
WEP, WPA & WPA2 PSK CRACKING WITH REAVER IN BACKTRACK

 

INTRODUCTION
Reaver performs a brute force attack against an access point’s WiFi Protected Setup PIN number. Once the WPS PIN is found, the WPA PSK can be recovered and, alternatively, the AP’s wireless settings can be reconfigured. While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS PIN is known.
DESCRIPTION
 
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification.

Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8-digit PIN number. Since the PIN is entirely numeric, there are 10^8 (100,000,000) possible values for any given PIN. However, because the last digit of the PIN is a checksum value, which can be calculated from the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.
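To make that key-space reduction concrete, here is the WPS PIN check-digit rule from the WPS specification as an added Python example (this is not code from the original post or from Reaver); the PIN strings it uses are constructed samples.

```python
# Added example: the WPS PIN check-digit rule (Wi-Fi Protected Setup
# specification). The eighth digit is a function of the first seven, so
# it contributes no entropy: an 8-digit PIN has only 10^7 valid values.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the check digit for the first seven PIN digits.

    Digits in odd positions (1st, 3rd, 5th, 7th) are weighted 3, digits in
    even positions are weighted 1; the check digit brings the weighted sum
    up to a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    weighted = sum(int(d) * (3 if i % 2 == 0 else 1)
                   for i, d in enumerate(first_seven))
    return (10 - weighted % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight decimal digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def count_valid_pins(upper: int) -> int:
    """Count valid PINs among the 8-digit strings 00000000 .. upper-1.

    Exactly one of every ten consecutive strings passes the check, which is
    why 10^8 candidate strings collapse to 10^7 valid PINs.
    """
    return sum(1 for n in range(upper) if is_valid_wps_pin(f"{n:08d}"))


if __name__ == "__main__":
    # Constructed sample: 1234567 has check digit 0, so 12345670 is valid
    print(is_valid_wps_pin("12345670"))   # True
    print(is_valid_wps_pin("12345678"))   # False (wrong check digit)
    print(count_valid_pins(100_000))      # 10000, i.e. one in ten
```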

INSTALLATION
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:
Downloaded and installed Reaver (as of this date, 18-01-2012, reaver v1.3)

http://code.google.com/p/reaver-wps/

tar -xzf reaver-1.3.tar.gz
cd reaver-1.3
cd src/
./configure
make && make install

And use reaver’s included ‘wash’ to check my AP (Access point)

[Screenshot: WASH OPTIONS]

Carried out a quick scan with wash to get the details of my (now committed to the shelf of shame..) router. Using a wireless adapter with Realtek RTL8187L chipset with rtl8187 driver in this case.
Started the wireless interface on the channel of my AP (Channel 11).
(I was having issues with aireplay-ng when I had not specified the channel that should be used.)

airmon-ng start wlan0 11
wash -i mon0 -C

COMMAND TO GET DETAILS OF WPS (Wi-Fi Protected Setup) NETWORK

Start Reaver v1.4 with the -A switch, to not have Reaver associate with the router itself, in a separate terminal window.

reaver -i mon0 --bssid <bssid of target WPS network> -c <channel> -e <essid of target WPS network> -vv

Now we have to wait until Reaver finds the matching PIN; it then reports which PIN matched and works.

PIN MATCHING PROCESS

In this way we are able to crack the WPS Network.
Next part of the article will be coming soon.
Till then cheers, HAPPY HACKING
