Howto: Reaver 1.4 WPS Bruteforcing Tutorial


Post by mauristechchannel on Tue Jan 24, 2012 5:37 am

Maybe it's interesting for some people.

http://maurisdump.blogspot.com/2012/01/reaver-14-wps-bruteforcing-tool-upgrade.html

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Prerequisites

You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.

Basic Usage

First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

Then start ./wash -i mon0 to scan for valid Wi-Fi networks.

To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reaver's progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack

By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by Xtr0id on Tue Jan 24, 2012 11:56 am

Yes. Reaver is great. Managed to successfully recover the WPA/2 password on 4 separate pentests.


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by mauristechchannel on Tue Jan 24, 2012 2:00 pm

Xtr0id wrote: Yes. Reaver is great. Managed to successfully recover the WPA/2 password on 4 separate pentests.

Great! Can you tell me how long the average "crack" process took?


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by limdis on Thu Jan 26, 2012 5:47 pm

I first got my hands on 1.2 and did a LOT of testing with 1.3. It is great stuff; I'm excited to test out the latest release.

I posted in a previous thread about where to go to get downloads, follow submitted bugs, and find updates. The READMEs provided with the download include explanations of what is doing what. I highly suggest anyone going to try Reaver read it first before you skiddie it up and start running commands (before you accidentally DDoS someone lol).

mauristechchannel wrote: Great! Can you tell me how long the average "crack" process took?

Check back Sat, I'll post my run times.

EDIT: Been a busy weekend. Sorry for the delay. I will post times as soon as I get a bit of free time.
Last edited by limdis on Sun Jan 29, 2012 11:12 am, edited 1 time in total.


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by Xtr0id on Thu Jan 26, 2012 7:17 pm

Cracking time varies.
My first one was done in about 3 hours, however one of them took nearly 3 days. It all depends on how fast the victim's router can handle the WPS requests.


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by Comperz91 on Fri Jan 27, 2012 6:55 am

mauristechchannel wrote:
Xtr0id wrote: Yes. Reaver is great. Managed to successfully recover the WPA/2 password on 4 separate pentests.

Great! Can you tell me how long the average "crack" process took?

My first one took me 1 hour ^^
My second took me around 4 hours :P
But I have had some hard times where it took me around 5-6 days ^^


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by smer4 on Tue Jan 31, 2012 11:21 am

I have some problem with reaver: as it started to try pins, some first pins go fine and then I get errors x02, x03, x04...
It seems like Alice-DSL boxes locate and block the bruteforcing after some pin failures.
BANG!
To say more, some reaver options like -N or -d seem not to work, I don't know why: I enter options after -d MAC -N ... -d ...
and they are ignored.

Another question of mine: what MAC does reaver use? From mon0? Is it possible that it used the hardware MAC and macchanger had no effect?
Is it possible to make reaver use a "dynamic" MAC, so if the box blocks one due to pin failures, it continues from another?


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by ConchX on Tue Mar 20, 2012 6:22 am

I highly recommend anyone who wants to use Reaver to read the documentation at least once.
It's really small and will teach you how to use the tool effectively.
:)

I usually use the --dh-small switch to speed things up.
Delay set to 2, just to avoid suspicion.
I add a lock delay of 250.
And I add the --no-nacks switch.
And a fail-wait switch in case it times out on connections.
And finally an --eap-terminate switch.

So in total my command is:
reaver -i mon0 -b xx.xx.xx.xx.xx --dh-small -d 2 --lock-delay=250 --no-nacks --fail-wait=350 --eap-terminate

This seems to run smoothly with no errors.
I don't add verbosity unless I get segmentation errors.

I also found out (I could be wrong on this) that you need to be authorised on the network, sort of like what aireplay-ng does with the handshake. I'm not sure if you need someone on the network for this, so you can de-auth them.
But I prefer to run aireplay-ng and auth myself, then add the -A switch to Reaver. (This is if I was to attack another network.)
If you're on your own network, it's just a case of being connected to it while PIN cracking, so you can brute it.

I could be completely wrong though. :P


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by learnzndy on Tue May 22, 2012 4:47 am

How can I as admin notice that this kind of attack is going on?

And as attacker/pen tester, how much time do I need to wait before pin cracking? It seems to just prompt me that I am Associated with <MAC Address> (ESSID: essid) or warning: Failed to associate with...

Edit: found the answer for the second question elsewhere.


Re: Howto: Reaver 1.4 WPS Bruteforcing Tutorial

Post by Comperz91 on Sat Sep 08, 2012 1:25 am

Well, one way to find out is that your internet might slow down a bit (but this might be something you won't notice).

So the best way for you to see if someone "borrows" your wireless is to log in to the router's admin panel: simply open your web client (Firefox/Chrome/IE/Safari) and go to 192.168.0.1 or 192.168.1.1; if none of these works, you could Google your router to find out what URL it uses.

Well, on the first page you will get a login form where the login/password is most of the time admin/password (if you haven't changed it before) or the router uses something else (this is easy to look up in Google or the manual) xD

Let's say you get no access to the panel. Don't worry, there is a reset button on the router (just press it for 10-15 sec).

Well, when you get inside the router panel you can just simply check the logs to see if there's an intruder.

Now over to the security of the wireless network.
I recommend that you are using WPA2 decryption and a strong password. Also, if you are paranoid, you can use a second security measure.

In most routers you can activate it so that every client who connects won't get any access until you accept them ^^

Yeah, I know I wrote a lot, but I'm tired, and why not: if a person that is more "unskilled" wants to know how, he will get my fine step by step xD
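Added example, not from this thread, from Reaver, or from any router firmware: it addresses learnzndy's question about how an admin would notice this kind of attack, Comperz91's suggestion to check the router's logs, and smer4's observation that some boxes lock WPS after a run of PIN failures. The script parses constructed AP log lines and flags a WPS PIN brute force with a sliding window. The log line format, the MAC addresses and the thresholds are all invented for the example; real APs (hostapd-based ones included) word their WPS events differently, so LINE_RE has to be adapted to what your device actually writes. It goes one step beyond the thread by also counting failures across all stations combined, which is what still fires when the attempts are spread over rotating MACs, the "dynamic MAC" case smer4 asks about.

```python
"""Spot WPS registrar-PIN brute forcing in access-point logs.

Added example for this thread; not part of Reaver or any router firmware.
The log line format is invented for the example: real firmware (hostapd-based
APs included) words WPS events differently, so adapt LINE_RE to your device.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed, syslog-like line format used only by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ap wps: "
    r"pin attempt from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) result=(?P<res>ok|fail)$"
)


def build_sample_log():
    """Construct sample log lines: one legitimate WPS enrolment, one station
    hammering the registrar, then three stations sharing the attempts so that
    no single MAC crosses the per-client threshold (the MAC-rotation case)."""
    t0 = datetime(2012, 1, 31, 11, 21, 0)
    lines = []

    def add(offset_s, mac, res):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} ap wps: pin attempt from {mac} result={res}")

    add(0, "aa:bb:cc:00:00:01", "ok")            # constructed legitimate client
    for i in range(12):                           # 12 failures, one per second
        add(60 + i, "de:ad:be:ef:00:01", "fail")
    rotating = ["02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"]
    for i in range(21):                           # 7 failures each, 21 in total
        add(600 + 2 * i, rotating[i % 3], "fail")
    lines.append("2012-01-31T11:40:00 ap dhcp: lease for aa:bb:cc:00:00:01")  # unrelated
    return lines


def parse_log(lines):
    """Return (timestamp, mac, result) for every line that is a WPS PIN attempt."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("mac").lower(), m.group("res")))
    return events


def detect(lines, window=timedelta(minutes=5), per_mac=10, overall=20):
    """Sliding-window count of failed PIN attempts.

    Raises a ("mac", <mac>, ts) alert the first time one station reaches
    `per_mac` failures inside `window`, and a single ("ap", "*", ts) alert
    when failures from all stations combined reach `overall`, which is what
    catches an attacker that rotates MACs to stay under a per-client lockout.
    """
    per_mac_win = {}
    all_win = deque()
    alerts, raised = [], set()
    for ts, mac, res in sorted(parse_log(lines)):
        if res != "fail":
            continue
        q = per_mac_win.setdefault(mac, deque())
        for d in (q, all_win):
            d.append(ts)
            while ts - d[0] > window:   # drop failures older than the window
                d.popleft()
        if len(q) >= per_mac and ("mac", mac) not in raised:
            raised.add(("mac", mac))
            alerts.append(("mac", mac, ts))
        if len(all_win) >= overall and ("ap", "*") not in raised:
            raised.add(("ap", "*"))
            alerts.append(("ap", "*", ts))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(build_sample_log()):
        what = "station" if kind == "mac" else "whole AP"
        print(f"{ts} WPS PIN brute force suspected ({what}: {subject})")
```

On the constructed input the noisy station trips the per-client rule at its tenth failure, and the three rotating stations never do, but their combined 21 failures inside five minutes still trip the whole-AP rule. The thresholds are deliberately loose: a legitimate user typing a PIN wrong a few times never reaches ten failures in five minutes, while a brute force that makes any progress at all does. Pair the detection with the mitigations already named in the thread (a firmware WPS lock-out after a run of failures, or disabling WPS outright and relying on WPA2 with a strong passphrase).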

