]
10-03-2012, 02:08 PM
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 100,000,000 possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10,000,000 possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10,000 possible values for the first half of the pin and 1,000 possible values for the second half of the pin, with the last digit of the pin being a checksum.
Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number, once the pin is guessed the AP will happily give out the plain text password to your console.
Brute forcing using This method can take anywhere from 10 minutes to 10 hours, Reaver will try the most common pin's first and can be paused at any time by hitting Ctrl + c this will stop the program and save it's progress to be resumed at any time, also once Reaver has successfully found the pin it will save it so even if the password is changed it can be recovered in a matter of seconds!
Fist we need to put our card into monitor mode, the easiest way to do this is the aircrack suite
then use:
and that's all there is to it just sit back and wait, if you are getting a lot of errors or the program sits cycling through channels the most likely cause is you are too far from the AP and need to move closer.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 100,000,000 possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10,000,000 possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10,000 possible values for the first half of the pin and 1,000 possible values for the second half of the pin, with the last digit of the pin being a checksum.
Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number, once the pin is guessed the AP will happily give out the plain text password to your console.
Brute forcing using This method can take anywhere from 10 minutes to 10 hours, Reaver will try the most common pin's first and can be paused at any time by hitting Ctrl + c this will stop the program and save it's progress to be resumed at any time, also once Reaver has successfully found the pin it will save it so even if the password is changed it can be recovered in a matter of seconds!
Fist we need to put our card into monitor mode, the easiest way to do this is the aircrack suite
Hidden Content
then use:
Hidden Content
and that's all there is to it just sit back and wait, if you are getting a lot of errors or the program sits cycling through channels the most likely cause is you are too far from the AP and need to move closer.