Cracking WiFi Protected Setup with Reaver
Wednesday, December 28, 2011 at 12:51

Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allow attackers to recover WPA/WPA2 passphrases in a matter of hours.
This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly, we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of brute-forcing WPS PINs and recovering the plaintext WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).
While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality, as well as a support plan.

Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:
- Cracking the WPS PIN is, obviously, much faster than brute-forcing the WPA passphrase: the PIN has only seven free digits plus a checksum digit, and the protocol acknowledges each half of the PIN separately, so at most about 11,000 attempts are needed.
- Once you have the WPS PIN you can instantly recover the WPA passphrase, even if the owner later changes the passphrase, because the PIN itself does not change.
- Access points with multiple radios (2.4/5GHz) can be configured with a different WPA key per radio. Since the radios share the same WPS PIN, knowledge of the PIN allows an attacker to recover all of the WPA keys.
Of course, the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells them to.
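The reason the PIN falls in hours rather than years is worth seeing in code. The block below is an added example written for this page in Python, not Reaver's own code: SimulatedWpsAp is a toy stand-in for the access point (it assumes no lockout and honest NACK behaviour), and the two target PINs are constructed for the demonstration. What it relies on is the WPS design itself: the eighth PIN digit is a checksum of the first seven, and the registrar (here, the attacker) proves the first half of the PIN in message M4 and the second half in M6, with the access point NACKing each half on its own.

```python
"""
Why an 8-digit WPS PIN falls in hours: a model of the search space.

Added example; this is not Reaver's code, and SimulatedWpsAp is a toy
stand-in for a real access point, not a real registrar implementation.

Facts the model relies on (from the WPS specification):
  - the 8th PIN digit is a checksum of the first 7, so only 10^7 PINs are valid;
  - the registrar (the attacker in this attack) proves the first half of the PIN
    in M4 and the second half in M6, and the AP answers each with the next
    message or a NACK, so the halves can be searched independently:
    at most 10^4 + 10^3 = 11,000 attempts.
"""
from __future__ import annotations


def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit for the first 7 digits of a WPS PIN."""
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def pin_is_valid(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


class SimulatedWpsAp:
    """Toy access point (assumption: no lockout, honest M4/M6 NACK behaviour)."""

    def __init__(self, pin: str) -> None:
        if not pin_is_valid(pin):
            raise ValueError("constructed PIN must carry a valid checksum")
        self._pin = pin
        self.attempts = 0  # number of registration exchanges started

    def try_pin(self, pin: str) -> tuple[bool, bool]:
        """Return (first_half_ok, second_half_ok), as the M4/M6 replies reveal."""
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return (False, False)   # NACK after M4: first half wrong
        if pin[4:] != self._pin[4:]:
            return (True, False)    # NACK after M6: second half wrong
        return (True, True)         # M7 would now carry the WPA passphrase


def brute_force_pin(ap: SimulatedWpsAp) -> str:
    """Recover the PIN one half at a time; raises if the AP never accepts."""
    # Phase 1: first four digits, at most 10,000 attempts.
    first_half = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        ok_first, _ = ap.try_pin(candidate + "0000")
        if ok_first:
            first_half = candidate
            break
    if first_half is None:
        raise RuntimeError("no first half accepted")
    # Phase 2: three free digits plus the derived checksum, at most 1,000 attempts.
    for j in range(1_000):
        seven = int(first_half) * 1_000 + j
        candidate = f"{seven:07d}{wps_checksum(seven)}"
        _, ok_second = ap.try_pin(candidate)
        if ok_second:
            return candidate
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    # Constructed targets: a well-known sample PIN and the worst case for this search.
    for target in ("12345670", "99999995"):
        ap = SimulatedWpsAp(target)
        found = brute_force_pin(ap)
        print(f"{target}: recovered {found} after {ap.attempts} attempts "
              f"(naive 8-digit space: {10**8:,})")
```

Run it and the worst-case PIN costs 11,000 attempts against a naive space of 100,000,000. The 4-10 hours quoted above is that attempt count multiplied by how long one registration exchange takes on a real access point, which is what varies between models.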
To learn more about Reaver, visit our product page, or the open source project on Google Code.
Reader Comments (26)
Hello, interesting article of yours; I was wondering if in my WiFi router (Huawei BM635) configuration this setting may be fixed by selecting WEP in the security configuration field?
There is no button or feature to disable WPA, only the option to select WEP instead of it.
Thank you.
To the person above with the Huawei BM635, you would be better off with no WiFi than stepping down to WEP. WEP can be cracked in under 5 minutes with the right wireless card and aircrack. Manually set up your connections and don't use the WPS sync button to do the connections for you. Also, WPA handshakes are trivial to intercept, but take longer to crack with long passphrases over 14 characters. Nothing is foolproof, just time consuming. Wireless in itself is broken for consumers. RADIUS would be a better solution.
What about if you have WPA2/AES enabled? Still breakable in minutes?
We highly recommend not using WEP to secure your wireless connection. I think the confusion here is in the acronyms: Reaver exploits a vulnerability in WPS (WiFi Protected Setup), not WPA. Disable WPS on your router to secure it, and keep using WPA2 with a strong passphrase.
Also maybe consider using something other than Chinese state-sponsored networking gear.
http://en.wikipedia.org/wiki/Huawei#Security_concerns
How do I get reaver-wps to work on a Mac?
It's not designed for the Mac. You obviously didn't read the installation instructions in the README file. It clearly states, "Reaver is only supported on the Linux platform..."
I've now got Linux, how do I get it to work?
When trying to run Reaver after it's been compiled, I get a "Failed to initialize interface 'mon0'" immediately after being run. I've set my card into monitor mode using both airmon-ng and iwconfig and ifconfig shows mon0 as an active virtual NIC. Airmon-ng/Aircrack have no problem, and libpcap is installed. Any suggestions?
Official video should clear things up. Run as root where appropriate.
http://www.tacnetsol.com/news/2011/12/30/official-reaver-screencast.html
I have it set up and it appears to run up to a point. I've watched the video on the Google Code project and understand what should happen, but it doesn't. To be specific, I get
[+] Associated with C0:83:0A:8D:BF:11 (ESSID: 2WIRExxx) as the last line of output and it just stops. How long before it should start attempting PINs? If it doesn't start attempting PINs, what does that indicate? Thanks!
Great work guys! I feel sorry your comment page has turned into a help-wanted ad for people trying to hack their neighbour's Wi-Fi. A chain is only as strong as its weakest link. Well done!
-B
From your Products HP: "However, Reaver is not restricted by the limitations of traditional dictionary-based attacks. Reaver is able to extract the WPA PSK from the access point within 4 - 10 hours ...".
No kidding ...? A WPA/PSK TKIP key with 63 hex values?
I'd say that would take about 4 - 10 times the age of the Universe.
^ You've missed the point.
Reaver DOESN'T crack WPA directly - it cracks WPS (8 digits). Once that's cracked and they're in THEN the WPA key is easily retrieved afterwards regardless of its length or complexity.
Game Over.
That's a relief.
I read what they wrote as: Reaver could crack the WPA/PSK TKIP key. "Reaver is able to extract the WPA PSK from the access point ...".
Maybe it should read: Reaver is able to extract the WPA PSK from the access point by cracking the WPS PIN within 4 - 10 hours.
Excellent work! Guess it's time to reconfigure some routers!
Hello, do you think product as Private WIFI: http://www.privatewifi.com/ may protect from an attack? Thank you.
Well nice work!
Didn't even know it was possible to bruteforce the WPS "wirelessly"
@Trikk: Use sudo
Your statement that "roughly 95% of modern consumer-grade access points ship with WPS enabled by default" sounds like a security vendor promoting their own services. WPS didn't really hit the market significantly until 2009. The real question is how much of the "market" has WPS active, not how devices today ship. Removing from the equation those running open networks, WEP, older APs with WPA, older APs with WPA2, and those who have customized their WPS-capable systems, we're probably down to a much lower number like 15%. However that is still a heck of a lot of vulnerable access points.
Greetings.
I am using 64-bit Ubuntu, and when compiling Reaver 1.3 with ./configure I get the message Permission denied.
It installed correctly on the 32-bit BackTrack 5 Gnome live CD, but my Ubuntu virtual machine gives the denial that I mentioned.
Help please.
@reninho you probably ran tar as root and are trying to access files as root from a normal user. Either "sudo -s" so you can stay as root or run "sudo" before all of your commands. See the Reaver README or the many Reaver howtos and videos on the Internet for instructions.
First - Thank you for posting this captivating information. What a discovery to make! Smart people out there for sure!
Second - A matter of clarification please. Some WAP manufacturers separate out a WAP from a wireless router. Netgear makes this distinction, for one. Yet I am under the impression that a WAP is a wireless router, as is a wireless printer port, as is a wireless repeater, etc… Is not any wireless router using WPS and a PIN subject to this security lapse?
Third - I am aware of this problem because I subscribe to US - CERT bulletins. However, cruising through the mainstream media I cannot find any other mention of this problem. That surprises me as I consider this breach a 'clear and present' danger to probably millions of unsuspecting WAP users. While more sophisticated users will be able to update the firmware, or skirt around using the PIN with WPS, I have a multitude of clients that would rather jump off a cliff as opposed to messing about in their WAPs internal settings. Further, despite the shift of security threats away from the 16 year old kid down the block to cadres of professional Russian and Chinese hackers, this particular breach could cause a resurgence of 'neighborhood hacking' by the kid(s) down the street or one street over. Once they discover that the wireless router belonging to Mr. Johnson can be hacked in a matter of hours they will be all over it.
Am I overstating the potential for abuse here? Am I missing something? It seems that outside of the inner circles no one seems to give a hoot. Netgear certainly has not posted anything about it.
What gives?
Thank you all again.
Mike
If the WAP is utilizing Access Control based on device MAC, does this preserve its integrity or just present another obstacle?
The article says "Of course the disadvantage is that WPS can be disabled." What does disabling WPS mean? Is the WiFi still secured?
Great work,
To answer some of the above, if it gets to [+] Associated with C0:83:0A:8D:BF:11 (ESSID: 2WIRExxx) and stops, this is a good indication that you don't have WPS enabled on your access point, which is a good thing in as much as you can't be exploited via this. If it starts trying PINs then WPS is enabled and the chances are that within the 4-10 hours it will crack it. I'd personally test this on your corporate/home access points and then disable WPS functionality if you find that you have it enabled. No disadvantages to disabling it, other than retrieving your WPA key via it won't work for you if ever you forget it.