How to use Reaver to crack WPA2 Passwords with a 99 success rate.

Today I am going to teach you how to easily hack WPA/WPA2-PSK enabled network using reaver. But, for that the targeted router should support WPS WiFi Protected Setup which is supported by most of the router nowadays. WPS is an optional device configuration protocol for wireless access points which make it really easier to connect.

This feature exist in most of the router for the easy setup process through the WPS pin which is hard-coded into the wireless access point. Reaver takes the advantage of a vulnerability in WPS. Thanks to Craig Heffner for releasing an open-source version of this tool named Reaver that exploits the vulnerability. In simple tone, Reaver tries to bruteforce the pin; which in result reveal WPA or WPA2 password after enough time.

What You ll Need

You do not have to be a expert at Linux or in even using computer. The simple command-line console will do all the things. But you may need a lot of time for this process and also some luck. The brute force may take from 2 hours to more than 10 hours too sometimes. There are various ways to set up reaver but here are the requirement for this guide.

Backtrack OS. Backtrack is a bootable Linux distribution with lots of pen-testing tools. You can use various other Linux distribution but I prefer backtrack. If you don t know how to install backtrack then please check this link first.

A computer and wireless network card. I cannot guarantee if this will work with all the internal wireless card but i recommend a external wireless card.

A lot of Patience. The process is simple but brute forcing the PIN takes a lot of time. So you have to be patience. Kicking the Computer won t help you this time.

Let s Get Started

Now you should have a backtrack OS ready for action.

Step 1: Boot into BackTrack

You can use any method to boot into backtrack; like from live cd, VMware, dual boot, etc. So, just boot it first into the GUI mode and open up a new console command line which is in the taskbar. So just boot into backtrack. During the boot process, BackTrack will prompt you to to choose the boot options. Select BackTrack Text – Default Boot Text Mode and press Enter.

After some time Backtrack will take you into a command line prompt where you should type startx and press Enter. BackTrack will boot will into Graphical User Interface GUI mode.

Step 2: Install Reaver Skip this step if you are using BackTrack 5

Reaver should be already installed in the Backtrack 5 but if you are using older backtrack or any other Linux distribution you can install Reaver by using few steps below.

First Connect your BackTrack to the internet. For WiFi connection go to Application Internet Wicd Network Manager

Select your network and click connect and input your password if necessary, click OK and click CONNECT the second time.

Now that you are connected to internet its time to install Reaver. Click the terminal icon in the menu bar. And at the console type the following:

apt-get update

apt-get install reaver

Now if everything worked fine you will get a freshly installed Reaver tool. Now if you are testing it in your own system then please go to Wicd Network Manager and Disconnect yourself first.

Step 3 : Gather Information

Before launching the Reaver attack you need to know your target wireless network name, BSSID it is the series of unique letters and number of a particular router and its channel number. So to know this make your wireless card into monitor mode and gather the required information of the access points. So let us do all these things.

First lets find your wireless card. Inside terminal or console, type:

airmon-ng

Press Enter and there you should see a list of interface names of different devices. There should be a wireless device in that list you you have connected it to BackTrack. Probably it may be wlan0 or wlan1.

Note: To connect your wireless network card into WMware. Firstly, connect it to the USB and then you will see a small USB icon like in the figure in the top right of VMware. Then, right click on it and click connect. At last, USB sign will turn into green colour and start to glow.

Enable monitor mode. Supposing your wireless card interface name as wlan0, type this command in that same console.

airmon-ng start wlan0

This code will create a new monitor mode interface mon0 like in the screenshot below which you want to keep note of.

Search the BSSID of the Access Point router you want to crack. There are few ways to search for the Access Point BSSID but I prefer to use the inbuilt reaver search method which shows the list of WPS vulnerable BSSID only.

In the console type this following command and press enter:

wash -i mon0

You will see the list of wireless networks that support WPS which are vulnerable to Reaver as seen in the screenshot below. After few minutes you can stop the scan by pressing Ctrl C.

Step 4: Lets start Cracking

I suggest you to try to crack the ones which have WPS lock disabled or say NO in WPS Locked column. It may also work if it says YES but I am not sure of that. For that, copy the BSSID of the target AP and also keep note of its channel and in the console and type the following and Enter:

reaver -i monitormode -c channel -b targetbssid -vv

For My Case the monitor mode will be mon0 channel would be 1, targetbssid would be C8:3A:: and -vv is written to show the current statistic of the attack like percentage completed, currently brute forcing PIN and so on; so we will type the following and enter:

reaver -i mon0 -c 1 -b C8:3A:: -vv

Press Enter and if everything goes right then you will see the attack process like in the screenshot below. Please note that you will not get Restore previous session  like me because I have already tried to crack it so, it is prompting me to either to resume from that paused point or not. Your progress will also be saved if your press Ctrl C. It will prompt you the same if you again hit the same above command and you can resume it from there.

Now just wait or have some coffee and let Reaver do its magic. It might take from 2 hours to 10 hours or more. There are 8 numeric digits of WPS but due the fact that WPS authentication protocol cuts the pin in half and validates each half separately. Since the last digit of pin is a cheksum value which can be calculated on the basis of previous value there are 10 4 10,000 possible values for first half and then 10 3 1000 values for the last pin. So the WPS pin code can be calculated in 11,000 possible pin code. Some AP can check the WPS pin in the rate of 1 pin per second and some take more so the time depend upon the AP and even the network connection strength depends too.

When the PIN is successfully brute-forced Reaver will show you the WPS PIN and the plain password of the AP like in the below screenshot.

I recommend you to keep note of the WPS pin so that if the password is changed again you can hack that in few seconds the next time by using the following process.

reaver -i monitor interface -b BSSID -c channel --pin 8 digit pin -vv

Example:

reaver -i mon0 -b :: -c 1 --pin 12345678 -vv

So now the error part as you might get a bunch of error depending upon your conditions. You might get some timeout but it is normal but if you are getting other errors then see the below Error section for that

Error Section:

If you are getting the following error then check the corresponding solution for that.

If 10 consecutive unexpected WPS errors are encountered, a warning message will be shown. Since this may be a sign that the AP is rate limiting pin attempts, a waiting command can be issued that will occur whenever these warning messages appears by issuing the following command:

reaver -i mon0 -b :: --fail-wait 360

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary minimum timeout period is 1 second :

reaver -i mon0 -b :: -t 3

The default delay period between pin attempts is 1 second. This value can be increased or decreased to any value. Please note that 0 means no delay:

reaver -i mon0 -b :: -d 0

So here ends the tutorial on how to crack wireless network easily using reaver. Good Luck Hacking

Related.

Click Download Button to get WiFi Cracker Software and hack WiFi Passwords Latest 2.0 version of wifi hacker software is divided in to several modules.

Jul 07, 2011  I ll show you a way on how to get tough any kind of wifi using admin as a password.

Hi 39.000 IV s doesn t mean anything. Sometimes it only takes 5.000 IV s to crack WiFi password. The signal strength is very important because the stronger the signal.

How to Hack WPA WiFi Passwords by Cracking the WPS PIN. A flaw in WPS, or WiFi Protected Setup, known about for over a year by TNS, was finally exploited with proof.

My landlord was away for a long holiday and I just bought a new Smartphone with WiFi, and I forgot and lost the WEP / WPA password key he gave me.

How to Hack a satellite dish into a WiFi signal booster. There are many ways to recycle a satellite dish and this is one of them. In this video tutorial, you ll learn.

CooolerThanYOU

94

4,830,987 Views

9 months ago

Follow

An internet connection has become a basic necessity in our modern lives. Wireless hotspots commonly known as Wi-Fi can be found everywhere.

If you have a PC with a wireless network card, then you must have seen many networks around you. Sadly, most of these networks are secured with a network security key.

Have you ever wanted to use one of these networks. You must have desperately wanted to check your mail when you shifted to your new house. The hardest time in your life is when your internet connection is down.

Cracking those Wi-Fi passwords is your answer to temporary internet access. This is a comprehensive guide which will teach even complete beginners how to crack WEP encrypted networks, easily.

If it s WPA2-PSK passwords you need to crack, you can use aircrack-ng or coWPAtty.

How are wireless networks secured. What you ll need Setting up CommView for Wi-Fi Selecting the target network and capturing packets Waiting Now the interesting part CRACKING. Are you a visual learner.

Step 1: How Are Wireless Networks Secured.

In a secured wireless connection, internet data is sent in the form of encrypted packets. These packets are encrypted with network security keys. If you somehow manage to get hold of the key for a particular wireless network you virtually have access to the wireless internet connection.

Broadly speaking, there are two main types of encryptions used.

This is the most basic form of encryption. This has become an unsafe option as it is vulnerable and can be cracked with relative ease. Although this is the case many people still use this encryption.

This is the more secure alternative. Efficient cracking of the passphrase of such a network requires the use of a wordlist with the common passwords. In other words you use the old-fashioned method of trial and error to gain access. Variations include WPA-2 which is the most secure encryption alternative till date. Although this can also be cracked using a wordlist if the password is common, this is virtually uncrackable with a strong password. That is, unless the WPA PIN is still enabled as is the default on many routers.

Hacking WEP passwords is relatively fast, so we ll focus on how to crack them for this guide. If the only networks around you use WPA passwords, you ll want to follow this guide on how to crack WPA Wi-Fi passwords instead.

Step 2: What You ll Need A compatible wireless adapter:

This is by far the biggest requirement.The wireless card of your computer has to be compatible with the software CommVIew. This ensures that the wireless card can go into monitor mode which is essential for capturing packets. Click here to check if your wireless card is compatible

This software will be used to capture the packets from the desired network adapter. Click here to download the software from their website.

After capturing the packets this software does the actual cracking. Click here to download the software from their website.A little patience is vital.

Step 3: Setting Up CommView for Wi-FiDownload the zip file of CommView for Wi-Fi from the website. Extract the file and run setup.exe to install CommView for Wi-Fi. When CommView opens for the first time it has a driver installation guide. Follow the prompts to install the driver for your wireless card. Run CommView for Wi-Fi. Click the play icon on the top left of the application window.

Start scanning for wireless networks.

CommView now starts scanning for wireless networks channel by channel. After a few minutes you will have a long list of wireless networks with their security type and signal. Now it is time to choose your target network.

Step 4: Selecting the Target Network and Capturing Packets

A few things to keep in mind before choosing the target wireless network:This tutorial is only for WEP encrypted networks, so make sure you select a network with WEP next to its name. If you need to crack a WPA encrypted network, follow this tutorial instead. Choose a network with the highest signal. Each network will have its details in the right column. Make sure the WEP network you are choosing has the lowest dB decibel value.

Once you have chosen your target network, select it and click Capture to start capturing packets from the desired channel.

Now you might notice that packets are being captured from all the networks in the particular channel. To capture packets only from the desired network follow the given steps.Right click the desired network and click on copy MAC Address. Switch to the Rules tab on the top. On the left hand side choose MAC Addresses. Enable MAC Address rules. For Action select capture and for Add record select both. Now paste the mac address copied earlier in the box below.

We need to capture only data packets for cracking. So, select D on the bar at the top of the window and deselect M Management packets and C Control packets.

Now you have to save the packets so that they can be cracked later. To do this:Go to the logging tab on top and enable auto saving. Set Maximum Directory Size to 2000. Set Average Log File Size to 20.

Step 5: Waiting

Now the boring part- WAITING.

NOTE: The amount of time taken to capture enough data packets depends on the signal and the networks usage. The minimum number of packets you should capture should be 100,000 for a decent signal.

After you think you have enough packets at least 100,000 packets, you ll need to export them.Go to the log tab and click on concatenate logs. Select all the logs that have been saved. Do not close CommView for Wi-Fi. Now navigate to the folder where the concatenated logs have been saved. Open the log file. Select File- Export -Wire shark tcpdump format and choose any suitable destination. This will save the logs with a. cap extension to that location.

Step 6: Now the Interesting Part CRACKING.Download Aircrack-ng and extract the zip file. Open the folder and navigate to bin. Run Aircrack-ng GUI. Choose WEP. Open your. cap file that you had saved earlier. Click Launch. In the command prompt type in the index number of your target wireless network. Wait for a while. If everything goes fine, the wireless key will be shown.

You may also receive a request to try with more packets. In this case wait until more packets have been captured and repeat the steps to be performed after capturing packets.

BEST OF LUCK.

Step 7: Are You a Visual Learner.

Just in case you didn t understand, you can watch this video walk-through.

Cover image via Shutterstock 1, 2

See Also

Remember to Give Kudos, Tweet, Like, Share.