Is Reaver totally dead?


michael_kent123

I have experimented with Reaver over the past few days. In my opinion, this tool is dead.

The first reason is that only a percentage of routers can be WPS attacked. Compare the outputs from airodump-ng and wash. There might be 20 WPA networks shown in airodump-ng but only 8 will be WPS crackable as shown by wash.

The second reason is that all (?) routers now have WPS locking.

I have spent considerable time with Reaver's various options such as -E (eap-terminate), -L (ignore WPS locks), -t (timeout period), -A (no associate; do so via aireplay-ng), and -d (set delays between pin attempts).

Without fail, I always get either:

[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking [or any other length I set]

WPS transaction failed (code: 0x02), re-trying last pin

I have tried the ReVdK3-r1.sh script. This did not work as it prevented Reaver from associating with APs. I also tried running mdk3 manually with Reaver on. Again, same problem: no association.

I have used mdk3 in the past to unlock a locked router. However, once I tried Reaver again, after a few attempts the router just locked itself as before.

The issue is how to prevent locking in the first place. My impression is that there is no way to avoid this. If the router is designed to lock, it will lock.

So, I ask the simple question. Is Reaver 100% dead? If not, is there any viable way to use it?

Can anyone paste options that have been shown to work recently?

Thanks.
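The airodump-ng versus wash comparison above (20 WPA networks, 8 of them advertising WPS) is the same count a defender doing a site survey wants, with one extra split: how many of the WPS-enabled APs already report the lock flag and how many are still exposed. The Python below is an added example, not code from the thread or from the Reaver/wash projects. It parses a wash-style table whose column layout is assumed to follow the BSSID/Ch/dBm/WPS/Lck/Vendor/ESSID header; every row is constructed, not captured output, and the airodump-ng total is passed in as a number rather than parsed.

```python
"""Tally which scanned networks advertise WPS and which of those are locked.
Added example, not from the thread.  SAMPLE_SURVEY is a constructed
wash-style listing; the column layout is an assumption, not captured output."""
import re
from dataclasses import dataclass

SAMPLE_SURVEY = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------
00:11:22:33:44:55    1  -42  2.0  No   Unknown   HOME-AB12
66:77:88:99:AA:BB    6  -67  1.0  Yes  Unknown   office-guest
CC:DD:EE:FF:00:11   11  -55  2.0  Yes  Unknown   lab
22:33:44:55:66:77    1  -71  2.0  No   Unknown   HOME-9X4Q
"""

# One data row: MAC, channel, signal, WPS version, lock flag, vendor, ESSID.
ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(-?\d+)\s+"
    r"(\S+)\s+(Yes|No)\s+(\S+)\s+(.*)$"
)


@dataclass(frozen=True)
class WpsEntry:
    bssid: str
    channel: int
    rssi_dbm: int
    wps_version: str
    locked: bool
    essid: str


def parse_survey(text: str) -> list:
    """Return one WpsEntry per data row; header, rule and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        bssid, ch, dbm, ver, lck, _vendor, essid = m.groups()
        entries.append(WpsEntry(bssid.upper(), int(ch), int(dbm), ver,
                                lck == "Yes", essid.strip()))
    return entries


def summarize(entries, total_networks: int) -> dict:
    """Counts a surveyor wants: networks seen, WPS advertisers, locked, exposed."""
    wps = len(entries)
    locked = sum(e.locked for e in entries)
    return {"networks": total_networks, "wps": wps,
            "locked": locked, "exposed": wps - locked}


def exposed_essids(entries) -> list:
    """ESSIDs that advertise WPS and do not report the lock flag."""
    return sorted(e.essid for e in entries if not e.locked)


if __name__ == "__main__":
    found = parse_survey(SAMPLE_SURVEY)
    # total_networks would come from the airodump-ng listing in practice
    print(summarize(found, total_networks=10))
    print("still exposed:", exposed_essids(found))
```

The "exposed" figure is the one to act on: an AP that advertises WPS and is not locked is the one whose WPS should be disabled in its admin interface, since the lock flag only says that rate limiting has kicked in, not that WPS is off.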


Depending on your use case I'd say it won't be 100% dead for a long time.

From a security tester point of view, a lot of companies will buy an AP, deploy it and then forget about it. Locking and all other protections are good but if the AP was deployed a few years ago and never touched then the company will be vulnerable till the AP dies and someone goes out and buys a new one with the new protections in place.


Well, here's the thing I noticed down here in my location with WPS networks: whenever a customer upgrades or downgrades or moves, or the equipment dies or the ISP claims the device is dead, customers get a new modem. What I noticed in my area recently is that a lot of these xfinitywifi are popping up, which tells me these customers have recently had their hardware upgraded, so likely a WPS attack on them would not be worth it.

Here's the thing: unless you can stay at that spot for days using a slow attack on more secure WPS networks, you're wasting your time.

Myself, if I'm out I'll give a WPS attack a try and let it run; if it hasn't gotten the pin within 15 minutes, or I know that the network is likely protected, I won't even waste my time.

Here's another thing I learned: I've learned that I now can tell if a network is vulnerable or not just by looking at the SSID name.

How, you ask?

Well, let's just say that Comcast customers who have an SSID that starts with HOME-#### likely have a bundled Cable Modem and Router package. I myself had this before I bought my own doc 3.0 cable modem online and started using my own router that I bought. Anyways, before I upgraded my stuff, when I had the service put in, my SSID name was HOME-#### (the #'s are either a letter or a number or both). I tried attacking my own router and WPS would lock after 3 failed pin tries, so unless you're gonna perform a slow attack and be willing to wait days, it's a complete waste of time.

I wanna mention too that it appears some Comcast techs who install a customer's service set the customer's WPA password to the customer's phone number. That's normally the default password unless the customer changes it, and most people never do.


Dead? Yes... no. Reaver specifically, maybe... WPS still has its nefarious uses, even if it locks out. Seeing as how most home users/small business owners don't seem to know it exists, it still has its uses for persistence on the network. Seeing how WPS was built for convenience, yet no one seems to ever use it, it's my personal opinion that WPS is an epic failure overall. But picture this scenario: asshat gains access, then gains access to admin pages. Asshat then copies down the WPS pin, and enables it if it's not already enabled. Owner suspects the router is compromised for one reason or another. Could be the sluggishness of the network from our friendly neighborhood asshat's excessive torrent usage. Owner changes the WPA PSK. Asshat uses WPS to retrieve the WPA PSK. Wash, rinse, repeat. Wow, neat treat?

As far as "reaver is dead" goes... as far as I know the developer dropped the project. So it's old unsupported software that targets old unsupported routers. There may be some changes to WPS on newer routers; I haven't really looked into it. In that case, someone might fork reaver (doubtful).

And by the way, it's not just Comcast techs. I've seen Frontier techs doing the same thing. It's another one of those things that will probably never go away, like password1 and cookie reuse. BTW, whoever got a pin in the first 15 minutes? Must have been nice.

What I'm actually kind of curious about now, since I haven't had Comcast lately, is the use of that username and password for their hotspot portals. Are those creds used anywhere else? Because if something that I feel would be easily harvested could be used to access anything else, it would deter me from using Comcast again.


I just find it interesting that people feel they are too inconvenienced by having to enter a long random password once per device, even to the point where they demanded something like WPS to be integrated to make it easier for them to gain access. The end user is, was and always will be the largest liability to any device.

On the router I got, the password is printed on a label on the device and it's a truckload of junk, 16 characters long (I think), and I truly believe my ISP doesn't have it on record, because when I claimed to have accidentally washed the label off and asked whether they could perhaps tell me what it is or even reset it for me, they offered to send me a new one at substantial cost to me. Which, I might add, is the only appropriate response.

The password to the management interface on the device however is as standard and predictable as can be. Never bothered to see if I should change it - I've set things up such that this device doesn't matter. As far as my network is concerned, it's an external proxy. Nice for internet, but not required and certainly not trusted.


Some of us actually change the password every now and then.


Of course you do. But how many companies and households can you think of that don't regularly (if at all) change their AP password? That number must be above 0.

Shit, a former neighbor of mine moved house and left his AP stuck to the wall (he'd opened up the case, drilled holes in it and screwed it onto the wall like that) for the new owners to use. Gave them the password and everything. To this very day I can get on their network using the original password. The new owners probably saw a password that was a pile of gobbledygook, assumed that was secure enough for their needs and kept on using it as is. That is now 2 years ago.


Reaver works in some use cases,

however if you have the MFR info of the router, often you can get precomputed rainbow tables,

or use Pyrit... with a good GPU/s to take the MAC information and/or compute the tables...

as well there's a GUI for doing wifi pentests; if you can deduce user habits you can also kick them (de-auth)... some send 5,

1-2 is good... you can capture the reconnects...

Fern-Wifi-Cracker can use reaver or a number of them; I've also found a few nice py's on github that do it.

https://github.com/derv82/wifite

http://spike-pentesting.org/

At present we have very alpha quality ISOs, mainly artwork to do...

however, installing Sabayon Linux and adding the Spike Overlay bin repo to Entropy:

equo up

equo repo mirrorsort sabayon.org

Sabayon is Gentoo with a bin PM and a package GUI... it offers the ease of Debian Synaptic (RIGO)

however for power users, install layman:

layman -L, layman -a your fav gentoo repos

the build box already mirrors pentoo into our build bot repo... then makes the packages,

Deadbeef is still testing... Damex of funtoo is making a few ebuild fixes to port to tree...


What do these tools do that Reaver cannot do?


  • 4 weeks later...

I recently used a Windows tool called Dumpper (correct spelling) which claims to know the default WPS pins for a variety of routers.

See: http://sourceforge.net/projects/dumpper/

To say that it did not work is an understatement.

I would think that if there were default WPS pins then there would be no need for a tool like Reaver.

Does anyone know more about this? Do / did certain routers ever have default pins?


  • 1 month later...


Hi ZaraByte,

Can you elaborate on what you mean by slow attack (willing to wait days)? The HOME-#### routers that actually allowed me to associate with them and responded to the PIN attempts would lock up every 3 attempts. mdk3 attacks did not result in resets. So just waiting for them to reset on their own was the only option. They would open up sometimes in a few minutes, sometimes in hours. After making it all the way to 0.30% in about 4 days, it seems like ALL the routers turned OFF WPS for good (they don't even show in the wash list). Seemed odd too, because the other routers were not close to 0.30%, as I only tried the others for a few days. It's like they communicated with each other. It's also not MAC based, as I changed the MAC and even tried another device.

Anyway, I tried -d for over 5 minutes and -r for 10 minute delays every 2 attempts. I also put in re-try delays of an hour if the WPS locked itself. And it still locked itself. How much slower can it get? By my calculation it would take months, not days, to get anywhere.

Is this method futile?


  • 2 weeks later...

First off, I'm no pro, not a programmer or a computer science major, just a computer security enthusiast,
so here's my two cents; feel free to disregard it.

IMO:
If the AP is vulnerable to WPS attacks and you're close enough, Reaver works fine and is quite a bit simpler than aircrack. In ideal conditions a WPS attack is almost certain to be successful, whereas your dictionary bruteforce attack may never find the proper password for the AP; if it's not in your dictionary list you're SOL. And with WPS pins I think it's something like 11,000 possible combinations?
So my answer IS NO, it's not dead. It's effective for the right target. Although you might not find a lot of APs vulnerable to this attack, if you do come across one, and let's say have permission to perform this action, it's a good choice.

Not to mention I love how once you start an attack you can stop it, leave, go home, come back the next day, and resume right where you left off.
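The "something like 11,000" figure in the post above follows from two properties of the WPS PIN exchange: the eighth digit is a checksum of the first seven, and the AP reports a failure on the first four digits (M4) separately from the last four (M6), so the halves are guessed independently. The Python below is an added worked example, not code from the thread or from any tool it mentions. It computes the check-digit rule from the WPS specification, derives the bound, and then estimates how long exhausting that bound takes under a given lockout policy, which is the same arithmetic the earlier reply did when concluding "months, not days"; the per-attempt and lock durations are illustrative parameters, not measurements of any router.

```python
"""WPS PIN search space and the effect of a lockout policy on it.
Added worked example, not code from the thread.  The check-digit rule is the
one in the WPS specification; the timing parameters used in __main__ are
illustrative, not measured on any particular router."""


def wps_checksum(first_seven: int) -> int:
    """Check digit for a WPS PIN: walking the seven digits from the right,
    they are weighted 3, 1, 3, 1, ... and the check digit brings the
    weighted sum up to a multiple of 10."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("first_seven must fit in 7 decimal digits")
    total, n = 0, first_seven
    for position in range(7):
        total += (n % 10) * (3 if position % 2 == 0 else 1)
        n //= 10
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct check digit."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


def search_space_if_whole_pin_checked() -> int:
    """Bound if the AP only accepted or rejected the complete PIN:
    seven free digits, the eighth fixed by the checksum."""
    return 10 ** 7


def search_space_with_halves() -> int:
    """Actual bound: the M4 response reveals whether the first four digits
    are right and the M6 response whether the last four are, so each half
    is guessed on its own.  The second half has one free digit fewer
    because its last digit is fixed by the checksum."""
    return 10 ** 4 + 10 ** 3


def estimate_hours(attempts: int, seconds_per_attempt: float,
                   attempts_before_lock: int, lock_seconds: float) -> float:
    """Worst-case wall-clock hours to make `attempts` guesses when the AP
    locks for `lock_seconds` after every `attempts_before_lock` failures.
    A defender can use this to judge whether a lockout policy is strong
    enough; no lock follows the final batch of attempts."""
    if attempts_before_lock < 1:
        raise ValueError("attempts_before_lock must be >= 1")
    locks = max(0, (attempts - 1) // attempts_before_lock)
    return (attempts * seconds_per_attempt + locks * lock_seconds) / 3600


if __name__ == "__main__":
    bound = search_space_with_halves()
    print("check digit for 1234567 ->", wps_checksum(1234567))
    print("bound with split verification:", bound)
    # Illustrative policies: a 60-second lock after every 3 failures (the
    # wait the original post saw Reaver use) versus an hour-long lock,
    # both assuming 2 s per attempt.
    print("60 s lock: %.1f hours" % estimate_hours(bound, 2, 3, 60))
    print("1 h lock:  %.1f hours" % estimate_hours(bound, 2, 3, 3600))
```

The two estimates make the thread's disagreement concrete: a one-minute lock every three failures keeps the worst case in the range of days, while an hour-long lock pushes it to months, which is why disabling WPS outright rather than relying on rate limiting is the fix that removes the question entirely.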



  • 4 months later...

Is reaver dead?

No. Depending on your willingness to invest time, reaver is still very much worth using; or using WPS as a vector altogether. If the attack is dragnetting for easy targets, it would make sense that lockouts would frustrate their efforts. In which case, reaver might be suited to the task.

In cases where the time investment is a worthwhile prerequisite for ingress, there are options that can be tailored to certain APs where you avoid a majority of the lockouts. Setting a wide berth with timeouts and interspersing pin attempts will slow down the process, but it will still be a gain in time compared to a locked-out state of a router.

The best scenario for an attack is using multiple mobile and concealable devices (like the pineapple) while dedicating each one to a single AP. Although it might take you three days to crack several APs, their pivot and deploy nature makes them agile tools.

If you're receiving excessive timeouts, spend time with the tool. Adjust the values until you can proceed without being locked out a majority of the time. You can automate MAC rotation with a shell script and cron, which helps against certain APs that track timeouts to MAC addresses. Each brand of device is unique and they each have unique behaviors.
