cracking wifi wpa_wpa2 passwords using reaver-wps - blackmore ops

22/12/2014 CrackingWifiWPA/WPA2passwordsusingReaverWPSblackMOREOps

http://www.blackmoreops.com/2013/10/12/crackingwifiwpawpa2passwordsusingreaverwps/ 1/11

CrackingWifiWPA/WPA2passwordsusingReaverWPSThisentrywaspostedinCrackingHackingLinuxReaverWifiWirelessandtaggedCrackingReaverWPSWifiWPA2onOctober12,2013byblackMOREOps(updated13daysago)

reaverwpsBruteforceattackagainstWifiProtectedSetupCrackingWifiWPA/WPA2passwordsusingReaverWPS

1.

2.

3.

4.

5.

6.

Top5Wireless

WirelessEarbuds

WifiBooster

WirelessConnection

WirelessAccess

WirelessWiFi

HomeCrackingCrackingWifiWPA/WPA2passwordsusingReaverWPS

2

Learnonetrickaday....



Overview:ReaverwpsperformsabruteforceattackagainstanaccesspointsWiFiProtectedSetuppinnumber.OncetheWPSpinisfound,theWPAPSKcanberecoveredandalternatelytheAPswirelesssettingscanbereconfigured.ThispostoutlinesthestepsandcommandthathelpscrackingWifiWPA/WPA2passwordsusingReaverWPS.

WhileReaverwpsdoesnotsupportreconfiguringtheAP,thiscanbeaccomplishedwithwpa_supplicantoncetheWPSpinisknown.

Readers,notethatIvesincewrittenanotherpostwhereIcouldcrackapasswordin14.21seconds.usingpyritcowpattyandWiFitecombinationattackwithdictionary.Thewholeprocesstakeslessthan10minutes.

ThosewhowouldliketotrymorewaysofcrackingWifiWPAWPA2passwords,youcanalsouseHashCatorcudaHashcatoroclHashcattocrackyourunknownWifiWPAWPA2passwords.ThebenefitofusingHashcatis,youcancreateyourownruletomatchapatternanddoaBruteforceattack.Thisisanalternativetousingdictionaryattackwheredictionarycancontainonlycertainamountofwordsbutabruteforceattackwillallowyoutotesteverypossiblecombinationsofgivencharsets.HashcatcancrackWifiWPA/WPA2passwordsandyoucanalsouseittocrackMD5,phpBB,MySQLandSHA1passwords.UsingHashcatisangoodoptionasifyoucanguess1or2charactersinapassword,itonlytakesfewminutes.Forexample:ifyouknow3charactersinapassword,ittakes12minutestocrackit.Ifyouknow4charactersinapassword,ittakes3minutes.YoucanmakerulestoonlytrylettersandnumberstocrackacompletelyunknownpasswordifyouknowacertainRoutersdefaultpasswordcontainsonlythose.Possibilitiesofcrackingisalothigherinthisway.

1.

2.

3.

4.

5.

WirelessWiFi

Top5Wireless

WifiBooster

WirelessAccessPoints

WirelessEarbuds



ImportantNote:Manyuserstrytocapturewithnetworkcardsthatarenotsupported.YoushouldpurchaseacardthatsupportsKaliLinuxincludinginjectionandmonitormodeetc.Alistcanbefoundin802.11RecommendedUSBWirelessCardsforKaliLinux.Itisveryimportantthatyouhaveasupportedcard,otherwiseyoullbejustwastingtimeandeffortonsomethingthatjustwontdothejob.

Contents[hide]

reaverwpsBruteforceattackagainstWifiProtectedSetupCrackingWifiWPA/WPA2passwordsusingReaverWPS

Overview:Description:Installation:Usage:MoreonBasicUsagesSpeedingUptheAttackMACSpoofingSupportedWirelessDrivers

PartiallySupportedNotSupported

ConclusionRelated

Description:ReaverwpstargetstheexternalregistrarfunctionalitymandatedbytheWiFiProtectedSetupspecification.Accesspointswillprovideauthenticatedregistrarswiththeircurrentwirelessconfiguration(includingtheWPAPSK),andalsoacceptanewconfigurationfromtheregistrar.

Inordertoauthenticateasaregistrar,theregistrarmustproveitsknowledgeoftheAPs8digitpinnumber.RegistrarsmayauthenticatethemselvestoanAPatanytimewithoutanyuserinteraction.BecausetheWPSprotocolisconductedoverEAP,theregistrarneedonlybeassociatedwiththeAPanddoesnotneedanypriorknowledgeofthewirelessencryptionorconfiguration.

ReaverwpsperformsabruteforceattackagainsttheAP,attemptingeverypossiblecombinationinordertoguesstheAPs8digitpinnumber.Sincethepinnumbersareallnumeric,thereare10^8(100,000,000)possiblevaluesforanygivenpinnumber.However,becausethelastdigitofthepinisachecksumvaluewhichcanbecalculatedbasedontheprevious7digits,thatkeyspaceisreducedto10^7(10,000,000)possiblevalues.

ThekeyspaceisreducedevenfurtherduetothefactthattheWPSauthenticationprotocolcutsthepininhalfandvalidateseachhalfindividually.Thatmeansthatthereare10^4(10,000)possiblevaluesforthefirsthalfofthepinand10^3(1,000)possiblevaluesforthesecondhalfofthepin,withthelastdigitofthepinbeingachecksum.

Reaverwpsbruteforcesthefirsthalfofthepinandthenthesecondhalfofthepin,meaningthattheentirekeyspacefortheWPSpinnumbercanbeexhaustedin11,000attempts.ThespeedatwhichReavercantestpinnumbersisentirelylimitedbythespeedatwhichtheAPcanprocessWPSrequests.SomeAPsarefastenoughthatonepincanbetestedeverysecondothersareslowerandonlyallowonepineverytenseconds.Statistically,itwillonlytakehalfofthattimeinordertoguessthecorrectpinnumber.

Installation:InstallKaliLinux,everythingbuiltintoit.(Reaverwps,libpcapandlibsqlite3)



Usage:Usually,theonlyrequiredargumentstoReaverwpsaretheinterfacenameandtheBSSIDofthetargetAP:

#reaverimon0b00:01:02:03:04:05

ThechannelandSSID(providedthattheSSIDisnotcloaked)ofthetargetAPwillbeautomaticallyidentifiedbyReaverwps,unlessexplicitlyspecifiedonthecommandline:

#reaverimon0b00:01:02:03:04:05c11elinksys

Bydefault,iftheAPswitcheschannels,Reaverwpswillalsochangeitschannelaccordingly.However,thisfeaturemaybedisabledbyfixingtheinterfaceschannel:

#reaverimon0b00:01:02:03:04:05fixed

Thedefaultreceivetimeoutperiodis5seconds.Thistimeoutperiodcanbesetmanuallyifnecessary(minimumtimeoutperiodis1second):

#reaverimon0b00:01:02:03:04:05t2

Thedefaultdelayperiodbetweenpinattemptsis1second.Thisvaluecanbeincreasedordecreasedtoanynonnegativeintegervalue.Avalueofzeromeansnodelay:

#reaverimon0b00:01:02:03:04:05d0

SomeAPswilltemporarilylocktheirWPSstate,typicallyforfiveminutesorless,whensuspiciousactivityisdetected.Bydefaultwhenalockedstateisdetected,Reaverwpswillcheckthestateevery315seconds(5minutesand15seconds)andnotcontinuebruteforcingpinsuntiltheWPSstateisunlocked.Thischeckcanbeincreasedordecreasedtoanynonnegativeintegervalue:

#reaverimon0b00:01:02:03:04:05lockdelay=250

Foradditionaloutput,theverboseoptionmaybeprovided.Providingtheverboseoptiontwicewillincreaseverbosityanddisplayeachpinnumberasitisattempted:

1.

2.

3.

4.

5.

WirelessWiFi

Top5Wireless

WifiBooster

WirelessAccessPoints

WirelessEarbuds



#reaverimon0b00:01:02:03:04:05vv

ThedefaulttimeoutperiodforreceivingtheM5andM7WPSresponsemessagesis.1seconds.Thistimeoutperiodcanbesetmanuallyifnecessary(maxtimeoutperiodis1second):

#reaverimon0b00:01:02:03:04:05T.5

SomepoorWPSimplementationswilldropaconnectiononthefloorwhenaninvalidpinissuppliedinsteadofrespondingwithaNACKmessageasthespecsdictate.Toaccountforthis,ifanM5/M7timeoutisreached,itistreatedthesameasaNACKbydefault.However,ifitisknownthatthetargetAPsendsNACKS(mostdo),thisfeaturecanbedisabledtoensurebetterreliability.ThisoptionislargelyuselessasReaverwpswillautodetectifanAPproperlyrespondswithNACKsornot:

#reaverimon0b00:01:02:03:04:05nack

WhilemostAPsdontcare,sendinganEAPFAILmessagetocloseoutaWPSsessionissometimesnecessary.Bydefaultthisfeatureisdisabled,butcanbeenabledforthoseAPsthatneedit:

#reaverimon0b00:01:02:03:04:05eapterminate

When10consecutiveunexpectedWPSerrorsareencountered,awarningmessagewillbedisplayed.SincethismaybeasignthattheAPisratelimitingpinattemptsorsimplybeingoverloaded,asleepcanbeputinplacethatwilloccurwheneverthesewarningmessagesappear:

#reaverimon0b00:01:02:03:04:05failwait=360

MoreonBasicUsagesFirst,makesureyourwirelesscardisinmonitormode:

#airmonngstartwlan0

TorunReaver,youmustspecifytheBSSIDofthetargetAPandthenameofthemonitormodeinterface(usuallymon0,notwlan0,althoughthiswillvarybasedonyourwirelesscard/drivers):

#reaverimon0b00:01:02:03:04:05

YouwillprobablyalsowanttousevvtogetverboseinfoaboutReaversprogress:

#reaverimon0b00:01:02:03:04:05vv

SpeedingUptheAttackBydefault,Reaverwpshasa1seconddelaybetweenpinattempts.Youcandisablethisdelaybyaddingd0onthecommandline,butsomeAPsmaynotlikeit:

#reaverimon0b00:01:02:03:04:05vvd0

Anotheroptionthatcanspeedupanattackisdhsmall.ThisoptioninstructsReavertousesmalldiffiehellmansecretnumbersinordertoreducethecomputationalloadonthetargetAP:

#reaverimon0b00:01:02:03:04:05vvdhsmall



MACSpoofingInsomecasesyoumaywant/needtospoofyourMACaddress.ReaversupportsMACspoofingwiththemacoption,butyoumustensurethatyouhavespoofedyourMACcorrectlyinorderforittowork.

ChangingtheMACaddressofthevirtualmonitormodeinterface(typicallynamedmon0)WILLNOTWORK.YoumustchangetheMACaddressofyourwirelesscardsphysicalinterface.Forexample:

#ifconfigwlan0down#ifconfigwlan0hwether00:BA:AD:BE:EF:69#ifconfigwlan0up#airmonngstartwlan0#reaverimon0b00:01:02:03:04:05vvmac=00:BA:AD:BE:EF:69

SupportedWirelessDriversThefollowingwirelessdrivershavebeentestedorreportedtoworksuccessfullywithReaverwps:

ath9krtl8187carl19170ipw2000rt2800pcirt73usb

PartiallySupported

Thefollowingwirelessdrivershavehadmixedsuccess,andmayormaynotworkdependingonyourwirelesscard(i.e.,ifyouarehavingproblemswiththesedrivers/cards,considertryinganewcardbeforesubmittingatroubleticket):

ath5kiwlagnrtl2800usb(usingthelatestcompatwirelessdrivershasfixedmanyuser'sproblems,hinthint...)b43

NotSupported

Thefollowingwirelessdrivers/cardshavebeentestedorreportedtonotworkproperlywithReaver:

iwl4965RT3070LNetgearWG111v3

ConclusionIfyouwanttoPentestorHackyourWifiPasswords,thenthefirstthingyouneedisacompatibleWificard.MostWificardsarepricedbetween15$35$USD.Iseenopointstrugglingwithanunsupportedcardwhenyoucanjustinvestthatextrabucksandthatcardwilllastyouyears.YougettolearnhowtopentestorhackWifipasswords,howtoInject,spoof,setupfakeAPorHoneypot.SeethelistofsupportedUSBWifiadaptercardsthatworksinKaliLinuxandareavailableinAmazon.

Relatedpost:SpeedupWPA/WPA2crackingwithPyritandCUDAandleveragingWifite[Thispostisnowreplacedandupdatedbythenextonebelow]



CrackingWifiWPA/WPA2passwordsusingpyritcowpattyinKaliLinux

AboutblackMOREOpsblackMOREOpsisdedicatedtoHowto,Guides,SecurityfeaturesandTipsandTricksforLinuxOS.Thankyouforvisitingusandfollowusherewww.blackmoreops.com.

ViewallpostsbyblackMOREOps

LeaveaReply

Notifymeofnewcommentsviaemail.

Notifymeofnewpostsviaemail.

PostComment

Email(required) (Addressnevermadepublic)

Name(required)

Website

2thoughtsonCrackingWifiWPA/WPA2passwordsusingReaverWPS

Pingback:AdetailedguideoninstallingKaliLinuxonVirtualBoxblackMOREOps

Pingback:20thingstodoafterinstallingKaliLinuxblackMOREOps



FixingPulseAudioconfiguredforperusersessions(warning)inKaliLinuxandDebian

WPSCANandquickwordpresssecurity

P o s t n a v i g a t i o n

GoogleSiteSearch

RecentPostsdarodar.comreferrerspamandWhattodo?

RandomquotesandcreaturesusingfortuneandcowsayinLinuxterminal

Fixingerror:Packagepackagenameisnotavailable,butisreferredtobyanotherpackage.Thismaymeanthatthepackageismissing,hasbeenobsoleted,orisonlyavailablefromanothersourceE:Packagepackagenamehasnoinstallationcandidate

FixingProxyChainsERROR:ld.so:objectlibproxychains.so.3fromLD_PRELOADcannotbepreloaded:ignored.



ArchivesDecember2014(6)November2014(3)October2014(4)

September2014(5)

RecentCommentsFixingProxyChainsERROR:ld.so:object'libproxychains.so.3'fromLD_PRELOADcannotbepreloaded:ignored.blackMOREOpson20thingstodoafterinstallingKaliLinux

802.11RecommendedUSBWirelessCardsforKaliLinuxblackMOREOpsonTPLinkTLWDN3200N600WirelessDualBandUSBAdapterinLinux

802.11RecommendedUSBWirelessCardsforKaliLinuxblackMOREOpsonCrackingWifiWPA/WPA2passwordsusingpyritcowpattyinKaliLinux

Links18/12/2014:LinuxQuestions.orgPolls,FedoraforPOWER|TechrightsonRandomquotesandcreaturesusingfortuneandcowsayinLinuxterminal



August2014(9)July2014(2)

June2014(10)April2014(2)

March2014(8)February2014(6)January2014(12)

December2013(10)November2013(12)October2013(29)

CategoriesBIOS(1)

Browser(5)Cracking(3)

DataRecovery(1)DDOS(1)

Denialofservice(1)Driver(2)

Hacking(4)Hashcat(1)Howto(87)Linux(115)

Administration(17)AMD(9)BIND(1)

CentOS(1)cli(12)

DesktopManagers(12)KaliLinux(62)Metasploit(2)Monitoring(3)Networking(4)NVIDIA(7)

ProxyChains(1)Pyrit(8)

Reaver(1)Security(8)Sound(2)VPN(1)

WPSCAN(2)

News(1)Others(12)

Recoverrootpassword(1)Spam(1)

Usability(2)USB(1)



Backtotop

VirtualBox(2)Wifi(9)

Wireless(3)Wordpress(2)

RSSFeedRSSPosts

RSSComments

2014blackMOREOpsDesignedbyThemes&Co

cracking wifi wpa_wpa2 passwords using reaver-wps - blackmore ops

Documents