1.Reaver Wpa2

Date post: 08-Apr-2016
Upload: rahulroy

Wireless Domination.com: Complete guide on wireless hacking!!

How to crack WPA2 WiFi password using reaver (99% chance) !!

3 May 2014 | Hack WiFi

Today I am going to teach you how to easily hack a WPA/WPA2-PSK enabled network using reaver. But for that, the targeted router must support WPS (WiFi Protected Setup), which is supported by most routers nowadays. WPS is an optional device configuration protocol for wireless access points which makes it much easier to connect.

This feature exists in most routers to make the setup process easy through the WPS PIN, which is hard-coded into the wireless access point. Reaver takes advantage of a vulnerability in WPS. Thanks to Craig Heffner for releasing an open-source version of this tool, named Reaver, that exploits the vulnerability. In simple terms, Reaver tries to brute-force the PIN, which in turn reveals the WPA or WPA2 password after enough time.

What You’ll Need

You do not have to be an expert at Linux, or even at using a computer. The simple command line (console) will do all the work. But you may need a lot of time for this process, and also some luck. The brute force may take from 2 hours to more than 10 hours sometimes. There are various ways to set up reaver, but here are the requirements for this guide.

Backtrack OS. Backtrack is a bootable Linux distribution with lots of pen-testing tools. You can use various other Linux distributions, but I prefer Backtrack. If you don't know how to install Backtrack, then please check this link first.

A computer and a wireless network card. I cannot guarantee that this will work with all internal wireless cards, but I recommend an external wireless card.

A lot of patience. The process is simple, but brute-forcing the PIN takes a lot of time. So you have to be patient. Kicking the computer won't help you this time.

Let’s Get Started

Now you should have a backtrack OS ready for action.

Step 1: Boot into BackTrack

You can use any method to boot into BackTrack, like from a live CD, VMware, dual boot, etc. Just boot it into GUI mode and open a new console (command line) from the taskbar. During the boot process, BackTrack will prompt you to choose the boot options. Select “BackTrack Text – Default Boot Text Mode” and press Enter.

After some time, BackTrack will take you to a command line prompt, where you should type startx and press Enter. BackTrack will then boot into Graphical User Interface (GUI) mode.

Step 2: Install Reaver (skip this step if you are using BackTrack 5)

Reaver should already be installed in BackTrack 5, but if you are using an older BackTrack or any other Linux distribution, you can install Reaver using the few steps below.

1. First, connect your BackTrack to the internet. For a WiFi connection go to Application > Internet > Wicd Network Manager.

2. Select your network and click Connect, input your password if necessary, click OK and click CONNECT a second time.

Now that you are connected to the internet, it's time to install Reaver. Click the terminal icon in the menu bar, and at the console type the following:

apt-get update

apt-get install reaver

Now if everything worked fine, you will have a freshly installed Reaver tool. If you are testing it on your own system, then please go to Wicd Network Manager and disconnect yourself first.

Step 3: Gather Information

Before launching the Reaver attack you need to know your target wireless network name, its BSSID (the unique series of letters and numbers identifying a particular router) and its channel number. To find these out, put your wireless card into monitor mode and gather the required information about the access points. So let us do all these things.

First, let's find your wireless card. Inside a terminal or console, type:

airmon-ng

Press Enter and you should see a list of interface names for different devices. There should be a wireless device in that list if you have connected it to BackTrack. It will probably be wlan0 or wlan1.

Note: To connect your wireless network card to VMware, first plug it into the USB port; you will then see a small USB icon, like in the figure, in the top right of VMware. Right-click on it and click Connect. Finally, the USB sign will turn green and start to glow.

Enable monitor mode. Assuming your wireless card's interface name is wlan0, type this command in the same console.

airmon-ng start wlan0

This command will create a new monitor mode interface, mon0, like in the screenshot below, which you want to keep note of.

Search for the BSSID of the access point (router) you want to crack. There are a few ways to search for the access point BSSID, but I prefer to use the search tool bundled with reaver, which shows only the list of WPS-vulnerable BSSIDs.

In the console type this following command and press enter:

wash -i mon0

You will see the list of wireless networks that support WPS and are vulnerable to Reaver, as seen in the screenshot below. After a few minutes you can stop the scan by pressing Ctrl+C.

Step 4: Let's Start Cracking

I suggest you try to crack the ones which have WPS lock disabled, i.e. say “No” in the WPS Locked column. It may also work if it says Yes, but I am not sure of that. For that, copy the BSSID of the target AP, also keep note of its channel, and in the console type the following and press Enter:

reaver -i monitormode -c channel -b targetbssid -vv

In my case the monitor mode interface will be mon0, the channel would be 1, the target BSSID would be C8:3A:35:54:88:81, and -vv is given to show the current statistics of the attack, like the percentage completed, the PIN currently being brute-forced and so on; so we will type the following and press Enter:

reaver -i mon0 -c 1 -b C8:3A:35:54:88:81 -vv

Press Enter, and if everything goes right then you will see the attack process like in the screenshot below. Please note that you will not get “Restore previous session…” like me, because I have already tried to crack it, so it is prompting me whether to resume from that paused point or not. Your progress will also be saved if you press Ctrl+C. It will prompt you the same way if you run the same command again, and you can resume it from there.

Now just wait, or have some coffee, and let Reaver do its magic. It might take from 2 hours to 10 hours or more. The WPS PIN has 8 numeric digits, but the WPS authentication protocol splits the PIN in half and validates each half separately. Since the last digit of the PIN is a checksum value that can be calculated from the previous digits, there are 10^4 = 10,000 possible values for the first half and then 10^3 = 1,000 values for the second half. So the WPS PIN can be found within 11,000 possible PIN codes. Some APs can check WPS PINs at a rate of 1 PIN per second and some take longer, so the time depends upon the AP, and the wireless signal strength matters too.
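As an added illustration (not the blog's own code), here is the arithmetic behind the 11,000 figure: the checksum rule is the weighted digit sum from the WPS specification, and the enumeration confirms that once the first half is known only 1,000 second halves remain, which is why an AP that locks or rate-limits WPS (the “WPS Locked” column above) is the kind that resists this.

```python
# Added illustration (not the blog's code) of why a split, checksummed WPS
# PIN has only 11,000 candidates instead of 10^8. The checksum rule is the
# weighted digit sum from the WPS specification.
FULL_SPACE = 10 ** 8         # naive 8-digit PIN space
FIRST_HALF_SPACE = 10 ** 4   # 4 free digits, confirmed on their own
SECOND_HALF_SPACE = 10 ** 3  # 3 free digits; the 8th is a checksum

def wps_checksum_digit(first7: int) -> int:
    """Checksum digit for a 7-digit PIN prefix (weights 3,1,3,1,3,1,3 from
    the most significant digit; the loop walks up from the least significant)."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10

def wps_pin_is_valid(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])

def valid_second_halves(first_half: int) -> int:
    """Count the 4-digit second halves that pass the checksum once the first
    half is fixed; the checksum pins the last digit, so expect 1,000."""
    return sum(wps_pin_is_valid(f"{first_half:04d}{second:04d}")
               for second in range(10_000))

def split_search_space() -> int:
    """Worst-case PIN attempts when the AP confirms each half separately."""
    return FIRST_HALF_SPACE + SECOND_HALF_SPACE

def worst_case_hours(pins_per_second: float) -> float:
    """Hours to exhaust the split space at a given verification rate."""
    return split_search_space() / pins_per_second / 3600

if __name__ == "__main__":
    print("12345670 valid:", wps_pin_is_valid("12345670"))
    print("second halves for first half 1234:", valid_second_halves(1234))
    print(f"{split_search_space()} attempts vs {FULL_SPACE}; "
          f"{worst_case_hours(1):.1f} h at 1 PIN/s")
```

At the 1 PIN per second the post mentions, the split space is exhausted in about three hours; the longer runs it quotes come from timeouts and lock-outs, not from the size of the PIN space.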

When the PIN is successfully brute-forced, Reaver will show you the WPS PIN and the plain-text password of the AP, like in the screenshot below.

I recommend you keep note of the WPS PIN, so that if the password is changed again you can recover it in a few seconds the next time by using the following command.

reaver -i (monitor interface) -b (BSSID) -c (channel) --pin=(8 digit pin) -vv

Example:

reaver -i mon0 -b 11:22:33:44:55:66 -c 1 --pin=12345678 -vv

Now the error part, as you might get a bunch of errors depending upon your conditions. You might get some timeouts, which is normal, but if you are getting other errors then see the Error section below.

Error Section:

If you are getting the following error then check the corresponding solution for that.

If 10 consecutive unexpected WPS errors are encountered, a warning message will be shown. Since this may be a sign that the AP is rate-limiting PIN attempts, a wait can be configured that will occur whenever these warning messages appear, by issuing the following command:

reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (the minimum timeout period is 1 second):

reaver -i mon0 -b 00:01:02:03:04:05 -t 3

The default delay period between PIN attempts is 1 second. This value can be increased or decreased to any value. Please note that 0 means no delay:

reaver -i mon0 -b 00:01:02:03:04:05 -d 0

So here ends the tutorial on how to crack a wireless network easily using reaver. Good luck hacking…!!!

5 thoughts on “How to crack WPA2 WiFi password using reaver (99% chance) !!”

bibek

Sounds interesting! But I've got one question.

For the brute-force and reaver to work, is it required that the WPS button is pressed on the router? I think I got it wrong. Would you make it more clear please…

Jul 12, 2014 4:12 pm

admin

It will work even if the button is not pushed. But some cheap routers will not be brute-forced due to some of their hardware faults. These may include some routers from TP-Link, Digicom and mostly Tenda.

Jul 26, 2014 8:14 pm

Arash

Hi! Thanks for your information.

When I type “airmon-ng” I can't see anything… just the titles “interface, chipset, driver”.

Or, when I run “wicd network manager” I see an error!!!!!

And my laptop's Fn key does not work in BackTrack 5 R3.

What should I do????????????? Thanks for your help.

Aug 8, 2014 2:14 pm

admin

Install BackTrack again and see if the problem goes away.

Aug 9, 2014 8:39 am

Arash

I did that, I have this problem again!!!!

Also in WICD I can't see my wireless network to connect to.

Aug 9, 2014 12:25 pm

© 2014 Wireless Domination.com — All Rights Reserved.