Description: Cracking WPA using Reaver. Reaver runs a brute-force attack against the access point's WPS (Wi-Fi Protected Setup) PIN and may be able to recover the WPA/WPA2 passphrase in 4-10 hours, depending on the AP.
There is no need to capture a handshake.
Affected: all 802.11 access points that implement Wi-Fi Protected Setup (WPS) and have it enabled. Tested on: access points from Linksys, Cisco, D-Link, TP-Link, Trendnet and others.
Be advised that the attack may cause a denial of service on the router.
For more info, check out my site thawildcard.com
Special thanks to the researcher Craig Heffner and his team.
Tags: cracking wifi, reaver, reaver wps, cracking wpa, easy cracking wifi, j0k3rr, Stefan Viehbock
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
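To see why the "4-10 hours" in the description is realistic, and what an access point can do about it, here is an added example; it is not code from the video or from the Reaver project. The check-digit rule is the one from the WPS specification (the same rule an AP such as hostapd applies before accepting a PIN); the 1.3 s per attempt and the lockout policy are assumed inputs chosen only to illustrate the exposure calculation.

```python
# Added example (not from the video or the Reaver project): why a WPS PIN
# search finishes in hours, and how an AP-side lockout changes the picture.
# The checksum rule is from the WPS specification; seconds_per_attempt and the
# lockout policy are assumed inputs for illustration.

def wps_checksum(first7: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix.

    The WPS spec weights the seven digits 3,1,3,1,3,1,3 and picks the check
    digit that brings the weighted sum to a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    weights = (3, 1, 3, 1, 3, 1, 3)
    total = sum(w * int(d) for w, d in zip(weights, first7))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its check digit is correct.

    This is the validation an AP performs on a PIN before using it; only
    10**7 of the 10**8 eight-digit strings pass it.
    """
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def split_search_worst_case() -> int:
    """Worst-case attempts when the registrar confirms each PIN half separately.

    10**4 for the first four digits, then 10**3 for the second half (its last
    digit is the checksum, so only three digits are free): 11000 in total.
    """
    return 10 ** 4 + 10 ** 3


def worst_case_seconds(seconds_per_attempt: float,
                       lock_after: int = 0,
                       lock_seconds: float = 0.0) -> float:
    """Seconds needed to exhaust the split search space.

    lock_after > 0 models an AP that refuses WPS attempts for lock_seconds
    after every lock_after consecutive failures (assumed policy).
    """
    attempts = split_search_worst_case()
    total = attempts * seconds_per_attempt
    if lock_after > 0:
        total += (attempts // lock_after) * lock_seconds
    return total


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))   # the PIN used in hostapd's example config
    no_lock = worst_case_seconds(1.3)
    with_lock = worst_case_seconds(1.3, lock_after=3, lock_seconds=60)
    print(f"no lockout: {no_lock / 3600:.1f} h; "
          f"60 s lock per 3 failures: {with_lock / 3600:.1f} h")
```

With the assumed 1.3 s per attempt the whole 11,000-PIN space takes about four hours, which is the lower end of the description's estimate; a 60-second lock after every three failures stretches the same search to several days, which is why the lockout behaviour later commenters complain about is the AP doing its job.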
Hey I'm having some issues with the program. Here's the output:
root@bt:~# reaver -i mon0 -b 00:21:29:A6:ED:D5
Reaver v1.0 Wifi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:21:29:A6:ED:D5
[!] WARNING: Failed to associate with 00:21:29:A6:ED:D5 (ESSID: Mynetwork)
[!] WARNING: Failed to associate with 00:21:29:A6:ED:D5 (ESSID: Mynetwork)
I used aireplay-ng -9 mon0 to make sure the WiFi card is working for injection, and no problems there... I'm thinking maybe the issue is with the AP I'm trying it on. Anyone have any other ideas?
@Jayb1 I'm not 100% sure, but you can try this: log into your access point and check if it has WPS enabled, or even if it supports WPA. WPS (Wifi Protected Setup): this attack needs that, as I understand, in order for it to work. Let me know, and if it's not the issue I will try looking into it.
If it supports WPS *
I accidentally typed WPA, my bad.
One more thing: it could also be that the AP is not close enough, but that's from what I heard. Hope it works out for you, let me know. Peace
Thanks for the reply, man. Yeah, my access point doesn't have WPS, which I figured was the problem. Although I've tried about 4-5 others in my area with the same results... figured it was a coincidence but wanted to make sure I wasn't missing something. Must be the error it gives when the AP has no WPS. Thanks for the help. Hope this helps anyone else who comes across this problem.
Cheers,
@Jayb1 No problem man :) I actually just disabled the WPS on my router and it gave me the same error that you got. This attack works on most routers that have the WPS feature, such as Linksys, Belkin and D-Link, and the funny thing is it's enabled by default and most people don't even know the risks. Take care :)
Nicely done! I was planning to do a demo myself but you beat me to it. Do you mind if I post this as part of the SWSE courseware group?
@Vivek-Ramachandran LOL, I was so worried you would beat me to this video tutorial. Sure, you can add this to the SWSE. I am here today thanks to you educating us and making me live computer security. Thanks Vivek for everything!
Made me love computer security**
Sorry that was auto correct on my phone
@Vivek-Ramachandran If you want, I could remake this video, take the music out and talk with a webcam on for the SWSE. Let me know :)
@j0k3rr, would really appreciate if you could remove the music with your nice voice commentary :)
Keep Securing!
@CS-FAQs Will do :) Need some time on it, but this coming week for sure.
@CS-FAQS - Done, just updated the video.
@Vivek-Ramachandran: I updated the video, removed the music and added my voice to it explaining details about reaver.
peace
Very nicely made video!
@j0k3rr Sorry for the delayed response, buddy. That would be fantastic: slides + demo + voice :) + webcam :)
Look forward!
@Kualla Thanks so much, your comment motivates me into doing more vocal tutorials :)
@Vivek I will do my best on the slides and add my face to the intro :) Will do my best. The reason why I asked about the slides was because of the SWSE; I don't know if you will add this actual video to it? Shall I use the same standard of slides you use? And I understand you're busy, so I don't expect you to rush. Thanks Vivek, my email is j0k3rr@thawildcard.com if you prefer to contact me through that.
Anyone using this for WPA2? I got an issue with it. I managed to crack it, but the PSK I get is just a 64-character hash in hex. That's obviously not the right PSK, and even more, I get a different one when I try a few more times. Also to note is that the AP ESSID is not printed correctly: I get the name "network-" followed by its BSSID. Am I missing something? BTW I'm using version 1.3.
Hi,
I've tried to reproduce your demonstration in-house against WPA / WPA2.
By the way, thanks, and I much appreciate the effort spent producing this.
However, there are some limitations, though, and I'll share one of the most important.
1. The target should be under -50 PWR signal strength, otherwise the attack will take 1 billion light years or can't be performed.
2. The target should have a strong firmware to support the attack itself, otherwise after a while it will become incapable of sustaining "the wave" and it needs to be restarted / reinitialized. That's no good for a "this is not a drill" situation :)
With that being said, happy hunting and drive safe.
@fric Yeah, in this video demo I attacked a WPA2 PSK and it worked. Try it on another AP; maybe it's best to report this to the developers of reaver.
@Osirium: Yeah, it could cause a denial of service to some access points. About the signal, there are solutions to it :) I won't say more!
Yea, I went to their issue tracker and surfed it a little. Found out that some routers just produce some random PSK. Nevertheless the PIN is still correct, and the only way to gain access is to use wpa_supplicant, but I can't seem to use it right ;p
So I know this is a few months old post, but I'm getting the WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX). I know the router has WPS and it's not disabled. There is MAC filtering to only allow certain approved MACs on. Is this causing my issue? And if so, would spoofing an approved MAC address make it work?
@TehChaos: You're right, it seems like the MAC filtering is causing reaver not to associate with the AP. Try spoofing a MAC address that's already associated with the access point.
If you're still having trouble, check out reaver's Google Code page. They have a lot of support on there that might help.
Please let us know how it goes; you got me curious about this MAC filtering.
Thanks for your comment, really appreciate it.
Yea, my dad is a sneaky sneaky man. I am using Look At LAN to get the IPs of the connected PCs and NetTools 5 to use the network remote MAC address. If you know an easier way, let me know. And I won't know until tomorrow; I have to get a computer to connect via wifi. Do you know of an easier way to get MACs? And will spoofing an iPod/iPad work? I know both of those are always connected to the wifi :D Just a little Q/A that will not only help me but my fellow educators also :D
@TehChaos: Yeah, there are tools that come with BackTrack's aircrack suite that show every MAC address connected to a wireless router. Vivek Ramachandran, owner of SecurityTube, made a bunch of videos on wifi security; here is one called "Laughing off MAC filters": http://www.securitytube.net/video/1775
To see more, go to http://www.securitytube.net/user/Vivek-Ramachandran
He also released a book; you can buy it or download the e-book off Amazon: http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581
@j0k3rr:
Nice, good sir. I spoofed the MAC and got a lot better results than I was getting prior. So yes, spoofing a MAC will work, and god, it's taking forever! And I wasn't connected to the router. My dad set it up so I can test the vulnerability of it. This WPS was the long shot that just happens to be going to work :D I also have the WPS PIN off the router. Is there any way to use that to skip to the end of this process?
Ha, so after watching this video I knew this. So I feel dumb that I didn't get the MAC address his way :D Shows that I was up too late yesterday :D
@TehChaos: I was confused about why you would want to use the PIN to speed up the process, but my guess is you want the WPA-PSK passphrase?
Use reaver with the -p switch and include the 4 or 8 digit PIN.
@TehChaos And thanks for sharing your experience, really appreciate it :)
Experience? Naw, I'm just like everyone else; I just happen to learn quick. So I have an issue with Windows. I can't spoof the MAC address on the list. Windows isn't liking the Apple product MACs and I don't know what to do. On Linux, when I do 'macchanger -m 00:00:00:00:00:00 mon0' it accepts it no matter what, but Windows isn't allowing me to mimic this. Ideas on how to fix? And I can change my MAC on Windows, just not to the ones I want! I also used TMAC to see if I was doing it wrong. Still doesn't spoof.
@j0k3rr Man, there has to be a better way for this back and forth. Windows 7 drivers for certain NICs are programmed to ignore some spoofed MAC addresses, so I had to get Windows XP drivers for my NIC to correct this, and now I'm on my dad's net once again.
@j0k3rr After I unzip the reaver package I am getting "bash: cd srt: No such file or directory" right after we type in "ls" and "docs src" appears. I would really appreciate some help with this error. Thanks in advance.
@TehChaos: Sorry, I'm not so sure about MAC spoofing for Windows. I apologize for the late response.
@supremeoverlord: If you're using BT5 R2, reaver comes installed with it; just type the command reaver or wash (wash scans for APs that support WPS). You can also download reaver using SVN. unzip works for zip files; if it's a tar.gz, use tar zxvf and the filename :)
@J0k3rr I got it. Just download a program called TMAC. It works ezmode.
If you start reaver -i mon0 -b 11:22:33:44:55:66 -vv
(the -b value is an example!) reaver will begin to try the PINs,
but sometimes you will receive a warning "AP rate limiting detected"
and it will stop trying for 325 sec!
I figured out how to bypass this warning and I found a possible way to lock the WPS so that reaver proceeds trying the PINs. First, disconnect from the internet!!! When you disable the internet wifi, go to your root and type airmon-ng
then after that this command:
airmon-ng start wlan.
If you receive the message "monitor mode is enabled on mon1",
give this command: airmon-ng stop mon1
You will now have wlan0 or wlan1 and mon0.
Then type: airodump-ng mon0
After 30 sec press ctrl+c together; this stops the scan.
Then finally reaver -i mon0 -b (MAC that you attack) -L -vv
and bye bye WPS, no errors anymore and reaver will never be disturbed anymore. Happy hacking, greetings, hacker 66
Better is this command; it locks WPS and channel.
Example: reaver -i mon0 -b 00:11:22:33:44:55:66 -L -c 11 -vv
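The last post, and Osirium's earlier one, observe from the attacking side that some access points rate-limit or lock WPS after a run of failed PIN attempts. The same signal is available to the defender in the AP's own event log, and it is a far cleaner indicator than any over-the-air heuristic: a PIN search is a steady stream of password-authentication failures from a single station. The following is an added example, not code from the video, from any commenter, or from the Reaver project. The log format is constructed for this example: it reuses hostapd's "WPS-FAIL msg=<n> config_error=<n>" event text, but the timestamp and "STA <mac>" prefix, the three-failures-per-minute threshold and the sample lines are all assumptions.

```python
# Added example, not code from the video, the thread, or the Reaver project:
# flag a WPS PIN brute force from AP-side WPS-FAIL events.
# Log format is constructed for this example (hostapd's WPS-FAIL event text
# with an assumed timestamp and "STA <mac>" prefix); threshold and window are
# assumed policy values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# WPS configuration-error codes from the specification:
# 18 = device password (PIN) authentication failure, 16 = message timeout.
PIN_AUTH_FAILURE = 18

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"STA (?P<sta>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"WPS-FAIL msg=(?P<msg>\d+) config_error=(?P<err>\d+)$"
)


def parse_wps_failures(lines):
    """Yield (timestamp, station MAC, WPS message type) for each PIN failure.

    Lines with any other config_error (timeouts, locked setup, ...) are
    skipped: only code 18 means a wrong PIN half was offered.
    """
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group("err")) == PIN_AUTH_FAILURE:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("sta").lower(), int(m.group("msg"))


def wps_bruteforce_alerts(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return {station: timestamp at which it exceeded max_failures in window}.

    A person mistyping a PIN produces one or two failures; a PIN search
    produces a continuous run from one station, so a small sliding-window
    count separates the two. Each station is reported once.
    """
    recent = defaultdict(deque)   # station -> timestamps of recent failures
    alerts = {}
    for ts, sta, _msg in parse_wps_failures(lines):
        q = recent[sta]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > max_failures and sta not in alerts:
            alerts[sta] = ts
    return alerts


# Constructed sample log: one honest mistake from ...:01, a sustained PIN
# search from ...:02 (msg 8 = M4 and msg 10 = M6 are the two points at which
# a PIN half is rejected), and a timeout from ...:03 that must not count.
SAMPLE_LOG = [
    "2012-03-01 10:00:01 wlan0: STA aa:bb:cc:dd:ee:01 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:00:30 wlan0: STA aa:bb:cc:dd:ee:01 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:05:00 wlan0: STA aa:bb:cc:dd:ee:02 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:05:02 wlan0: STA aa:bb:cc:dd:ee:02 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:05:04 wlan0: STA aa:bb:cc:dd:ee:02 WPS-FAIL msg=10 config_error=18",
    "2012-03-01 10:05:06 wlan0: STA aa:bb:cc:dd:ee:02 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:05:08 wlan0: STA aa:bb:cc:dd:ee:02 WPS-FAIL msg=8 config_error=18",
    "2012-03-01 10:05:09 wlan0: STA aa:bb:cc:dd:ee:03 WPS-FAIL msg=8 config_error=16",
]

if __name__ == "__main__":
    for sta, when in wps_bruteforce_alerts(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} possible WPS PIN brute force from {sta}")
```

On the sample only aa:bb:cc:dd:ee:02 is reported, at its fourth failure inside the minute. An alert like this is the place to apply the lockout the commenters ran into, and the durable fix is configuration rather than detection: in hostapd.conf, wps_state=0 disables WPS entirely and ap_setup_locked=1 disables the AP PIN while leaving push-button setup available, so no PIN exists to be searched.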