Phreakdaline5, posted March 3, 2014 (edited)

I'm by no means a pro, but wireless juju is the realm of hacking that appeals to me the most, and it's what I've spent the most time toying with. I have some questions regarding Reaver. I HAVE been using it successfully, but as with any computer geek/gamer, I want it to go faster. =)

Basically I'm trying to better understand exactly what factors affect the speed that Reaver attempts to crack WPS pins at. I know the obvious one, signal strength. Being further away from the AP, crappy wireless receivers and such will degrade the signal and make it more difficult to communicate. What I'm wondering is if that's all there is, or if there's a hardware component involved. On the surface, I'd think not, since it's a fairly small list of possible pins (when compared to the colossally more massive brute forcing of other types of passwords and keys), and it's going through them one by one. But like I said, I'm not an expert, so I figured I'd ask here and see if we can start a discussion about ways to optimize Reaver.

I've read up a bit on toying with your options based on what types of security measures or limits might be in place on the router, causing timeouts and lockouts of course, still trying to get a grasp on what all is available there though.

1. Is there any real hardware component that affects Reaver speeds at all?
2. Is there a base signal strength that is the "minimum" to even attempt? Or recommended? (for obvious cases when you can't physically sit on top of the AP)
3. Optimal recommendations for wireless adapters/antennae? Primarily in regards to speed, but also distance. (I currently use this [http://www.newegg.com/Product/Product.aspx?Item=9SIA3NY18R7732] but with a 9dBi omni.)
4. I know next to nothing about the advanced options in Reaver, any basic suggestions?

(Obviously I can and will be researching and learning this on my own, so if you're one of those people who gets pissed off at anyone asking for info that can be found elsewhere, kindly ignore this portion, just trying to get peer feedback aside from a static web tutorial)

Thanks for taking the time to read this, I've been a lurker here for about 2 years, and I'm trying my best to learn more and hope to become more active. =)

Edited March 3, 2014 by Phreakdaline5

Newbier, posted March 4, 2014

Try changing it like in these examples, might help

By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

    # reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small diffie-hellman secret numbers in order to reduce the computational load on the target AP:

    # reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small

Phreakdaline5 (author), posted March 4, 2014

Thanks for the response fernandoblazin. I am using --dh-small, seem to get about the same speeds whether I use it or not. I understand the concept of what it's supposed to do, so I know that doesn't make sense, but it's what I'm seeing.

Also with removing the attempt delay altogether, I'd think that would lock me out of an AP much faster. I suppose if I had an AP that wasn't limiting rates at all it would be really nice, but one of my concerns is trying to avoid those timeouts of 60 seconds or more, which clearly slow things down quite a bit. I've tried even increasing the delay between attempts to a few seconds to try and circumvent that measure, but it seems that no matter what I do I get that "warning detected ap rate limiting waiting 60 seconds before re-checking" message that really bogs things down. Even if some measure I used increased the actual pin cracking time, if I could avoid that it'd speed me up in the long run. :D

Craphoontio, posted March 6, 2014

It really looks like it's AP-dependent. It probably slows you down after N bad tries, whether you are pushing that fast or not. If so, there's nothing you can do actually. Well, perhaps changing the MAC address to see if the slow-down is related only to your MAC or not, and if so, make a wrapper script that tries N pins, changes the MAC address, and starts over.

Phreakdaline5 (author), posted March 7, 2014

Hmm that would be an interesting little tool to work on my scripting ha ha. I did, after a good few hours of attempts, change my MAC just to try it out. No particular reason at the time, this is all for education after all so I figured why not. I didn't notice any increase in speed or performance change at all.

Are you suggesting that it's a sort of MAC blacklisting or limiting based on the number of sequential attempts? If that's the case yeah I can see why that would be a problem, and one MAC change wouldn't necessarily help. Of course like you said, it could just be the AP, and there's not much I can do.

Good stuff though, thanks for the response. Going to see now if I can make Python do what I tell it to. (Not likely =p)

THCMinister, posted March 7, 2014

Try using bully, I tend to have better luck with it over reaver. I have written similar scripts in bash for reaver/bully. Happy to assist.

Phreakdaline5 (author), posted March 7, 2014

I've never used Bully, I'll check it out. I'd be interested to see a bash script for something like that, just to have a frame of reference for how to go about making my own.

THCMinister, posted March 7, 2014 (edited)

Here is a start of a script I had written a while ago that I haven't had time to finish. It is designed to run on Kali Linux, it will not work on the pineapple unless altered due to it spawning a new gnome terminal. A bit more needs to be added and functions created to handle the looping, etc. Hope this helps, I can assist you when I have time. Feel free to shoot me a message/post here.

Bully.sh

Edit: Code removed. I accidentally posted test code, many errors, not to mention it wouldn't function. I will post as soon as I get time to locate my partially functioning script. Sorry.

Edited March 8, 2014 by THCMinister