Ethical Hacking and Penetration Testing Guide ( PDFDrive )
Using Reaver to Crack WPS-Enabled Wireless Networks
Reaver is the penetration tester’s ultimate choice: this tool can help you crack WPA/WPA2 keys
within a matter of hours. Reaver does not directly brute-force the WPA/WPA2 keys; it brute-forces
the WPS pins instead. The WPS pins are eight digits in length, and as most routers use default pins,
they can easily be compromised.
Reaver compromises the pin either by trying the default pins or by brute force, which won’t take
long, since eight-digit pins would have only 10,000,000 (10^7) combinations to try: the last digit
can be calculated from the first seven according to the official documentation.
Once reaver compromises the pin, it gets authenticated as a valid external registrar. A registrar
has access to all the configurations of the access point, which includes the WPA/WPA2
keys. For this attack to work, the access point must have WPS enabled. The good thing is that
we will find it enabled on most of the access points we encounter. Let’s see how we can use reaver
to crack WPS-enabled wireless networks.
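The precondition above (WPS enabled, with an external registrar allowed to read the AP configuration) is the part a defender can check. The following audit script is an added example and is not code from the book or from the reaver project: it parses a hostapd-style configuration and reports the settings that leave the WPS pin path open. It assumes hostapd's documented keys `wps_state` (0 = WPS disabled, 1 = enabled but not configured, 2 = enabled and configured), `ap_setup_locked` (1 = refuse reconfiguration by external registrars) and `ap_pin` (a static AP pin); the two sample configurations are constructed for the example.

```python
# Added example (not from the book or reaver): audit a hostapd.conf for the
# WPS external-registrar exposure described in the text.
# Assumed hostapd keys: wps_state (0 disabled / 1 not configured / 2 configured),
# ap_setup_locked (1 = locked against external registrars), ap_pin (static PIN).
from typing import Dict, List


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored,
    and a key repeated later in the file overrides the earlier value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means WPS is disabled."""
    findings: List[str] = []
    # Assumption: hostapd treats a missing wps_state as 0 (WPS off).
    wps_state = conf.get("wps_state", "0")
    if wps_state == "0":
        return findings
    findings.append(
        f"WPS enabled (wps_state={wps_state}): external registrar PIN "
        "exchange is reachable, so the WPA/WPA2 key can be read out once "
        "the pin is known"
    )
    # Assumption: a missing ap_setup_locked means unlocked.
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append(
            "ap_setup_locked is not 1: the AP accepts reconfiguration "
            "by external registrars"
        )
    if "ap_pin" in conf:
        findings.append(
            "static ap_pin configured: the pin never rotates, so repeated "
            "guessing attempts eventually succeed"
        )
    return findings


# Constructed sample: the weak configuration the text relies on.
WEAK_CONF = """\
interface=wlan0
ssid=PTCL-BB
wpa=2
wpa_passphrase=CHANGEME-example-only
# WPS left on with a fixed pin and no registrar lock
wps_state=2
ap_pin=12345670
"""

# Constructed sample: same AP with WPS turned off (the mitigation).
HARDENED_CONF = """\
interface=wlan0
ssid=PTCL-BB
wpa=2
wpa_passphrase=CHANGEME-example-only
wps_state=0
"""


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit one configuration file body."""
    return audit_wps(parse_hostapd_conf(text))


if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_text(body)
        print(f"{name}: {'no WPS exposure' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Setting `wps_state=0` removes the attack surface entirely; `ap_setup_locked=1` only limits what a registrar can change and does not stop pin guessing, which is why the script reports it as a separate, weaker finding.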
Step 1 — Make sure that your wireless card is in monitor mode.
Step 2 — Next, we use airodump-ng to select the target we want to attack.
In this case we target the access point with ESSID PTCL-BB and BSSID F4:3E:61:F5:FC:49.
We will copy the BSSID, since this will be the only input required for reaver to work.
Step 3 — Now, we will use reaver to attack our access point. The command would be as follows:
reaver -i mon0 -b F4:3E:61:F5:FC:49 -vv
The -i parameter specifies the interface, which is mon0, followed by the -b parameter
used to define the BSSID and -vv for the verbosity. The verbosity is set to twice, which means
that it will display each pin as it’s tried against the access point.