HISTORY LESSONWPS (Wifi Protected Setup) is a feature created in 2007 to make Wifi Protected Networking easy for the average user while making it secure. However due to a design flaw in the authentication for the PIN for the device, this has allowed the ability to Crack the PIN on a WPS enabled AP. This has nothing to do with cracking the WPA/WPA2 PSK, although it will be obtained with this method.
The PIN is broken down as 11112223 (Example for explanation only and not to be taken literally)
The 1111 is the first half of the PIN. The 222 is the second half of the PIN. The 3 is a checksum of the entire PIN (first 7 digits). Reaver must first obtain the first half of the PIN (1111) before it can go on to the second half (222). When reaver is running you will notice 1111 changes 222 remains same and 3 changes, until it obtains the first half of the PIN. Then the 1111 remains same, 222 and 3 changes as it obtains the second half of the PIN.
Tools needed
Linux Distro (I recommend BackTrack 5r1)
Reaver https://code.google.com/p/reaver-wps/dow...=-filename
A compatible Wifi Adapter (research your preference ie; AWUS036H)
NB: Reaver will only run on linux and why BackTrack 5r1 is recommended.
With Backtrack Running download Reaver
extract and install reaver as follows from Terminal:
tar xvfz reaver1.xxxx (xxxx being the release number which will change with updates)
cd reaver1.xxx
cd /src/
./configure
make
make install
Assuming no errors lets continue
Find your wireless card: Inside Terminal, type:
Press Enter. You should see a wireless device in the subsequent list. Most likely, it'll be named wlan0, but if you have more than one wireless card, or a more unusual networking setup, it may be named something different.
Put your wireless card into monitor mode: Assuming your wireless card's interface nameis
wlan0, execute the following command to put your wireless card into monitor mode:
This command will output the name of monitor mode interface, which you'll also want to make note of. Most likely, it'll be
mon0, like in the screenshot below. Make note of that.
Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier of the router you're attempting to crack so that you can point Reaver in the right direction. To do this, execute the following command:
(Note: If
airodump-ng wlan0 doesn't work for you, you may want to try the monitor interface instead—e.g., airodump-ng mon0.)
You'll see a list of the wireless networks in range—it'll look something like the screenshot below:
When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy that network's BSSID (it's the series of letters, numbers, and colons on the far left). The network should have WPA or WPA2 listed under the ENC column. (If it's WEP, use our previous guide to cracking WEP passwords.)
Now, with the BSSID and monitor interface name in hand, you've got everything you need to start up Reaver.
Step 4: Crack a Network's WPA Password with Reaver
Now execute the following command in the Terminal, replacing
bssid and moninterfacewith the BSSID and monitor interface and you copied down above:
For example, if your monitor interface was
mon0 like mine, and your BSSID was8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:
Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. In my successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver me with the correct password. As mentioned above, the Reaver documentation says it can take between 4 and 10 hours, so it could take more or less time than I experienced, depending. When Reaver's cracking has completed, it'll look like this:
A few important factors to consider: Reaver worked exactly as advertised in my test, but it won't necessarily work on all routers (see more below). Also, the router you're cracking needs to have a relatively strong signal, so if you're hardly in range of a router, you'll likely experience problems, and Reaver may not work. Throughout the process, Reaver would sometimes experience a timeout, sometimes get locked in a loop trying the same PIN repeatedly, and so on. I just let it keep on running, and kept it close to the router, and eventually it worked its way through.
Also of note, you can also pause your progress at any time by pressing Ctrl+C while Reaver is running. This will quit the process, but Reaver will save any progress so that next time you run the command, you can pick up where you left off-as long as you don't shut down your computer (which, if you're running off a live DVD, will reset everything).
How Reaver Works
Now that you've seen how to use Reaver, let's take a quick overview of how Reaver works. The tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It's a feature that exists on many routers, intended to provide an easy setup process, and it's tied to a PIN that's hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that, with enough time, it can reveal your WPA or WPA2 password.
Read more details about the vulnerability at Sean Gallagher's excellent post on Ars Technica.
How to Protect Yourself Against Reaver Attacks
Since the vulnerability lies in the implementation of WPS, your network should be safe if you can simply turn off WPS (or, even better, if your router doesn't support it in the first place). Unfortunately, as Gallagher points out as Ars, even with WPS manually turned off through his router's settings, Reaver was still able to crack his password.
In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable.
So that's kind of a bummer. You may still want to try disabling WPS on your router if you can, and test it against Reaver to see if it helps.
You could also set up MAC address filtering on your router (which only allows specifically whitelisted devices to connect to your network), but a sufficiently savvy hacker could detect the MAC address of a whitelisted device and use MAC address spoofing to imitate that computer.
THINGS TO NOTE:
You may see the percentage in reaver output go from 2% to 90% just like that. This is normal when it finds the first half of the PIN. This is also why you will notice the second half of the PIN as noted above as 222 remains constant before it finds the first half.Errors are a common thing to see and caused by many variables.
WARNING: Receive timeout occurred
WARNING: 10 failed connections in a row
WARNING: Out of order packet received, re-trasmitting last message
Just let it run.
If I forgot something I will add it in or attempt to explain in better detail. Hope this helps.
No comments:
Post a Comment
Confused?.Not working ,Link Ghosted??!!! Feel Free to Request Any Bot Cracks n Get answer in ur Direct Mail Inbox