Cracking WiFi Protected Setup with Reaver

UPDATE: Reaver Pro now available on the HakShop

Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allow attackers to recover WPA/WPA2 passphrases in a matter of hours.

This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).

While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality as well as a support plan. Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:

 

  1. Cracking the WPS pin is, obviously, much faster.
  2. Once you have the WPS pin you can instantly recover the WPA passphrase, even if the owner changes the passphrase.
  3. Access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.

 

Of course, the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells them to.

To learn more about Reaver, visit our product page, or the open source project on Google Code.
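Because some access points keep WPS running after the owner switches it off, the setting is worth verifying from the air rather than trusting the admin page. The following is an added example, not part of Reaver or the original post: it parses the tagged parameters of a beacon from an access point you administer and reports whether the WPS information element is still advertised. It assumes the beacon's tagged-parameter bytes have already been extracted from a packet capture; the sample beacons are constructed for illustration.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044                   # Wi-Fi Protected Setup State
ATTR_AP_SETUP_LOCKED = 0x1057             # AP Setup Locked

def find_wps_ie(ies: bytes):
    """Walk 802.11 tagged parameters (id, length, body); return the WPS body or None."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if eid == 221 and body[:4] == WPS_OUI_TYPE:
            return body[4:]
        pos += 2 + length
    return None

def parse_wps_attrs(data: bytes) -> dict:
    """WPS attributes are big-endian type(2) / length(2) / value records."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def audit_wps(ies: bytes) -> str:
    """Classify one beacon from an AP you administer."""
    wps = find_wps_ie(ies)
    if wps is None:
        return "wps-absent"
    if parse_wps_attrs(wps).get(ATTR_AP_SETUP_LOCKED) == b"\x01":
        return "wps-advertised-locked"
    return "wps-advertised"

# Constructed sample beacons (not captured from real devices).
def ie(eid, body): return bytes([eid, len(body)]) + body
def attr(atype, value): return struct.pack(">HH", atype, len(value)) + value

SSID = ie(0, b"office-ap")
WMM = ie(221, bytes.fromhex("0050f202") + b"\x01\x01")   # same OUI, not WPS
BEACON_WPS_OFF = SSID + ie(48, b"\x01\x00") + WMM
BEACON_WPS_ON = SSID + WMM + ie(221, WPS_OUI_TYPE + attr(0x104A, b"\x10") + attr(ATTR_WPS_STATE, b"\x02"))
BEACON_WPS_LOCKED = SSID + ie(221, WPS_OUI_TYPE + attr(ATTR_WPS_STATE, b"\x02") + attr(ATTR_AP_SETUP_LOCKED, b"\x01"))
```

Run `audit_wps` on a beacon captured after turning the WPS setting off; any result other than `wps-absent` means the access point is still advertising WPS.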

Reader Comments (20)

Hello, interesting article yours; I was wondering if in my WIFI router (configuration): Huawei BM635 this setting may be fixed by selecting: WEP in security configure field?

There is no button or feature to disable WPA but selecting WEP instead of it.

Thank you.

December 30, 2011 | Unregistered Commenter cypherinfo

To the person above with the Huawei BM635, you would be better off with no wifi, than stepping down to WEP. WEP can be cracked in under 5 minutes with the right wireless card and aircrack. Manually set up your connections and don't use the WPS sync button to do the connections for you. Also, WPA handshakes are trivial to intercept, but take longer to crack with long passphrases over 14 characters. Nothing is foolproof, just time consuming. Wireless in itself is broken for consumers. Radius would be a better solution.

December 30, 2011 | Unregistered Commenter DigiP

What about if you have wpa2/aes enabled? Still breakable in minutes?

December 30, 2011 | Unregistered Commenter Glenn

We highly recommend not using WEP to secure your wireless connection. I think the confusion here is in the acronyms-- Reaver exploits a vulnerability in WPS (Wifi Protected Setup) not WPA. Disable WPS on your router to secure it, and maintain strong passphrase encrypted WPA2.

December 30, 2011 | Registered Commenter Tactical Network Solutions

Also maybe consider using something other than Chinese state-sponsored networking gear.
http://en.wikipedia.org/wiki/Huawei#Security_concerns

December 30, 2011 | Unregistered Commenter Zach

How do I get reaver-wps to work on a Mac?

December 30, 2011 | Unregistered Commenter MyK

It's not designed for the Mac. You obviously didn't read the installation instructions in the README file. It clearly states, "Reaver is only supported on the Linux platform..."

December 30, 2011 | Unregistered Commenter Tee Bone Jones

I've now got Linux, how do I get it to work?

December 30, 2011 | Unregistered Commenter MyK

When trying to run Reaver after it's been compiled, I get a "Failed to initialize interface 'mon0'" immediately after being run. I've set my card into monitor mode using both airmon-ng and iwconfig and ifconfig shows mon0 as an active virtual NIC. Airmon-ng/Aircrack have no problem, and libpcap is installed. Any suggestions?

December 30, 2011 | Unregistered Commenter Trikk

Official video should clear things up. Run as root where appropriate.
http://www.tacnetsol.com/news/2011/12/30/official-reaver-screencast.html

December 30, 2011 | Unregistered Commenter Zach

I have it set up and it appears to run up to a point. I've watched the video on the googlecode project and understand what should happen, but it doesn't. To be specific, I get [+] Associated with C0:83:0A:8D:BF:11 (ESSID: 2WIRExxx) as the last line of output and it just stops. How long before it should start attempting PINs? If it doesn't start attempting PINs, what does that indicate?

Thanks!

December 30, 2011 | Unregistered Commenter slefevre

Great work guys! I feel sorry your comment page has turned into a help needed ad for people trying to hack their neighbour's Wi-Fi. A chain is only as strong as its weakest link. Well done!

-B

January 1, 2012 | Unregistered Commenter FBi

Please could somebody develop, in the next version of Reaver, a way for the program to select a smaller range of pins to scan. I.e. currently the program selects 10 or so default pins (eight digit), then goes from 00000000 to 99999999. I have noticed that some of the newer routers are using pins above 70000000. However, the scanner has to go through all the numbers before this. If by the process of elimination before AP limiting you have discounted in your session 1 all the pins before 70000000 and you believe the target AP is above, plus maybe an AP limiting lockout has occurred, it would be good to come back for session 2 on a fresh reboot. But how to start the new session from 70000000, to get the last raw 30% of pins, i.e. 7000xxxx to 9999xxxx. Noted this is relevant for Cisco, which is above 70000000 but is giving me a hard time with AP limiting. (As at Jan 2014.)

January 7, 2014 | Unregistered Commenter Ghostly

I have used bcmon working well,
Also got aircrack gui working, found many wep wpa keys,
got reaver with bcmon working best,
I have cm7 wid bcm4329 chipset,

But, only one query is, one dlink router changes wps pin randomly, even after 10 unsuccessful pin attempts, error seen "eapol start request fail", after change mac, other 10 pin become possible,

In reaver, I tried all option, like -x , -N ,-L ,-r ,-A -w,

So, if anyone have some guide line, plz reply,
Its not rom issue, I think its the router complex security,

So, any smart way??

March 9, 2014 | Unregistered Commenter aceking
