Sunday, 17 April 2016

Reaver attack

Reaver is a popular choice for penetration testers: it can recover WPA/WPA2 passphrases in a matter of hours. Reaver does not brute-force the WPA/WPA2 key itself; it brute-forces the WPS (Wi-Fi Protected Setup) PIN. A WPS PIN is eight digits long, and because many routers ship with WPS enabled and a fixed or weak default PIN, it can often be compromised easily.
Reaver recovers the PIN either by trying known default PINs or by brute force. The brute force does not take long. The eighth digit is a checksum computed from the first seven, so there are at most 10,000,000 (10^7) distinct PINs to begin with, and the WPS protocol cuts that down much further: the access point acknowledges the first four digits separately from the last three (it sends an EAP-NACK after the fourth message of the exchange when the first half is wrong, and after the sixth when the second half is wrong), so an attacker needs at most 10,000 attempts for the first half and 1,000 for the second, about 11,000 tries in the worst case.
Once Reaver has the PIN, it authenticates to the access point as a valid external registrar. A registrar has access to the access point's configuration, including the WPA/WPA2 key, which the access point hands over in the final WPS messages. For this attack to work, the access point must have WPS enabled; the good news for the attacker is that most of the access points we encounter have it on. Let's see how we can use Reaver to crack a WPS-enabled wireless network.
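The arithmetic above (a checksum digit leaving 10^7 valid PINs, and the half-split search that brings the worst case down to 11,000 attempts) is easy to verify in code. The following is an added example, not code from the original post or from the reaver project: it implements the WPS PIN checksum (the same weighted-sum scheme used by hostapd and wpa_supplicant) and runs the two-stage search against a constructed `SimulatedAP` that leaks exactly what a real access point leaks, namely whether the first four digits are right and whether the whole PIN is right. Nothing in it touches a network; the PIN 12345670 is the well-known WPS example PIN.

```python
"""WPS PIN checksum and the half-split search that Reaver exploits.

Added example, not part of the original post or of the reaver project.
SimulatedAP is a constructed stand-in for a real access point: it answers
whether the first four digits are right (a real AP leaks this by sending
EAP-NACK after message M4) and whether the full PIN is right (EAP-NACK
after M6). Nothing here talks to a network.
"""


def wps_checksum(first_seven: int) -> int:
    """Return the eighth (check) digit for a seven-digit WPS PIN body.

    Digits are weighted 3,1,3,1,... from the right and the check digit
    makes the weighted total a multiple of 10 (the WPS specification's
    scheme, as implemented in hostapd/wpa_supplicant).
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(first_seven: int) -> str:
    """Seven digits plus the computed checksum, zero-padded to 8 chars."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedAP:
    """Constructed oracle with the same information leak as a real WPS AP."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin), "simulated AP configured with a bad PIN"
        self.pin = pin
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:
        # A real AP reveals this by NACKing after M4 when the half is wrong.
        self.attempts += 1
        return self.pin[:4] == half

    def full_pin_ok(self, pin: str) -> bool:
        # A real AP reveals this by NACKing after M6 when the rest is wrong.
        self.attempts += 1
        return self.pin == pin


def half_split_bruteforce(ap: SimulatedAP):
    """Recover the PIN the way Reaver does: first half, then second half.

    Returns (pin, attempts). Worst case is 10,000 + 1,000 = 11,000
    attempts instead of 10^7 for a blind search over all valid PINs.
    """
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if ap.first_half_ok(half):
            first = half
            break
    if first is None:
        return None, ap.attempts
    for j in range(1_000):
        body = int(first + f"{j:03d}")   # seven digits
        candidate = full_pin(body)        # the checksum supplies the eighth
        if ap.full_pin_ok(candidate):
            return candidate, ap.attempts
    return None, ap.attempts


def keyspace_sizes() -> dict:
    """Search-space arithmetic behind the '11,000 attempts' claim."""
    return {
        "distinct_valid_pins": 10 ** 7,              # checksum fixes the 8th digit
        "worst_case_half_split": 10 ** 4 + 10 ** 3,  # first half, then second
    }


if __name__ == "__main__":
    # 12345670 is the well-known WPS example PIN (check digit 0).
    ap = SimulatedAP("12345670")
    print(full_pin(1234567), half_split_bruteforce(ap), keyspace_sizes())
```

Against the simulated AP configured with 12345670 the search succeeds after 1,235 first-half attempts plus 568 second-half attempts; with 99999995 (the last valid PIN) it hits the 11,000 worst case. Note that the attempt counter counts protocol exchanges, not time: a real access point's per-attempt delay and WPS lockout behaviour are what make the attack take hours rather than seconds.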
Step 1—Make sure that your wireless card is in the monitor mode.
Step 2—Next, we use airodump-ng to pick the target we want to attack.
In this case the target is the access point with ESSID PTCL-BB and BSSID F4:3E:61:F5:FC:49.
We copy the BSSID, since it is the only target-specific input reaver needs.
Step 3—Now we run reaver against the access point. The command is as follows:
reaver -i mon0 -b F4:3E:61:F5:FC:49 -vv
The -i parameter specifies the monitor-mode interface (mon0, as created by airmon-ng), -b gives the BSSID of the target, and -vv sets the verbosity. With the verbosity raised twice, reaver prints each PIN as it is tried against the access point.

REDUCING THE DELAY

Reaver pauses between PIN attempts. The default delay is 1 second, but we can reduce it to 0 with the -d (--delay) parameter. Be aware that many access points rate-limit WPS or lock it for a while after a run of failed attempts; reaver warns when it detects this, and with no delay at all the lockouts can make the attack slower overall rather than faster.
Command:
reaver -i mon0 -b <bssid> -d 0

FURTHER READING

For further hints, tips and a usage guide, take a look at the official reaver wiki:
https://code.google.com/p/reaver-wps/wiki/HintsAndTips
ALFA Network AWUS036H wireless adapter (802.11g):
http://www.amazon.com/ALFA-Network-AWUS036H-Wireless-802-11g/dp/B000WXSO76
