Howto: Reaver 1.4 WPS Bruteforcing Tutorial

[mauristechchannel]

Maybe its intresting for some people.

http://maurisdump.blogspot.com/2012/01/reaver-14-wps-bruteforcing-tool-upgrade.html

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Prerequisites

You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.

Basic Usage

First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

Then Start ./wash -i mon0 to scan for valid Wifis.

To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reaver's progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack

By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

[Xtr0id]

Yes. Reaver is great. Managed to successfully recover the Wpa/2 password on 4 separate pentests.

[mauristechchannel]

Yes. Reaver is great. Managed to successfully recover the Wpa/2 password on 4 separate pentests.

Great! Can u tell me how long the average "crack" process took ?

[limdis]

I first got my hands on 1.2 and did a LOT of testing with 1.3. It is great stuff, I'm excited to test out the latest release.

I posted in a previous thread about where to go to get downloads, follow submitted bugs, and find updates. The readme's provided with the download include explanations of what is doing what. I highly suggest anyone going to try reaver to read it first before you skiddie it up and start running commands. (before you accidentally ddos someone lol)

Great! Can u tell me how long the average "crack" process took ?

Check back Sat, I'll post my run times.

EDIT: Been a busy weekend. Sorry for the delay. I will post times soon as I get a bit of free time.

[Xtr0id]

Cracking time varies.
My first one was done in about 3 hours, however one of them took nearly 3 days. It all depends on how fast the victim's router can handle the WPS requests.

[Comperz91]

Yes. Reaver is great. Managed to successfully recover the Wpa/2 password on 4 separate pentests.

Great! Can u tell me how long the average "crack" process took ?

My first one took me 1 hour ^^
My second took me around 4 hours
But i have had some hard time where it took me around 5-6 days ^^

[smer4]

I have some problem with reaver , as it strarted to try pins, some first pins go fine and then i gain errors x02, x03, x04...
is seems like Alice-dsl boxes locate and block the bruteforcing after some pin - faliules
BANG!
to say more, some reaver -options like -N or -d seems not to work, i dkn why : i enter options after -d MAC -N ... -d ...
and they are ignored.

Another my question, what MAC uses reaver ? From mon0 ? Is it possible be so that it used hardware-MAC and macchanger had no effect?
Is it possible to make reaver use "dynamic" MAC , so if the box block one due to pin-faliules, it continue from another?

[ConchX]

I highly recommend anyone who wants to use Reaver to read the documentation at least once.
It's really small and will teach you how to use the tool effectively.


I usually use the --dh-small switch to speed things up.
Delay set to 2, Just to avoid suspicion.
I add a lock delay of 250.
And I add the --no-nacks switch.
And a Fail wait switch incase it times-out on connections.
And finally an --eap-terminate switch.

So it total my command is..
reaver -i mon0 -b xx.xx.xx.xx.xx --dh-small -d 2 --lock-delay=250 --no-nacks --fail-wait=350 --eap-terminate

This seems to run smoothly with no errors.
I don't add verbosity unless I get segementation errors.

I also found out, (I could be wrong on this) that you be to be authorised on the network, sort of like what airplay-ng does with the handshake, I'm not sure if you need someone on the network for this, so you can de-auth them.
But I prefer to run airplay-ng and auth myself, then add the -A switch to reaver. (This is if I was to attack another network)
If you're on ya own network, it's just a case of being connected to it while PIN cracking, so you can brute it.

I could be completely wrong though.

[learnzndy]

How can i as admin notice that this kind of attack is going on?

And as attacker/pen tester, how much time i need to wait before pin cracking? It seems to just promt me that i am Associated with <MAC Adress> (ESSID: essid) or warnning: Failed to associate with...

Edit: found answer for the second question elsewhere.

[Comperz91]

Well, one way to find out is that your internet might slow down a bit (but this might be something you wont see)

So the best way for you to see if someone "Borrows" your wirless is to login to the router's adminpanel by simple open your webclient (firefox/chrom/IE/safari) and go on to 192.168.0.1 or 192.168.1.1 if non of this works.. you could google your router to findout what url they use.

well on the first page you will get an login form where the login/password is for the most of the times admin/password (if you havent change it before) or the router uses something else (this is easy to look up in google or the manual) xD

lets say u get no access to the panel.. dont worry there is a reset button on the router (just press it for 10-15 sec)

well .. when you get inside to the router panel you can just simple check the logs to see if its an intruder..

Now over to the security of the wirless network..
I recommend that you are using WPA2 decryption, and a stong password.. also if you are paranoid.. you can use an second security..

in most routers you can activate so that every client who connects wont get any access until you accept them ^^

Yeah.. i know i wrote alot, but im tired.. and why not.. if a person that is more "unskilled" wants to know how.. he will get my fine step by step xD