co4ie

Reaver brute force attack Tool, Cracking WPA in 10 Hours


The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.


Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

Usage is simple: just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

WPS allows users to enter an 8-digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.

Get open source version of Reaver at Google Code

Source

I will make a video with a PoC of this method ... I hope it is what we have all been waiting for!!


From what has been said, it seems valid only if the Access Point supports the PIN method. In theory, though, such an (online) brute force generates a lot of traffic, given that it has to check whether that PIN is correct and then try the next one if it is not, checking whether it was given the PSK or not.

I'm waiting for your PoC, co4ie, and if possible, also put a listener (Wireshark or whatever) so the dump shows how much traffic is generated towards the AP and whether reaver verifies each attempted PIN online, or whether it manages somehow to do it offline.

If I got something wrong (these are just theories, I haven't tested what I wrote), correct me.
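The reply above asks how much traffic an online PIN brute force generates at the AP; that same property is what a defender can watch for. The script below is an added example, not code from either post or from the Reaver project: it takes AP-side WPS events already normalized to a constructed one-line format (timestamp, event name, client MAC; the event names wps_m2, wps_nack and wps_done are assumed labels, not real hostapd or vendor output) and raises an alert for any client whose rejected PIN attempts exceed a threshold inside a sliding time window. A legitimate enrolment produces at most a mistyped PIN or two from one MAC; a registrar walking the PIN space produces a steady stream of rejections from the same MAC, which is the signal counted here.

```python
"""Flag WPS PIN brute-force attempts in normalized AP event logs (added example).

Assumed input format (constructed, not a real AP log):
    <ISO-8601 timestamp> <event> <client MAC>
where 'wps_m2' starts a WPS registration exchange, 'wps_nack' means the AP
rejected the supplied PIN, and 'wps_done' means the enrolment completed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one normalized log line into (timestamp, event, mac); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower()


def detect_wps_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Return {mac: (first_alert_time, rejections_in_window)} for clients whose
    rejected PIN attempts ('wps_nack') exceed `threshold` within `window`.

    A per-MAC deque of recent rejection timestamps is trimmed to the window on
    every new event, so memory stays bounded by the attack rate, not log size.
    """
    recent = defaultdict(deque)  # mac -> timestamps of recent rejections
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, event, mac = parsed
        if event != "wps_nack":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and mac not in alerts:
            alerts[mac] = (ts, len(q))  # alert once, at the first crossing
    return alerts


def build_sample_log():
    """Constructed sample: one legitimate enrolment plus one PIN-guessing client."""
    base = datetime(2012, 1, 1, 10, 0, 0)
    lines = [
        # Legitimate user: mistypes the PIN once, retries, succeeds.
        f"{base.isoformat()} wps_m2 aa:bb:cc:dd:ee:01",
        f"{(base + timedelta(seconds=2)).isoformat()} wps_nack aa:bb:cc:dd:ee:01",
        f"{(base + timedelta(seconds=30)).isoformat()} wps_m2 aa:bb:cc:dd:ee:01",
        f"{(base + timedelta(seconds=32)).isoformat()} wps_done aa:bb:cc:dd:ee:01",
    ]
    # Guessing registrar (assumed MAC): a new exchange and a rejection every 3 s.
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} wps_m2 de:ad:be:ef:00:02")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()} wps_nack de:ad:be:ef:00:02")
    lines.sort()  # same-width ISO timestamps sort chronologically as strings
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for mac, (when, n) in detect_wps_bruteforce(build_sample_log()).items():
        print(f"ALERT {mac}: {n} rejected WPS PIN attempts by {when.isoformat()}")
```

With the constructed sample, the guessing client trips the alert at its eleventh rejection (31 seconds in) while the user who mistyped once never does; the window and threshold are the knobs to tune against a site's real enrolment rate. The same count, taken from a Wireshark capture of EAP exchanges at the AP rather than from AP logs, answers the reply's question about how visible the online attack is.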
