Hack WI-FI With Kali Linux : WPS Reaver Attack
Hack WI-FI With Kali Linux : WPS Reaver Attack
Reaver Bruteforce the wifi with WPS Pin
Reaver has been designed to brute-force the WPA handshaking process remotely, even if the physical button hasn’t been pressed on the access point.
Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.
--------------------------------------------------------------------------------------------------------------------------
You Must have Kali Linux Installed or You can Also Run It Live
Also You need
Monitor Mode capable wifi card
If you Don't have Monitor Mode capable wifi card
than you have to buy an external wifi card
such as
Alfa Network AWUS036H
TP-LINK-WN722N USB
--------------------------------------------------------------------------------------
To check
Is your wireless card is capable to be on monitor mode or not
Type in Terminal
airmon-ng
It will show you driver and chipset
------------------------------------------------------------------------------------------
commands are
airmon-ng start wlan0
airmon-ng start kill / airmon-ng check kill
airodump-ng wlan0mon
reaver -i wlan0mon -b BSSID -vv -K 1
-------------------------------------------------------------------------------------
[full_width]
Installation:
Install Kali Linux, everything built into it. (Reaver-wps, libpcap and libsqlite3)
Usage:
Usually, the only required arguments to Reaver-wps are the interface name and the BSSID of the target AP:
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver-wps, unless explicitly specified on the command line:
By default, if the AP switches channels, Reaver-wps will also change its channel accordingly. However, this feature may be disabled by fixing the interface’s channel:
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:
Some APs will temporarily lock their WPS state, typically for five minutes or less, when “suspicious” activity is detected. By default when a locked state is detected, Reaver-wps will check the state every 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked. This check can be increased or decreased to any non-negative integer value:
For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each pin number as it is attempted:
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (max timeout period is 1 second):
Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless as Reaver-wps will auto-detect if an AP properly responds with NACKs or not:
While most APs don’t care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. By default this feature is disabled, but can be enabled for those APs that need it:
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:
More on Basic Usages
First, make sure your wireless card is in monitor mode:
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually ‘mon0’, not ‘wlan0’, although this will vary based on your wireless card/drivers):
You will probably also want to use -vv to get verbose info about Reaver’s progress:
Speeding Up the Attack
By default, Reaver-wps has a 1 second delay between pin attempts. You can disable this delay by adding ‘-d 0’ on the command line, but some APs may not like it:
Another option that can speed up an attack is –dh-small. This option instructs Reaver to use small diffie-hellman secret numbers in order to reduce the computational load on the target AP:
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the –mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card’s physical interface. For example:
Supported Wireless Drivers
The following wireless drivers have been tested or reported to work successfully with Reaver-wps:
Partially Supported
The following wireless drivers have had mixed success, and may or may not work depending on your wireless card (i.e., if you are having problems with these drivers/cards, consider trying a new card before submitting a trouble ticket):
Not Supported
The following wireless drivers/cards have been tested or reported to not work properly with Reaver:
Hack WI-FI With Kali Linux : WPS Reaver Attack
Reviewed by Haxbaba Tech
on
06:34
Rating:
No comments: