Premium Accounts 2014


Crack a Wi-Fi Network’s WPA Password with Reaver

Let’s use Reaver to crack WPA/WPA2 passwords! Through all this journey of cracking passwords (with permission), I learned you need two things: time and luck. There is no easy way to get a network’s password, unless you actually go and ask for it nicely… but that’s not always an option.

(Note: Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself. Breaking through someone’s wireless network is illegal, use it at your own risk)

There are 2 methods to hack WPA/WPA2:

  1. With dictionaries: usually takes plenty of time, and if the password is not in the dictionary, you won’t find it.
  2. With Reaver: uses a vulnerability in Wi-Fi Protected Setup, or WPS. It exists on many routers, and cracking can take between 5 and 10 hours.

When dictionaries have failed, we can move on to Reaver. It’s extremely easy to use and has a 100% chance of finding the password (IF the router has the WPS feature enabled).

For this you will need Backtrack 5 R2 and patience. See my tutorial on how to install Backtrack with persistence.

Using Reaver

In order to use Reaver you first need to know which networks have WPS enabled.
Let’s put your wireless card into monitor mode. Open a terminal and run:

airmon-ng start wlan0

It should now say “monitor mode enabled on mon0”. Now we use “wash” to identify the networks with WPS enabled.

wash -i mon0

All networks with WPS will be shown here. If the one you want to crack is listed, copy its BSSID.
In a new terminal type:

reaver -i mon0 -b BSSID -vv

For example:

reaver -i mon0 -b 11:22:33:44:55:66 -vv

Press enter, sit back and let Reaver work! Reaver will now try a series of PINs on the router in a brute-force attack, one after another. It can take between 4 and 10 hours to deliver the password. The good thing is, you can pause with Ctrl + C and save your progress. The next time you run Reaver, it will ask you if you want to resume.

Reaver may not work on all routers; there are different factors, for example signal strength. The network you are attacking must have a strong signal in order for Reaver to work. Sometimes Reaver tries the same PIN again and again; that’s normal, don’t worry. But if that happens as soon as you run the command and it never moves forward to the next PIN, it is not working.

In a few words, a router may have WPS enabled, but that’s no guarantee Reaver will work.
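Why Reaver’s PIN search finishes in hours rather than years comes down to how a WPS PIN is built, and it is also why an access point that locks WPS after a few failures (or turns WPS off) is the fix. The following is an added Python example of mine, not code from this post or from Reaver: it computes the PIN checksum digit as defined in the WPS specification, derives the effective number of candidate PINs, and estimates the time to try them all at an assumed attempt rate, with and without an AP-side lockout. The seconds-per-attempt and lockout figures are assumptions for the estimate, not measurements.

```python
"""Added example: why the WPS PIN space is small, and what AP lockout does to it.

A WPS PIN has 8 digits. The last digit is a checksum of the first 7, and the
registrar protocol confirms the first 4 digits separately from the last 3.
Everything below follows from that structure; timing numbers are estimates
based on an assumed seconds-per-attempt figure.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN (the WPS specification's algorithm)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def naive_keyspace() -> int:
    """Candidates if only the checksum were known: 7 free digits."""
    return 10 ** 7


def effective_keyspace() -> int:
    """Worst-case attempts when the two halves are confirmed separately:
    10^4 for the first half plus 10^3 for the second (its last digit is the checksum)."""
    return 10 ** 4 + 10 ** 3


def hours_to_exhaust(seconds_per_attempt: float,
                     lockout_after: int = 0,
                     lockout_seconds: float = 0.0) -> float:
    """Hours needed to try every candidate at a fixed rate.

    With lockout_after > 0 the AP is assumed to refuse WPS for lockout_seconds
    after that many failed attempts (the mitigation many firmwares offer)."""
    attempts = effective_keyspace()
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        total += (attempts // lockout_after) * lockout_seconds
    return total / 3600


if __name__ == "__main__":
    # Assumed rate: about 3 seconds per attempt, which lands in the post's 4-10 hour range.
    print("valid checksum on 12345670:", is_valid_wps_pin("12345670"))
    print("candidates, naive vs effective:", naive_keyspace(), effective_keyspace())
    print("hours, no lockout: %.1f" % hours_to_exhaust(3.0))
    print("hours, 60 s lockout every 10 failures: %.1f"
          % hours_to_exhaust(3.0, lockout_after=10, lockout_seconds=60.0))
```

The point for a defender is the ratio between the two keyspace figures: the split confirmation turns ten million candidates into eleven thousand, and only a lockout (or disabling WPS) puts a cost back on each attempt.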

Like I said before, time and luck!

I wish you lots of patience and good luck!

Happy testing!

Richard L.

How to Crack a Wi-Fi Network’s password (WEP,WPA/WPA2)

Hi and welcome to my blog!

I’m going to show you how to crack Wi-Fi passwords without too much effort and with a lot of patience! Why cracking and not hacking? Why this term? First of all, hacking sounds like a big deal, like hacking bank accounts or things like that. What we are doing here is decrypting a password, in other words: cracking. “It is something I can’t do”, you would say… “I’m not a hacker! What’s WEP and all those things?” I will try my best to explain to you how easy it actually is! You don’t need to understand all the definitions or processes, just follow this tutorial.

(Note: Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself. Breaking through someone’s wireless network is illegal, use it at your own risk)

There are 3 kinds of encryption or security systems on a router: WEP, WPA and WPA2.

  • WEP (Wired Equivalent Privacy) is the oldest one and therefore the easiest to penetrate. I’m not explaining why, because I haven’t had time to understand how it works either. The thing is, imagine WEP like a puzzle. The password is hidden in this puzzle and you have to put many of the pieces together to decrypt it. The problem is the pieces are flying around in the air and you have to catch them. Passwords on WEP can be less than 8 characters.
    Cracking WEP is usually done passively (listening to packets).
  • WPA and WPA2 are by definition much harder to break. Passwords can be 8 – 64 characters long with capitals, numbers and even symbols (?!$…). Cracking WPA/WPA2 works in a completely different way from WEP because it uses dynamic encryption, which means the keys change constantly. It is pointless to collect all the pieces; it would be a never-ending search. The process is simple: you must capture a handshake from the network you want to decrypt and then use a dictionary to find the password. The 4-way handshake is the one unique clue you have for this. If the dictionary doesn’t contain it, you will never find it, unless you try brute-forcing, but that’s more advanced and I’ll talk about it later. If you want to have an unbreakable password, use all the conditions I wrote before. Believe me, it will be impossible to crack.
    Cracking WPA/WPA2 is done actively (packet injection) and with dictionaries.
[Image: 4-way handshake]
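The claim above that a long passphrase mixing cases, digits and symbols is impossible to crack with a dictionary can be put in numbers. The following is an added Python example of mine, not code from this post or from the Aircrack-ng project: it checks a candidate passphrase against a small constructed wordlist (standing in for the dictionaries linked later in the post), computes an entropy estimate from its length and character classes, and turns that into a worst-case time to exhaust at an assumed offline guess rate. The wordlist, the guess rate and the passphrases are all constructed for the example; the 8 to 63 character limit is the WPA/WPA2-PSK passphrase rule (a 64-character value is read as the raw hex key).

```python
import math
import string

# Constructed mini wordlist standing in for a real dictionary file (sample data, not real).
SAMPLE_WORDLIST = {"password", "12345678", "letmein1", "sunshine", "football", "qwerty123"}

# Assumed offline guess rate for a CPU cracker; real aircrack-ng rates depend on hardware.
ASSUMED_GUESSES_PER_SECOND = 50_000.0

SECONDS_PER_YEAR = 365 * 24 * 3600


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """A WPA/WPA2-PSK passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def charset_size(passphrase: str) -> int:
    """Size of the union of standard character classes the passphrase draws from."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in passphrase:
        size += 1
    return size


def entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing difficulty, assuming every character was picked at random
    from the character set in use. Human-chosen phrases are weaker than this number says,
    which is why the wordlist check in assess() comes first."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(passphrase: str,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try the whole estimated space at the given rate (the attacker's worst case)."""
    return 2 ** entropy_bits(passphrase) / guesses_per_second / SECONDS_PER_YEAR


def assess(passphrase: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """Dictionary membership first, then the brute-force estimate: a phrase in the list
    falls in one aircrack-ng pass no matter how many bits the formula credits it with."""
    return {
        "valid": is_valid_wpa_passphrase(passphrase),
        "in_wordlist": passphrase in wordlist,
        "entropy_bits": round(entropy_bits(passphrase), 1),
        "years_to_exhaust": years_to_exhaust(passphrase),
    }


if __name__ == "__main__":
    # Constructed candidates: a dictionary word, a near-miss, and a random mixed-class phrase.
    for candidate in ["password", "Sunshine1", "gT7#pQ9!mZ2&vL4x"]:
        print(candidate, assess(candidate))
```

The dictionary result is the one that matters for the attack described in this post: a passphrase that appears in a list is found in a single pass regardless of the entropy figure, while a 16-character random mix of all four classes sits far beyond any dictionary and beyond exhaustive search at any realistic rate.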

Hmm flawless, now what? 

Now that you know the types of encryption, lets talk about the process. I present to you: Aircrack-ng!

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. Aircrack allows us to mess up.. sorry, audit wireless networks and do some pretty fucked up shit. If you want to know more about Aircrack: http://www.aircrack-ng.org

In my case, I started doing this on Windows (with CommView drivers), and with this operating system things tend to get complicated. You must have the correct drivers, download the correct version of Aircrack and also download patches for packet injection if needed. Linux is way better and has pretty cool distributions, and one of them is Backtrack 5 R2. Backtrack is the preferred distribution for this, and there’s only one reason why: it was made for these purposes.
Backtrack 5 R2 has great hardware compatibility and comes with all the drivers & patches you need for auditing and packet injection included. If you want to keep things easy and save time, do yourself a favor and don’t use Windows, use Backtrack.

Installing Backtrack 5 R2

Check my tutorial on How to Create a Persistent USB with Backtrack 5 R2. Persistence is recommended because it allows us to keep files between reboots. You’ll need this if you want to install Pyrit with CUDA, OpenCL and/or C++. (I’ll talk about that in another tutorial.)

If you want to install Backtrack on a Live USB or disc, I recommend you follow this one: http://myweb.csuchico.edu/~sbarrera3/BackTrack5R2doc.pdf (Thanks to whoever made it, S. Barrera I suppose)
My recommendation: buy a USB stick (pendrive) with at least 8 GB of memory. There are good options on Amazon or at any local store; I use a PNY 16 GB. Why install it on a USB? It’s the easiest way.

Make sure at the end you restart your computer and change the boot order. On a Dell machine it’s usually F2, Toshiba is F1 or ESC, HP is F1 or F2, and IBMs usually require you to go to Start, Programs and then Thinkpad CFG to start up in the BIOS. Once you are on the boot order list, move the USB hard drive to the first position (use F5 and F6). Press F10 and Enter, and now it will boot into Backtrack!


First steps with Backtrack


A list of boot modes will appear; choose “Default” or, if you are using a persistent USB, choose “Persistent mode”. Now you’ll have to wait a little; it usually takes up to 5 minutes, so just be patient, it’s not an error! It will take you to a command prompt. Type startx, hit enter and you are done!

Using Aircrack-ng

Again, there are many tutorials on the web and I’m not writing another one because I think it’s pointless. Here we have this one again, very easy, step-by-step and well explained (by the same author):

http://myweb.csuchico.edu/~sbarrera3/AirCrackdoc.pdf

In summary, the command lines are:
The variables are in parentheses.

  1. airmon-ng start wlan0
  2. airodump-ng mon0
  3. (Close the old airodump-ng terminal to avoid channel hopping) airodump-ng -w capture-packages --bssid (accesspoint) -c (channel) mon0
  4. aireplay-ng --deauth 1 -a (accesspoint) -c (client) mon0
  5. aircrack-ng capture-packages-01.cap -w /root/wordlist.lst
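Step 4 is the part of this procedure that is visible from the defending side: the deauthentication frames that force the client to reconnect arrive as a burst, far faster than a client genuinely leaving a network ever produces, and without 802.11w (protected management frames) the access point cannot tell forged ones from its own. The following is an added Python example of mine, not code from this post or from the Aircrack-ng project: it runs a simple sliding-window detector over a constructed list of frame records (the BSSID is the one from the Reaver example above; the client address, timestamps and frame sequence are made up). Feeding it real frames from a monitor-mode capture is assumed to be done by the caller.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured 802.11 frame, as a monitor-mode capture would provide it."""
    ts: float       # capture timestamp in seconds
    subtype: str    # "beacon", "data", "deauth", ...
    src: str        # claimed transmitter address (forgeable without 802.11w)
    dst: str        # receiver address


AP_BSSID = "11:22:33:44:55:66"   # BSSID used in the post's example command
CLIENT = "aa:bb:cc:dd:ee:ff"     # constructed client address
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture (not real traffic): normal activity, then a burst of
# deauth frames forged with the AP's address, then one ordinary deauth as a client leaves.
SAMPLE_CAPTURE = [
    Frame(0.0, "beacon", AP_BSSID, BROADCAST),
    Frame(0.5, "data", CLIENT, AP_BSSID),
    *[Frame(1.0 + 0.1 * i, "deauth", AP_BSSID, BROADCAST) for i in range(8)],
    Frame(3.0, "data", CLIENT, AP_BSSID),
    Frame(10.0, "deauth", CLIENT, AP_BSSID),
]


def detect_deauth_bursts(frames: Iterable[Frame],
                         threshold: int = 5,
                         window_seconds: float = 2.0) -> List[Tuple[str, float, int]]:
    """Flag every transmitter that sends `threshold` or more deauth frames within `window_seconds`.

    Returns (source address, timestamp of the first frame in the window, frame count at the
    moment the threshold was crossed). One alert per source; a lone deauth is ignored."""
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for frame in sorted(frames, key=lambda f: f.ts):
        if frame.subtype != "deauth":
            continue
        window = recent[frame.src]
        window.append(frame.ts)
        # Discard timestamps that have slid out of the window.
        while window and frame.ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold and frame.src not in alerted:
            alerted.add(frame.src)
            alerts.append((frame.src, window[0], len(window)))
    return alerts


if __name__ == "__main__":
    for src, first_ts, count in detect_deauth_bursts(SAMPLE_CAPTURE):
        print(f"deauth burst from {src}: {count} frames within the window starting at t={first_ts:.1f}s")
```

The threshold and window are tuning knobs: a client leaving sends one deauth, so anything in the single digits per second from one address is already unusual. Detection tells you it is happening; enabling 802.11w on the access point and clients is what makes the forged frames ineffective.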

To download the dictionaries, visit: http://g0tmi1k.blogspot.de/2011/06/dictionaries-wordlists.html

I suggest using one of no more than 500 MB; beyond that size, it is very likely the password won’t be found anyway. The dictionaries come in 7zip format. To extract the files, just open a terminal and run the command:

p7zip -d "filenamehere.7z"

Happy testing!

Richard L.