Reaver | Cracking WPS Pin To Recover WPA & WPA2 WiFi Passwords!
In this tutorial, we’ll use Reaver for cracking WPS Pin so that we can recover WiFi passwords of WPA2 and WPA wireless networks.
PREREQUISITE: First Read Basics of WiFi Hacking & Security!
Table of Contents [Quick Links]
About Reaver
Reaver is an opensource tool whose source code is available at Google Code. It implements a brute force attack against WiFi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 password.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP’s plain text WPA/WPA2 password in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the WiFi password.
Steps | Attacking WPS Enabled WiFi
When nothing works – we just need reaver. Sometimes WPA/WPA2 password is too strong that offline brute-forcing is meaningless. But we can always hack a WiFi if WPS is enabled there.
Step 1: I believe you are already running Kali. So, open the terminal and run the following programs with commands:
Step 2: Choose a WiFi target from result show by wash program, Now run the reaver tool to crack the WPS pin.
Now reaver will start WPS attack on the WiFi access point with MAC Address 00:90:4C:C1:AC:21.
If you already know the pin then just use the argument -p [PIN]. Just add -p 12345670 (this is example pin number) to your previous command.
And here are few important points if you are using this tool:
- To know about more this tool just type reaver into the terminal and hit enter.
- AP’s which are locked (as shown by wash) are difficult to brute-force.
- You need to be very close to the WiFi source, low signal strength make it too difficult to actively brute-force.
Video Tutorial: Reaver in Action
So, I searched and watched several videos online found a video on How to Crack WiFi Password of WPA and Embedded here for you. This video will make the instruction more clear!
Handling Issues:
Some routers now come with WPS Pin lock down that means you might have hard time cracking WPS pin. In this case here are few options you can try:
If 10 consecutive unexpected WPS errors are encountered, a warning message will be shown. This may be a sign that the AP is rate limiting pin attempts. A waiting command can be issued whenever these warning messages appear. Use the following command:
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any value. Please note that 0 means no delay:
Countermeasures |Protect You WiFi
We had already talked about protecting our WiFi in several tutorials e.g. basics of WiFi Hacking and Security. Here are some countermeasures especially for WPS security:
- Disable WPS: Audit your WiFi security and analyze whether you WPS is secure or not.
- Increase WPS timeout period: For advanced routers, we can increase the Receive timeout to slow down the attack
- WPS Lock: Set the WPS Lock time to a large value. That means after certain fail attempts, the router should lock WPS feature for longer.
- MAC Filtering: One of the oldest way but sometimes can protect against script kiddies.
- Physically Secure the Router!
But as mentioned by sviehb.wordpress.com in WPS research (PDF linked below), a determined attacker might still be able to successfully attack a WPS-enabled AP. This attack is low-cost and has a high success guarantee compared to cracking WPA/WPA2-PSK.
External Resources
Recommended Books
Here are recommended books on WiFi hacking that includes reaver tool.
(121) 
(135) 