Hands-on: hacking WiFi (WPA/WPA2) Protected Setup with Reaver

[Raptor]

I just got the reaver pro hardware

Simply hooked up to my laptop via lan and opened up web interface (192.168.69.1)

nice interface - simply hit a big play button and it scans for hackable routers

found a big list and first trying the one in my house. can also pause it if need be

will let you know how it goes on.....

[subplay]

Where can you buy a reaver from, since there availability I cant seem to find one anywhere. Cant wait to hear the results too

[reverend]

Tried doing mine at home (a Netgear DGN2000 with latest DGTeam firmware) and it found the WPS pin but never gave me the PSK - that was using Backtrack 5 R1 and a USB wireless dongle with the RT73 chipset.

I've just been down to PC World and picked up a Netgear WNA1100 USB dongle which was £14.99 and is supposed to work fine - I've got it into monitor mode and I'm retrying on my router now to see if it gets the same pin - it's definitely quicker than the old RT73 one! Now getting 12 pins a minute as opposed to 4!

It detects a load more networks than the old Edimax EW7318USG (RT73) I had - looks from using wash that most round here are old DG834GTs which don't support WPS anyway - bummer!

[ka$h]

Tried doing mine at home (a Netgear DGN2000 with latest DGTeam firmware) and it found the WPS pin but never gave me the PSK - that was using Backtrack 5 R1 and a USB wireless dongle with the RT73 chipset.

I've just been down to PC World and picked up a Netgear WNA1100 USB dongle which was £14.99 and is supposed to work fine - I've got it into monitor mode and I'm retrying on my router now to see if it gets the same pin - it's definitely quicker than the old RT73 one! Now getting 12 pins a minute as opposed to 4!

It detects a load more networks than the old Edimax EW7318USG (RT73) I had - looks from using wash that most round here are old DG834GTs which don't support WPS anyway - bummer!

how long did it take on the old adapter to pick up the PIN Rev?

[reverend]

To be honest mate I kicked it off at about 9pm and it had finished when I'd woken up but there was no timestamp so not sure exactly how long it took - less than 10 hours though!

..:: Edit ::..
Actually just realised it does timestamp when it saves progress but I'd never scrolled back to take a look - I'll let you know when this one finishes mate

These are supposed to work as well (same chipset) and they're under 9 quid delivered

http://www.amazon.co.uk/gp/product/B...A3P5ROKL5A1OLE

[ka$h]

Not too bad then, interested to hear how this one performs. Even £15 is cheap enough and I have to pass a currys/pcgirls on the way home so could easily pick one up (patience is not my strong point!)

[koola2]

Mine seems to show seconds a pin not pins a seconds, curious to why this is, using BT5R1 VM.

[reverend]

Mine seems to show seconds a pin not pins a seconds, curious to why this is, using BT5R1 VM.

That is normal mate, it's just me worked it out in my head in pins per minute

Right now it's running at 4 seconds per pin

[mc.dodd]

mc.dodd - could be the wash program

only available on 1.4 i think

how do I run/use the wash program?

[reverend]

how do I run/use the wash program?

It's just as follows mate:

wash -i mon0

That will then list the AP's found with WPS enabled and the version etc - if your interface is different to mon0 just change that bit.

If you get FCS errors reported then you can just add either -C or --ignore-fcs to the end of the command

Just to check your workflow (sorry if it's teaching you to suck eggs mate) - you boot say Backtrack 5 R1, update everything and install reaver, and then command wise you would do:

airmon-ng

This lists the interfaces - it's more than likely to be wlan0 you're after - then you would do:

airmon-ng start wlan0

This starts up monitor mode and adds mon[x] to the list of interfaces - once done you can use any of the tools such as wash

wash -i mon0

Then once you've got the MAC just do

reaver -i mon0 -b [bssid] -vv

[koola2]

I prefer the single 'v' you don't get as much verbose. Also I have been using -c <channel number> (to stop it jumping channels after 10 connection losses) and -d 0 for no delay (just speed it up)

i.e. reaver -i mon0 -b [bssid] -v -c [channel from wash] -d 0

[reverend]

I noticed some weird behaviour here - the pin that returned last night started 1995 but was different to what was under the router itself - tried various pins and it said they were all correct but did not give a password.

Just reread the changelog for my DGTeam firmware and they removed a lot of the WPS code from this router so I guess that's why it's weird!

Time to try someone else's now!

Just noticed as of 1.3 there's a --dh-small option which speeds things up too and reduces load on the remote access point to help prevent crashing etc.

[reverend]

Tried a few wireless cards with this now, the D-Link one, a TP-Link TL-WN722N and now an Alfa AWUS036NHR.

The Alfa is an absolute bitch to get working right in BT5R1 - in fact in the end it kept getting association errors and it's a known problem with BT5R1, it works fine in Ubuntu 10 or 11 with the same compat-wireless drivers.

If any of you are trying these then be careful - the current bleeding edge compat-wireless drivers have a problem with the rtlwifi driver as used in the Alfa and it won't compile, 24th of Jan works fine, I haven't had chance to drill into it a bit more and see which one broke it!

The Alfa card has an awesome signal (N mode doesn't work in monitor mode though) - I did find something saying that you can turn up the power of the other two cards I've got to 2mW but I've not tried that yet!

So far I haven't managed to hack a single network - the only routers where I live with WPS all have rate limiting so it's only doing around 150 - 200 keys a day - I might just leave it running in the background for a couple of days and see if it spits anything out!

[mc.dodd]

I still can't get it to find a compatible network, the wireless dongle seems to be working correctly but when I scan for networks nothing shows up...the network is showing up as WPA/WPA2[WPS]
...wonder if i tried the TP-Link TL-WN722N it would make a difference. The dongle I'm using is a Ralink..

[BigBrand]

Any update Malty?

[reverend]

...wonder if i tried the TP-Link TL-WN722N it would make a difference. The dongle I'm using is a Ralink..

Have to admit the TP-Link isn't the strongest of the ones I've tried -picked up an AWUS036H as everyone raves about those but after some hands on I've had better results with the AWUS036NHR so far so wouldn't bother with the TP-Link now, gave it to the mrs, with the Alfa I managed to hack the compat-wireless drivers from the 6th Feb up to 31dBM and it managed to sort out a couple of networks via Reaver as well as every WEP network it can see!

Got an AWUS051NH on the way now so that I can try that out and see if there are many networks on 5Ghz around these parts.

Backtrack 5 R2 made a big difference too, I was using Reaver with Ubuntu 10.04 before which I'm using my modified compat-wireless drivers with but Backtrack 5 R2 seems very stable with Reaver so they've sorted those issues out.

[mc.dodd]

Have to admit the TP-Link isn't the strongest of the ones I've tried -picked up an AWUS036H as everyone raves about those but after some hands on I've had better results with the AWUS036NHR so far so wouldn't bother with the TP-Link now, gave it to the mrs, with the Alfa I managed to hack the compat-wireless drivers from the 6th Feb up to 31dBM and it managed to sort out a couple of networks via Reaver as well as every WEP network it can see!

Got an AWUS051NH on the way now so that I can try that out and see if there are many networks on 5Ghz around these parts.

Backtrack 5 R2 made a big difference too, I was using Reaver with Ubuntu 10.04 before which I'm using my modified compat-wireless drivers with but Backtrack 5 R2 seems very stable with Reaver so they've sorted those issues out.

ahh, right, I'll see if I can grab backtrack5 R2 and try that first.. bit of a noob with all this and just want to hack network next to work , it's the only one there!