Friday, August 9, 2013

Crack WPA/WPA2 with Reaver

WPA/WPA2 has become less secure. Within a matter of hours you can retrieve the WiFi password thanks to a useful tool called Reaver, which is the tool used in this tutorial. A team named Tactical Network Solutions found a weakness in WPA that allows an attacker to brute-force the Wi-Fi Protected Setup (WPS) PIN and recover an access point's password within 4-10 hours. This method may only be used if the WiFi network is using PSK (Pre-Shared Key) as the authentication method.

In this tutorial I will be using BackTrack 5 RC3, though any modern Linux distribution will work.

In order to do this attack, you will require a wireless adapter that can be put into monitor mode. I recommend the Realtek RTL8187. Alfa cards will also do the job and you can find either one of these online for pretty cheap.

Step 1: Open a terminal window and find your wireless adapter.

Type in airmon-ng and this will display the wireless adapters you have connected.
Notice the interface in the screenshot above is “wlan0”. I will use this in the next step.

Step 2: Put your Wireless Adapter into monitor mode.

You can do this by typing: airmon-ng start wlan0
(Yours may be different than wlan0, make sure to get the interface from the first step.)
Monitor mode lets your wireless adapter capture all the traffic it receives, not just traffic addressed to it.
After this is complete, you will see at the bottom: “monitor mode enabled on mon0”. This confirms that your wireless adapter has been set to monitor mode.

Step 3: Determine which Access Point to attack.

In this step we will find out the BSSID of the access point you want to attack. This is the unique identifier for the access point.

Type: airodump-ng mon0
This will list all of the access points that are in your area and give their BSSIDs:
For this tutorial, I will be using the top network, “linksys”.
Under “Auth” you will see PSK (Pre-Shared Key). This cracking process will only work if the network is using PSK. Take note of the BSSID and the channel number.

Step 4: Let’s get cracking

We will now use Reaver to target the specific BSSID and Channel number to retrieve the password from the router.
The command you will type in is:
reaver -i mon0 -c 6 -b 80:96:B1:AA:A3:92 -vv
The 6 and the 80:96:B1:AA:A3:92 will be different for you of course, depending on the channel and BSSID you are targeting.
-i = The interface you wish to use.
-c = The channel number
-b = The BSSID of the access point.
-vv = Very verbose, it gives detailed information along the way but it is not required.

As you can see, Reaver starts by trying PIN 12345670 against the Pre-Shared Key. It will keep trying PINs until the correct one is found. When it is found, the access point's password will be shown to you!
*This process can take roughly 4-10 hours.
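
Why the first PIN tried is 12345670 and why the search ends in hours, as an added example (not part of the original post and not Reaver's code): the eighth digit of a WPS PIN is a checksum, and the exchange confirms the first four digits separately from the next three, which leaves 11,000 candidates. The per-attempt times and the lockout policy below are assumed values, used to show how rate limiting on the access point stretches the search.

```python
"""WPS PIN structure and brute-force cost model (illustrative, constructed values)."""

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # checksum weights from the WPS specification


def wps_checksum(first7: int) -> int:
    """Return the eighth (check) digit for the first seven PIN digits."""
    digits = [int(d) for d in f"{first7:07d}"]
    total = sum(w * d for w, d in zip(WEIGHTS, digits))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


# Seven free digits if the PIN were only accepted or rejected as a whole.
WHOLE_SPACE = 10 ** 7
# The exchange reveals whether digits 1-4 were right before digits 5-7 are
# tested, so the halves are searched one after the other, not multiplied.
SPLIT_SPACE = 10 ** 4 + 10 ** 3


def worst_case_hours(attempts, secs_per_attempt, lock_after=0, lock_secs=0):
    """Hours to try every candidate; optionally the AP locks WPS for
    lock_secs after every lock_after failed attempts (hypothetical policy)."""
    total = attempts * secs_per_attempt
    if lock_after:
        total += (attempts - 1) // lock_after * lock_secs
    return total / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("candidates:", WHOLE_SPACE, "->", SPLIT_SPACE)
    # 1.3 s and 3.3 s per attempt are assumed rates, chosen to bracket the 4-10 hours above.
    for rate in (1.3, 3.3):
        print(f"{rate} s/attempt, no lockout: {worst_case_hours(SPLIT_SPACE, rate):.1f} h")
    # Assumed lockout: 60 s pause after every 3 failures.
    print(f"with lockout: {worst_case_hours(SPLIT_SPACE, 1.3, 3, 60):.1f} h")
    print(f"no split, no lockout: {worst_case_hours(WHOLE_SPACE, 1.3) / 24:.0f} days")
```

A lockout only slows the search; turning off WPS PIN on the access point removes this search space entirely.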


