reaver-wps
Brute force attack against Wifi Protected Setup
Overview:
Reaver-wps performs a brute force attack against an access point’s
WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK
can be recovered and alternately the AP’s wireless settings can be
reconfigured.
While Reaver-wps does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.
Description:
Reaver-wps targets the external registrar functionality mandated by
the WiFi Protected Setup specification. Access points will provide
authenticated registrars with their current wireless configuration
(including the WPA PSK), and also accept a new configuration from the
registrar.
In order to authenticate as a registrar, the registrar must prove its
knowledge of the AP’s 8-digit pin number. Registrars may authenticate
themselves to an AP at any time without any user interaction. Because
the WPS protocol is conducted over EAP, the registrar need only be
associated with the AP and does not need any prior knowledge of the
wireless encryption or configuration.
Reaver-wps performs a brute force attack against the AP, attempting
every possible combination in order to guess the AP’s 8 digit pin
number. Since the pin numbers are all numeric, there are 10^8
(100,000,000) possible values for any given pin number. However, because
the last digit of the pin is a checksum value which can be calculated
based on the previous 7 digits, that key space is reduced to 10^7
(10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS
authentication protocol cuts the pin in half and validates each half
individually. That means that there are 10^4 (10,000) possible values
for the first half of the pin and 10^3 (1,000) possible values for the
second half of the pin, with the last digit of the pin being a checksum.
Reaver-wps brute forces the first half of the pin and then the second
half of the pin, meaning that the entire key space for the WPS pin
number can be exhausted in 11,000 attempts. The speed at which Reaver
can test pin numbers is entirely limited by the speed at which the AP
can process WPS requests. Some APs are fast enough that one pin can be
tested every second; others are slower and only allow one pin every ten
seconds. Statistically, it will only take half of that time in order to
guess the correct pin number.
Installation:
Install Kali Linux, everything built into it. (Reaver-wps, libpcap and libsqlite3)
Usage:
Usually, the only required arguments to Reaver-wps are the interface name and the BSSID of the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05
The channel and SSID (provided that the SSID is not cloaked) of the
target AP will be automatically identified by Reaver-wps, unless
explicitly specified on the command line:
# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
By default, if the AP switches channels, Reaver-wps will also change
its channel accordingly. However, this feature may be disabled by fixing
the interface’s channel:
# reaver -i mon0 -b 00:01:02:03:04:05 --fixed
The default receive timeout period is 5 seconds. This timeout period
can be set manually if necessary (minimum timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -t 2
The default delay period between pin attempts is 1 second. This value
can be increased or decreased to any non-negative integer value. A
value of zero means no delay:
# reaver -i mon0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for five
minutes or less, when “suspicious” activity is detected. By default when
a locked state is detected, Reaver-wps will check the state every 315
seconds (5 minutes and 15 seconds) and not continue brute forcing pins
until the WPS state is unlocked. This check can be increased or
decreased to any non-negative integer value:
# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
For additional output, the verbose option may be provided. Providing
the verbose option twice will increase verbosity and display each pin
number as it is attempted:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
The default timeout period for receiving the M5 and M7 WPS response
messages is .1 seconds. This timeout period can be set manually if
necessary (max timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -T .5
Some poor WPS implementations will drop a connection on the floor
when an invalid pin is supplied instead of responding with a NACK
message as the specs dictate. To account for this, if an M5/M7 timeout
is reached, it is treated the same as a NACK by default. However, if it
is known that the target AP sends NACKS (most do), this feature can be
disabled to ensure better reliability. This option is largely useless as
Reaver-wps will auto-detect if an AP properly responds with NACKs or
not:
# reaver -i mon0 -b 00:01:02:03:04:05 --nack
While most APs don’t care, sending an EAP FAIL message to close out a
WPS session is sometimes necessary. By default this feature is
disabled, but can be enabled for those APs that need it:
# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
When 10 consecutive unexpected WPS errors are encountered, a warning
message will be displayed. Since this may be a sign that the AP is rate
limiting pin attempts or simply being overloaded, a sleep can be put in
place that will occur whenever these warning messages appear:
# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360
More on Basic Usages
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the
name of the monitor mode interface (usually ‘mon0′, not ‘wlan0′,
although this will vary based on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver’s progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver-wps has a 1 second delay between pin attempts. You
can disable this delay by adding ‘-d 0′ on the command line, but some
APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is –dh-small. This option
instructs Reaver to use small diffie-hellman secret numbers in order to
reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver
supports MAC spoofing with the –mac option, but you must ensure that you
have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface
(typically named mon0) WILL NOT WORK. You must change the MAC address of
your wireless card’s physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Supported Wireless Drivers
The following wireless drivers have been tested or reported to work successfully with Reaver-wps:
ath9k
rtl8187
carl19170
ipw2000
rt2800pci
rt73usb
Partially Supported
The following wireless drivers have had mixed success, and may or may
not work depending on your wireless card (i.e., if you are having
problems with these drivers/cards, consider trying a new card before
submitting a trouble ticket):
ath5k
iwlagn
rtl2800usb (using the latest compat-wireless drivers has
b43 fixed many user's problems, hint hint...)
Not Supported
The following wireless drivers/cards have been tested or reported to not work properly with Reaver:
iwl4965
RT3070L
Netgear WG111v3
Enjoy.
