Monday, 18 September 2017
0 comments

Reaver To Crack Wi-Fi WPS Password Tool

Reaver To Crack Wi-Fi WPS Password Tool


Reaver To Crack Wi-Fi WPS Password Tool


Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. 


It has been tested against a wide variety of access points and WPS implementations.

The original Reaver implements a online brute force attack against, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

reaver-wps-fork-t6x version 1.6b is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).

Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.

Requirements


apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
The example uses Kali Linux as the Operating System (OS) as pixiewps is included.

You must already have Wiire's Pixiewps installed. The latest version can be found here: https://github.com/wiire/pixiewps.

Setup

Download

git clone https://github.com/t6x/reaver-wps-fork-t6x

or

wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip

Build

cd reaver-wps-fork-t6x*/
cd src/
./configure
make

Install

sudo make install


About Reaver Options


-K and-or -Z // --pixie-dust (in reaver)

The -K and -Z option perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. pixiewps will then try to attack Ralink, Broadcom and Realtek detected chipset.

Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase. This is a temporary solution and an option to do a full attack will be implemented soon

-a // --all (in wash)

The option -a of Wash will list all access points, including those without WPS enabled.

Deprecated and temporary left behind options


- n (reaver): Automatically enabled, no need to invocate it.
- W (reaver): Temporary left behind. Integration of the default PIN generators was unstable, leading to many warnings at compilation time. It was also an issue to use a PIN attempt (risk of AP rating limit) in order to get a BSSID and an ESSID. For the moment PIN generation has to be done externally using the scripts provided in "doc".
- a (reaver): This option was the only option which required sqlite3 adding an extra dependency. It was only designed for automation scripts and this task (execute the last reaver command again) can be easily done internally by the script that calls reaver
- p1 and -p2 (reaver): Too much warnings and bugs.
-H (reaver): There is a need to find a way to perform it more cleanly, work is in progress.
- vvv (reaver): The highest level of verbose is temporary removed for the same reason.
- g (wash): Option was broken in latest release and need to be seriously rethought.

Download Reaver

0 comments:

Post a Comment

 
Toggle Footer
Top