Mar 11, 2013

Reaver: guide to brute forcing Wifi Protected Setup

I thought I would share how easy it is to take down a router that is vulnerable to WPS attacks, like my own. Reaver is an open source tool that brute forces WPS (Wi-Fi Protected Setup). WPS uses a PIN (usually printed on the bottom of your router) that lets you authenticate other devices to your wireless network without typing in a password. With enough time, Reaver can crack this PIN and reveal the WPA or WPA2 password.

Getting Started

To get started you will need to be on Linux with the aircrack-ng suite and Reaver installed, and your wireless NIC will need to be put into monitor mode. I'm using Ubuntu on a friend's computer for this post. You'll notice I've masked some personal details in the images below to hide my router details. I'll explain as we move along.

In Ubuntu (Debian) you can install aircrack-ng and Reaver just like you install everything else:

If you need to download Ubuntu, or need help installing it, this page can help:
http://www.ubuntu.com/download/desktop

sudo apt-get install aircrack-ng reaver

Next you need to put your wireless card into monitor mode (this creates the mon0 interface). I'm using an internal wireless card, so my wireless interface is wlan0; run ifconfig to check whether yours is wlan0 or wlan1. To put your interface into monitor mode, run the following:

sudo airmon-ng start wlan0

Next you need to obtain the unique identifier (BSSID) of the router you wish to crack. Here's a screenshot of me running airodump-ng to grab my access point's BSSID, masked for privacy reasons, but you get the point.

airodump-ng mon0


Now you can start up Reaver, giving it the monitor interface and the BSSID from the previous steps:

reaver -i mon0 -b <bssid> -vv


Now Reaver runs for a while, trying to brute-force the WPS PIN.


After about 2 hours, Reaver hits my PIN and gives up the password for the router. In the screenshot I re-run Reaver with my PIN tried first to save time. And that's it. It's that easy.
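Seen from the access point's side, a run like the one above is one station making WPS registration attempt after attempt, each ending in failure, for as long as it takes to find the PIN. That pattern is easy to spot in AP logs. The following Python script is an added example (not part of the original post) that counts failed WPS registrations per client MAC inside a sliding time window and flags any station that crosses a threshold. The log line format, the MAC addresses, the threshold and the window are constructed assumptions; real hostapd, DD-WRT or vendor firmware logs word these events differently, so adapt LINE_RE to what your own syslog actually contains.

```python
"""Detect WPS PIN brute-forcing from access point logs.

Added example, not part of the original post. The log format below is a
constructed, hostapd-style sample; real APs word these messages differently,
so adjust LINE_RE before pointing this at your own syslog.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption):
#   2013-03-11T20:00:03 hostapd: wlan0: WPS-FAIL aa:bb:cc:dd:ee:ff
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+: \S+: "
    r"WPS-(?P<event>FAIL|SUCCESS) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def parse_line(line):
    """Return (timestamp, event, mac) for a WPS log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["event"], m["mac"].lower()


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map each offending station MAC to the time it first crossed the threshold.

    A station is flagged when it accumulates `threshold` failed WPS
    registrations inside any `window`. Lines are expected in time order.
    """
    recent = defaultdict(deque)  # mac -> timestamps of recent failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, mac = parsed
        if event != "FAIL":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = ts
    return alerts


def make_sample_log():
    """Constructed sample log: one user who mistypes the PIN twice and then
    succeeds, and one station retrying the registrar every 3 seconds."""
    base = datetime(2013, 3, 11, 20, 0, 0)
    user, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"  # constructed MACs
    lines = [
        f"{(base + timedelta(seconds=40 * i)).isoformat()} hostapd: wlan0: WPS-FAIL {user}"
        for i in range(2)
    ]
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} hostapd: wlan0: WPS-SUCCESS {user}")
    lines += [
        f"{(base + timedelta(seconds=3 * i)).isoformat()} hostapd: wlan0: WPS-FAIL {attacker}"
        for i in range(30)
    ]
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for mac, when in find_bruteforce(make_sample_log()).items():
        print(f"WPS brute-force suspected from {mac} at {when.isoformat()}")
```

Run the file as-is to see the alert for the constructed log; in practice you would feed it the AP's syslog or journal lines instead. Keeping a separate window per station is what makes the check useful: a user who mistypes the PIN a couple of times never trips it, while a registrar hammered every few seconds is flagged within the first half-minute, long before the two hours the search above needed.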


If you need any help with the commands you can ask for help, or read the help output and the man pages:

command --help
reaver --help
wash --help
man reaver

Protecting yourself

The easiest way to protect yourself is to turn WPS off; however, some routers don't have an option to turn it off, and some routers are still vulnerable even if the feature is turned off. Personally I would recommend using a third-party firmware on your router like DD-WRT. DD-WRT doesn't support WPS, so no worries there.
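As an added example (not from the original post), here is what turning WPS off looks like when the access point runs hostapd, which is what OpenWrt and a number of vendor firmwares use underneath. The option names are hostapd's own; the file path, the interface name and the PIN value are constructed placeholders.

```ini
# Constructed excerpt of /etc/hostapd/hostapd.conf (path and values assumed)

# Weak: WPS enabled with a static AP PIN that an external registrar may use.
# This is exactly the PIN a brute-force search recovers.
interface=wlan0
wps_state=2
ap_pin=12345670

# Hardened: WPS off entirely (wps_state=0 is also hostapd's default).
# Drop ap_pin as well so no static PIN exists to guess.
interface=wlan0
wps_state=0

# If WPS must stay on for push-button pairing only, refuse PIN-based
# configuration by external registrars:
# wps_state=2
# ap_setup_locked=1
```

After changing the file, restart hostapd and confirm the new state with `hostapd_cli wps_get_status`; if the AP has no such setting in its web interface at all, that is the case the post describes, and replacing the firmware is the practical fix.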

Further reading:

If you're looking to learn more about wireless hacking and Reaver, here are some links I would suggest.

http://www.aircrack-ng.org – aircrack-ng suite
http://code.google.com/p/reaver-wps/ – Reaver project page; there is also a point-and-click commercial version.

Here is a spreadsheet of vulnerable routers. I'm not sure how current it is, so the best way to see whether your (or another) router is vulnerable is to use Reaver's "wash" tool.
