The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.
This is something that I’ve been testing and using for a while now, but Stefan over at .braindump beat me to publication. Such is life.
Stefan’s code isn’t quite ready for release yet, so I’ve open-sourced Reaver, my WPS attack tool. Reaver is stable and has been tested against a variety of access points and WPS implementations.
Usage is simple; just specify the target BSSID and the monitor mode interface to use:
# reaver -i mon0 -b 00:01:02:03:04:05
For those interested, there is also a commercial version available with more features and speed improvements.
Does it require a dictionary? Is it only susceptible to routers with WPS enabled? ~How long does it take to crack a 15 character password?
You should read the paper I linked to from .braindump. There is no dictionary, and yes, it only works on routers with WPS enabled. The length and strength of the WPA passphrase is irrelevant.
Thank you, great answer!
It’s a 4-digit PIN x 2 that is being cracked, not a password.
Yes, but once you crack the 4-digit PIN x 2, the router gives you its password. It matters not how good your password is…
When testing reaver, I got this warning message: [!] WARNING: Failed to associate with aa:bb:cc:dd:ee:ff (essid:test). Is this normal?
Never mind, it will keep on giving you this type of message; just ignore it, and remember that your WiFi antenna must be near the router, because the nearer the antenna, the faster the progress will be.
So I got the thing compiled, on linux. And it looks like it isn’t merely tied to linux (that’s what you’re using pcap for, because it provides _portable_ capturing?) but more or less tied to your computer. You really should try and compile it on a different unix, fix all the includes linux silently adds but other unices don’t, heck even run that README through a text-formatter set to less than 80 characters wide, do some cross-testing and all that.
Some sort of verbose reporting would be nice too. I just ran the thing for a night on two different wifi interfaces presumably in monitor mode (let kismet do the heavy lifting there) but all it did was say once “waiting for beacon” and sit there until eternity. Kismet sees beacons, your software doesn’t. Well, useful.
As much as I dislike the hype around python, I think I’ll wait for Stefan’s code as it looks like having a better shot at actually working on systems not equal to the author’s.
Could you be more specific? What in the code is specifically tied to my computer? It is plainly stated that Reaver is only supported on Linux, so building on other unixes is not supported. But it is open source, so if you want to add support for others, feel free to submit patches on the google code page (which is really where these complaints should be going anyway).
And there is a verbose option. It’s -v, as shown in the help output.
Very interesting! I will pay more attention to this article and do some tests with this software. Cheers, for WPA being cracked!
WPA is not cracked, WPS is. Which, if you have WPS enabled, results in the same outcome, but is not the same thing.
I agree with you, the title of the post is wrong.
WPA is not cracked, the attack is on WPS.
It’s showing [!] WARNING: Failed to associate with aa:bb:cc:dd:ee:ff
after 5 mins on a Cisco router, which is very slow I guess; at this rate it will take more than a month to run 10^4 iterations.
@all:
The failed association issues have been fixed in the latest subversion check-in.
Does failed association happen normally? Does it indicate an attempt?
I’ve downloaded the latest version and tried it on a Cisco router and it’s showing “Warning failed to associate with xx:xx”, but this time it is very fast.
Any tips for when it seems that a PIN won’t iterate? It seems that after about 2% of PINs are tried, it simply receives timeouts and retries the same PIN over and over. I’m assuming it’s a lockout or some such, but I figure it’s reasonable to ask you about it.
How long did it run for? If a packet gets dropped or corrupted, the AP may remain in its WPS state waiting for the next message for up to 2 minutes until it allows new WPS attempts again.
It could be locked, but reaver usually identifies locks and warns you about them (run with -vv).
I’m running -vv, but it seems I may have been blacklisted from the AP. Reaver tried about 2% of PINs before I began receiving timeouts. Now, all I get is timeouts (WARNING: Recieved timeout occured) from this particular AP. I tried giving it a few minutes to recover, but nothing changed. I changed my HW address to something different, thinking that may solve it and allow me to continue the brute force, but no beans. I can still associate with the AP, so it seems the device is up, but perhaps I’ve exhausted the PIN attempts maybe? I’m letting it sit for about a half hour and then I’ll be trying again. I’ll let you know more specifics then.
I’m having the same issue. I tried restarting it and it just kept trying the same PIN with many timeouts…. However, just as I’m typing this it’s just gone through a few more PINs before getting stuck on another one. Maybe I’m just too far away.
Oh, forgot to answer your question. It runs for about 15 minutes before this occurs. I’m using an Alfa 500mW card, with mon0 (airmon-ng) as my listener device.
I also encountered this issue. Reaver ran for about 19 hours (with the -vv option). At 90.90% it started to repeat the same PIN (it did that for more than 30 min). I get occasional timeouts, but they appeared from the beginning.
I tried the attack again on the same TP-Link router and Reaver v1.2 again at 90.90% started to repeat a PIN (different from the previous one). I tried Reaver on two other TP-Link routers and it successfully found their WPS PINs in less than 10 hours.
Depends on your TP-Link. I’ve found that many of the TP-Links have memory leaks that cause them to partially lock up after a certain number of attempts, this may be what has happened to you. Usually requires a reboot of the AP.
I wrote a little script to try and curb the time reaver takes re-trying duplicate PINs over and over again. Although I could not totally eradicate the issue, I was able to get reaver to run a lot more smoothly; check it out:
#!/bin/sh
# Placeholders: set to your wireless interface, its monitor interface,
# and the target BSSID (XX:XX:XX:XX:XX:XX is a placeholder, not a real address)
IFACE=wlan3
MON=mon0
BSSID=XX:XX:XX:XX:XX:XX
airmon-ng stop "$IFACE"
sleep 2
airmon-ng stop "$MON"
sleep 2
ifconfig "$IFACE" down
sleep 2
macchanger -r "$IFACE"        # macchanger needs the interface name; the interface must be down
sleep 2
airmon-ng start "$IFACE"      # re-creates the monitor interface
sleep 2
reaver -i "$MON" -b "$BSSID" -vv -a -d 4 -g 13 -r 7:30
###END
Let me know how it works for you…
Forgot to add that the script has to be looped….
Also, can’t this method be improved N-fold with multiple cards? I’d assume so. Just have 5 or 6 Alfa cards all controlled by the same app, trying various PINs, etc.
No. Multiple WPS attacks usually screw up the AP’s internal WPS state machine, and even when they don’t you still don’t get an N-fold increase in speed because the speed bottleneck is on the AP side anyway.
So multiple different hw addresses can’t try different pins at the same time? It’s limited to one HW address at a time?
Essentially, yes. Although some APs can handle multiple WPS registrars from different hw addresses, you still don’t see much speed improvement due to the limited resources of the AP.
Fair enough. It’ll be interesting to see how the development community approaches the optimization in exploiting this particular weakness. This seems like something that could be logarithmically shared as tasks between hw resources. Also, thanks for the hard work. Appreciate the code.
Tried this on a fresh Netgear router but all I seem to get is “segmentation fault” after one PIN is tried. Running it on Ubuntu 10.04, with an Alfa USB AWUS036H card. I put the card into monitor mode (mon0) and the card can be used with other Linux/Ubuntu wi-fi tools, so I’m assuming this is ok? Router supports WPS and it is turned on.
Not sure what I’m doing wrong or where to go next. Could the author put up some working examples of where this has worked?
Run it in GDB and when it crashes, type “bt”. This will create a stack trace that would be usable to the dev.
This is a known issue that’s been reported on the project page. Only seems to affect some users and not others – I can’t reproduce it myself. The latest SVN code should fix the seg fault though.
I tried the 1.1 (subversion) and it fails to associate. Latest Debian/kernel x64 with the AWUS036H and rtl8187 driver.
Finally it seems to work; the problem was that the APs didn’t let me associate (auth always succeeded).
So to first try whether association is allowed, you can run aireplay-ng with -1.
Now the question is, why can we authenticate but not associate to an Access Point? Does it have something to do with WPS? Because, in my neighborhood almost none of the APs (WPA/WPA2) let me associate… It’s like 2 out of 20.
Ok, finally even the 2 out of 20 fail. “[!] WARNING Receive timeout occured”. In the end, 0 out of 20.
Same problem here but on a Belkin router
All I’m getting is:
Waiting for beacon from xx:xx:xx:xx:xx:xx
Switching wlan0 to channel 2
Switching wlan0 to channel 3
Switching wlan0 to channel 4
Switching wlan0 to channel ….
Am I missing something?
Yes you’re missing a brain.
Thanks for your help. Is it just that my wireless driver’s not supported? It works fine for aircracking WEP with injection.
I don’t know what card you are using, but usually when you put the card into monitor mode using airmon-ng (which is what I assume you used), it creates a second interface, usually named mon0. You have to specify mon0 as the interface to Reaver since that is the interface that is actually in monitor mode.
I have the same problem with mon0, any ideas?
I have another problem: the process proceeds very slowly; after about an hour it advances 0.36%. It may take ~200 hours. Does the paid version go faster?
http://pastebin.com/yhLXDBFq
Why are you publishing information which will almost certainly result in someone else suffering a loss because of it?
The exploit has been available for some time, releasing the code will force manufacturers to fix the hole.
Because bugs are to be fixed and not just “hidden away and forgotten”.
What are the reasons reaver cannot associate itself with the base station?
OK, my mistake; from what I see it depends on the speed of the wifi card model.
Please tell me what models you used, what you recommend for best performance?
Now I have a 0.85% / 10min on Airlive wl-1600
How can you scan to see if a router is using WPS?
Also, if you crack the WPS, can this be used on WPA2 or WPA2-PSK?
thank you
WPS is independent of the WPA protocol in use. So if you get the WPS pin you can recover the WPA key if you are using WPA or WPA2.
APs broadcast support for WPS in their beacon packets. You can look for the WPS information element in wireshark.
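As an added example (not code from the original post or from the Reaver project), here is a small Python parser that does what the answer above describes programmatically: it walks the tagged parameters of a beacon frame body, finds the vendor-specific element carrying the WPS OUI and type (00:50:F2, type 4, as defined in the Wi-Fi Simple Configuration spec), and reports the WPS State, AP Setup Locked and Selected Registrar attributes. This is the check a defender wants when auditing their own AP for an advertised WPS registrar. The beacon bodies below are constructed inline for the example; nothing is captured from a real network, and the attribute IDs come from the spec rather than from the page.

```python
import struct

# Vendor-specific IE prefix for WPS: Microsoft OUI 00:50:F2, type 0x04
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# WPS attribute IDs (Wi-Fi Simple Configuration spec)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP refuses further PIN registration
ATTR_SELECTED_REG = 0x1041     # 1 = a registrar is currently selected


def parse_ies(tagged):
    """Split an 802.11 tagged-parameter blob into (tag, value) pairs."""
    ies = []
    off = 0
    while off + 2 <= len(tagged):
        tag, length = tagged[off], tagged[off + 1]
        value = tagged[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, value))
        off += 2 + length
    return ies


def parse_wps_attrs(payload):
    """Decode WPS TLVs: 2-byte big-endian attribute ID, 2-byte length, data."""
    attrs = {}
    off = 0
    while off + 4 <= len(payload):
        attr_id, length = struct.unpack(">HH", payload[off:off + 4])
        data = payload[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated WPS attribute")
        attrs[attr_id] = data
        off += 4 + length
    return attrs


def wps_status(tagged):
    """Return None if the beacon carries no WPS IE, else a summary dict."""
    for tag, value in parse_ies(tagged):
        if tag == 0xDD and value.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(value[len(WPS_OUI_TYPE):])
            return {
                "version": attrs.get(ATTR_VERSION, b"\x00")[0],
                "configured": attrs.get(ATTR_WPS_STATE, b"\x00")[0] == 2,
                "setup_locked": attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1,
                "selected_registrar": attrs.get(ATTR_SELECTED_REG, b"\x00")[0] == 1,
            }
    return None


# --- helpers to build constructed sample beacon bodies (not real captures) ---
def ie(tag, value):
    return bytes([tag, len(value)]) + value


def wps_attr(attr_id, data):
    return struct.pack(">HH", attr_id, len(data)) + data


# Constructed: an AP advertising a configured, unlocked WPS registrar
WPS_BEACON = (
    ie(0x00, b"LabAP")                      # SSID
    + ie(0x01, b"\x82\x84\x8b\x96")         # supported rates
    + ie(0x03, b"\x06")                     # DS parameter set: channel 6
    + ie(0xDD, WPS_OUI_TYPE
         + wps_attr(ATTR_VERSION, b"\x10")
         + wps_attr(ATTR_WPS_STATE, b"\x02")
         + wps_attr(ATTR_AP_SETUP_LOCKED, b"\x00")
         + wps_attr(ATTR_SELECTED_REG, b"\x00"))
)

# Constructed: the same AP with WPS disabled (no vendor IE at all)
PLAIN_BEACON = ie(0x00, b"LabAP") + ie(0x03, b"\x06")

if __name__ == "__main__":
    print("WPS beacon :", wps_status(WPS_BEACON))
    print("plain beacon:", wps_status(PLAIN_BEACON))
```

To run this against real traffic you would feed it the body of a captured beacon after the fixed 12-byte header (timestamp, interval, capabilities); the presence of the IE alone tells you WPS is advertised, and `setup_locked` tells you whether the AP has already stopped accepting PIN registration.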
Hi Craig,
Thanks for your tool. I used it but I have this problem. Any idea?
Perhaps the router is not vulnerable??
reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vv
Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Waiting for beacon from 5C:33:8E:XX:XX:XX
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 4
[+] Switching mon0 to channel 5
[+] Switching mon0 to channel 6
[+] Switching mon0 to channel 6
[+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
[+] Trying pin 31716925
[+] Trying pin 54326927
[!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
[+] Switching mon0 to channel 7
[!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
[+] Switching mon0 to channel 8
Considering you had at least one pin that got a response I’d say the AP is vulnerable. The problem is you are having trouble associating with it, which is usually an indication of poor signal strength or a lot of interference.
Thanks for the response Craig,
But in this case I don’t think that, because the router is very near me; the signal strength is > 95%.
I used Backtrack 4 r2 for the test and only installed your tool version 1.2. Any other idea?
Thanks a lot, Craig.
Hi Craig,
I followed your recommendation and put my WiFi card nearer to the AP. Now I have this problem:
root@bt:~/reaver-1.2/src# reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vv
Reaver v1.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Waiting for beacon from 5C:33:8E:XX:XX:XX
[+] Switching mon0 to channel 6
[+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
[+] Trying pin 86481762
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
…….
My chipset is Ralink RT2870/3070 and the driver is rt2800usb.
Any idea? Do you think the AP is vulnerable?
Thanks…
Happy New Year Craig !!
Same thing; I’ve tried different SSIDs but got the same result, and reaver goes on cracking the same PIN again and again. What is the reason?
I use the same chipset RT2870, adapter TL 7200ND
Ralink RT2870/3070 is not supported
Same AP, same PSK, Different results. Please see your twitter. Thanks!
Fantastic project man! Tested on my AP at home and was humbled to say the least.
Had to do a couple of patches to the drivers as the association with the AP kept failing. At closer inspection, I noticed that mon0 was pinned to fixed channel -1 when using aireplay to get the association. The fix can be found on the aircrack site if any other users experience the same problem. Once that was sorted let it run and four hours later there was my epic psk in plain text :O
Thanks for the release of Reaver, it’s really a good tool and I was able to set it up fine in my BackTrack.
Hi, great tool thanks.
I have two talktalk APs, it worked very well with one but with the other it instantly returns the incorrect pin, I think rtstanif in issue 16 is also seeing the same thing: http://code.google.com/p/reaver-wps/issues/detail?id=16 … thought I’d let you know.
Is there any way to check a router for whether the PIN feature is enabled or not?
With the wash app
Very nice tool! Some routers actually expose their PIN number in their factory set SSID. For instance, one Sitecom router here has six hex digits in its SSID. After converting those to seven decimal digits and modifying reaver1.2 a little bit, the PSK was recovered in just a few seconds.
This tool is exceptional, and I hope they are working it into backtrack 6….. It took all of 7 hours, but eventually I got into my neighbor’s wifi (w/ permission)… it DOES crack the WPA PSK…. It returns it to you in a non-hexadecimal key…….. No more deauthing…. handshakes, etc. HA
Only prob though…… the AP would ban my MAC for exactly 5 mins every so often…. so if this tool could be made to spoof your MAC every 3-4 mins to keep the router from banning, that could decrease time.
Glad to hear it’s working well.
Unfortunately the lock outs are not usually done on a per-MAC basis, they just lock everyone out for a pre-defined period of time. So changing MACs won’t help (at least this is how all the implementations that I’ve seen work).
I have a (hopefully not stupid) question. In Stefan Viehböck’s white paper on this, it says this:
“An attacker can derive information about the correctness of parts of the PIN from the AP’s responses. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect.
This form of authentication dramatically decreases the maximum possible authentication attempts needed from 10^8 (=100,000,000) to 10^4 + 10^4 (=20,000). As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 10^4 + 10^3 (=11,000) attempts needed to find the correct PIN.”
I’ve noticed, using Reaver, that in the PIN attempts the second half of the PIN is reused quite frequently, sometimes 3 times out of 5 in a row. Is this because the second half of the PIN cannot be tested until the 1st half has been successfully identified? After re-reading the paper I think this is the case, but I was hoping for confirmation.
That is correct. Basically, you only have a 7 digit pin since the last digit is a checksum, so the first three digits of second half of the pin will always be the same in Reaver until the first half of the pin is cracked.
So you’ll see something like:
12345670
43215674
98705672
Where the first four digits are the first half of the PIN being brute forced, the next 3 digits are the second “half” of the PIN, which doesn’t change (until the first half is broken), and the last digit is a checksum.
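To make the arithmetic in the quoted paper and the reply above concrete, here is an added Python example (not from the original post or from Reaver) that implements the WPS PIN checksum as defined in the Wi-Fi Simple Configuration spec (digits in odd positions weighted 3, even positions weighted 1, checksum digit chosen so the weighted sum is a multiple of 10), validates full PINs, splits a PIN into the two halves the AP checks separately, and computes the worst-case attempt counts the paper gives. The weighting rule is the spec's, not the page's; the PINs it checks are the ones shown in the reply above.

```python
def wps_checksum_digit(first_seven):
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    Spec rule: weight 3 for the 1st, 3rd, 5th and 7th digits, weight 1 for the
    others; the checksum brings the weighted sum up to a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin):
    """True when an 8-digit PIN carries a correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def split_pin(pin):
    """Return the two halves an AP validates independently.

    The first half (4 digits) is confirmed or rejected after M4, the second
    half (3 free digits plus the checksum) after M6, which is why the two
    halves can be searched one after the other rather than jointly.
    """
    if not is_valid_wps_pin(pin):
        raise ValueError("not a well-formed WPS PIN")
    return pin[:4], pin[4:8]


def pin_from_halves(first4, second3):
    """Build a full PIN from a 4-digit first half and a 3-digit second-half prefix,
    appending the checksum; this is the pattern visible in the reply above, where
    the 3 middle digits stay fixed while the first half changes."""
    if len(first4) != 4 or len(second3) != 3:
        raise ValueError("need 4 + 3 digits")
    seven = first4 + second3
    return seven + str(wps_checksum_digit(seven))


def attempts_worst_case():
    """Worst-case attempt counts from the quoted paper."""
    return {
        "naive_8_digit": 10 ** 8,              # treat the PIN as one secret
        "split_halves": 10 ** 4 + 10 ** 4,     # halves confirmed separately
        "split_with_checksum": 10 ** 4 + 10 ** 3,  # last digit is derived
    }


if __name__ == "__main__":
    for pin in ("12345670", "98705672", "12345671"):
        print(pin, "valid" if is_valid_wps_pin(pin) else "bad checksum")
    print(split_pin("12345670"))
    print(attempts_worst_case())
```

The takeaway for anyone configuring an AP is the last number: with the halves confirmed separately and the checksum derived, the effective secret is about 11,000 possibilities, which is why disabling the external-registrar PIN method (or relying on a lockout that does not reset) is the only real mitigation.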
No problems. I’m running in -vv mode and it’s not showing me the pins it is trying, only 2.50% complete @ 131 seconds/attempt, then 2.51% etc etc but like I said just not showing the pins it is trying to use. And what does seconds/attempt mean? Thanks. I’m having lots of fun testing this tool!
Mine is stuck at a number like 1.3%, over and over again and again.
Backtrack in VMware and Alfa 036H; does someone know the problem?
If the first half of the PIN is known (i.e. 1723), can this be used with the -p switch?
e.g.: reaver -i mon0 -b BSSID -p 1723 -vv
Yes, if you specify only the first four digits, Reaver will use those and begin brute forcing the last four digits. You may need to use the code from the SVN repository though, IIRC 1.3 has a bug in it when only specifying a 4 digit pin.
Hello, I read all the posts and even saw one similar to what I’m going to ask, but I still don’t know what to do. Using Backtrack 5, running with -vv returns the message: [!] WARNING: failed to associate with. What should I do? Is it my problem or the program’s?
STILL gives “[!] WARNING: Receive timeout occurred” IF it actually makes the association. This is nothing more than buggy POC code. You should have waited and released a working code because this has had 3 releases and still does not work.
You can always contribute back to this open source project that you paid nothing for by troubleshooting your problems, properly submitting your issues on the Google code project page, and submitting patches back to the project.
Ignore the above troll, nice work on the code to date
Does it work with a Ralink 802.11g USB adapter? I’m not having success; it gives an association error. Thank you!
This goes out to all of you who are bitching!
You are pissing on a guy who put his time and effort into developing something
that is free! If you want to learn and develop your own tools, start by improving the code for reaver; you’ll see you learn a lot, and you step away from the script-kiddie mentality. Keep learning; you’ll die a fool, but a little less of a fool than most…
Yes Reaver is excellent tool but we can’t find many APs vulnerable to the WPS attack. So traditional wordlist attack is still useful.
Agree with the above – maybe 20% of APs tested so far have been vulnerable, but it definitely speeds things up when they are >> Just cracked a 26 character PSK in under 7hrs.
Great work on this
I have a question about walsh/wash: after probing about 30 APs with WPA/WPA2 enabled, I found that none of them has WPS. My router has WPS, but no configuration at all in the panel (it’s ISP-provided), and I am sure only about the button-enabled WPS, unsure about external registrar. By the way, I’m pretty sure that two routers in my range support it. They also respond to reaver’s attempts, but they don’t show up in wash’s output. What may be happening? Am I doing something wrong? My card’s drivers are patched for injection and I use it seamlessly for other WiFi tests.
After searching around, a question came to my mind:
Do I need to generate a rainbow table in order to successfully launch the reaver attack?
If yes, how can I do that?
Thanks
Yesssss! You are the man!!! Very impressed and have a massive smile on my face
All I see is
[+] Waiting for beacon from 06:1C:DF:04:A7:86
[+] Associated with 06:1C:DF:04:A7:86 (ESSID: WiFi – 2012)
and then it sits there for an eternity. Is there anything I’m doing wrong?
You can save yourself a lot of time by ascertaining which APs are vulnerable to this attack:
the command ‘wash -i mon0’ will list all the APs in range that are using WPS.
I’ve had the best results with the following command (and I tried a lot of variations):
reaver -i mon0 -b XXXXXXXXXX -c1 -d 0 (where -c1 is the channel and -d 0 is no delay between PIN attempts).
reaver works like a charm for me (average cracking of WPA is 2 to 3 hours). Thank God–goodbye to wordlists.
So for all you people out there that are still having issues with repeating PINs and AP lock-up: check out this script. You will have to loop this in order for it to crack the AP properly. The script is as follows, not looped:
#!/bin/sh
# Placeholders: set to your wireless interface, its monitor interface,
# and the target BSSID (XX:XX:XX:XX:XX:XX is a placeholder, not a real address)
IFACE=wlan0
MON=mon0
BSSID=XX:XX:XX:XX:XX:XX
airmon-ng stop "$IFACE"
sleep 5
airmon-ng stop "$MON"
sleep 5
ifconfig "$IFACE" down
sleep 5
macchanger -r "$IFACE"        # macchanger needs the interface name; the interface must be down
sleep 5
airmon-ng start "$IFACE"      # re-creates the monitor interface
sleep 5
reaver -i "$MON" -b "$BSSID" -a -vv -d 4 -g 15 -r 7:30 -T 0.5
How do I loop the script?
In the configure script there is a check for libpcap. It fails when you don’t have sqlite3-dev installed, with a message that libpcap is not installed. I think this should be fixed to show a message about sqlite3, because it’s confusing now (I had to modify the configure script to display the test error file to find out why this test failed).
I run Back Track off of USB; all of the lib drivers are already installed, no installing stuff, it’s all set up for you…
Reaver/walsh works great on Sabayon Linux with a Realtek-chipset card I bought for about $13.
My roommate was bitching about high Internet bills and blamed me for the bills.
I have a wired connection and I *do* use Torrents a fair bit. My roommate uses a wireless connection (despite being less than 20 feet from the router, as the crow flies) and insisted I was the cause of the high bill, but I know damned well I wasn’t responsible. We have another roommate who watches YouTube *endlessly*, but I got the blame.
“And, you have an unnecessary wireless network, in a household where not one of us uses wireless devices.”
“Dude, nobody can hack it because I have a very long and complicated password! I used a car’s VIN number!”
Yeah, well, his Pontiac’s VIN, read through the windshield, wasn’t it.
Reaver did it. “987654321abc” was his super-complicated password. Jesus, a password guessing program might have done it.
Reaver cracked it in about 4 hours.
Thank you. He no longer bitches at me. Even admitted that I know more about computers than he does (my degree in Electrical Engineering from a Canadian University kind of trumps his time spent at the counter of a car-rental company, I would have thought…)
I still get:
[!] WARNING: Failed to associate with …
Running v1.4
How do I fix this?
Cracking WPA with reaver, I see this message. How do I fix this?
WARNING: Failed to associate
I just keep getting 12345670, sending rec 0.0% a few times, then time out, retrying last PIN 12345670 again and again. I’m using a Belkin dongle I got with my router; always 0.0%.
Hi, I have placed the dongle on top of the router; I am getting 85% signal & these are the results:
[+] switching mon0 to channel 11
[+] waiting for beacon from xx:xx:XX:xx:xx:xx
[+] associated with xx:xx:xx:xx:xx:xx (essid: virginmediaxxxxxxx)
[+] trying pin 12345670
[+] sending EAPOL START request
[+] sending identity request
[+] sending identity response
[+] warning: receive timeout occurred
[+] trying pin 12345670
It does this a few times then says:
[+] sending EAPOL START request
[+] sending identity request
[+] sending identity response
[+] warning: receive timeout occurred
[+] 25 successive start failfailures
[+] sending EAPOL HACK
[+] WPS TRANSACTION FAILED (CODE: 0X02) re-trying last pin
[+] trying pin 12345670
[+] sending EAPOL START request
Keep getting AP rate limiting every 5 PIN tries for five mins; I am at 10% after 24 hrs. Time’s no prob, but is there anything I can do to speed it up, and does reaver have to finish 100% first or can it find the PIN at, say, 40%?
admin
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
switching to channel 1
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
I got this problem on my home network.
What do I have to do?
My adapter is an ath9k Atheros;
Windows 7, 64-bit;
Intel i3 processor.
Wow, today for the first time I followed your tutorial and wrote about my experience; well, cracking WPA/2 has become super easy
reaver on ubuntu
higher cower stronger cooler
I hope someone writes a tool, reaver 9.9, that may connect two, three, nine network cards to brute force together.
An amazingly simple and effective tool! A genuine, heartfelt thanks to the author and the guys who thought of looking at WPS. You’ve made me aware how vulnerable I am and I just replaced my router because of the knowledge I gained with this program. I have been tweaking the -d, -a, -N and -A options on several attempts at my router to discover how quickly it could fall. Is there a recommended guideline for the parameter values of these options given the operational environments (ie: signal power, AP feedback, etc.)?
Hi guys. Using reaver trying to test my own AP. Installed reaver fine, but when it’s time to ./wash it can’t find wash.
Any help would be appreciated.
J
Hi,
It depends on what adapter you are using, for me the best adapter is alfa awus036h rt8187 chipset. From my experience……
Can reaver crack WPA if my WPA password is not in digit form or is longer than 8 digits?
Reaver cracks WPS. If you have the WPS PIN activated and reaver cracked it, the attacker gets the WPA key from the router.
If you deactivate the WPS PIN mode it isn’t possible to get your WPA key with this method.
GREAT WORK CRAIG!!!
IS IT ALSO POSSIBLE TO DECODE THE WPA TKIP ROUTER? CAUSE I TRIED REAVER IN WPA CCMP ROUTER AND IT WORKS…… BUT WHEN I TRIED TO WPA TKIP ITS NOT WORKING….
THANKS!!!
Use the parameter -S;
it will increase speed through using small RSA keys.
24 hours working and nothing, just these messages; any help?
(!) WPS transaction failed (code: 0×02) re-trying last pin
(!) WARNING 10 failed connections in a row
(+)Trying pin 12345670
(+)Sending EAPOL START request
(+) WARNING: Receive timeout occured
(+)Sending EAPOL START request
(+) WARNING: Receive timeout occured
(+)Sending EAPOL START request
(+) WARNING: Receive timeout occured
(!) WARNING 25 sucessive start failures
(+) Nothing done nothing to save
(+) 0.00% complete @ date ( 0 seconds pin)
(+)Trying pin 12345670
(+)Sending EAPOL START request
(+) WARNING: Receive timeout occured
(+)Sending EAPOL START request
Reaver can’t establish an EAP session with the AP. Either the AP is ignoring EAPOL START packets (MAC filtering?) or you need to get a better signal from the AP.
Here you can get beini.. no need for a dictionary to crack WPA… I will update new beini… just keep checking my blog… http://karnaintrack.org/2012/04/beini-1-2-3-iso/
New update XiaoPan 0.4.2.2 http://karnaintrack.org/2012/05/xiaopan-0-4-2-2-english-version-hack-wepwpa/
@Craig What is a solid sec/pin to fall into the 10 hour window? I’m playing around with this now and I have 13% after 6 hours at 25 sec/pin… I’m assuming this is slow? What metric would you want to see here?
I got 25% after 4 hours at 4 seconds/pin, so I assume you just chose a slow AP.