A new, free, open-source tool called Reaver exploits a security hole in wireless routers and
can crack most routers' current passwords with relative ease. Here's how to crack a WPA or
WPA2 password, step by step, with Reaver, and how to protect your network against Reaver
attacks.
BackTrack is a bootable Linux distribution that's filled to the brim with network testing tools,
and while it's not strictly required to use Reaver, it's the easiest approach for most users.
Download the Live DVD from BackTrack's download page and burn it to a DVD. You can
alternately download a virtual machine image if you're using VMware, but if you don't know
what VMware is, just stick with the Live DVD. As of this writing, that means you should
select BackTrack 5 R1 from the Release drop-down, select Gnome, 32- or 64-bit depending
on your CPU (if you don't know which you have, 32 is a safe bet), ISO for image, and then
download the ISO.
A computer with Wi-Fi and a DVD drive.
BackTrack will work with the wireless card on most laptops, so chances are your laptop will
work fine. However, BackTrack doesn't have a full compatibility list, so no guarantees. You'll
also need a DVD drive, since that's how you'll boot into BackTrack. I used a six-year-old
MacBook Pro.
A nearby WPA-secured Wi-Fi network.
Technically, it will need to be a network using WPA security with the WPS feature enabled.
I'll explain in more detail in the "How Reaver Works" section how WPS creates the security
hole that makes WPA cracking possible.
A little patience.
This is a 4-step process, and while it's not terribly difficult to crack a WPA password with
Reaver, it's a brute-force attack, which means your computer will be testing a number of
different combinations of cracks on your router before it finds the right one. When I tested it,
Reaver took roughly 2.5 hours to successfully crack my password. The Reaver home page
suggests it can take anywhere from 4-10 hours. Your mileage may vary.
To boot into BackTrack, just put the DVD in your drive and boot your machine from the disc.
(Google around if you don't know anything about live CDs/DVDs and need help with this
part.) During the boot process, BackTrack will prompt you to choose the boot mode. Select
"BackTrack Text - Default Boot Text Mode" and press Enter.
Eventually BackTrack will boot to a command line prompt. When you've reached the prompt,
type startx and press Enter. BackTrack will boot into its graphical interface.
Step 2: Install Reaver
Reaver has been added to the bleeding edge version of BackTrack, but it's not yet
incorporated with the live DVD, so as of this writing, you need to install Reaver before
proceeding. (Eventually, Reaver will simply be incorporated with BackTrack by default.) To
install Reaver, you'll first need to connect to a Wi-Fi network that you have the password to.
Click Applications > Internet > Wicd Network Manager.
Select your network and click Connect, enter your password if necessary, click OK, and then
click Connect a second time.
Now that you're online, let's install Reaver. Click the Terminal button in the menu bar (or
click Applications > Accessories > Terminal). At the prompt, type:
root@root:~# apt-get update
If all went well, Reaver should now be installed. It may seem a little lame that you need to
connect to a network to do this, but it will remain installed until you reboot your computer. At
this point, go ahead and disconnect from the network by opening Wicd Network Manager
again and clicking Disconnect. (You may not strictly need to do this. I did just because it felt
like I was somehow cheating if I were already connected to a network.)
Step 3: Gather Your Device Information, Prep Your Crackin'
In order to use Reaver, you need to get your wireless card's interface name, the BSSID of the
router you're attempting to crack (the BSSID is a unique series of letters and numbers that
identifies a router), and you need to make sure your wireless card is in monitor mode. So let's
do all that.
Find your wireless card:
root@root:~# iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
wlan0
Put your wireless card into monitor mode: Assuming your wireless card's interface name is
wlan0, execute the following command to put your wireless card into monitor mode:
This command will output the name of the monitor mode interface, which you'll also want to
make note of. Most likely, it'll be mon0. Make note of that.
Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier
of the router you're attempting to crack so that you can point Reaver in the right direction. To
do this, execute the following command:
root@root:~# airodump-ng wlan0
(Note: If airodump-ng wlan0 doesn't work for you, you may want to try the monitor interface
instead, e.g., airodump-ng mon0.)
You'll see a list of the wireless networks in range; it'll look something like the screenshot
below:
[ CH 1 ] [ Elapsed: 4s ] [ 2012-03-20 13:23 ] [ WPA handshake: 00:14:6C:7E:40:80
BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:09:6B:1C:AA:1D   11  16       10              11  54.  OPN              NETGEAR
00:14:9C:7A:41:81   34 100       57     14           11e  WEP  WEP         bigbear
00:14:DC:7E:40:80   32 100      752     73           54   WPA  TKIP   PSK  teddy
...
When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy
that network's BSSID (it's the series of letters, numbers, and colons on the far left). The
network should have WPA or WPA2 listed under the ENC column.
Now, with the BSSID and monitor interface name in hand, you've got everything you need to
start up Reaver.
Step 4: Crack a Network's WPA Password with Reaver
Now execute the following command in the Terminal, replacing bssid and moninterface with
the BSSID and monitor interface you copied down above:
root@root:~# reaver -i moninterface -b bssid -vv
For example, if your monitor interface was mon0 like mine, and your BSSID was
8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:
root@root:~# reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of
PINs on the router in a brute-force attack, one after another. This will take a while. In my
successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver me
the correct password. As mentioned above, the Reaver documentation says it can take
between 4 and 10 hours, so it could take more or less time than I experienced, depending.
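Seen from the access point's side, the one-PIN-after-another pattern described above shows up as a long run of failed WPS attempts from one client. The following is an added example, not part of the original article or of Reaver: a sliding-window detector run over constructed log lines. The log layout, the WPS-FAIL and WPS-SUCCESS event names, the AP name, the MAC addresses and the threshold values are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log layout: "<ISO timestamp> <ap-name> <EVENT> sta=<client MAC>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ WPS-FAIL sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


def constructed_log():
    """Build sample log text (constructed for this example, not real output)."""
    start = datetime(2012, 3, 20, 13, 30, 0)
    # One client failing WPS every 4 seconds: the one-PIN-after-another pattern.
    lines = [
        f"{(start + timedelta(seconds=4 * i)).isoformat()} ap1 WPS-FAIL sta=02:00:00:aa:bb:01"
        for i in range(12)
    ]
    # A legitimate user who mistypes the PIN twice, minutes apart, then succeeds.
    lines += [
        "2012-03-20T13:31:10 ap1 WPS-FAIL sta=02:00:00:cc:dd:02",
        "2012-03-20T13:40:10 ap1 WPS-FAIL sta=02:00:00:cc:dd:02",
        "2012-03-20T13:40:30 ap1 WPS-SUCCESS sta=02:00:00:cc:dd:02",
    ]
    return "\n".join(sorted(lines))  # ISO timestamps sort chronologically


def find_wps_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client MAC: peak WPS failures inside any sliding window}
    for clients that reach `threshold` failures within `window`."""
    recent = defaultdict(deque)  # client MAC -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # successes and unrelated events are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["sta"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            peaks[m["sta"]] = max(peaks.get(m["sta"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for sta, count in find_wps_bruteforce(constructed_log()).items():
        print(f"ALERT: {count} WPS PIN failures within 5 minutes from {sta}")
```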