Nathan Heafner

Linux, Networking & Security

Hacking my own router with Reaver, guide to brute forcing Wifi Protected Setup

I thought I would share how easy it is to take down a router that, like my own, is vulnerable to WPS attacks. Reaver is an open source tool that brute-forces WPS (Wi-Fi Protected Setup). WPS relies on a PIN (usually printed on the bottom of your router) that lets you authenticate other devices to your wireless network without typing in a password. With enough time, Reaver can recover this PIN and, with it, reveal the WPA or WPA2 password.
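To see why "enough time" is hours rather than years, here is an added illustration (not code from the original post or from Reaver) of the two design flaws in the WPS PIN that make brute forcing feasible: the eighth digit is a checksum of the first seven, and the protocol confirms the first four digits separately from the rest, so the two halves can be searched independently. The attempt rate passed to worst_case_hours is an assumed value for illustration.

```python
# Added example: the weak points of the WPS PIN, modelled from the spec.
#  1. The 8th digit is a checksum over the first seven, so only 10**7 of the
#     10**8 eight-digit strings are valid PINs.
#  2. The access point signals whether the FIRST half (4 digits) is correct
#     before the second half is checked, so an attacker can fix the first
#     half and then search the second: 10**4 + 10**3 candidates in total
#     (the second half has 3 free digits; the 4th is the derived checksum).

def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit the WPS spec appends to a 7-digit PIN body."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven digits")
    digits = [int(c) for c in first_seven]
    # Digits in odd positions (1st, 3rd, 5th, 7th) weigh 3, the others weigh 1.
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def naive_keyspace() -> int:
    """What an 8-digit PIN would cost if every digit had to be guessed at once."""
    return 10 ** 8


def effective_keyspace() -> int:
    """Worst-case attempts once the halves are confirmed separately: 11,000."""
    first_half = 10 ** 4          # digits 1-4, all free
    second_half = 10 ** 3         # digits 5-7 free, digit 8 is the checksum
    return first_half + second_half


def worst_case_hours(attempts_per_second: float) -> float:
    """Hours to exhaust the effective keyspace at an assumed attempt rate."""
    return effective_keyspace() / attempts_per_second / 3600


if __name__ == "__main__":
    sample = "12345670"  # constructed sample PIN with a correct checksum digit
    print(sample, "valid:", is_valid_wps_pin(sample))
    print("naive keyspace:", naive_keyspace(), "effective:", effective_keyspace())
    print("worst case at 1.5 attempts/s:", round(worst_case_hours(1.5), 2), "hours")
```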

Getting Started
To get started you will need to be on Linux with the aircrack-ng suite and Reaver installed, and your wireless NIC will need to be put into monitor mode. I'm using Ubuntu on a friend's computer for this post. You'll notice I've masked some personal details in the images below to hide my router's details. I'll explain as we move along.

In Ubuntu (Debian) you can install aircrack-ng and Reaver just like you install everything else.

If you need to download Ubuntu, or need help installing it, you can use this page:
http://www.ubuntu.com/download/desktop

Next you need to put your wireless card into monitor mode (the monitor interface is mon0). I'm using an internal wireless card, so my wireless interface is wlan0; run ifconfig to check whether yours is wlan0 or wlan1. To put your interface into monitor mode you would run the following:

Next you need to obtain the BSSID, the unique identifier of the router you wish to crack. Here's a screenshot of me running airodump to grab my access point's BSSID. It's masked for privacy reasons, but you get the point.

[Screenshot: bssid]

Now you can start up reaver.

[Screenshot: startingreaver]

Now Reaver runs for a while, trying to brute-force the WPS PIN.

[Screenshot: reaverinprogress]

After about 2 hours, Reaver hits my PIN and gives up the password for the router. In the screenshot I re-ran Reaver with my PIN supplied first to save time. And that's it. It's that easy.

 

passwordgot

 

 

If you need any help with the commands you can ask for help, or read the man pages.

Protecting yourself
The easiest way to protect yourself is to turn WPS off. However, some routers don't have an option to turn it off, and some routers remain vulnerable even when the feature is disabled. Personally I would recommend using a third-party firmware on your router, like DD-WRT. DD-WRT doesn't support WPS, so no worries there.

Further reading:
If you're looking to learn more about wireless hacking and Reaver, here are some links I would suggest.

http://www.aircrack-ng.org – aircrack-ng suite
http://code.google.com/p/reaver-wps/ – Reaver webpage, which also has a point-and-click commercial version.

Here is a spreadsheet of vulnerable routers. I'm not sure how current it is, so the best way to see whether your (or another) router is vulnerable is to use Reaver's wash tool.


  • justICEserved

    Never knew about Reaver, too bad my router doesn't allow me to actually turn off WPS.

  • Waseem

    If I know the WPS, then how can I break the password immediately???

    • nathan1465

      Hey Waseem,
      if you know the pin, you can use

      --pin 1234567890

  • Raju Hemnani

    Dear Sir,

    Can you give me the full command to enter if I already have the WPS PIN?