
Page 1 of 2 (results 1 to 20 of 37)
    #1 Raptor (DF Founder)

    Hands-on: hacking WiFi (WPA/WPA2) Protected Setup with Reaver


    (Image caption) The MAC address and WiFi Protected Setup PIN for the router attacked in our Reaver test.


    WiFi hacking has long been a favorite pastime of hackers, penetration testers, and people too cheap to pay for their own Internet connection. And there are plenty of targets out there for would-be hackers and war drivers to go after: just launch a WiFi scanner app in any residential neighborhood or office complex, and you're bound to find an access point that's either wide open or protected by weak encryption. Fortunately (or unfortunately, if you're the one looking for free WiFi), those more blatant security holes are going away through attrition as people upgrade to newer routers or network administrators hunt down vulnerabilities and stomp them out. But as one door closes, another opens.

    Last week, security researchers disclosed a vulnerability in WiFi Protected Setup (WPS), an optional device configuration protocol for wireless access points. WPS lets users enter a personal identification number that is hard-coded into the access point in order to quickly connect a computer or other wireless device to the network. The structure of the WPS PIN and a flaw in the protocol's response to invalid requests make attacking WPS relatively simple compared to cracking a WiFi Protected Access (WPA or WPA2) password. On December 28, Tactical Network Solutions released an open-source version of an attack tool, named Reaver, that exploits the vulnerability.

    To find out just how big the hole was, I downloaded and compiled Reaver for a bit of New Year's geek fun. As it turns out, it's a pretty big one: even with WPS allegedly turned off on a target router, I was able to get it to cough up the SSID and password. The only way to block the attack was to turn on Media Access Control (MAC) address filtering to block unwanted hardware.

    My target was a Cisco Linksys WRT54G2 Wireless-G Broadband Router, an older but fairly common residential WiFi router. The PIN for the router is printed on the bottom, along with its MAC address; in WPS mode, a computer can use that PIN to retrieve the network configuration information without the user having to worry about remembering a long password or otherwise mess with the router's administrative interface. Normally, to get the PIN, you'd need to have physical access to the router.

    For my attack platform, I used an aging Toshiba Satellite A135 running Ubuntu 11.10. In order to compile Reaver, I also had to install libpcap, the network traffic capture library, through Ubuntu's Software Center. With libpcap configured, Reaver compiled without a hitch, and it was time to start beating on the door.

    The first step in mounting an attack on a WiFi router is to identify the target's MAC address. While I was able to read it right off the router, the address was also easy to grab using a WiFi scanning application. (The scanner also revealed that most of my neighbors' WiFi networks were also potentially vulnerable to Reaver, or that they were still running older routers using only WEP security—and some had no security in place at all.) With the MAC of my target recorded, I prepared to unleash Reaver.

    Before launching a brute-force PIN-guessing effort with Reaver, the attack platform's wireless adapter needs to be put into "monitor" mode. In Linux, that's done from the command line using ifconfig (an interface configuration tool) and iwconfig (which controls the configuration of wireless interfaces); both need to be run as the root user. After making sure I was disconnected from any other WiFi network, I went into an Ubuntu terminal window and entered:

    sudo ifconfig wlan0 down
    sudo iwconfig wlan0 mode monitor
    sudo ifconfig wlan0 up


    With the wireless adapter now ready to perform packet capture, I launched Reaver. Reaver is a command-line tool; Tactical Network Solutions also sells a commercial version that includes a Web-based client and software support. While I used version 1.2 of Reaver, a 1.4 version was released on January 23, and it can speed up attacks. It does so by reducing the size of the "secret number" used to create the shared encryption key used to pass requests; this cuts the crypto workload on the access point and reduces the time needed between attempts.

    Reaver only requires two inputs to launch an attack: the interface to use to launch it, and the MAC address of the target. Because it accesses the wireless adapter directly, it needs to be run as root:

    sudo reaver -i wlan0 -b 00:01:02:03:04:05

    I went with this default approach, but there are a number of other parameters that can be used to tweak the attack for different routers, such as setting the tool to pause when the access point stops responding, and adding a response back to the access point to clear out failed attempts (this is not required by most routers). The results:
    The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again.

    Having demonstrated the insecurity of WPS, I went into the Linksys' administrative interface and turned WPS off. Then, I relaunched Reaver, figuring that surely setting the router to manual configuration would block the attacks at the door. But apparently Reaver didn't get the memo, and the Linksys' WPS interface still responded to its queries—once again coughing up the password and SSID.

    The tool also managed to repeatedly cause the router to stop responding to other computers on the network, essentially creating a denial of service attack—a great thing to remember for the next time my neighbors have a loud, all-night Call of Duty session.

    In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable."

    MAC filtering doesn't help either; that's "easily circumvented," he said. All an attacker has to do is use a network monitoring tool to detect the MAC address of a system that has an existing connection to the router, and set that as the address of their attack platform.

    Six to eight hours seems like a lot of time to spend trying to hack into someone's residential WiFi. But considering how many small and medium-sized businesses use access points like the Linksys—and the kinds of data that could be exposed by gaining access to the computers on even the average home network—there's plenty of potential damage to be done by those who run the tool, or something similar of their own devising. And the attack could be carried out unattended, using a device left near the target network and controlled remotely.

    The bottom line is that, while WPS was designed for simple security, there is no such thing as simple security. The only way to be absolutely sure that someone can't gain access to your wireless network with the WPS hack is to make sure you use a router that doesn't support the protocol.

    5 Thanks given to Raptor

    ka$h (25th January 2012), muttleymacclad (25th January 2012), Northernbloke (25th January 2012), Over carl (24th January 2012), reverend (24th January 2012) 
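The post above says that the structure of the WPS PIN and the protocol's response to a wrong PIN make the brute force cheap, and that it finished in about six hours. The following is an added example, not code from the original article, from the forum, or from the Reaver project, that makes those two points concrete. It computes the eighth (checksum) digit of a WPS PIN and then runs a Reaver-style search against a toy in-process stand-in for the access point. The stand-in leaks exactly what the real WPS exchange leaks (a wrong first half is refused after message M4, a wrong second half after M6, and a correct PIN yields M7 with the network configuration), so the two halves can be confirmed independently. The PIN values, the `SimulatedRegistrar` class and the seconds-per-attempt figure are constructed for illustration; nothing here talks to a real AP.

```python
"""
Why the WPS PIN falls to a short brute force.

Added example (not from the original post, the article it quotes, or Reaver).
The AP is simulated in-process; PINs and timings are constructed test data.
"""
from dataclasses import dataclass

# Weights for the first seven digits, most significant first.  This is the
# WPS checksum as also implemented by wps_pin_checksum() in wpa_supplicant.
_CHECKSUM_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first7: str) -> int:
    """Return the eighth (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(int(d) * w for d, w in zip(first7, _CHECKSUM_WEIGHTS))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


@dataclass
class SimulatedRegistrar:
    """Toy stand-in for the AP's WPS handling (constructed, not a real AP)."""
    pin: str
    attempts: int = 0

    def __post_init__(self) -> None:
        if not is_valid_pin(self.pin):
            raise ValueError("AP PIN must carry a valid checksum")

    def try_pin(self, candidate: str) -> str:
        """Mimic the M4/M6 leak: the attacker learns which half was wrong."""
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            return "NACK after M4"   # first half wrong
        if candidate[4:] != self.pin[4:]:
            return "NACK after M6"   # first half right, second half wrong
        return "M7"                  # AP hands over SSID and WPA passphrase


def split_search(ap: SimulatedRegistrar) -> tuple[str, int]:
    """Reaver-style search: up to 10^4 tries for the first half, then 10^3."""
    # Stage 1: find the first half; the trailing "0000" is only a placeholder.
    for p1 in range(10_000):
        first = f"{p1:04d}"
        if ap.try_pin(first + "0000") != "NACK after M4":
            break
    else:
        raise RuntimeError("first half not found")
    # Stage 2: three free digits; the eighth digit is forced by the checksum.
    for p2 in range(1_000):
        prefix = first + f"{p2:03d}"
        candidate = prefix + str(wps_checksum(prefix))
        if ap.try_pin(candidate) == "M7":
            return candidate, ap.attempts
    raise RuntimeError("second half not found")


def worst_case_attempts() -> tuple[int, int]:
    """(split search, naive search over every checksum-valid 8-digit PIN)."""
    return 10_000 + 1_000, 10 ** 7


def estimate_hours(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock estimate; seconds_per_attempt is an assumed figure, not measured."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")   # a commonly cited example WPS PIN
    pin, n = split_search(ap)
    print(f"recovered {pin} after {n} attempts")
    split, naive = worst_case_attempts()
    print(f"worst case: {split} attempts vs {naive} for a naive search")
    print(f"at an assumed 2 s/attempt that is about {estimate_hours(split, 2):.1f} hours")
```

The search space drops from ten million checksum-valid PINs to at most 11,000 attempts because each half is confirmed on its own; at an assumed couple of seconds per attempt that lands in the same six-hour range the post reports. `is_valid_pin()` is also the check to run on a PIN printed on a router label before trusting it as input.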


    #2 Raptor (DF Founder)

    FYI, I just bought one of these, so I'll report my findings:





    #3 BIG-TED (DF Moderator)

    Does this still need one of a few specific cards to work, or does it pretty much work on any?

    Ted

    #4 losttoy (DF VIP Member)

    Might have a mess about with this later; 6-8 hours is amazing. You'll need a card capable of injection. Most Atheros chips are good; you'll find a complete list on the BackTrack site.

    #5 DJ Overdose (DF Super Moderator)

    Quote Originally Posted by Raptor:
    FYI, I just bought one of these, so I'll report my findings:



    Wow!

    If that works as well as it claims to, then it's one cool bit of kit, even for $600!


    DJ OD

    #6 evilsatan (DF Super Moderator)

    Inflator is a Reaver command generator.

    Demo:


    Not sure if the download link is allowed, but it looks like there is a custom BackTrack package which contains Inflator.

    EDIT: Actually, it looks like Inflator has to be added to BackTrack.
    Last edited by evilsatan; 25th January 2012 at 10:40 AM.


    #7 Undertaker (DF VIP Member)

    Interesting; it's been a while since I last looked at BackTrack.

    The solution is to disable WPS, but it looks like some routers cannot do this; they may need a firmware update.

    Anyway, what were they thinking when they invented WPS? Not surprised it's been attacked.

    #8 mc.dodd (DF Moderator)

    Quote Originally Posted by evilsatan:
    Inflator is a Reaver command generator.

    Demo:

    Not sure if the download link is allowed, but it looks like there is a custom BackTrack package which contains Inflator.

    EDIT: Actually, it looks like Inflator has to be added to BackTrack.

    I've downloaded BackTrack 5, but there isn't an option for Inflator under the WLAN Exploitation Tools menu. Is there another version out there?



    #9 evilsatan (DF Super Moderator)

    Quote Originally Posted by mc.dodd:
    I've downloaded BackTrack 5, but there isn't an option for Inflator under the WLAN Exploitation Tools menu. Is there another version out there?

    You need to add Inflator to BackTrack; I'm not sure how to do this. Search for Inflator to get the package; I saw it on the ibeini blog. I have put BackTrack 5 on my multi-boot USB, so I'm not sure if any additions will be saved.



    #10 iNSPECTA (DF VIP Member)

    To add Inflator to BackTrack, do the following:
    1. Download the Inflator package from its homepage.
    2. Extract the zip to be left with inflator1.0-backtrack5r1-gnome-bit32.deb
    3. Place inflator1.0-backtrack5r1-gnome-bit32.deb in the root folder within BackTrack
    4. Open a terminal window and type: dpkg -i inflator1.0-backtrack5r1-gnome-bit32.deb

    To add Reaver, do all of the following in a terminal window:
    Download the tarball (requires an active net connection):
    # wget
    Extract the download using:
    # tar zxvf reaver-1.4.tar.gz
    Browse to the Reaver dir:
    # cd reaver-1.4/src
    Configure:
    # ./configure
    Make:
    # make
    Install:
    # make install

    Now you are good to go.

    To save your session, hit Ctrl+C (don't do this during a timeout; if you get 10 bad connections it'll result in a segmentation fault). To resume your session, simply attack the same BSSID.
    For those using a live distro, you will have to do the above on each boot.
    Reaver saves its sessions in /usr/local/etc/reaver/<bssid>.wpc; copy this file somewhere safe, then put it back after each boot.

    It's still pretty buggy. It works, but some trial and error is required for different routers; it does have a habit of just freezing and doing nothing, which happens to me roughly every 1-2 hours, so you need to keep an eye on it.



    #11 mc.dodd (DF Moderator)

    Do I need the Reaver install? I'm trying to make a bootable live USB to try this on.
    Which folder do I drop Inflator into on the USB: casper, isolinux, or just the root of the USB?
    Many thanks for help in advance.
    mcd



    #12 iNSPECTA (DF VIP Member)

    Yeah, you need both; Inflator is just a front-end GUI for Reaver.
    What I did was download the two and keep them in a folder on the C:\ of the host machine. When I booted into BackTrack live it would mount C:\ and I'd copy the files from there into the root folder of BackTrack. (All this was done in the graphical interface, booted with the startx command.)
    Once I'd copied them there, I'd use the terminal to do the unpack and install.

    It became too much of a ball ache to keep doing, so I just installed BackTrack 5 on my laptop using the installer; I dual boot with Win7 and my BackTrack installs and config stay permanent.



    #13 reverend (DF Jedi)

    I have dug the old RT73 USB dongle out for this; looking forward to giving it a go later. Thanks, guys.

    #14 mc.dodd (DF Moderator)

    Quote Originally Posted by iNSPECTA:
    Yeah, you need both; Inflator is just a front-end GUI for Reaver.
    What I did was download the two and keep them in a folder on the C:\ of the host machine. When I booted into BackTrack live it would mount C:\ and I'd copy the files from there into the root folder of BackTrack. (All this was done in the graphical interface, booted with the startx command.)
    Once I'd copied them there, I'd use the terminal to do the unpack and install.

    It became too much of a ball ache to keep doing, so I just installed BackTrack 5 on my laptop using the installer; I dual boot with Win7 and my BackTrack installs and config stay permanent.

    Okay, I'll try that, but which folder do I drop the Inflator and Reaver files into, please?



    #15 iNSPECTA (DF VIP Member)

    When you start BackTrack up there is a folder called 'root'; stick the .deb and .tar files there, then run the terminal commands.



    #16 Undertaker (DF VIP Member)

    If trying to run it on Ubuntu or other distros:

    chmod 777 the inflator.desktop file, then run it.



    #17 mc.dodd (DF Moderator)

    Thanks, got it running, but the AP cannot be found. Oh well, it did come up once with WPS Protected Setup, but that seems to have gone. Back to the drawing board for now.



    #18 Undertaker (DF VIP Member)

    mc.dodd - could be the wash program.

    Only available on 1.4, I think.



    #19 mc.dodd (DF Moderator)

    Quote Originally Posted by Undertaker:
    mc.dodd - could be the wash program.

    Only available on 1.4, I think.

    I have installed version 1.4, pal. I just think the WPS option may have been disabled; it was showing up at one point.



    #20 doughboy (DF Jedi)

    Very interesting.

    Have just run a live BT5R1 with Reaver 1.4, and it presented me with my 39-character WPA2 password.
