In order to use Reaver, you need to get your wireless card's interface name, the BSSID of the router you're attempting to crack (the BSSID is a unique series of letters and numbers that identifies a router), and you need to make sure your wireless card is in monitor mode. So let's do all that.
Find
your wireless card: Inside
Terminal, type:
iwconfig
Press Enter. You should see a wireless device in the subsequent list. Most likely, it'll be named wlan0, but if you have more than one wireless card, or a more unusual networking setup, it may be named something different.
Put
your wireless card into monitor mode: Assuming your wireless card's
interface name is wlan0, execute the following command to put
your wireless card into monitor mode:
airmon-ng start wlan0
This command will output the name of monitor mode interface, which you'll also want to make note of. Most likely, it'll be mon0, like in the screenshot below. Make note of that.
Find
the BSSID of the router you want to crack: Lastly, you need to get the
unique identifier of the router you're attempting to crack so that you can
point Reaver in the right direction. To do this, execute the following command:
airodump-ng wlan0
(Note: If airodump-ng wlan0 doesn't work for you, you may want to try the monitor interface instead—e.g., airodump-ng mon0.)
You'll
see a list of the wireless networks in range.
When
you see the network you want, press Ctrl+C to stop the list from refreshing,
then copy that network's BSSID (it's the series of letters, numbers, and colons
on the far left). The network should have WPA or WPA2 listed under the ENC
column. Now, with the BSSID and monitor
interface name in hand, you've got everything you need to start up Reaver.
Crack a Network's WPA
Password with Reaver
Now
execute the following command in the Terminal, replacing bssid and moninterface with the BSSID
and monitor interface and you copied down above:
reaver -i moninterface -b bssid -vv
For example, if your monitor interface was mon0 like mine, and your BSSID was 8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. When Reaver's cracking has completed, it'll look like this:
EXPAND
A
few important factors to consider:Reaver worked exactly as advertised in
my test, but it won't necessarily work on all routers (see more below). Also,
the router you're cracking needs to have a relatively strong signal, so if
you're hardly in range of a router, you'll likely experience problems, and
Reaver may not work. Throughout the process, Reaver would sometimes experience
a timeout, sometimes get locked in a loop trying the same PIN repeatedly, and
so on. I just let it keep on running, and kept it close to the router, and
eventually it worked its way through.
Also of note, you can also pause your progress at any time by pressing Ctrl+C while Reaver is running. This will quit the process, but Reaver will save any progress so that next time you run the command, you can pick up where you left off-as long as you don't shut down your computer (which, if you're running off a live DVD, will reset everything).
How Reaver Works
Now
that you've seen how to use Reaver, let's take a quick overview of how Reaver
works. The tool takes advantage of a vulnerability in something called Wi-Fi
Protected Setup, or WPS. It's a feature that exists on many routers, intended
to provide an easy setup process, and it's tied to a PIN that's hard-coded into
the device. Reaver exploits a flaw in these PINs; the result is that, with
enough time, it can reveal your WPA or WPA2 password.
Read more details about the vulnerability at Sean Gallagher's excellent post on Ars Technica.
How to Protect Yourself Against Reaver Attacks
Since
the vulnerability lies in the implementation of WPS, your network should be
safe if you can simply turn off WPS (or, even better, if your router doesn't
support it in the first place). Unfortunately, as Gallagher points out as Ars, even
with WPS manually turned off through his router's settings, Reaver was still
able to crack his password.
In a
phone conversation, Craig Heffner said that the inability to shut this
vulnerability down is widespread. He and others have found it to occur with
every Linksys and Cisco Valet wireless access point they've tested. "On
all of the Linksys routers, you cannot manually disable WPS," he said.
While the Web interface has a radio button that allegedly turns off WPS
configuration, "it's still on and still vulnerable.
So that's kind of a bummer. You may still want to try disabling WPS on your router if you can, and test it against Reaver to see if it helps.
You could also set up MAC address filtering on your router (which only allows specifically whitelisted devices to connect to your network), but a sufficiently savvy hacker could detect the MAC address of a whitelisted device and use MAC address spoofing to imitate that computer.
I
have the open-source router firmware DD-WRT installed on my router and I was
unable to use Reaver to crack its password. As it turns out, DD-WRT does not
support WPS, so there's yet another reason to love the free router-booster. If
that's got you interested in DD-WRT, check their supported devices list to see
if your router's supported. It's a good security upgrade, and DD-WRT can also
do cool things like monitor your internet usage, set up a network hard drive,
act as a whole-house ad blocker, boost the range of your Wi-Fi network, and
more. It essentially turns your $60 router into a $600 router.
