App Name: Reaver
Main Platform: Linux/GNU
Usage: Gaining Access To WPA Password Protected Wireless Networks/Access Points
First thing about WPA passwords is that you cannot decrypt them; all you can do is a brute force attack to get the password, and depending on the password length and complexity that may take anything from a few hours to thousands of years. The great thing about Reaver is that it exploits the routers/access points using another form of brute force attack: not brute forcing the password itself, but focusing on the PIN of an access point that has WPS active on it.
The basic idea of the WPS PIN is that it offers you a PIN of 7 digits that you can use to authenticate or retrieve the password of the wireless network in plain text. Hmmm… 7 digits, so that is 10^7 possibilities, which is shorter than brute forcing the password, but still a huge number of possible PINs! Is there a way around this?
Sure! The catch is that the PIN does not get validated as a whole; it is actually validated in 2 parts. The first 4 digits get validated alone, and the last 3 are validated alone, and it gets better: you do not need both parts to be correct to get a result. Whichever part is correct, the access point will inform you that part one is OK but part 2 is not!
Hold on! Why are you so happy about this?
Let me try to explain. For the first 4 digits there are 10^4 = 10000 attempts at most, and for the second part 10^3 = 1000 attempts at most, so that is 11000 attempts at most, and that really is a maximum; you may not even reach 1000 depending on the PIN set on the access point. An average of 4 hours and a max of 10 hours and you get the password.
Great! What do I need?
1- A Linux Distribution
2- Reaver
3- Aircrack-ng
sudo apt-get install reaver aircrack-ng
Why would I need aircrack-ng?
To sniff for available wireless networks and know which to target!
Oh great! How do I use it?
First thing is to start airmon-ng on your wireless card, if you have it as wlan0 run the command
airmon-ng start wlan0
What! You did not say I need airmon-ng, where do I get it?
It is bundled with Aircrack-ng don’t worry.
Ok, what is next?
Once you start the monitor you will receive a message informing you what the monitored interface name is, usually this is mon0. Now you can run:
airodump-ng mon0
A new application! Don’t tell me, it’s bundled with aircrack-ng, right?
You are 100% correct!
Now you will get a list of wireless networks along with the MAC addresses of the access points.
1- Look for those with WPA/WPA2 passwords
2- Select your target
3- Copy the MAC address
4- Use ctrl+c to close airodump-ng
So is that it?
Basically yes, all you need to do is run Reaver and wait. The basic command is:
reaver -b "Mac address of target network" -i mon0 -vv
reaver -b 00:11:22:33:44:55 -i mon0 -vv
What’s next?
Sit back and relax! Once Reaver has found the PIN it will automatically request the password and provide it in plain text.
OK, cool! But how can I protect my wireless network?
1- Get an access point that doesn’t have WPS enabled
2- Disable WPS if you have an option to do so
3- Some access points can limit the number of failed pins
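To make the arithmetic above concrete, and to show what the third protection actually buys you, here is an added example (not part of the original post, and not Reaver's code). The access point is a constructed in-memory stand-in that validates a 7-digit PIN in two halves exactly as described above, and can optionally lock after a chosen number of failed attempts; the search function counts how many attempts the split validation costs, and returns None when a lockout cuts it off.

```python
"""Toy model of split-validated WPS PIN checking and of a failed-attempt lockout.

Added example, not the original post's or Reaver's code. SplitValidatingAp is a
constructed stand-in for an access point; lockout_after is an assumed knob that
models the "limit the number of failed pins" protection.
"""
from typing import Optional, Tuple


class SplitValidatingAp:
    """Constructed access point: 7-digit PIN, validated as 4 digits + 3 digits."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None) -> None:
        assert len(pin) == 7 and pin.isdigit()
        self._first, self._second = pin[:4], pin[4:]
        self._lockout_after = lockout_after  # None = no lockout (the weak setting)
        self.failures = 0
        self.attempts = 0

    def try_pin(self, pin: str) -> Tuple[bool, bool]:
        """Return (first_half_ok, second_half_ok): the per-half leak described above."""
        if self._lockout_after is not None and self.failures >= self._lockout_after:
            raise RuntimeError("WPS locked after too many failed attempts")
        self.attempts += 1
        first_ok = pin[:4] == self._first
        second_ok = pin[4:] == self._second
        if not (first_ok and second_ok):
            self.failures += 1
        return first_ok, second_ok


def search_split_pin(ap: SplitValidatingAp) -> Optional[str]:
    """Exhaust each half on its own; return the PIN, or None if the AP locks up."""
    first = None
    try:
        # Phase 1: at most 10**4 tries fix the first four digits.
        for i in range(10_000):
            first_ok, second_ok = ap.try_pin(f"{i:04d}000")
            if first_ok:
                first = f"{i:04d}"
                if second_ok:
                    return first + "000"
                break
        # Phase 2: at most 10**3 - 1 more tries for the last three ("000" was tried).
        for j in range(1, 1_000):
            if ap.try_pin(first + f"{j:03d}")[1]:
                return first + f"{j:03d}"
    except RuntimeError:
        return None  # lockout stopped the search
    return None
```

Without a lockout the worst case PIN 9999999 costs 10999 attempts, the 11000 figure above, against 10^7 for a PIN checked as a whole; with a lockout of ten failures the same search stops after ten attempts.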