22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

Learnonetrickaday....

HomeCrackingCrackingWifiWPA/WPA2passwordsusingReaverWPS

CrackingWifiWPA/WPA2passwordsusing

ReaverWPS

ThisentrywaspostedinCrackingHackingLinuxReaverWifiWirelessandtaggedCrackingReaverWPSWifiWPA2onOctober
12,2013byblackMOREOps(updated13daysago)

1. Top5Wireless

3. WifiBooster

5. WirelessAccess

2. WirelessEarbuds

4. WirelessConnection

6. WirelessWiFi

reaverwps
BruteforceattackagainstWifiProtectedSetupCrackingWifiWPA/WPA2passwordsusingReaver
WPS

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

1/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

1. WirelessWiFi
2. Top5Wireless
3. WifiBooster
4. WirelessAccessPoints
5. WirelessEarbuds

Overview:
ReaverwpsperformsabruteforceattackagainstanaccesspointsWiFiProtectedSetuppinnumber.Oncethe
WPSpinisfound,theWPAPSKcanberecoveredandalternatelytheAPswirelesssettingscanbe
reconfigured.ThispostoutlinesthestepsandcommandthathelpscrackingWifiWPA/WPA2passwordsusing
ReaverWPS.
WhileReaverwpsdoesnotsupportreconfiguringtheAP,thiscanbeaccomplishedwithwpa_supplicantonce
theWPSpinisknown.
Readers,notethatIvesincewrittenanotherpostwhereIcouldcrackapasswordin14.21seconds.usingpyrit
cowpattyandWiFitecombinationattackwithdictionary.Thewholeprocesstakeslessthan10minutes.
ThosewhowouldliketotrymorewaysofcrackingWifiWPAWPA2passwords,youcanalsouseHashCator
cudaHashcatoroclHashcattocrackyourunknownWifiWPAWPA2passwords.ThebenefitofusingHashcatis,
youcancreateyourownruletomatchapatternanddoaBruteforceattack.Thisisanalternativetousing
dictionaryattackwheredictionarycancontainonlycertainamountofwordsbutabruteforceattackwillallow
youtotesteverypossiblecombinationsofgivencharsets.HashcatcancrackWifiWPA/WPA2passwordsand
youcanalsouseittocrackMD5,phpBB,MySQLandSHA1passwords.UsingHashcatisangoodoptionasif
youcanguess1or2charactersinapassword,itonlytakesfewminutes.Forexample:ifyouknow3
charactersinapassword,ittakes12minutestocrackit.Ifyouknow4charactersinapassword,ittakes3
minutes.Youcanmakerulestoonlytrylettersandnumberstocrackacompletelyunknownpasswordifyou
knowacertainRoutersdefaultpasswordcontainsonlythose.Possibilitiesofcrackingisalothigherinthisway.
http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

2/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

ImportantNote:Manyuserstrytocapturewithnetworkcardsthatarenotsupported.Youshouldpurchasea
cardthatsupportsKaliLinuxincludinginjectionandmonitormodeetc.Alistcanbefoundin802.11
RecommendedUSBWirelessCardsforKaliLinux.Itisveryimportantthatyouhaveasupportedcard,
otherwiseyoullbejustwastingtimeandeffortonsomethingthatjustwontdothejob.
Contents[hide]
reaverwps
BruteforceattackagainstWifiProtectedSetupCrackingWifi
WPA/WPA2passwordsusingReaverWPS
Overview:
Description:
Installation:
Usage:
MoreonBasicUsages
SpeedingUptheAttack
MACSpoofing
SupportedWirelessDrivers
PartiallySupported
NotSupported
Conclusion
Related

Description:
ReaverwpstargetstheexternalregistrarfunctionalitymandatedbytheWiFiProtectedSetupspecification.
Accesspointswillprovideauthenticatedregistrarswiththeircurrentwirelessconfiguration(includingtheWPA
PSK),andalsoacceptanewconfigurationfromtheregistrar.
Inordertoauthenticateasaregistrar,theregistrarmustproveitsknowledgeoftheAPs8digitpinnumber.
RegistrarsmayauthenticatethemselvestoanAPatanytimewithoutanyuserinteraction.BecausetheWPS
protocolisconductedoverEAP,theregistrarneedonlybeassociatedwiththeAPanddoesnotneedanyprior
knowledgeofthewirelessencryptionorconfiguration.
ReaverwpsperformsabruteforceattackagainsttheAP,attemptingeverypossiblecombinationinorderto
guesstheAPs8digitpinnumber.Sincethepinnumbersareallnumeric,thereare10^8(100,000,000)
possiblevaluesforanygivenpinnumber.However,becausethelastdigitofthepinisachecksumvaluewhich
canbecalculatedbasedontheprevious7digits,thatkeyspaceisreducedto10^7(10,000,000)possible
values.
ThekeyspaceisreducedevenfurtherduetothefactthattheWPSauthenticationprotocolcutsthepininhalf
andvalidateseachhalfindividually.Thatmeansthatthereare10^4(10,000)possiblevaluesforthefirsthalfof
thepinand10^3(1,000)possiblevaluesforthesecondhalfofthepin,withthelastdigitofthepinbeinga
checksum.
Reaverwpsbruteforcesthefirsthalfofthepinandthenthesecondhalfofthepin,meaningthattheentirekey
spacefortheWPSpinnumbercanbeexhaustedin11,000attempts.ThespeedatwhichReavercantestpin
numbersisentirelylimitedbythespeedatwhichtheAPcanprocessWPSrequests.SomeAPsarefastenough
thatonepincanbetestedeverysecondothersareslowerandonlyallowonepineverytenseconds.
Statistically,itwillonlytakehalfofthattimeinordertoguessthecorrectpinnumber.

Installation:
InstallKaliLinux,everythingbuiltintoit.(Reaverwps,libpcapandlibsqlite3)

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

3/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

1. WirelessWiFi
2. Top5Wireless
3. WifiBooster
4. WirelessAccessPoints
5. WirelessEarbuds

Usage:
Usually,theonlyrequiredargumentstoReaverwpsaretheinterfacenameandtheBSSIDofthetargetAP:
#reaverimon0b00:01:02:03:04:05

ThechannelandSSID(providedthattheSSIDisnotcloaked)ofthetargetAPwillbeautomaticallyidentifiedby
Reaverwps,unlessexplicitlyspecifiedonthecommandline:
#reaverimon0b00:01:02:03:04:05c11elinksys

Bydefault,iftheAPswitcheschannels,Reaverwpswillalsochangeitschannelaccordingly.However,this
featuremaybedisabledbyfixingtheinterfaceschannel:
#reaverimon0b00:01:02:03:04:05fixed

Thedefaultreceivetimeoutperiodis5seconds.Thistimeoutperiodcanbesetmanuallyifnecessary(minimum
timeoutperiodis1second):
#reaverimon0b00:01:02:03:04:05t2

Thedefaultdelayperiodbetweenpinattemptsis1second.Thisvaluecanbeincreasedordecreasedtoany
nonnegativeintegervalue.Avalueofzeromeansnodelay:
#reaverimon0b00:01:02:03:04:05d0

SomeAPswilltemporarilylocktheirWPSstate,typicallyforfiveminutesorless,whensuspiciousactivityis
detected.Bydefaultwhenalockedstateisdetected,Reaverwpswillcheckthestateevery315seconds(5
minutesand15seconds)andnotcontinuebruteforcingpinsuntiltheWPSstateisunlocked.Thischeckcanbe
increasedordecreasedtoanynonnegativeintegervalue:
#reaverimon0b00:01:02:03:04:05lockdelay=250

Foradditionaloutput,theverboseoptionmaybeprovided.Providingtheverboseoptiontwicewillincrease
verbosityanddisplayeachpinnumberasitisattempted:

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

4/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

#reaverimon0b00:01:02:03:04:05vv

ThedefaulttimeoutperiodforreceivingtheM5andM7WPSresponsemessagesis.1seconds.Thistimeout
periodcanbesetmanuallyifnecessary(maxtimeoutperiodis1second):
#reaverimon0b00:01:02:03:04:05T.5

SomepoorWPSimplementationswilldropaconnectiononthefloorwhenaninvalidpinissuppliedinsteadof
respondingwithaNACKmessageasthespecsdictate.Toaccountforthis,ifanM5/M7timeoutisreached,itis
treatedthesameasaNACKbydefault.However,ifitisknownthatthetargetAPsendsNACKS(mostdo),this
featurecanbedisabledtoensurebetterreliability.ThisoptionislargelyuselessasReaverwpswillautodetect
ifanAPproperlyrespondswithNACKsornot:
#reaverimon0b00:01:02:03:04:05nack

WhilemostAPsdontcare,sendinganEAPFAILmessagetocloseoutaWPSsessionissometimesnecessary.
Bydefaultthisfeatureisdisabled,butcanbeenabledforthoseAPsthatneedit:
#reaverimon0b00:01:02:03:04:05eapterminate

When10consecutiveunexpectedWPSerrorsareencountered,awarningmessagewillbedisplayed.Sincethis
maybeasignthattheAPisratelimitingpinattemptsorsimplybeingoverloaded,asleepcanbeputinplace
thatwilloccurwheneverthesewarningmessagesappear:
#reaverimon0b00:01:02:03:04:05failwait=360

MoreonBasicUsages
First,makesureyourwirelesscardisinmonitormode:
#airmonngstartwlan0

TorunReaver,youmustspecifytheBSSIDofthetargetAPandthenameofthemonitormodeinterface
(usuallymon0,notwlan0,althoughthiswillvarybasedonyourwirelesscard/drivers):
#reaverimon0b00:01:02:03:04:05

YouwillprobablyalsowanttousevvtogetverboseinfoaboutReaversprogress:
#reaverimon0b00:01:02:03:04:05vv

SpeedingUptheAttack
Bydefault,Reaverwpshasa1seconddelaybetweenpinattempts.Youcandisablethisdelaybyaddingd0
onthecommandline,butsomeAPsmaynotlikeit:
#reaverimon0b00:01:02:03:04:05vvd0

Anotheroptionthatcanspeedupanattackisdhsmall.ThisoptioninstructsReavertousesmalldiffiehellman
secretnumbersinordertoreducethecomputationalloadonthetargetAP:
#reaverimon0b00:01:02:03:04:05vvdhsmall
http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

5/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

MACSpoofing
Insomecasesyoumaywant/needtospoofyourMACaddress.ReaversupportsMACspoofingwiththemac
option,butyoumustensurethatyouhavespoofedyourMACcorrectlyinorderforittowork.
ChangingtheMACaddressofthevirtualmonitormodeinterface(typicallynamedmon0)WILLNOTWORK.
YoumustchangetheMACaddressofyourwirelesscardsphysicalinterface.Forexample:
#ifconfigwlan0down
#ifconfigwlan0hwether00:BA:AD:BE:EF:69
#ifconfigwlan0up
#airmonngstartwlan0

#reaverimon0b00:01:02:03:04:05vvmac=00:BA:AD:BE:EF:69

SupportedWirelessDrivers
ThefollowingwirelessdrivershavebeentestedorreportedtoworksuccessfullywithReaverwps:
ath9k
rtl8187
carl19170
ipw2000
rt2800pci
rt73usb

PartiallySupported
Thefollowingwirelessdrivershavehadmixedsuccess,andmayormaynotworkdependingonyourwireless
card(i.e.,ifyouarehavingproblemswiththesedrivers/cards,considertryinganewcardbeforesubmittinga
troubleticket):
ath5k
iwlagn
rtl2800usb(usingthelatestcompatwirelessdrivershasfixedmanyuser'sproblems,hinthint.
..)
b43

NotSupported
Thefollowingwirelessdrivers/cardshavebeentestedorreportedtonotworkproperlywithReaver:
iwl4965
RT3070L
NetgearWG111v3

Conclusion
IfyouwanttoPentestorHackyourWifiPasswords,thenthefirstthingyouneedisacompatibleWificard.Most
Wificardsarepricedbetween15$35$USD.Iseenopointstrugglingwithanunsupportedcardwhenyoucan
justinvestthatextrabucksandthatcardwilllastyouyears.YougettolearnhowtopentestorhackWifi
passwords,howtoInject,spoof,setupfakeAPorHoneypot.SeethelistofsupportedUSBWifiadaptercards
thatworksinKaliLinuxandareavailableinAmazon.

Relatedpost:SpeedupWPA/WPA2crackingwithPyritandCUDAandleveragingWifite[Thispostisnow
replacedandupdatedbythenextonebelow]
http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

6/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

CrackingWifiWPA/WPA2passwordsusingpyritcowpattyinKaliLinux

AboutblackMOREOps
blackMOREOpsisdedicatedtoHowto,Guides,SecurityfeaturesandTipsandTricksforLinuxOS.
Thankyouforvisitingusandfollowusherewww.blackmoreops.com.
ViewallpostsbyblackMOREOps

LeaveaReply

Email(required)

(Addressnevermadepublic)

Name(required)

Website

Notifymeofnewcommentsviaemail.

PostComment

Notifymeofnewpostsviaemail.

2thoughtsonCrackingWifiWPA/WPA2passwords
usingReaverWPS
Pingback:AdetailedguideoninstallingKaliLinuxonVirtualBoxblackMOREOps

Pingback:20thingstodoafterinstallingKaliLinuxblackMOREOps

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

7/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

Postnavigation
FixingPulseAudioconfiguredforperusersessions(warning)inKaliLinuxandDebian
WPSCANandquickwordpresssecurity

GoogleSiteSearch

RecentPosts
darodar.comreferrerspamandWhattodo?
RandomquotesandcreaturesusingfortuneandcowsayinLinuxterminal
Fixingerror:Packagepackagenameisnotavailable,butisreferredtobyanotherpackage.Thismay
meanthatthepackageismissing,hasbeenobsoleted,orisonlyavailablefromanothersourceE:
Packagepackagenamehasnoinstallationcandidate
FixingProxyChainsERROR:ld.so:objectlibproxychains.so.3fromLD_PRELOADcannotbepreloaded:
ignored.

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

8/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

RecentComments
FixingProxyChainsERROR:ld.so:object'libproxychains.so.3'fromLD_PRELOADcannotbepreloaded:
ignored.blackMOREOpson20thingstodoafterinstallingKaliLinux
802.11RecommendedUSBWirelessCardsforKaliLinuxblackMOREOpsonTPLinkTLWDN3200
N600WirelessDualBandUSBAdapterinLinux
802.11RecommendedUSBWirelessCardsforKaliLinuxblackMOREOpsonCrackingWifi
WPA/WPA2passwordsusingpyritcowpattyinKaliLinux
Links18/12/2014:LinuxQuestions.orgPolls,FedoraforPOWER|TechrightsonRandomquotesand
creaturesusingfortuneandcowsayinLinuxterminal

Archives

December2014(6)

November2014(3)

October2014(4)
September2014(5)

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

9/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

August2014(9)

July2014(2)

June2014(10)

April2014(2)

March2014(8)

February2014(6)

January2014(12)

December2013(10)

November2013(12)

October2013(29)

Categories

BIOS(1)

Browser (5)

Cracking(3)

DataRecovery (1)

DDOS(1)

Denialofservice(1)

Driver (2)

Hacking(4)

Hashcat(1)

Howto(87)

Linux (115)

Administration(17)

AMD(9)

BIND(1)

CentOS(1)

DesktopManagers (12)

KaliLinux (62)

Metasploit(2)

Monitoring(3)

Networking(4)

NVIDIA(7)

ProxyChains (1)

Reaver (1)

Security (8)
Sound(2)

Pyrit(8)

cli(12)

VPN(1)

WPSCAN(2)

News (1)
Others (12)

Recoverrootpassword(1)

Spam(1)
Usability (2)

USB(1)

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

10/11

22/12/2014

CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

VirtualBox (2)

Wifi(9)

Wireless (3)
Wordpress (2)

RSSFeed
RSSPosts
RSSComments

2014blackMOREOpsDesignedbyThemes&Co
Backtotop

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/

11/11