Cracking WPA and WPA2 Encryption by Exploiting WPS Using Reaver

Posted by Aaron John on January 15, 2019

In this documentation I will discuss the steps to take on how to bypass issues that one would usually face when using Reaver to crack into routers that have Wifi Protected Setup (WPS) enabled.

I will presume you have a wireless adapter that supports monitor mode and packet injection along with Kali Linux installed (or other penetration testing OS installed).

Below I have documented the process for using Reaver and working around the issues you may hit along the way. Reaver is a tool that comes pre-installed in Kali and is used to run a brute-force attack against the WPS registrar PIN (WPS uses an 8-digit PIN) in order to recover the WPA/WPA2 passphrase. However, Reaver does not work against all routers. It only works against PBC (Push Button Configuration) authentication, meaning the WPS router has to be configured for PBC. In some Wi-Fi Protected Setup networks, the user may connect multiple devices to the network and enable data encryption by pushing a button. The access point/wireless router will have a physical button, and other devices may have a physical or software-based button.
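To see why an 8-digit PIN is a far smaller secret than it looks, and therefore why WPS PIN entry is worth disabling on any access point you are responsible for, here is an added Python example. It is not code from the original post or from Reaver. The checksum algorithm is the one published in the Wi-Fi Simple Configuration specification; the search-space arithmetic follows from the protocol reporting failure of each half of the PIN separately. The PIN value 12345670 used below is a widely published checksum-valid example, not a credential for any real device.

```python
"""WPS PIN checksum and effective brute-force space.

Added example, not from the original post or from Reaver. The checksum
algorithm is the one in the Wi-Fi Simple Configuration specification; the
search-space figures follow from the registrar confirming the two halves of
the PIN independently.
"""


def wps_checksum(first_seven: int) -> int:
    """Return the eighth (checksum) digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,3,1,3 from most to least significant and
    summed; the checksum is the digit that makes the total a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("first_seven must be a 7-digit value (0..9999999)")
    accum = 0
    n = first_seven
    for position in range(7):
        digit = n % 10
        n //= 10
        # The least-significant digit (position 0) carries weight 3, then the
        # weights alternate 1, 3, 1, ... towards the most-significant digit.
        accum += 3 * digit if position % 2 == 0 else digit
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight decimal digits whose last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def effective_search_space() -> dict:
    """Upper bound on online PIN attempts, next to the naive counts.

    The registrar reports a failure of the first half (digits 1-4) and of the
    second half (digits 5-8) separately, and digit 8 is fixed by digits 1-7, so
    the halves are searched independently: 10**4 + 10**3 attempts at most,
    instead of 10**7 valid PINs.
    """
    first_half = 10 ** 4
    second_half = 10 ** 3
    return {
        "naive_8_digit": 10 ** 8,
        "valid_pins": 10 ** 7,
        "first_half_attempts": first_half,
        "second_half_attempts": second_half,
        "worst_case_attempts": first_half + second_half,
    }


if __name__ == "__main__":
    # 12345670 is a widely published example of a checksum-valid PIN.
    print(is_valid_wps_pin("12345670"))
    print(effective_search_space()["worst_case_attempts"])
```

The practical takeaway for an AP owner is in `effective_search_space()`: a lockout after a handful of failed attempts (the "WPS Lock" discussed later) is the only thing standing between an attacker and at most 11,000 guesses, so disabling the PIN method entirely is the robust fix.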

  • The issues below were documented against a very secure router, so you may or may not run into them with Reaver. With that noted, let’s move on to the main course of this documentation.
  1. First we will go to the terminal and run the wash command to find all WPS-enabled routers around us.

    wash -i wlan0

    (Note: The above command should give you a list of routers that have WPS enabled.)

  2. Next, we will run Reaver against the target WPS-enabled router.

    reaver -b (input AP mac address here) -c (input AP channel here) -i wlan0

    (Note: in the above command -b is the BSSID of the target router, -c is the channel of the router and -i is the interface of the wireless adapter, which in my case is wlan0.)

If a “Failed to associate” error shows up when running the Reaver command, do the following:

  1. When the “Failed to associate” warning shows up, we will manually associate with the target router using aireplay-ng to bypass the issue. To do this we will open another terminal window (I am using the terminator application, which lets me split windows). We will run the Reaver command in one window and aireplay-ng in the other at the same time. We will pass the -A option to Reaver so that it does not try to associate with the target itself, since we are doing that manually with aireplay-ng. For the aireplay-ng command we will do a fake authentication with a delay of 100 seconds before re-associating with the router.

  2. Now we will get these two commands ready in separate windows. First run the Reaver command, then immediately after run the aireplay-ng command. This should successfully bypass the “Failed to associate” issue.

    reaver -b (input AP mac address here) -c (input AP channel here) -i wlan0 -A -vvv

    (Note: in the above command -vvv turns on verbose output, which means everything that happens in the background of the Reaver tool will be printed to the screen. Type reaver --help in the terminal for more info.)

    aireplay-ng --fakeauth 100 -a (input AP mac address here) -h (input attack machine mac address here) wlan0

    (Note: in the above command -a is the mac address of the router and -h is the mac address of your attack machine. To find your own mac address, run ifconfig in the terminal; if you see an unspec field, it’s the first 12 hex digits. Make sure to replace the ‘-‘ with a ‘:’ when typing the mac address for the -h option.)

If the “WPS transaction failed (code: 0x02)” or “(code: 0x03), re-trying last pin” errors show up when running the Reaver command, do the following:

  1. Looking at the verbose output, Reaver seems to be stuck in a loop where it keeps retrying the same PIN over and over because of a timeout. Since Reaver does not know whether the PIN it tried was correct or wrong, it retries the same PIN again, gets stuck in the loop, and makes no progress.

    reaver --help

    (Note: we will use the option -N / --no-nacks to not send NACK messages, since this seems to be what causes Reaver to get stuck in this loop.)

  2. Run the commands below simultaneously: first the Reaver command in one window, then immediately after the aireplay-ng command in another window. The -N option for Reaver should successfully bypass the 0x02 and 0x03 errors.

    reaver -b (input AP mac address here) -c (input AP channel here) -i wlan0 -A -vvv -N

    aireplay-ng --fakeauth 100 -a (input AP mac address here) -h (input attack machine mac address here) wlan0

    (Note: in the above commands we are associating Reaver manually using aireplay-ng, which is why the -A option is there, and -vvv is for verbose output.)

If “WPS Lock : Yes” shows up in your wash output, do the following; otherwise you are lucky!

  1. Eventually another error may show up in Reaver: “Detected AP rate limiting…”. To understand this issue, we will look at the WPS Lock concept.
    • First, we exploit WPS by brute-forcing its PIN, which means we use the Reaver tool to try every possible PIN combination. However, some routers lock after a number of failed attempts, while others are configured never to lock regardless of how many wrong PINs are entered.
    • The problem is that a locked router refuses all PINs, even if we send it the right PIN afterwards, and it may take anywhere from a minute to days for the router to unlock :o
    • We have two solutions to this problem (I personally would use Solution 2!):
  2. Solution 1 is to get the user to reset their router by sending an endless stream of deauth packets, hoping that one of the users will think something is wrong with the network router and will go and turn it off and back on. When the client does this the router is unlocked and we can resume Reaver’s progress.

    aireplay-ng --deauth 100000000000 -a (input AP mac address here) wlan0

    (Note: in the above command -a is the mac address of the target router.)

  3. Solution 2 is to use a tool called MDK3 to remotely unlock locked routers. MDK3 is a tool designed to exploit a number of weaknesses in the 802.11 protocol which can cause the router to reset. We will run a DoS (Denial of Service) attack against the target router. This flood will overwhelm the router and cause it to reset everything, including the WPS lock. Since Reaver supports pause and resume, we can continue where we left off once WPS is unlocked.

    mdk3 --help -a

    (Note: the above command shows more info on the authentication DoS mode. To see more info on MDK3 in general, type mdk3 --help.)

    mdk3 wlan0 a -a (input AP mac address here) -m

    (Note: in the above command, a selects the authentication DoS mode and -a is the mac address of the router. Here mdk3 generates a large number of client MACs (-m) which are used to connect (send authentication frames) to the target WPS-enabled router in order to freeze/reset it.)

  4. Sometimes you might see the MDK3 tool report that the router is invulnerable; let it run up to 60,000 connected clients anyway to see if it works (keep in mind this attack may not work against some routers). To double check whether the router has been reset, Ctrl+C out of mdk3 at around 15,000 connected clients and run a wash command to see if WPS is unlocked.

    wash -i wlan0

    You will know the WPS Lock of the router has been reset if it says “No” in the wash table. If that’s the case, we can resume the Reaver attack to crack the WPS PIN, and repeat the above mdk3 process if WPS gets locked again :)
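From the defender's side, both unlock methods above are loud: Solution 1 floods the AP's BSSID with deauthentication frames, and Solution 2 sends authentication frames from a large number of fabricated client addresses. The following Python analyzer is an added example, not code from the post, from aireplay-ng or from mdk3, that flags both patterns in a list of management-frame records of the kind a wireless IDS sensor or a capture parser would hand over. The record layout (timestamp in seconds, frame subtype name, source MAC, BSSID), the thresholds, the BSSID and client addresses, and the sample frames are all constructed assumptions for this example.

```python
"""Flag deauthentication floods and authentication floods per BSSID.

Added example, not part of the original post or of any tool it describes.
Input records are assumed to be (timestamp_seconds, subtype, source_mac, bssid)
with subtype being an 802.11 management subtype name such as "auth",
"assoc_req", "deauth" or "disassoc".
"""
from collections import defaultdict, deque

# Assumed thresholds for the constructed data; tune them per site.
WINDOW_SECONDS = 10.0
DEAUTH_FRAMES_PER_WINDOW = 50      # a healthy AP sends a handful, not dozens
AUTH_DISTINCT_SRC_PER_WINDOW = 30  # a MAC-spoofing auth flood shows many sources


def detect_floods(frames, window=WINDOW_SECONDS,
                  deauth_limit=DEAUTH_FRAMES_PER_WINDOW,
                  auth_limit=AUTH_DISTINCT_SRC_PER_WINDOW):
    """Return a time-ordered list of (timestamp, bssid, alert_type).

    One alert per (bssid, alert_type) is raised the first time a sliding
    window crosses its threshold. Deauth/disassoc frames are counted; auth
    frames are judged by the number of distinct source addresses, because a
    single client reconnecting repeatedly is normal, forty new ones are not.
    """
    frames = sorted(frames)                 # order by timestamp
    deauth_win = defaultdict(deque)         # bssid -> timestamps in window
    auth_win = defaultdict(deque)           # bssid -> (timestamp, src) in window
    alerted = set()
    alerts = []

    for ts, subtype, src, bssid in frames:
        if subtype in ("deauth", "disassoc"):
            q = deauth_win[bssid]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            key = (bssid, "deauth_flood")
            if len(q) >= deauth_limit and key not in alerted:
                alerted.add(key)
                alerts.append((ts, bssid, "deauth_flood"))
        elif subtype == "auth":
            q = auth_win[bssid]
            q.append((ts, src))
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct_sources = len({s for _, s in q})
            key = (bssid, "auth_flood")
            if distinct_sources >= auth_limit and key not in alerted:
                alerted.add(key)
                alerts.append((ts, bssid, "auth_flood"))
    return alerts


def build_sample_frames():
    """Constructed sample frames (not a real capture): benign baseline, then
    a deauth flood, then an auth flood from fabricated client addresses."""
    ap = "AA:BB:CC:00:00:01"   # constructed BSSID
    frames = []
    # Benign baseline: three clients join over a minute, AP sends two deauths.
    for i, client in enumerate(["DE:AD:BE:EF:00:01",
                                "DE:AD:BE:EF:00:02",
                                "DE:AD:BE:EF:00:03"]):
        frames.append((1.0 + 20 * i, "auth", client, ap))
        frames.append((1.5 + 20 * i, "assoc_req", client, ap))
    frames.append((30.0, "deauth", ap, ap))
    frames.append((55.0, "deauth", ap, ap))
    # Deauth flood: 60 frames in two seconds, AP address spoofed as source.
    for k in range(60):
        frames.append((100.0 + k / 30.0, "deauth", ap, ap))
    # Auth flood: 40 authentication frames from 40 different made-up clients.
    for k in range(40):
        fake_src = f"02:00:00:00:{k // 256:02X}:{k % 256:02X}"
        frames.append((200.0 + k / 20.0, "auth", fake_src, ap))
    return frames


if __name__ == "__main__":
    for ts, bssid, kind in detect_floods(build_sample_frames()):
        print(f"{ts:8.3f}  {bssid}  {kind}")
```

On the constructed data the two benign deauths and the three real client logins never cross a threshold, while the flood segments each produce exactly one alert. In a real deployment the same logic runs over frames from a monitor-mode sensor, and the useful response to a `deauth_flood` or `auth_flood` alert on one of your own BSSIDs is to check that AP's WPS state and disable WPS rather than wait for the lockout to reset.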