WPS - Crack any WPA/WPA2/WEP access point / router

Learn how to test your wireless network security. Is your mobile phone safe to talk on? Is DSL internet really 100% safe or can it be hacked?!
Sethioz
Admin
Admin
Posts: 4749
Joined: Fri Jul 27, 2007 5:11 pm
Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz
Location: unknown
Contact:

WPS - Crack any WPA/WPA2/WEP access point / router

Post by Sethioz »

WPS attacks have been possible since Dec 2011 already, but I just wrote a quick wiki article on how to attack WPS-enabled stations.
See HERE on how it can be done, that article is not very detailed, but should be enough to get you going. Maybe in future I will add screenshots to it.

UPDATE:
There's a new method to hack WPS, check out the "pixie dust" method for more info. It's a way to crack WPS pin based on the info that router gives during the first WPS pin attempt, it appears that the WPS pins are not randomly generated and it can be calculated based on the info, not all the routers are vulnerable tho. Just check out Pixie Dust and tool is called pixiewps
there's also auto pixie (or autopixie) that does it automatically, but those tools are in beta and work on only very few routers, mostly on routers available in US i think.
iyass092
Newbie..
Newbie..
Posts: 1
Joined: Mon Nov 25, 2013 11:16 am

Post by iyass092 »

I need the code for reaver, I mean the new one that your friend wrote
thanks

Post by Sethioz »

ok, will post it within 48h. have to get it from the laptop first.
Sucher
Newbie..
Newbie..
Posts: 1
Joined: Tue Dec 10, 2013 8:56 am

Post by Sucher »

Man, I stumbled across your tutorial on wps and would like to get that code as well. Thanks.

Post by Sethioz »

i completely forgot about this topic, here's the modified reaver
ryreaver-reverse.rar
(169.1 KiB) Downloaded 7671 times
Usage: copy into your /root/ or any other folder, then type in full path, like:

    /root/modifiedreaver/ryreaver-reverse

and commands are same as normal reaver. as explained this one worked on a station where normal reaver failed. normal reaver got first part of the WPS pin, but failed to get last 3 digits + checksum (last 4 digits in total), but this one did it!
GALAXYLANG
Newbie..
Newbie..
Posts: 1
Joined: Sat Jan 25, 2014 4:46 pm

Post by GALAXYLANG »

can you give me the code?

Post by Sethioz »

it's attached in previous post, are you blind?
fonzy35
Newbie..
Newbie..
Posts: 2
Joined: Sat Feb 01, 2014 7:37 am

Post by fonzy35 »

Thanks for the code.. I'm all new to linux kali, maybe 3 weeks. How do I make it run, do i have to rebuild the kernel so that he can see ryreaver-reverse to run it?

Thanks again for the program

Post by Sethioz »

dude stop being stupid, it's in previous posts how to run it. what's wrong with you?

Post by fonzy35 »

Sethioz wrote: dude stop being stupid, it's in previous posts how to run it. what's wrong with you?
lol
Thanks, it didn't work in Kali but it worked in BTR3 with ./

No stupid here, I think people come to your forum to ask questions and learn

Thanks Dude!!!

Post by Sethioz »

what exactly didn't work on kali?
i tested it on BT5, worked fine.

yes to learn, but not to ask things that have been explained.
shehroz
Newbie..
Newbie..
Posts: 2
Joined: Tue Feb 18, 2014 11:01 pm

Post by shehroz »

sorry i know that this post is quite old, i am new to reaver and linux. I would like to know how to use the code of the new reaver. I was not able to understand it from the above post, I would greatly appreciate if someone tell it step by step, thanks in advance.

Post by Sethioz »

Newbie (and best way) to get reaver working is to get one of those linuxes that has reaver pre-installed, such as BackTrack5 or Kali (i think Kali linux is next step from BT5, but i've never had the time to install Kali yet).
Once you got it, run reaver as usual, except that you have to "cd" into the /root/ of /ryreaver-reverse and then instead of "reaver" you type "ryreaver-reverse".
everything else is as normal.
or use the example seen before, then you don't have to "cd" into the root of reaver, you can just type in FULL PATH to the ryreaver-reverse, like the command seen in above post and here:

    /root/modifiedreaver/ryreaver-reverse

of course if your reaver is in different folder, you have to modify the path to fit.

Post by shehroz »

i am really sorry but i am having a bit of problem. As in the above post it is said by Sethioz that it is good to use a linux that has reaver pre-installed, so i downloaded BT5R3 and made a directory for ryreaver-reverse as cd /root/Desktop/modifiedreaver/ and placed ryreaver-reverse file here. After, i opened a terminal and according to the above post i first started my wireless card in monitor mode and then typed whole command "cd /root/Desktop/modifiedreaver/ryreaver-reverse" in the terminal and it gave me an error "(cd /root/Desktop/modifiedreaver/ryreaver-reverse is not a directory)". Then i just navigated to the folder where the ryreaver-reverse file was present i.e (cd /root/Desktop/modifiedreaver) and typed ryreaver-reverse --bssid xx:xx:xx:xx:xx -c X -vv -i mon0 and i got an error "command not found"

i am sorry if i am not able to make myself clear but i did what i understood from the post above. I would appreciate any help on what i did wrong and guidance to correct it. Thanks in Advance

Post by Sethioz »

you don't put cd in front of whole command.
ahaha it's kinda funny how nowadays people are struggling with command prompt / console.
if you want to go into folder called /blah1/ from the /root/.
lets say you have folder /root/blah1/ and your current directory is /root/, then you would enter:

    cd blah1

anyway, i was wrong about the cd thing, it won't work in this case, it makes no difference what is your current directory, you have to enter FULL PATH to run the tool.
so in your case it would be:

    /root/Desktop/modifiedreaver/ryreaver-reverse

Enter this whole thing and it will work. I think it won't work with a simple command, because ryreaver-reverse is not programmed to be a command, so you have to enter full path to run it. I'm sure there is a way to "register" it as command and to make it work by simply typing "ryreaver-reverse", but i'm not that much into linux, so i don't know how you would go about doing that.
On windows, you would have to put the files into windows/system32 (i think it was system32 and not windows root), i'm sure there's similar trick in linux, then you can type in the command from any directory and it will run.
flyinghaggis
Newbie..
Newbie..
Posts: 2
Joined: Thu Feb 27, 2014 6:20 pm

Post by flyinghaggis »

Hi, managed to get this working (ryreaver-reaver) eventually.

One problem though, I am unable to save/restart a session. Which is a little inconvenient should I need to shut the computer down. Doing this just starts the pin from the beginning again.

Even editing the wpc file does not help. Is it possible for your friend to write this back into the programme or do you have a suggestion on how I can resume a session?

Rab.

Post by Sethioz »

hmm that's odd. Well he's not around at the time, he should be back maybe in 2-3 months.
He wrote it, because we had a problem that Reaver found the first 4 digits of the pin, but it was unable to find the last 3 digits.
WPS pin works like this:
4 digits = first part of WPS pin
3 digits = second part of WPS pin
1 digit = checksum of 7 previous digits

So checksum is automatically calculated based on first 7 digits.
Even tho we ran it thru like 2-3 times, reaver did not find last 3+1 digits. So he re-wrote it and then ran the command, obviously it needed only 999 tries and it did it in less than day, so we never had to resume and never tested. It found the pin just fine tho.
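
The PIN layout described in the post above (4 digits, 3 digits, 1 checksum digit), as an added example that is not part of the thread or of reaver. It checks a PIN's checksum digit and works out how many guesses, and how much time under a lockout policy, it takes to cover every PIN. The function names, the sample PIN and the lockout figures are constructed for illustration; the split into two separately confirmed halves is taken from the thread's description.

```python
# Added example: WPS PIN layout (4 + 3 digits + checksum) and what it means
# for the worst-case number of guesses an access point has to withstand.
# Function names and the lockout figures are illustrative assumptions.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the 7 leading digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and the last one matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def worst_case_guesses(halves_confirmed_separately: bool) -> int:
    """Guesses needed to cover every PIN; the checksum digit is never guessed."""
    if halves_confirmed_separately:
        return 10**4 + 10**3      # first half, then second half
    return 10**7                  # all 7 free digits at once


def worst_case_days(guesses: int, seconds_per_guess: float,
                    lock_after: int = 0, lock_seconds: float = 0) -> float:
    """Time to exhaust `guesses` when the AP locks WPS for lock_seconds
    after every lock_after failed attempts (0 = no lockout)."""
    total = guesses * seconds_per_guess
    if lock_after:
        total += (guesses // lock_after) * lock_seconds
    return total / 86400


if __name__ == "__main__":
    print(is_valid_pin("12345670"))            # constructed sample PIN
    split = worst_case_guesses(True)
    for lock in (0, 60, 3600, 86400):          # constructed lockout policies
        print(lock, round(worst_case_days(split, 2, 3, lock), 1))
```

With the halves confirmed separately the search space drops from 10,000,000 to 11,000, so the length and persistence of the lockout decide how long a PIN holds, not the PIN itself.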

Post by flyinghaggis »

aye - but depending on the router - some can run without being locked.

The one I am trying at the moment I have set at a delay of 10 and a wait of 30 after 3 tries - taking forever lol, due in the main to previous failures.

I had to restart the comp as I wished to transfer this to my lappy and run it directly from there as it is supposed to run better (was running it through a vm). Copied the wpc to lappy and placed in same folder as proggy (root) but did not resume.

It's not a big problem now that I know the behaviour.

Sorry to hear about your mate maybe he can look into this when he gets back - hope he gets out early with good behaviour psml

I agree with one of your earlier posts concerning the Virgin Modems and the behaviour of the wps. This works on the earlier firmware r19 but as soon as I upgrade the pin fails.

Will maybe try running it without the delays in future and see what happens.

Rab.

Post by Sethioz »

It's taken me like a week to crack some of WPS pins. There are TALKTALK routers that keep failing for no reason, maybe some incompatibility issues, no idea. It works 100%, just keeps failing too often.

If you want to continue a session, find the file where reaver saves the session. It's usually a file with mac address of the station. not sure where it is tho, you have to search for "reaver" and you'll find it. in that file, first 4 digits specifies where it left the pin. It only saves first 4 digits.
So you can also resume manually by changing the reaver file, in which order it takes the pins from. you just delete from beginning to that point and it will try the remaining pins. so its one solution for "resuming" the session, but for that, you have to manually do it and remember where session was left.

lol you have some messed up mind, he's actually travelling, he said he'll be back before summer, but don't know when.

as far as i know, all the routers will unlock themselves after some time, but for some, that delay is like 2-3 days. so if you're doing it on a router you're not supposed to, you gotta wait until it unlocks. then increase the delay between pin attempts and run it again. I've had to use delay as big as 300 seconds, it's a lot, but it isn't THAT much. It should be less than a month. However if router has 8 digit password (upper or lower alpha only) and you have good enough PC, you can just take a whack at the handshake.
but yeah, virginmedia routers do not have WPS enabled. it says it is, but it isn't. If you go into settings, you will notice it. You'd have to enable the WPS pin entering. I mean WPS is enabled, but its on the "push the button" mode, so in order to connect via WPS, you have to hold the button down on router and on the WPS capable wifi card. .. not sure how it works tho, i thought that doing that, it just uses that same PIN, maybe it just enables it for that short time, like enables it for 1 minute when you press the button and then disables it.
as far as i know, WPS button just enters the pin automatically for both devices, that's all. If you have virginmedia router, go ahead and test. hold WPS button (like it says in manual in order to connect) and at same time, use reaver to try and crack the WPS pin (use specific pin, look it from router settings). It should crack it during that time.
bambito
Newbie..
Newbie..
Posts: 1
Joined: Wed Mar 05, 2014 12:06 pm

Post by bambito »

Can I get the source as this is not statically linked. The version of libpcap (0.8.x) it's linked against is over a decade old. Thanks!

Post by Sethioz »

I don't have the source, but normal reaver's source is surely free and out there somewhere. Just google for it.
If you know how to program, then it should be piece of cake for you to modify it yourself and make it do what ry-reaver does.
ale8286
Newbie..
Newbie..
Posts: 3
Joined: Mon Oct 06, 2014 4:21 pm

Post by ale8286 »

Hello,
I have some problems using ryreaver-reverse. I run Kali linux from live USB (prepared with unetbootin), since BackTrack5R3 is no longer available. I followed all the steps of the guide until I arrived at the final command, but I have the following error message

[email protected]:~/ryreaver-reverse# /root/ryreaver-reverse/ryreaver-reverse -b A4:B1:E9:EF:9A:72 -d 60 -x 3 -S -w -vv -c 8 -i mon0
/root/ryreaver-reverse/ryreaver-reverse: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

Could someone help me?
thanks a lot!

Post by Sethioz »

does normal reaver work?

Post by ale8286 »

Sethioz wrote: does normal reaver work?
I did not try... Is it installed in Kali linux or do I have to download it?

Post by ale8286 »

ale8286 wrote:
Sethioz wrote: does normal reaver work?
I tried to use normal reaver and it seems to work, but it stops here and I do not receive any other message (I do not know if it is ok)

[email protected]:~# reaver -b A4:B1:E9:EF:9A:72 -d 60 -x 3 -S -w -vv -c 8 -i mon0

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching mon0 to channel 8
[+] Waiting for beacon from A4:B1:E9:EF:9A:72

Post by Sethioz »

i'm not sure what that -x 3 is there, but this happens when station has really poor signal. I've had this a few times and it's always caused by crap signal. Only way to measure the true signal strength is using Wifi Hopper on XP, rest of the tools fail badly.

Well you can use airodump, set it onto the channel where your station is (in your case channel 8) and then adjust the antenna based on the beacons you receive, it's not best method, but usually when it does not skip beacons, then it means you have good signal.

if normal reaver works and other one doesn't, i don't know where the issue is, since my friend only modified the order it works in, he didn't change any libraries or files.