Hands-on: hacking WiFi (WPA/WPA2) Protected Setup with Reaver

I just got the reaver pro hardware

Simply hooked up to my laptop via lan and opened up web interface (192.168.69.1)

nice interface - simply hit a big play button and it scans for hackable routers

found a big list and first trying the one in my house. can also pause it if need be :)

will let you know how it goes on.....

Where can you buy a reaver from, since there availability I cant seem to find one anywhere. Cant wait to hear the results too

Tried doing mine at home (a Netgear DGN2000 with latest DGTeam firmware) and it found the WPS pin but never gave me the PSK - that was using Backtrack 5 R1 and a USB wireless dongle with the RT73 chipset.

I've just been down to PC World and picked up a Netgear WNA1100 USB dongle which was £14.99 and is supposed to work fine - I've got it into monitor mode and I'm retrying on my router now to see if it gets the same pin - it's definitely quicker than the old RT73 one! Now getting 12 pins a minute as opposed to 4!

It detects a load more networks than the old Edimax EW7318USG (RT73) I had - looks from using wash that most round here are old DG834GTs which don't support WPS anyway - bummer!

Quote:

---

Originally Posted by reverend

Tried doing mine at home (a Netgear DGN2000 with latest DGTeam firmware) and it found the WPS pin but never gave me the PSK - that was using Backtrack 5 R1 and a USB wireless dongle with the RT73 chipset.

I've just been down to PC World and picked up a Netgear WNA1100 USB dongle which was £14.99 and is supposed to work fine - I've got it into monitor mode and I'm retrying on my router now to see if it gets the same pin - it's definitely quicker than the old RT73 one! Now getting 12 pins a minute as opposed to 4!

It detects a load more networks than the old Edimax EW7318USG (RT73) I had - looks from using wash that most round here are old DG834GTs which don't support WPS anyway - bummer!

---

how long did it take on the old adapter to pick up the PIN Rev?

To be honest mate I kicked it off at about 9pm and it had finished when I'd woken up but there was no timestamp so not sure exactly how long it took - less than 10 hours though!

..:: Edit ::..
Actually just realised it does timestamp when it saves progress but I'd never scrolled back to take a look - I'll let you know when this one finishes mate :)

These are supposed to work as well (same chipset) and they're under 9 quid delivered :)

http://www.amazon.co.uk/gp/product/B...A3P5ROKL5A1OLE

Not too bad then, interested to hear how this one performs. Even £15 is cheap enough and I have to pass a currys/pcgirls on the way home so could easily pick one up (patience is not my strong point!)

Mine seems to show seconds a pin not pins a seconds, curious to why this is, using BT5R1 VM.

Quote:

---

Originally Posted by koola2

Mine seems to show seconds a pin not pins a seconds, curious to why this is, using BT5R1 VM.

---

That is normal mate, it's just me worked it out in my head in pins per minute :)

Right now it's running at 4 seconds per pin :)

Quote:

---

Originally Posted by Undertaker

mc.dodd - could be the wash program

only available on 1.4 i think

---

how do I run/use the wash program?

Quote:

---

Originally Posted by mc.dodd

how do I run/use the wash program?

---

It's just as follows mate:

wash -i mon0

That will then list the AP's found with WPS enabled and the version etc - if your interface is different to mon0 just change that bit.

If you get FCS errors reported then you can just add either -C or --ignore-fcs to the end of the command :)

Just to check your workflow (sorry if it's teaching you to suck eggs mate) - you boot say Backtrack 5 R1, update everything and install reaver, and then command wise you would do:

airmon-ng

This lists the interfaces - it's more than likely to be wlan0 you're after - then you would do:

airmon-ng start wlan0

This starts up monitor mode and adds mon[x] to the list of interfaces - once done you can use any of the tools such as wash

wash -i mon0

Then once you've got the MAC just do

reaver -i mon0 -b [bssid] -vv

I prefer the single 'v' you don't get as much verbose. Also I have been using -c <channel number> (to stop it jumping channels after 10 connection losses) and -d 0 for no delay (just speed it up)

i.e. reaver -i mon0 -b [bssid] -v -c [channel from wash] -d 0

I noticed some weird behaviour here - the pin that returned last night started 1995 but was different to what was under the router itself - tried various pins and it said they were all correct but did not give a password.

Just reread the changelog for my DGTeam firmware and they removed a lot of the WPS code from this router so I guess that's why it's weird!

Time to try someone else's now!

Just noticed as of 1.3 there's a --dh-small option which speeds things up too and reduces load on the remote access point to help prevent crashing etc.

Tried a few wireless cards with this now, the D-Link one, a TP-Link TL-WN722N and now an Alfa AWUS036NHR.

The Alfa is an absolute bitch to get working right in BT5R1 - in fact in the end it kept getting association errors and it's a known problem with BT5R1, it works fine in Ubuntu 10 or 11 with the same compat-wireless drivers.

If any of you are trying these then be careful - the current bleeding edge compat-wireless drivers have a problem with the rtlwifi driver as used in the Alfa and it won't compile, 24th of Jan works fine, I haven't had chance to drill into it a bit more and see which one broke it!

The Alfa card has an awesome signal (N mode doesn't work in monitor mode though) - I did find something saying that you can turn up the power of the other two cards I've got to 2mW but I've not tried that yet!

So far I haven't managed to hack a single network - the only routers where I live with WPS all have rate limiting so it's only doing around 150 - 200 keys a day - I might just leave it running in the background for a couple of days and see if it spits anything out!

I still can't get it to find a compatible network, the wireless dongle seems to be working correctly but when I scan for networks nothing shows up...the network is showing up as WPA/WPA2[WPS]
...wonder if i tried the TP-Link TL-WN722N it would make a difference. The dongle I'm using is a Ralink..

Any update Malty?

Quote:

---

Originally Posted by mc.dodd

...wonder if i tried the TP-Link TL-WN722N it would make a difference. The dongle I'm using is a Ralink..

---

Have to admit the TP-Link isn't the strongest of the ones I've tried -picked up an AWUS036H as everyone raves about those but after some hands on I've had better results with the AWUS036NHR so far so wouldn't bother with the TP-Link now, gave it to the mrs, with the Alfa I managed to hack the compat-wireless drivers from the 6th Feb up to 31dBM and it managed to sort out a couple of networks via Reaver as well as every WEP network it can see!

Got an AWUS051NH on the way now so that I can try that out and see if there are many networks on 5Ghz around these parts.

Backtrack 5 R2 made a big difference too, I was using Reaver with Ubuntu 10.04 before which I'm using my modified compat-wireless drivers with but Backtrack 5 R2 seems very stable with Reaver so they've sorted those issues out.

Quote:

---

Originally Posted by reverend

Have to admit the TP-Link isn't the strongest of the ones I've tried -picked up an AWUS036H as everyone raves about those but after some hands on I've had better results with the AWUS036NHR so far so wouldn't bother with the TP-Link now, gave it to the mrs, with the Alfa I managed to hack the compat-wireless drivers from the 6th Feb up to 31dBM and it managed to sort out a couple of networks via Reaver as well as every WEP network it can see!

Got an AWUS051NH on the way now so that I can try that out and see if there are many networks on 5Ghz around these parts.

Backtrack 5 R2 made a big difference too, I was using Reaver with Ubuntu 10.04 before which I'm using my modified compat-wireless drivers with but Backtrack 5 R2 seems very stable with Reaver so they've sorted those issues out.

---

ahh, right, I'll see if I can grab backtrack5 R2 and try that first.. bit of a noob with all this and just want to hack network next to work , it's the only one there!