Reaver To Crack Wi-Fi WPS Password Tool
Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
It has been tested against a wide variety of access points and WPS implementations.
The original Reaver implements a online brute force attack.
reaver-wps-fork-t6x version 1.6b is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).
Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.
- The original Reaver (v1.4) can be found here: https://code.google.com/p/reaver-wps/.
- The discontinued reaver-wps-fork-t6x community edition (which includes the Pixie Dust attack. v1.5.3) is now the old-master branch from this repository
- reaver-wps-fork-t6x community edition of Reaver version 1.6b (which includes the Pixie Dust attack): https://github.com/t6x/reaver-wps-fork-t6x.
- For more information about the Pixie Dust attack (including which APs are vulnerable) can be found here: https://github.com/wiire/pixiewps,
apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
The example uses Kali Linux as the Operating System (OS) as pixiewps is included.
You must already have Wiire's Pixiewps installed. The latest version can be found here: https://github.com/wiire/pixiewps.
Downloadgit clone https://github.com/t6x/reaver-wps-fork-t6x
wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip
Installsudo make install
About Reaver Options
-K and-or -Z // --pixie-dust (in reaver)
The -K and -Z option perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. pixiewps will then try to attack Ralink, Broadcom and Realtek detected chipset.
Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase. This is a temporary solution and an option to do a full attack will be implemented soon
-a // --all (in wash)
The option -a of Wash will list all access points, including those without WPS enabled.
Deprecated and temporary left behind options
- n (reaver): Automatically enabled, no need to invocate it.
- W (reaver): Temporary left behind. Integration of the default PIN generators was unstable, leading to many warnings at compilation time. It was also an issue to use a PIN attempt (risk of AP rating limit) in order to get a BSSID and an ESSID. For the moment PIN generation has to be done externally using the scripts provided in "doc".
- a (reaver): This option was the only option which required sqlite3 adding an extra dependency. It was only designed for automation scripts and this task (execute the last reaver command again) can be easily done internally by the script that calls reaver
- p1 and -p2 (reaver): Too much warnings and bugs.
-H (reaver): There is a need to find a way to perform it more cleanly, work is in progress.
- vvv (reaver): The highest level of verbose is temporary removed for the same reason.
- g (wash): Option was broken in latest release and need to be seriously rethought.