Reaver Pro Demo Video
Friday, January 6, 2012 at 15:04 UPDATE: Reaver Pro now available on the HakShop!
TNS Reaver Pro Demo from Tactical Network Solutions on Vimeo.
Reaver Now Goes to 11
Monday, January 2, 2012 at 14:41 UPDATE: Reaver Pro now available on the HakShop!
The decision has been made to open source the Reaver command line tool. The commercial version will contain all the features the open source command-line tool has along with a web based client, support, and service options.
This means that the open source version of Reaver will have much requested features, such as identification of WPS enabled networks and pause/resume functionality.
This also means that Reaver will have the ability to specify specific options for a given model inside a database. In other words, if it is known that certain options are required or helpful when attacking XYZ router, you can put them in the database and they will be automatically applied whenever you target that model router. How often the FOSS database will be updated remains to be seen, obviously those paying for the support plan will take priority.
The latest Reaver release (1.3) now also implements the short DH key optimizations described in the original vulnerability release paper, which reduces computation time on the target AP and increases the attack speed.
open source, reaver, wpa, wps in Reaver Official Reaver Screencast
Friday, December 30, 2011 at 14:53 Cracking WPS with Reaver from Zach on Vimeo.
Cracking WiFi Protected Setup with Reaver
Wednesday, December 28, 2011 at 12:51 UPDATE: Reaver Pro now available on the HakShop!
Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allows attackers to recover WPA/WPA2 passphrases in a matter of hours.
This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).
While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality as well as a support plan. Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:
- Cracking the WPS pin is, obviously, much faster.
- Once you have the WPS pin you can instantly recover the WPA passphrase, even if the owner changes the passphrase.
- Access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.
Of course the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells it to.
To learn more about Reaver, visit our product page, or the open source project on Googlecode.