Cracking WiFi Protected Setup with Reaver
Wednesday, December 28, 2011 at 12:51
UPDATE: Reaver Pro now available on the HakShop!
Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allow attackers to recover WPA/WPA2 passphrases in a matter of hours.
This is a capability that we at TNS have been testing, perfecting and using for nearly a year. Now that the vulnerability has been discussed publicly, we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS PINs and recovering the plaintext WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies by access point).
While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality as well as a support plan. Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:
- Cracking the WPS PIN is, obviously, much faster.
- Once you have the WPS PIN you can instantly recover the WPA passphrase, even if the owner changes the passphrase.
- Access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios share the same WPS PIN, knowledge of the PIN allows an attacker to recover all WPA keys.
Of course the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells them to.
To learn more about Reaver, visit our product page, or the open source project on Google Code.
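Because some access points keep advertising WPS after the owner has "disabled" it, the only reliable check is to look at what the AP actually broadcasts. The following is an added example (not code from this post or from the Reaver project) that parses the tagged-parameter section of a beacon frame, finds the WPS vendor-specific information element (element id 221, OUI 00:50:F2, type 0x04), and reports the WPS version, the "Wi-Fi Protected Setup State" attribute (0x1044) and the "AP Setup Locked" attribute (0x1057). The two beacon payloads are constructed inline for the example; the SSID `HomeAP` is made up.

```python
import struct
from typing import Dict, List, Tuple

# Vendor-specific IE (element id 221) whose payload starts with the
# Wi-Fi Alliance OUI 00:50:F2 followed by type 0x04 is the WPS element.
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# WPS attribute ids (2-byte big-endian) that matter for an owner's audit.
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_AP_SETUP_LOCKED = 0x1057

WPS_STATE_NAMES = {1: "not configured", 2: "configured"}


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a beacon's tagged-parameter section into (element id, payload) pairs."""
    ies = []
    pos = 0
    while pos + 2 <= len(data):
        ie_id, ie_len = data[pos], data[pos + 1]
        payload = data[pos + 2 : pos + 2 + ie_len]
        if len(payload) != ie_len:
            raise ValueError("truncated information element")
        ies.append((ie_id, payload))
        pos += 2 + ie_len
    return ies


def parse_wps_attrs(payload: bytes) -> Dict[int, bytes]:
    """Decode the WPS TLV list: 2-byte attribute id, 2-byte length, then value."""
    attrs = {}
    pos = 0
    while pos + 4 <= len(payload):
        attr_id, attr_len = struct.unpack(">HH", payload[pos : pos + 4])
        value = payload[pos + 4 : pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated WPS attribute")
        attrs[attr_id] = value
        pos += 4 + attr_len
    return attrs


def wps_status(ie_bytes: bytes) -> dict:
    """Report whether a beacon advertises WPS and, if so, its version, state and lock flag."""
    status = {"ssid": None, "wps_present": False, "version": None,
              "wps_state": None, "ap_setup_locked": None}
    for ie_id, payload in parse_ies(ie_bytes):
        if ie_id == 0:  # SSID element
            status["ssid"] = payload.decode("utf-8", "replace")
        elif ie_id == 221 and payload.startswith(WPS_OUI_TYPE):
            status["wps_present"] = True
            attrs = parse_wps_attrs(payload[len(WPS_OUI_TYPE):])
            if attrs.get(ATTR_VERSION):
                v = attrs[ATTR_VERSION][0]          # high nibble.major, low nibble.minor
                status["version"] = f"{v >> 4}.{v & 0x0F}"
            if attrs.get(ATTR_WPS_STATE):
                state = attrs[ATTR_WPS_STATE][0]
                status["wps_state"] = WPS_STATE_NAMES.get(state, f"unknown({state})")
            if attrs.get(ATTR_AP_SETUP_LOCKED):
                status["ap_setup_locked"] = attrs[ATTR_AP_SETUP_LOCKED][0] == 1
    return status


def verdict(status: dict) -> str:
    """One-line audit result for the owner of the access point."""
    if not status["wps_present"]:
        return f"{status['ssid']}: no WPS IE in beacon; WPS appears disabled"
    locked = "locked" if status["ap_setup_locked"] else "not locked"
    return (f"{status['ssid']}: WPS {status['version']} advertised, state "
            f"{status['wps_state']}, AP setup {locked}; disable WPS and re-check")


# Constructed sample: SSID, supported rates, a non-WPS vendor IE with the same
# OUI (type 0x02), then a WPS IE saying version 1.0, configured, not locked.
AP_WITH_WPS = (
    b"\x00\x06HomeAP"
    b"\x01\x04\x82\x84\x8b\x96"
    b"\xdd\x06\x00\x50\xf2\x02\x00\x01"
    b"\xdd\x13\x00\x50\xf2\x04"
    b"\x10\x4a\x00\x01\x10"   # Version 1.0
    b"\x10\x44\x00\x01\x02"   # WPS State: configured
    b"\x10\x57\x00\x01\x00"   # AP Setup Locked: no
)

# Constructed sample: same AP after WPS was really turned off (no WPS IE at all).
AP_WITHOUT_WPS = b"\x00\x06HomeAP" b"\x01\x04\x82\x84\x8b\x96"

if __name__ == "__main__":
    for sample in (AP_WITH_WPS, AP_WITHOUT_WPS):
        print(verdict(wps_status(sample)))
```

Feed it the tagged parameters of a beacon captured from your own AP (for example, the bytes after the fixed 12-byte beacon header in a monitor-mode capture) before and after you turn WPS off in the router's UI; if the WPS element is still there afterwards, the setting did nothing. A beacon without the element is strong but not conclusive evidence, since some APs only put the element in probe responses, so check those as well. The Version attribute reads 1.0 even on WPS 2.0 devices, which carry the newer version in a separate vendor extension that this example does not decode.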
Reader Comments (36)
Hello, interesting article of yours; I was wondering if in my WIFI router (configuration): Huawei BM635 this setting may be fixed by selecting WEP in the security configure field?
There is no button or feature to disable WPA but selecting WEP instead of it.
Thank you.
To the person above with the Huawei BM635, you would be better off with no wifi than stepping down to WEP. WEP can be cracked in under 5 minutes with the right wireless card and aircrack. Manually set up your connections and don't use the WPS sync button to do the connections for you. Also, WPA handshakes are trivial to intercept, but take longer to crack with long passphrases over 14 characters. Nothing is foolproof, just time consuming. Wireless in itself is broken for consumers. Radius would be a better solution.
What about if you have wpa2/aes enabled? Still breakable in minutes?
We highly recommend not using WEP to secure your wireless connection. I think the confusion here is in the acronyms: Reaver exploits a vulnerability in WPS (Wifi Protected Setup), not WPA. Disable WPS on your router to secure it, and maintain WPA2 with a strong passphrase.
Also maybe consider using something other than Chinese state-sponsored networking gear.
http://en.wikipedia.org/wiki/Huawei#Security_concerns
How do I get reaver-wps to work on a Mac?
It's not designed for the Mac. You obviously didn't read the installation instructions in the README file. It clearly states, "Reaver is only supported on the Linux platform..."
I've now got Linux, how do I get it to work?
When trying to run Reaver after it's been compiled, I get a "Failed to initialize interface 'mon0'" immediately after being run. I've set my card into monitor mode using both airmon-ng and iwconfig and ifconfig shows mon0 as an active virtual NIC. Airmon-ng/Aircrack have no problem, and libpcap is installed. Any suggestions?
Official video should clear things up. Run as root where appropriate.
http://www.tacnetsol.com/news/2011/12/30/official-reaver-screencast.html
I have it set up and it appears to run up to a point. I've watched the video on the googlecode project and understand what should happen, but it doesn't. To be specific, I get
[+] Associated with C0:83:0A:8D:BF:11 (ESSID: 2WIRExxx) as the last line of output and it just stops. How long before it should start attempting PINs? If it doesn't start attempting PINs, what does that indicate? Thanks!
Great work guys! I feel sorry your comment page has turned into a help needed ad for people trying to hack their neighbour's Wi-Fi. A chain is only as strong as its weakest link. Well done!
-B
From your Products HP: "However, Reaver is not restricted by the limitations of traditional dictionary-based attacks. Reaver is able to extract the WPA PSK from the access point within 4 - 10 hours ...".
No kidding ...? A WPA/PSK TKIP key with 63 hex values?
I'd say that would take about 4 - 10 times the age of the Universe.
^ You've missed the point.
Reaver DOESN'T crack WPA directly - it cracks WPS (8 digits). Once that's cracked and they're in THEN the WPA key is easily retrieved afterwards regardless of its length or complexity.
Game Over.
That's a relief.
I read what they wrote as: Reaver could crack the WPA/PSK TKIP key. "Reaver is able to extract the WPA PSK from the access point ...".
Maybe it should read: Reaver is able to extract the WPA PSK from the access point by cracking the WPS PIN within 4 - 10 hours.
Excellent work! Guess it's time to reconfigure some routers!
Hello, do you think product as Private WIFI: http://www.privatewifi.com/ may protect from an attack? Thank you.
Well nice work!
Didn't even know it was possible to bruteforce the WPS "wirelessly"
@Trikk: Use sudo
Your statement that "roughly 95% of modern consumer-grade access points ship with WPS enabled by default" sounds like a security vendor promoting their own services. WPS didn't really hit the market significantly until 2009. The real question is how much of the "market" has WPS active, not how devices today ship. Removing from the equation those running open networks, WEP, older APs with WPA, older APs with WPA2, and those who have customized their WPS-capable systems, we're probably down to a much lower number like 15%. However that is still a heck of a lot of vulnerable access points.
Greetings.
I am using Ubuntu 64-bit and at compile time of Reaver 1.3 with ./configure I get the message Permission denied.
It installed correctly on the 32-bit Backtrack 5 Gnome livecd, but my virtual machine in Ubuntu gives the denial that I mentioned.
Help please.
@reninho you probably ran tar as root and are trying to access files as root from a normal user. Either "sudo -s" so you can stay as root or run "sudo" before all of your commands. See the Reaver README or the many Reaver howtos and videos on the Internet for instructions.
First - Thank you for posting this captivating information. What a discovery to make! Smart people out there for sure!
Second - A matter of clarification please. Some WAP manufacturers separate out a WAP from a Wireless Router. Netgear makes this distinction for one. Yet I am under the impression that a WAP is a Wireless Router, as is a wireless printer port, as is a wireless repeater, and etc… Is not any Wireless Router using WPS and a PIN subject to this security lapse?
Third - I am aware of this problem because I subscribe to US - CERT bulletins. However, cruising through the mainstream media I cannot find any other mention of this problem. That surprises me as I consider this breach a 'clear and present' danger to probably millions of unsuspecting WAP users. While more sophisticated users will be able to update the firmware, or skirt around using the PIN with WPS, I have a multitude of clients that would rather jump off a cliff as opposed to messing about in their WAPs internal settings. Further, despite the shift of security threats away from the 16 year old kid down the block to cadres of professional Russian and Chinese hackers, this particular breach could cause a resurgence of 'neighborhood hacking' by the kid(s) down the street or one street over. Once they discover that the wireless router belonging to Mr. Johnson can be hacked in a matter of hours they will be all over it.
Am I overstating the potential for abuse here? Am I missing something? It seems that outside of the inner circles no one seems to give a hoot. Netgear certainly has not posted anything about it.
What gives?
Thank you all again.
Mike
If the WAP is utilizing Access Control based on device MAC, does this preserve its integrity or just present another obstacle?
The article says "Of course the disadvantage is that WPS can be disabled." What does disabling WPS mean? Is the WiFi still secured?
Great work,
To answer some of the above, if it gets to [+] Associated with C0:83:0A:8D:BF:11 (ESSID: 2WIRExxx) and stops, this is a good indication that you don't have WPS enabled on your access point. Which is a good thing in as much as you can't be exploited via this. If it starts trying pins then WPS is enabled and the chances are within the 4-10 hours it will crack it. I'd personally test this on your corporate/home access points and then disable WPS functionality if you find that you have it enabled. No disadvantages to disabling it other than retrieving your WPA key via it won't work for you if ever you forgot it.