Let’s use Reaver to crack WPA/WPA2 passwords! Through all this journey of cracking passwords (with permission), I learned you need two things: Time and Luck. There is no easy way to get a network’s password, unless you actually go and ask for it nicely… but that’s not an option sometimes.
(Note: Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself. Breaking into someone’s wireless network is illegal, use it at your own risk.)
There are 2 methods to hack WPA/WPA2:
- With dictionaries: Usually takes plenty of time, and if the password is not in the dictionary, you won’t find it.
- With Reaver: Uses a vulnerability in Wi-Fi Protected Setup, or WPS. The feature exists on many routers, and the attack can take between 5 and 10 hours to crack the password.
When dictionaries have been tried with no luck, we can move on to Reaver. It’s extremely easy to use and has a 100% chance of finding the password (IF the router has the WPS feature).
For this you will need Backtrack 5 R2 and patience. Click here to learn how to install Backtrack in persistent mode.
Using Reaver
In order to use Reaver you first need to know which networks have WPS enabled.
Let’s put your wireless card into monitor mode, open terminal and run:
airmon-ng start wlan0
It should now say “monitor mode enabled on mon0”. Now we use “wash” to identify the networks with WPS enabled.
wash -i mon0
All networks with WPS will be shown here. If the one you want to crack is here, copy the BSSID.
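As an added illustration (not part of the original post), here is how a network owner can check from a captured beacon whether their own access point still advertises WPS; this is the same vendor-specific element that wash reads to build its list. The element layout (ID 0xDD, OUI 00:50:F2, type 4, then attributes with a 2-byte type and 2-byte length) follows the WPS specification; the sample elements below are constructed, not captured from a real device.

```python
from typing import Optional, Dict
import struct

WPS_OUI = b"\x00\x50\xf2"      # OUI used by the WPS vendor-specific element
WPS_OUI_TYPE = 0x04            # OUI type 4 = WPS (type 2 with same OUI = WMM)
ATTR_VERSION = 0x104A          # one byte: high nibble = major, low nibble = minor
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured (WPS in use)
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP has locked itself against PIN attempts


def parse_wps_ie(ie: bytes) -> Optional[Dict[int, bytes]]:
    """Return the TLV attributes of a WPS element (ID 0xDD, OUI 00:50:F2,
    type 4), or None if this vendor-specific element is something else."""
    if len(ie) < 6 or ie[0] != 0xDD:
        return None
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or body[:3] != WPS_OUI or body[3] != WPS_OUI_TYPE:
        return None
    attrs: Dict[int, bytes] = {}
    pos = 4
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack(">HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            break  # truncated attribute: stop rather than misparse the rest
        attrs[attr_type] = value
        pos += 4 + attr_len
    return attrs


def wps_status(ie: bytes) -> dict:
    """Summarise one beacon element the way a wash row would."""
    attrs = parse_wps_ie(ie)
    if attrs is None:
        return {"wps": False, "configured": False, "locked": False, "version": None}
    ver = attrs.get(ATTR_VERSION, b"\x00")[0]
    return {
        "wps": True,  # element present: the AP advertises WPS
        "configured": attrs.get(ATTR_WPS_STATE, b"\x00")[0] == 2,
        "locked": attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1,
        "version": f"{ver >> 4}.{ver & 0xF}",
    }


# Constructed sample elements (not captured from a real access point):
WPS_OPEN_IE = bytes.fromhex("dd13" "0050f204" "104a000110" "1044000102" "1057000100")
WPS_LOCKED_IE = bytes.fromhex("dd13" "0050f204" "104a000110" "1044000102" "1057000101")
WMM_IE = bytes.fromhex("dd07" "0050f202" "000100")  # same OUI, type 2 = WMM, not WPS

if __name__ == "__main__":
    for name, ie in [("open", WPS_OPEN_IE), ("locked", WPS_LOCKED_IE), ("wmm", WMM_IE)]:
        print(name, wps_status(ie))
```

A beacon whose status comes back with "wps": True and "locked": False is one the post's procedure would list; turning WPS off in the router settings removes the element entirely.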
On a new terminal type:
reaver -i mon0 -b BSSID -vv
For example:
reaver -i mon0 -b 11:22:33:44:55:66 -vv
Press enter, sit back and let Reaver work! Reaver will now try a series of PINs on the router in a brute force attack, one after another. It can take between 4 – 10 hours to deliver the password. The good thing is, you can pause with Ctrl + C and your progress is saved. The next time you run reaver, it will ask you if you want to resume.
Reaver may not work for all routers; there are different factors, for example the signal strength. The network you are attacking must have a strong signal in order for Reaver to work. Sometimes Reaver tries the same PIN again and again; that’s normal, don’t worry. But if that happens as soon as you run the command and it never moves forward to the next PIN, that means it is not working.
In a few words, a router may have WPS enabled, but that’s no guarantee Reaver will work.
Like I said before, time and luck!
I wish you lots of patience and good luck!
Happy testing!
Richard L.