Infiltrator Posted January 4, 2012

The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point's WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours. Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

Usage is simple: just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.

Web source: http://thehackernews.com/2011/12/reaver-brute-force-attack-tool-cracking.html
telot Posted January 4, 2012

> The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point's WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours. Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community. Usage is simple: just specify the target BSSID and the monitor mode interface to use: # reaver -i mon0 -b 00:01:02:03:04:05 Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker. Web source: http://thehackernews.com/2011/12/reaver-brute-force-attack-tool-cracking.html

Anyone else trying this out and want to bounce some ideas around? I've been trying to successfully crack my test WAP here in my basement, to no avail. Either reaver just stops working after some random point, for example:

[!] WARNING: Receive timeout occurred
[+] 21.40% complete @ 12 seconds/attempt
[+] Trying pin 98060122
[!] WARNING: Receive timeout occurred
[+] Trying pin 98060122

...and then it will just hang there for hours/days/weeks if I let it. OR it will bomb out repeating

[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

...over and over again. I've messed with the -t and -d operators, but nothing conclusive. Putting -t to 3 or 4 seems to really expand the lifespan of the attack, and -d 0 seems to speed things up quite a bit, but they always end up failing before it reaches 100%. Any ideas would be greatly appreciated, as any documentation or anything at all really regarding this tool is pretty sparse. Thanks for starting this thread Infiltrator - the tool really is pretty sweet...especially if I could get it working!

PS: I'm rocking BT5R1 with the latest reaver beta 1.3 on an Alfa realtek8180.

telot
Vodmya Posted January 4, 2012

Roughly, how long did it take you to get to 21%?
telot Posted January 4, 2012

> Roughly, how long did it take you to get to 21%?

It happened sometime in the middle of the night last night. I started around 5pm, so roughly 4 to 12 hours. That was with a 10 second delay (-d 10). Thanks in advance if you have any insight Vodmya!

telot
mreidiv Posted January 4, 2012

> It happened sometime in the middle of the night last night. I started around 5pm, so roughly 4 to 12 hours. That was with a 10 second delay (-d 10). Thanks in advance if you have any insight Vodmya! telot

When this happened to me it was DoS-ing my router and put my router in a boot loop till I stopped it. This attack has been known to DoS some routers.
mreidiv Posted January 4, 2012

> When this happened to me it was DoS-ing my router and put my router in a boot loop till I stopped it. This attack has been known to DoS some routers.

telot, you are using an unsupported driver; see here for a compatible driver.
Vodmya Posted January 4, 2012

@Telot, forgot to ask: make/model and fw ver of your router?
bobbyb1980 Posted January 4, 2012

If this actually works it will finish off the job of completely undermining current wireless security protocols. *fingers crossed*
Infiltrator Posted January 5, 2012 (Author)

Have you guys configured your AP to work with WPS? If it's only using the normal security, WPA2 Personal + AES or PSK, it's not going to work. It needs to be configured with WPS; if not, Reaver is not going to be effective.
Infiltrator Posted January 5, 2012 (Author)

> Roughly, how long did it take you to get to 21%?

According to the Reaver creator, it should not take more than 10 hours to recover the password; if it's taking way longer, then there must be something wrong.
telot Posted January 5, 2012

> According to the Reaver creator, it should not take more than 10 hours to recover the password; if it's taking way longer, then there must be something wrong.

I'm using the rtl8187 driver for the alfa usb 036H. The router I'm using is a crappy old WNDR2000 with WPS enabled. I'm thinking it's some option in my command.

sudo ./reaver -i mon0 -b XX:XX:XX:XX:XX -t 3 -d 10 -vv

Anything in that command stand out as totally wrong? I've modified the -t to 4 and 5, and changed the -d from 0 to 15.

And about the DoS'ing the router - I'm pretty sure that is what is happening. The router does NOT function as normal until I reset it (sometimes it requires pushing in the Full Restore hard reset button). Is this avoidable through the above operators (-d and -t)? I read somewhere (frantically searching for link, but cannot find it) that reaver can break crappier (slow, old, cheap) routers, but more robust routers handle the PIN trials just fine. Have any of you got it to work on certain routers but not others?

I agree with Bobbyb - this could be the exploit of the year/decade if it works out, particularly for us wifi scoundrels. Thanks for your comments thus far, and for any further insight you can share.

telot
Vodmya Posted January 5, 2012

This is a step in the right direction but will most likely fail against cheap/older routers that will just crap themselves and lock up requiring a hard reset. Also remember not everyone will enable or press their wps button on their routers. If I get time this weekend I will try it on a mid-range Netgear 3500.
bobbyb1980 Posted January 5, 2012

I did a scan today just to see if I could find any WPA WPS networks, and like TKIP, I didn't see any. WPA PSK seems to be the norm.
realized Posted January 5, 2012

Few things here. Though I haven't had much time to test, this can all be found online:

1) reaver has a feature to stop an attack and continue later (apparently you need to save the session somehow, though it might save itself?)

2) from arstechnica's review on it: "The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again."

3) there is a new version (1.3) which apparently is a little faster (save a few minutes? lol), but it also includes a program called walsh to scan and detect devices which are exploitable - I can't get walsh to find anything on my system... =(

I'll have more time to play with it later but I'm sure there are still lots of bugs being worked out. Also, there is another script which is apparently faster than reaver ... (once again, haven't tried it yet...)

Good luck and hopefully in the coming days we can figure out things a bit more!

btw, this is my first post and I love hak5 =)
telot Posted January 5, 2012

1. That session resume feature is included only in the commercial version. Which I just read (but haven't confirmed) that the source for the commercial is now available as well. I'll give it a shot asap.

2. So ars reset the router when needed? I guess if your attack wasn't working and there were other (legitimate) users on the access point, you could deauth them off with aireplay -0, though I'm not sure how the deauth would affect the reaver. If a legit user was deauth'd for long enough, eventually the AP would get reset. Not sure how many times that will work though, and it vastly increases the risk. So no reaver'ing after hours if that's the case.

3. 1.3 beta is what I have at the moment - I'll check to see if there's any updates when I get home (mobile right now). Fingers crossed!

I agree, they are definitely working out the bugs, as reaver is hot off the presses. It's exciting to be using cutting edge tools though, gotta say.

telot
PaulyD Posted January 6, 2012

Yes, this is only for WPS Pins. I had a vulnerable Buffalo running DD-WRT. After disabling all WPS related options (also called AOSS on Buffalo), the only way in was the 256bit WPA2 key.

Note: I did not run the tool, just changed the settings so that WPS wasn't an option that was offered when connecting.

PD
realized Posted January 9, 2012

The newest version (not in the download section, download the svn) is v1.4 (type "svn checkout http://reaver-wps.googlecode.com/svn/trunk/") - configure/make/make install it - you need make install as it creates a folder and stuff for the sessions. This version I can confirm saves sessions and restores them. It's all automatic: start reaver again and it asks if you want to continue. Also, before this svn, reaver and walsh didn't work for me. Now it appears to be working... will let you know in 10 hr... unless my computer/the router crashes before then lol
zyrax Posted January 15, 2012

I have used Wash to see how many APs are vulnerable. Most of my nearby APs at home and at work are Apple Airport Extreme and they seem to be safe... But there is a lot of vulnerable wifi out there. Tried reaver at two of my friends' houses and both of them took about 7-8 hours to retrieve the key. They will now disable WPS. ;)

Version 1.4 via svn is to be preferred though. Had a bunch of strange errors before I went to the beta-version...
slack3r Posted January 22, 2012

[+] Key cracked in 9377 seconds
[+] WPS PIN: *********
[+] WPA PSK: ********
[+] AP SSID: *******

Confirmed working using BT 5 KDE VM on alienware m14x using Alfa USB card. Using reaver v1.3.
Infiltrator Posted January 22, 2012 (Author)

This is really fascinating. I didn't know this post would get so many replies.
Vodmya Posted January 23, 2012

Finally tried 1.3 over the weekend and didn't have much success. Too many receiving timeouts etc and patience wasn't my virtue. This ver did support resume. Couldn't get Wash to run properly (can get the WPS info out of the packets anyway using wireshark).

Just installed 1.4 (110) of Reaver. Wash is running perfect and am just tweaking the timing and delays to find the sweet spot with my AP. Looks very promising. Impressed I am :-)
TAPE Posted January 23, 2012 (edited)

> This is really fascinating. I didn't know this post would get so many replies

Maybe because your topic mentioned WPA in 10 minutes... that gets everybody's attention :D

Have to admit this is a scary flaw indeed. I have been doing some checking and there are a LOT of vulnerable routers as far as Walsh / Wash is showing.. When this tool first came out I thought I wouldn't be in trouble as my router did not have WPS configured.. but oohhh yes I was !!

http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html

By the way, I am having trouble with the v1.4. Wash works great, however when running reaver it seems to have problems associating.. Is there any limitation on that read only download? v1.3 works fine, so I am a little confused...

Edited January 23, 2012 by TAPE
Vodmya Posted January 27, 2012

Been testing with 1.4 and am having a much better go with it. Timeouts/locks (varies by vendor) still occur but the resume feature makes up for potential lost time. Once it finds the 1st four digits it's generally pretty quick after that. Some of the older routers are still using default pins and they take about 5 secs to crack.

Even though I knew it was only a matter of time I was still kinda dumbstruck when the app spit my password out at me since I never expected to see it done so easily (even with various mutations this was a password that was not supposed to be presented in this manner ;-).

This has been a valuable "hands on" week with Wireshark as well. Looking for a filter for WPS? try wlan_mgt.wfa.ie.type == 0x04
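Vodmya's Wireshark filter above matches the WPS vendor-specific information element (OUI 00:50:F2, type 0x04) that an access point puts in its beacons; that same IE is what Wash reads to list WPS-enabled APs, and what PaulyD checked for after disabling WPS. The parser below is an added example for auditing your own APs from a beacon capture, not code from the thread, Reaver or Wash; it reports whether an AP advertises WPS, whether it is in the Configured state, and whether it is currently reporting AP Setup Locked (the lockout behaviour several posts mention). The attribute IDs are from the WPS specification; the two beacon byte strings are constructed for the example.

```python
import struct

# Attribute IDs from the Wi-Fi Simple Configuration (WPS) specification.
WPS_ATTR_VERSION = 0x104A
WPS_ATTR_STATE = 0x1044             # 1 = not configured, 2 = configured
WPS_ATTR_AP_SETUP_LOCKED = 0x1057   # 1 = AP refuses further PIN attempts
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # Wi-Fi Alliance OUI 00:50:F2, type 0x04

def iter_ies(tagged_params):
    """Yield (tag, payload) per 802.11 information element. Input is the
    tagged-parameter part of a beacon, after the 12-byte fixed fields."""
    pos = 0
    while pos + 2 <= len(tagged_params):
        tag, length = tagged_params[pos], tagged_params[pos + 1]
        payload = tagged_params[pos + 2:pos + 2 + length]
        if len(payload) < length:
            break  # truncated frame: stop rather than misparse
        yield tag, payload
        pos += 2 + length

def parse_wps_attrs(data):
    """Parse the big-endian TLV attributes that follow the WPS OUI/type."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        attr_id, length = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + length]
        if len(value) < length:
            break
        attrs[attr_id] = value
        pos += 4 + length
    return attrs

def wps_status(tagged_params):
    """Return None if no WPS IE is present, else the state the AP advertises."""
    for tag, payload in iter_ies(tagged_params):
        if tag == 0xDD and payload.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(payload[len(WPS_OUI_TYPE):])
            version = attrs.get(WPS_ATTR_VERSION, b"\x00")[0]
            return {"version": f"{version >> 4}.{version & 0xF}",
                    "configured": attrs.get(WPS_ATTR_STATE, b"\x00")[0] == 2,
                    "locked": attrs.get(WPS_ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1}
    return None

# Constructed sample beacons (not captured traffic): an SSID IE plus, in the
# first one, a WPS IE advertising version 1.0, configured, not locked.
WPS_BEACON = (b"\x00\x07TEST-AP" + b"\xdd\x13" + WPS_OUI_TYPE
              + b"\x10\x4a\x00\x01\x10"    # Version = 1.0
              + b"\x10\x44\x00\x01\x02"    # WPS State = configured
              + b"\x10\x57\x00\x01\x00")   # AP Setup Locked = no
PLAIN_BEACON = b"\x00\x07TEST-AP" + b"\x01\x04\x82\x84\x8b\x96"  # SSID + rates

if __name__ == "__main__":
    print("WPS AP:", wps_status(WPS_BEACON))
    print("no WPS:", wps_status(PLAIN_BEACON))
```

An AP that shows "locked": True for long stretches while nobody is legitimately using WPS is worth a look in the router log, since that is the state several posts describe the routers falling into under repeated PIN attempts.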
telot Posted January 28, 2012

> Been testing with 1.4 and am having a much better go with it. Timeouts/locks (varies by vendor) still occur but the resume feature makes up for potential lost time. Once it finds the 1st four digits it's generally pretty quick after that. Some of the older routers are still using default pins and they take about 5 secs to crack. Even though I knew it was only a matter of time I was still kinda dumbstruck when the app spit my password out at me since I never expected to see it done so easily (even with various mutations this was a password that was not supposed to be presented in this manner ;-). This has been a valuable "hands on" week with Wireshark as well. Looking for a filter for WPS? try wlan_mgt.wfa.ie.type == 0x04

Thanks very much for posting your research Vodmya. You motivated me to pick it up again (especially now that resume's working well! woo!). Did you happen to record which settings (I imagine -d and -t?) worked for which router models?

Thanks again man

telot
TAPE Posted February 4, 2012

I just wanted to revert on the issues I have/had been experiencing with reaver v1.4. As previously mentioned, reaver v1.3 was/is working fine on my test setup, however v1.4 failed to associate each and every time, no matter what I tried. I managed to bypass that issue by associating to the AP with aireplay-ng and then using the -A switch when running reaver v1.4;

So first running the aireplay-ng fake auth on the router:

aireplay-ng mon0 -1 120 -a 98:FC:11:8E:0E:9C -e FUBAR

then running reaver with the -A switch:

reaver -i mon0 -A -b 98:FC:11:8E:0E:9C -v

That resulted in much better results!

updated blogpost: http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html