported to work successfully
with Reaver-wps:
ath9k
rtl8187
carl19170
ipw2000
rt2800pci
rt73usb
Partially Supported:
The following wireless drivers have had mixed success, and may or may not work
depending on your wireless card (i.e., if you are having problems with these
drivers/cards, consider trying a new card before submitting a trouble ticket):
ath5k
iwlagn
rtl2800usb (using the latest compat-wireless drivers has fixed many user's problems, hi
nt hint...)
b43
Not Supported:
The following wireless drivers/cards have been tested or reported to not work
properly with Reaver:
iwl4965
RT3070L
Netgear WG111v3
Conclusion:
If you want to Pentest or Hack your Wifi Passwords, then the first thing you need is a
compatible Wifi card. Most Wifi cards are priced between 15$-35$ USD.I see no
point struggling with an unsupported card when you can just invest that extra bucks
and that card will last you years. You get to learn how to pentest or hack Wifi
passwords, how to Inject, spoof, setup fake AP or Honeypot. See the list of
supported USB Wifi adapter cards that works in Kali Linux and are available in
Amazon.
Thank You