Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days, and still might not succeed. Also, good dictionaries are huge. An exhaustive bruteforce including all the alphabets (uppercase lowercase) and numbers, may take years, depending on password length. Rainbow tables are known to speed things up, by completing a part of the guessing job beforehand, but the output rainbow table that needs to be downloaded from the net is disastrously large (can be 100s of GBs sometimes). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for the users to configure. With this in mind, a new security measure was introduced to compliment WPA. Wifi Protected Setup (WPS). Now basically it was meant to make WPA even tougher to crack, and much easier to configure (push a button on router and device connects). However, it had a hole, which is now well known, and tools like reaver can exploit it in a single line statement. It still might take hours, but it is much better than the previous scenario in which months of brute-forcing would yield no result.
Here’s what wikipedia says about WPS-
Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network’s WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.
Working Of WPS
- The 8th digit is a checksum of first 7 digits. 10^7 possibilities, i.e. one-tenth time. Two months, still a way to go.
- The pin number for verification goes in two halves, so we can independently verify the first four and the last four digits. And believe me, its easy to guess 4 digits correct two times, than to guess 8 correct digits at once. Basically, the first half would take 10^4 guess and the second would take 10^3.
How to carry out the attack
reaver -i -b
And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 mins later, check the progress (must be 1% or something), and go take a nap. However, if you’re a newbie, then tag along.
- Does it have WPS enabled. If not, then the attack will not work.
- The BSSID of the network.
- Set your wireless interface in monitor mode-
airmon-ng start wlan0
- Use wash (easy but sometimes unable to detect networks even when they have wps enabled). If any network shows up there, it has WPS enabled.
wash -i mon0
|This will show all the networks with WPS enabled|
|This is an error which I haven’t figured out yet. If you see it, then you’ll have to do some howework, or move on to airodump method. Update : wash -i mon0 –ignore-fcs might solves the issue.|
- Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You’ll have to assume they have WPS, and then move to next steps.
|None of them has WPS enabled, just saying.|
BSSID of the network – Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That’s all the information you need.
So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you’ll need it.
Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enter-
reaver -i mon0 -b XX:XX:XX:XX:XX:XX
Explanation = i – interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. -b species the BSSID of the network that we found out earlier.
This is all the information that Reaver needs to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything thats going on to the terminal. This helps you see whats happening, track the progress, and if needed, do some troubleshooting. So final command should be-
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was hacked in 3 seconds.
WPA PSK : X
X is the password of the wireless network.
Here is an extra section, which might prove useful.
Known problems that are faced – Troubleshooting
- As in the pic above, you saw the first line read “Switching wlan0 to channel 6”. (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
- Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
- Sometimes it never associates with the target AP.
- Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.
- Something wrong with wireless card.
- AP is very choosy, won’t let you associate.
- The AP does not use WPS.
- You are very far from the AP.
- Rate Limiting implemented in the router (most new router have this)
- Sometimes, killing naughty processes helps. (see pictures below)
- Move closer to target AP
- Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
- If you are using Kali Linux in Vmware, try booting into Kali using USB. I don’t know why, but sometimes internal adapters work wonders, and can’t be used from inside of a VM. In my case, booting up from USB and using internal adapter increased the signal strength and speeded up the bruteforce process. Update : It has nothing to do with internal adapter. I have verified this with many others, and it is now a known problem with Reaver. It does not work well inside Virtual machines. It is recommended that you do a live boot.
- As far as rate limiting is concerned, there are few workarounds available in forums across the web, but nothing seems to work with 100% certainty. Here is a relevant discussion of gitlab, here is a solution on hack5 forums which has a script and uses mdk3 tool (it doesn’t work for me, it’s supposed to DOS the router and reset the ban temporarily), and here is a thread on Kali Forums on the same issue, which has various possible solutions listed (including a method which changes your MAC address regularly [sorry if the download link on the thread there doesn’t work] and hence allows reaver to work against routers which lock the particular MAC address which is attacking them and don’t lock down completely).
- Update: For some people the reason Reaver is not working is because the version of Libpcap you are using is not compatible with the version of Kali you are using.
|processes causing problems|
|Kill ’em all|
Can’t get it to work
- If you were following the tutorials one by one in the order shown in the top navigation bar (Hack With Kali -> Wireless Hacking), then you have learnt all you needed in this tutorial (even if you failed to get WPA-PSK), and can move to the next ones.
- If you just want to see if you can hack a WPA network, then there are three posts below which will help you with that without relying on WPS vulnerability.