How to Crack a Wi-Fi Networks WPA

Password with Reaver

Your Wi-Fi network is your conveniently wireless gateway to the internet, and since
you're not keen on sharing your connection with any old hooligan who happens to be
walking past your home, you secure your network with a password, right? Knowing, as
you might, how easy it is to crack a WEP password, you probably secure your network
using the more bulletproof WPA security protocol.
Here's the bad news: A new, free, open-source tool called Reaver exploits a security
hole in wireless routers and can crack most routers' current passwords with relative
ease. Here's how to crack a WPA or WPA2 password, step by step, with Reaverand
how to protect your network against Reaver attacks.
In the first section of this post, I'll walk through the steps required to crack a WPA
password using Reaver. You can follow along with either the video or the text below.
After that, I'll explain how Reaver works, and what you can do to protect your network
against Reaver attacks.
First, a quick note: As we remind often remind readers when we discuss topics that
appear potentially malicious: Knowledge is power, but power doesn't mean you should
be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief.
Consider this post educational, or a proof-of-concept intellectual exercise. The more
you know, the better you can protect yourself.

What You'll Need

You don't have to be a networking wizard to use Reaver, the command-line tool that
does the heavy lifting, and if you've got a blank DVD, a computer with compatible WiFi, and a few hours on your hands, you've got basically all you'll need. There are a
number of ways you could set up Reaver, but here are the specific requirements for this
guide:

The BackTrack 5 Live DVD. BackTrack is

a bootable Linux distribution that's filled to the brim with network testing tools,
and while it's not strictly required to use Reaver, it's the easiest approach for
most users. Download the Live DVD from BackTrack's download page and burn
it to a DVD. You can alternately download a virtual machine image if you're
using VMware, but if you don't know what VMware is, just stick with the Live
DVD. As of this writing, that means you should select BackTrack 5 R1 from the
Release drop-down, select Gnome, 32- or 64-bit depending on your CPU (if you
don't know which you have, 32 is a safe bet), ISO for image, and then download
the ISO.
A computer with Wi-Fi and a DVD drive. BackTrack will work with the
wireless card on most laptops, so chances are your laptop will work fine.
However, BackTrack doesn't have a full compatibility list, so no guarantees.
You'll also need a DVD drive, since that's how you'll boot into BackTrack. I
used a six-year-old MacBook Pro.
A nearby WPA-secured Wi-Fi network. Technically, it will need to be a
network using WPA security with the WPS feature enabled. I'll explain in more
detail in the "How Reaver Works" section how WPS creates the security hole
that makes WPA cracking possible.
A little patience. This is a 4-step process, and while it's not terribly difficult to
crack a WPA password with Reaver, it's a brute-force attack, which means your
computer will be testing a number of different combinations of cracks on your
router before it finds the right one. When I tested it, Reaver took roughly 2.5
hours to successfully crack my password. The Reaver home page suggests it can
take anywhere from 4-10 hours. Your mileage may vary.

Let's Get Crackin'

At this point you should have BackTrack burned to a DVD, and you should have your
laptop handy.
Step 1: Boot into BackTrack

To boot into BackTrack, just put the

DVD in your drive and boot your machine from the disc. (Google around if you don't
know anything about live CDs/DVDs and need help with this part.) During the boot
process, BackTrack will prompt you to to choose the boot mode. Select "BackTrack
Text - Default Boot Text Mode" and press Enter.
Eventually BackTrack will boot to a command line prompt. When you've reached the
prompt, type startx and press Enter. BackTrack will boot into its graphical interface.
Step 2: Install Reaver
Reaver has been added to the bleeding edge version of BackTrack, but it's not yet
incorporated with the live DVD, so as of this writing, you need to install Reaver before
proceeding. (Eventually, Reaver will simply be incorporated with BackTrack by
default.) To install Reaver, you'll first need to connect to a Wi-Fi network that you have
the password to.
1. Click Applications > Internet > Wicd Network Manager
2. Select your network and click Connect, enter your password if necessary, click
OK, and then click Connect a second time.
Now that you're online, let's install Reaver. Click the Terminal button in the menu bar
(or click Applications > Accessories > Terminal). At the prompt, type:
apt-get update

And then, after the update completes:

apt-get install reaver

If all went well, Reaver should now be

installed. It may seem a little lame that you need to connect to a network to do this, but

it will remain installed until you reboot your computer. At this point, go ahead and
disconnect from the network by opening Wicd Network Manager again and clicking
Disconnect. (You may not strictly need to do this. I did just because it felt like I was
somehow cheating if I were already connected to a network.)
Step 3: Gather Your Device Information, Prep Your Crackin'
In order to use Reaver, you need to get your wireless card's interface name, the BSSID
of the router you're attempting to crack (the BSSID is a unique series of letters and
numbers that identifies a router), and you need to make sure your wireless card is in
monitor mode. So let's do all that.
Find your wireless card: Inside Terminal, type:
iwconfig

Press Enter. You should see a wireless

device in the subsequent list. Most likely, it'll be named wlan0, but if you have more
than one wireless card, or a more unusual networking setup, it may be named something
different.
Put your wireless card into monitor mode: Assuming your wireless card's interface
name is wlan0, execute the following command to put your wireless card into monitor
mode:
airmon-ng start wlan0

This command will output the name of monitor mode interface, which you'll also want
to make note of. Most likely, it'll be mon0, like in the screenshot below. Make note of
that.
Find the BSSID of the router you want to crack: Lastly, you need to get the unique
identifier of the router you're attempting to crack so that you can point Reaver in the
right direction. To do this, execute the following command:
airodump-ng wlan0

(Note: If airodump-ng wlan0 doesn't work for you, you may want to try the monitor
interface insteade.g., airodump-ng mon0.)

You'll see a list of the wireless networks in rangeit'll look something like the
screenshot below:
When you see the network you want, press Ctrl+C to stop the list from refreshing, then
copy that network's BSSID (it's the series of letters, numbers, and colons on the far left).
The network should have WPA or WPA2 listed under the ENC column. (If it's WEP,
use our previous guide to cracking WEP passwords.)
Now, with the BSSID and monitor interface name in hand, you've got everything you
need to start up Reaver.
Step 4: Crack a Network's WPA Password with Reaver
Now execute the following command in the Terminal, replacing bssid and
moninterface with the BSSID and monitor interface and you copied down above:
reaver -i moninterface -b bssid -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was
8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a
series of PINs on the router in a brute force attack, one after another. This will take a
while. In my successful test, Reaver took 2 hours and 30 minutes to crack the network
and deliver me with the correct password. As mentioned above, the Reaver
documentation says it can take between 4 and 10 hours, so it could take more or less
time than I experienced, depending. When Reaver's cracking has completed, it'll look
like this:
A few important factors to consider: Reaver worked exactly as advertised in my test,
but it won't necessarily work on all routers (see more below). Also, the router you're
cracking needs to have a relatively strong signal, so if you're hardly in range of a router,
you'll likely experience problems, and Reaver may not work. Throughout the process,
Reaver would sometimes experience a timeout, sometimes get locked in a loop trying
the same PIN repeatedly, and so on. I just let it keep on running, and kept it close to the
router, and eventually it worked its way through.
Also of note, you can also pause your progress at any time by pressing Ctrl+C while
Reaver is running. This will quit the process, but Reaver will save any progress so that
next time you run the command, you can pick up where you left off-as long as you don't
shut down your computer (which, if you're running off a live DVD, will reset
everything).

How Reaver Works

Now that you've seen how to use Reaver, let's take a quick overview of how Reaver
works. The tool takes advantage of a vulnerability in something called Wi-Fi Protected
Setup, or WPS. It's a feature that exists on many routers, intended to provide an easy

setup process, and it's tied to a PIN that's hard-coded into the device. Reaver exploits a
flaw in these PINs; the result is that, with enough time, it can reveal your WPA or
WPA2 password.
Read more details about the vulnerability at Sean Gallagher's excellent post on Ars
Technica.

Capturar Contrasea de WPA/WPA2 con REAVER

Gracias a una vulnerabilidad del sistema de configuracin de los enrutadores inalmbricos, en
un software denominado Wifi Protected Setup (WPS) el seor Craig Heffner desarrollo un
software denominado REAVER, que permite obtener la contrasea de seguridad de WPA o
WPA2, donde el enrutador configure usando el WPS.

Este software lo puedes conseguir en google code en la URL http://code.google.com/p/reaverwps/ de donde pueden descargar la ltima versin de este programa. Antes de compilarlo en
Ubuntu o Debian deben asegurarse de tener unos paquetes, por lo que sera bueno que
ejecutaran el siguiente comando:

root@localhost:~# apt-get install build-essential libpcap0.8-dev libsqlite3-dev

Bueno una vez que tienes estos paquetes instalados entonces procedes a descomprimir el
tar.gz y a compilar el paquete, eso se hace con los siguientes pasos:

root@localhost:~# wget http://code.google.com/p/reaverwps/downloads/detail?name=reaver-1.3.tar.gz&can=2&q=

root@localhost:src#
root@localhost:src#
root@localhost:src# make install
Si

lo

vas

root@localhost:~#

instalar

en

Backtrack

apt-get

&& cd

R1

install

solo

reaver-1.3/src
./configure
make

debes

hacer

reaver

Listo ya con esto lo tienes instalado ahora toca aprender a usarlo, por lo que vamos a ver como
lo use en un Backtrack 5 R1. Lo primero es colocar la tarjeta inalmbrica en modo monitor, lo

que

se

hace

con

el

comando

airmon-ng,

de

la

siguiente

manera:

Despus de esto usas el comando airodump-ng, que te permite visualizar todas las redes
inalmbricas que capta tu antena y conocer su identificador BSSID, con el cual el reaver podr
iniciar la explotacin de la posible vulnerabilidad. Al ejecutar este comando vers algo como lo
siguiente y debes tomar una de los BSSID y con un poco de suerte ese estar configurado
usando
WPS.

Bueno una vez hayas escogido la red entonces ejecutas el comando reaver con la siguiente
estructura

root@localhost:# reaver -i [interface en modo monitor] -b [BSSID escogido]

Como se puede ver en la siguiente imagen el inicia el proceso de asociacin y la carga de datos
para vulnerar el WPS, este proceso puede durar al rededor de 4 horas (como siempre en esto,
toca
tener
calma),

Pero tiene algo muy bueno y es que puedes detenerlo y cuando lo enves de nuevo arrancar
desde lo detuviste , as:

Espero que no lo usen para males, es con el animo de educar no de dar herramientas de
ataques o violacin a la privacidad de las personas. Recuerda que el HACKER es aquel que usa
su conocimiento para ayudar y para mejorar las herramientas y montajes de los dems, el
CRACKER es que usa su conocimiento para beneficio propio y hacer mal a su prjimo, decide
de que lado deseas estar.