Reaver : Brute force attack against Wifi Protected Setup

So I have already shown you guys the difficult method to crack a WPA/WPA2 key (laughs), so I guess it's time to show you how to attempt to crack a WPA/WPA2 network key without a word list. Yeah, go on, curse me: "Why didn't this bastard teach that first then!!!" ... mostly for personal pleasure, lol. OK, OK, so the awesome tool we will be introducing in this tutorial is called Reaver. Reaver was made by Craig Heffner of Tactical Network Solutions.

In the old method, we used a dictionary attack against our target, but with Reaver we will be doing a brute force (more potent) attack on the target's WPS. It took me around 2-3 hours to crack my 8 digit PIN, which beats using a word list: I have spent a week trying to crack with a word list and still failed. So why do we still use word lists? Well, Reaver only works on routers that have WPS enabled. If you are worried about having your router's PIN brute forced, then simply disable WPS. You may download the PDF version of this tutorial here.

How does it work?
Reaver exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2, allowing the extraction of the Pre-Shared Key (PSK) used to secure the network.

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN, the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.

Tools used

Aircrack

Reaver

Paypal


Let's Begin

1) Open a terminal and type: airmon-ng start wlan0

2) Next type: airodump-ng mon0

3) The screen shown below appears; press Ctrl-C to stop.

4) Copy the target BSSID. I highlighted mine.

5) To use Reaver, just open a terminal and type: reaver -h. Read through the switches.

6) To begin the attack on the target BSSID, type: reaver -b (BSSID) -vv

7) As shown in the example below, Reaver first waits for a beacon from the target BSSID.

8) Reaver then switches the monitor interface (mon0) to the target's channel.

9) Reaver associates with the target BSSID, and the brute forcing of the enabled WPS begins!

10) The Reaver terminal will show the various PIN values that are being tried against the WPS.

11) This could take anywhere from 2-5 hours to complete. Mine took about 3 hours to successfully brute force. So let's leave it alone and move on to the final and most important stage.
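Seen from the access point's side, steps 9 to 11 look like one station failing WPS PIN registrations every few seconds for hours, which is easy to tell apart from a person who mistypes a PIN once. The following detection script is an added example for this post, not code from the post or from the Reaver project; the log line format is constructed for the example (real hostapd or vendor messages differ, so adapt `LINE_RE`), and the station MACs and timestamps are made up.

```python
"""Flag WPS PIN brute forcing in access-point logs (added example).

The log format is constructed: each failure line carries an ISO timestamp,
a host, the interface, the station MAC and the text "WPS: PIN mismatch".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the constructed failure lines; adjust to your AP's real syslog text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ hostapd: \S+: STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"WPS: PIN mismatch"
)


def parse_failures(lines):
    """Yield (timestamp, station MAC) for every WPS PIN failure in the log."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("sta").lower()


def detect_wps_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {station: peak failures inside any `window`} for stations that
    reach `threshold`. A legitimate client fails once or twice; an automated
    PIN guesser produces a steady stream of failures from one MAC."""
    recent = defaultdict(deque)   # per-station timestamps inside the window
    peak = {}
    for ts, sta in parse_failures(lines):
        q = recent[sta]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[sta] = max(peak.get(sta, 0), len(q))
    return peak


def build_sample_log():
    """Constructed log: a legitimate user who mistypes once and then succeeds,
    followed by a station that fails a PIN every three seconds."""
    base = datetime(2013, 5, 1, 10, 0, 0)
    legit, guesser = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    lines = [
        f"{base.isoformat()} ap1 hostapd: wlan0: STA {legit} WPS: PIN mismatch",
        f"{(base + timedelta(seconds=20)).isoformat()} ap1 hostapd: wlan0: "
        f"STA {legit} WPS: registration complete",
    ]
    for i in range(25):
        t = base + timedelta(minutes=5, seconds=3 * i)
        lines.append(f"{t.isoformat()} ap1 hostapd: wlan0: STA {guesser} WPS: PIN mismatch")
    return lines


if __name__ == "__main__":
    for sta, n in detect_wps_bruteforce(build_sample_log()).items():
        print(f"ALERT: {sta} failed {n} WPS PINs inside a 5 minute window")
```

The threshold and window are starting points; on a busy AP, tune them against a day of normal logs before alerting, and pair the alert with the mitigation the post already gives (disable WPS), since rate limiting alone only slows a run that already takes hours.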

12) Now direct yourself to paypal.com and log in to your account. Next, send your money to numanmalik987@gmail.com. Lol, just kidding! That email has no PayPal account attached to it; send me a message and I will give you my real PayPal account.

Author's Note:

1) So how do we know if a router has WPS enabled? Type: wash -i mon0 to see the list of WPS enabled routers.
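For someone auditing their own networks, the same `wash` listing answers the question the other way round: which of my access points advertise WPS and are not locked, and does my AP configuration actually have WPS off? The script below is an added example, not code from this post or from the Reaver/wash project. The wash table it parses is constructed to resemble the tool's output (column layout varies between versions, so the parser keys on the BSSID at the start of each row), the BSSIDs are made up, and the hostapd keys `wps_state` and `ap_setup_locked` are the standard hostapd.conf options as I know them; check your hostapd version's documentation for their exact semantics.

```python
"""Audit WPS exposure on access points you administer (added example).

Two checks: (1) parse a wash-style table and keep only your own BSSIDs that
show WPS on and not locked, and (2) read a hostapd.conf to confirm WPS is
actually disabled. Sample data is constructed.
"""
import re

# Constructed wash-style output: BSSID, channel, RSSI, WPS version, locked, ESSID.
WASH_SAMPLE = """\
BSSID               Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
00:11:22:33:44:55     6      -45   1.0          No          HomeNet
66:77:88:99:aa:bb    11      -60   1.0          Yes         OfficeAP
cc:dd:ee:ff:00:11     1      -70   1.0          No          GuestWifi
"""

# Constructed inventory: the access points you are responsible for.
MY_BSSIDS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ch>\d+)\s+(?P<rssi>-?\d+)\s+"
    r"(?P<ver>\S+)\s+(?P<locked>Yes|No)\s+(?P<essid>.*)$",
    re.I,
)


def parse_wash(text):
    """Return one dict per access-point row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bssid"] = d["bssid"].lower()
            d["locked"] = d["locked"].lower() == "yes"
            rows.append(d)
    return rows


def exposed_wps(text, owned):
    """BSSIDs from `owned` that wash sees with WPS enabled and not locked,
    i.e. the ones that still need WPS turned off."""
    return sorted(
        r["bssid"] for r in parse_wash(text) if r["bssid"] in owned and not r["locked"]
    )


def hostapd_wps_state(conf_text):
    """Classify a hostapd.conf: 'disabled' when wps_state is 0 or absent,
    'locked' when WPS is on but ap_setup_locked=1 closes the external
    registrar (AP PIN) path, otherwise 'enabled'."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    if settings.get("wps_state", "0") == "0":
        return "disabled"
    if settings.get("ap_setup_locked") == "1":
        return "locked"
    return "enabled"


# Weak configuration (WPS on, external registrar allowed) beside the fix (WPS off).
WEAK_CONF = "interface=wlan0\nwps_state=2\nap_setup_locked=0\n"
FIXED_CONF = "interface=wlan0\nwps_state=0   # WPS off: nothing for a PIN guesser to talk to\n"

if __name__ == "__main__":
    print("Own APs still exposing WPS:", exposed_wps(WASH_SAMPLE, MY_BSSIDS))
    print("weak config:", hostapd_wps_state(WEAK_CONF))
    print("fixed config:", hostapd_wps_state(FIXED_CONF))
```

On real hardware, feed `exposed_wps` the saved output of `wash -i mon0` and your own BSSID list; the "locked" column is only a partial comfort, since many consumer routers lift the lock after a timeout, so the config check (or the vendor's "disable WPS" switch) is the setting to verify.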

2) This is for educational purposes only.

3) Do not HARM the innocent.

Technical Tutorials,Tips and Tricks And Premium Accounts © 2013. All Rights Reserved. Powered by Blogger