How hackers use Reaver to exploit WPS and crack WPA networks
Hackers are using the ‘Reaver’ tool to exploit the WiFi Protected Setup (WPS) feature found on many WiFi routers and access points. This method involves remotely brute-forcing the WPS handshaking process to potentially crack a WPA network. Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintained. But while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible.
This article looks at the weaknesses in WPS and shows how Reaver is used to expose them. We’ll take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.
How a WPS PIN attack works
An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This is a convenient feature that allows the user to configure a client device against a wireless network by pressing a button on the access point and on the client device (the client side “button” is often in software) at the same time. The devices trade information, and then set up a secure WPA link.
On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.
But a tool called Reaver has been designed to brute-force the WPS handshaking process remotely, even if the physical button hasn’t been pressed on the access point. While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.
Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.
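A check for the mitigation in the note, written here as an added example (it is not the article's or hostapd's own code): it audits a hostapd.conf fragment for WPS being enabled, a PIN method being offered and a static AP PIN being set, with a constructed weak configuration beside the disabled one. The hostapd keys it reads (wps_state, ap_pin, ap_setup_locked, config_methods) are real; the two configurations and the SSID are made up for the example.

```python
"""Audit a hostapd.conf for the WPS exposure described in the note above.

Added example, not from the article or from hostapd. It reads only the
keys wps_state, ap_pin, ap_setup_locked and config_methods as written in
the file (hostapd defaults are not modelled); both configs are constructed.
"""
# hostapd: wps_state=0 disables WPS; 1 (unconfigured) or 2 (configured)
# enable it. These config_methods values are the PIN-based ones; push_button
# is the button method the article describes.
PIN_METHODS = {"label", "display", "keypad", "virtual_display",
               "physical_display"}

def parse_hostapd_conf(text):
    """Return {key: value} for 'key=value' lines, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_wps(text):
    """Return a list of findings; an empty list means WPS is off."""
    conf = parse_hostapd_conf(text)
    if conf.get("wps_state", "0") == "0":
        return []                 # hostapd default: WPS disabled
    findings = ["WPS enabled (wps_state=%s)" % conf["wps_state"]]
    pin = set(conf.get("config_methods", "").split()) & PIN_METHODS
    if pin:
        findings.append("WPS PIN method advertised: " + " ".join(sorted(pin)))
    if "ap_pin" in conf:
        findings.append("static ap_pin set (the AP PIN a registrar must present)")
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append("ap_setup_locked=1 not set (AP not advertising WPS Locked)")
    return findings

WEAK_CONF = """# constructed: WPS on, PIN method offered, static AP PIN
interface=wlan0
ssid=linksys
wps_state=2
ap_pin=12345670
config_methods=label display push_button keypad
"""

HARDENED_CONF = """# constructed: WPS disabled, as the note recommends
interface=wlan0
ssid=linksys
wps_state=0
"""
```

Run `audit_wps(WEAK_CONF)` against your own hostapd.conf text to get the list of findings; an empty list is the state the note asks for.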
What is the Reaver tool?
Reaver is a powerful tool designed for brute-force attacks on WiFi Protected Setup (WPS) to crack the WPA passphrase of a network. It targets the WPS PIN to gain network access, exploiting vulnerabilities in the WPS system. Reaver offers features like adjustable delay between PIN attempts, timeout settings, and mechanisms to handle locked WPS states. It logs progress, allowing for the attack to be paused and resumed as needed. However, the process can be lengthy, often taking many hours to complete.
Finding vulnerable networks
If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to get the hardware into monitor mode:
airmon-ng start wlan0
From here you could use airodump-ng to look for networks, but Reaver actually includes its own tool for finding vulnerable WPS implementations that is much more straightforward. To start it, run the following command:
wash -i mon0
The output will look something like this:
[Screenshot: wash output listing two WPS-enabled networks, with their “WPS Locked” status]
This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.
Guide to launching Reaver
Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface, channel, and BSSID to be specified. The command to launch Reaver against the “linksys” network above would look like this:
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output, which greatly helps when trying to gauge how well Reaver is (or is not) progressing.
Once you’ve started Reaver, you’ll start seeing output like this:
[Screenshot: Reaver verbose output showing PIN attempts 12345670 and 00005678]
This output shows that WPS pins are successfully being tried against the target (here we see 12345670 and 00005678 are being tested), and Reaver is operating normally.
Advanced options for Reaver
Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.
As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15
The core command hasn’t changed, the additional switches just change how Reaver behaves:
-L       Ignore locked WPS state.
-N       Don’t send NACK packets when errors are detected.
-d 15    Delay 15 seconds between PIN attempts.
-T .5    Set the timeout period to half a second.
-r 3:15  After 3 attempts, sleep for 15 seconds.
This is by no means an exhaustive list of Reaver options, but it gives an idea on what kind of things you might want to try.
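Detection on the AP side, as an added example that is not part of the article or of Reaver: because the pacing switches above (-d, -r) spread PIN attempts out to one every several seconds, a sliding-window count of WPS registration failures per client MAC with a long window and a low threshold catches the pattern while leaving a user who mistypes a PIN twice alone. The log line format, interface name and MAC addresses are constructed assumptions.

```python
"""Flag WPS PIN brute forcing from AP-side WPS failure events.

Added example, not part of the article or of Reaver. The log line shape
is constructed: one line per failed WPS registration attempt with an ISO
timestamp and the peer (client) MAC. Reaver paced with "-d 15" or
"-r 3:15" makes well under one attempt per second, so the window is
minutes long and the threshold is low.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed line shape: "<iso-timestamp> <iface> WPS-FAIL peer=<mac> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ WPS-FAIL peer=(?P<mac>[0-9a-fA-F:]{17})")

def detect_wps_bruteforce(lines, window_s=600, threshold=5):
    """Return {peer_mac: time_of_first_alert} for peers whose WPS
    failures reached `threshold` inside any `window_s`-second window.
    Lines for a given peer must be in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # peer MAC -> failure times in window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        mac = m["mac"].lower()
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = ts
    return alerts

def sample_log():
    """Constructed sample: one peer failing every 15 s for 2 minutes
    (Reaver-like pacing) and a benign peer with two mistyped PINs."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(8):
        t = (start + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{t} wlan0 WPS-FAIL peer=02:00:00:00:00:01 msg=4")
    for i in range(2):
        t = (start + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{t} wlan0 WPS-FAIL peer=02:00:00:00:00:02 msg=4")
    lines.append(f"{start.isoformat()} wlan0 AP-STA-CONNECTED 02:00:00:00:00:02")
    return lines

if __name__ == "__main__":
    for mac, when in detect_wps_bruteforce(sample_log()).items():
        print(f"WPS brute force suspected from {mac} since {when}")
```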
How long does Reaver take to crack WPS?
Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved: the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the pool of possible PINs.
Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase… eventually.
Interested in finding more vulnerabilities within your organization? Discover vulnerabilities within your applications with Outpost24’s Pen Testing as a Service solution.