Reaver Download Hack WPS Pin WiFi Networks


Steven, Aug 19, 2024, 10:57:13 AM, to sembgesptata

I can grab the 4 way handshake in a matter of seconds then go back to some deep dark hole to brute force it on a power machine. Whereas reaver needs access to the AP which I can only assume means it's making network noise. Common sense would dictate that the more network noise there is the worse off you are.

Brute-forcing the four-way handshake can be completely silent: an attacker can set up a card to passively listen for someone connecting to the AP, record the handshake, and brute-force it at their leisure. It is impossible to tell if someone is doing this.

Cracking WPS, in contrast, is quite noisy. It can only be performed through active contact with the AP, which means the AP's administrator can find out about the attack even if you guess the PIN on the first try. Each PIN attempt requires roughly half a dozen exchanges with the AP, which can be detected by anyone running a wireless IDS. Further, some APs will flag that WPS has been locked out due to too many failures, which can be spotted by anyone scanning for APs in the area. The AP may also be configured to notify an administrator if the WPS lockout has been triggered.
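To show the defender's side of the point above (and the 3-failure lockout a later reply describes), here is a small detector added to this thread, not something any poster wrote: it runs over constructed wireless-IDS log lines and flags a station racking up WPS PIN rejections against one AP, plus the AP's own lockout notice. The log format, the event names and the threshold of three failures in 60 seconds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sensor log format: "<iso-timestamp> <event> ap=<bssid> sta=<client|->"
# wps_nack = AP rejected a PIN attempt; wps_locked = AP announced WPS lockout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>wps_nack|wps_locked) "
    r"ap=(?P<ap>[0-9A-F:]{17}) sta=(?P<sta>\S+)$"
)

# Constructed sample: one station fails four PINs in 13 s and trips the
# lockout; a second station mistypes a PIN twice, 90 s apart (benign).
SAMPLE_LOG = """\
2024-08-19T10:57:00 wps_nack ap=AA:BB:CC:DD:EE:01 sta=11:22:33:44:55:66
2024-08-19T10:57:04 wps_nack ap=AA:BB:CC:DD:EE:01 sta=11:22:33:44:55:66
2024-08-19T10:57:09 wps_nack ap=AA:BB:CC:DD:EE:01 sta=11:22:33:44:55:66
2024-08-19T10:57:13 wps_nack ap=AA:BB:CC:DD:EE:01 sta=11:22:33:44:55:66
2024-08-19T10:57:14 wps_locked ap=AA:BB:CC:DD:EE:01 sta=-
2024-08-19T11:30:00 wps_nack ap=AA:BB:CC:DD:EE:02 sta=66:55:44:33:22:11
2024-08-19T11:31:30 wps_nack ap=AA:BB:CC:DD:EE:02 sta=66:55:44:33:22:11
"""

def parse_line(line):  # -> (timestamp, event, ap, sta), or None if unrecognised
    m = LINE_RE.match(line.strip())
    return m and (datetime.fromisoformat(m["ts"]), m["event"], m["ap"], m["sta"])

def detect_wps_bruteforce(lines, max_failures=3, window_s=60):
    """Return (kind, ap, sta, timestamp) alerts: 'pin_bruteforce' when one station
    exceeds max_failures NACKs at one AP inside window_s seconds (assumed
    threshold), 'wps_locked' whenever the AP itself reports a lockout."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # (ap, sta) -> timestamps of recent NACKs
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unrelated sensor output
        ts, event, ap, sta = rec
        if event == "wps_locked":
            alerts.append(("wps_locked", ap, sta, ts))
            continue
        q = recent[(ap, sta)]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):  # slide the window
            q.popleft()
        if len(q) > max_failures and (ap, sta) not in flagged:
            flagged.add((ap, sta))  # one alert per (ap, sta) pair
            alerts.append(("pin_bruteforce", ap, sta, q[0]))
    return alerts
```

Feeding `SAMPLE_LOG.splitlines()` to `detect_wps_bruteforce` yields two alerts for the first AP and none for the second, which is the behaviour a wireless IDS rule would want: a couple of mistyped PINs stay quiet, a run of them does not.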

Reaver is more noisy. A person might look at their router and see the wifi light flashing on it when their computers are off. Most people would just think their kids gave out the wifi password, or they would think it's odd but not look into it. I have seen some routers that have a WPS lock light on them, so after too many failed attempts the router will disable WPS for a certain amount of time. If the person knows about WPS cracking and sees the WPS lock light on his router, it is likely he will be looking out his front window. So I believe using aircrack to capture a handshake is more stealthy than using reaver.

I have experimented with Reaver over the past few days. In my opinion, this tool is dead.

The first reason is that only a percentage of routers can be WPS attacked. Compare the outputs from airodump-ng and wash. There might be 20 WPA networks shown in airodump-ng but only 8 will be WPS crackable as shown by wash.

The second reason is that all (?) routers now have WPS locking.

I have spent considerable time with Reaver's various options such as -E (eap-terminate), -L (ignore WPS locks), -t (timeout period), -A (no associate; do so via aireplay-ng), and -d (set delays between pin attempts).

Without fail, I always get either:

[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking [or any other length I set]

WPS transaction failed (code: 0x02), re-trying last pin

I have tried the ReVdK3-r1.sh script. This did not work as it prevented Reaver from associating with APs. I also tried running mdk3 manually with Reaver on. Again, same problem: no association.

I have used mdk3 in the past to unlock a locked router. However, once I tried Reaver again, after a few attempts the router just locked itself as before.

The issue is how to prevent locking in the first place. My impression is that there is no way to avoid this. If the router is designed to lock, it will lock.

So, I ask the simple question. Is Reaver 100% dead? If not, is there any viable way to use it?

From a security tester point of view, a lot of companies will buy an AP, deploy it and then forget about it. Locking and all other protections are good but if the AP was deployed a few years ago and never touched then the company will be vulnerable till the AP dies and someone goes out and buys a new one with the new protections in place.

Well, here's the thing I noticed down here in my location with WPS networks: whenever a customer upgrades or downgrades or moves, or the equipment dies, or the ISP claims the device is dead, customers get a new modem. What I noticed in my area recently is that a lot of these xfinitywifi are popping up, which tells me these customers have recently had their hardware upgraded, so likely a WPS attack on them would not be worth it.

Well, let's just say that Comcast customers who have an SSID that starts with HOME-#### likely have a bundled cable modem and router package. I myself had this before I bought my own DOCSIS 3.0 cable modem online and started using my own router that I bought. Anyway, before I upgraded my stuff, when I had the service put in, my SSID name was HOME-####; the #'s are either a letter or a number or both. I tried attacking my own router and WPS would lock after 3 failed PIN tries, so unless you're gonna perform a slow attack and be willing to wait days, it's a complete waste of time.

I wanna mention too that it appears some Comcast techs who install a customer's service set the customer's WPA password to the customer's phone number. That's normally the default password unless the customer changes it, and most people never do.

Dead? Yes... no. Reaver specifically, maybe... WPS still has its nefarious uses, even if it locks out. Seeing as how most home users/small business owners don't seem to know it exists, it still has its uses for persistence on the network. Seeing how WPS was built for convenience, yet no one seems to ever use it, it's my personal opinion that WPS is an epic failure overall. But picture this scenario: asshat gains access, then gains access to admin pages. Asshat then copies down the WPS PIN, and enables it if it's not already enabled. Owner suspects the router is compromised for one reason or another. Could be the sluggishness of the network from our friendly neighborhood asshat's excessive torrent usage. Owner changes the WPA PSK. Asshat uses WPS to retrieve the WPA PSK. Wash, rinse, repeat. Wow, neat treat?

As far as "reaver is dead" goes... as far as I know the developer dropped the project. So it's old unsupported software that targets old unsupported routers. There may be some changes to WPS on newer routers; I haven't really looked into it. In that case, someone might fork reaver (doubtful).

And by the way, it's not just Comcast techs. I've seen Frontier techs doing the same thing. It's another one of those things that will probably never go away, like password1 and cookie reuse. BTW, whoever got a PIN in the first 15 minutes? Must have been nice.

What I'm actually kind of curious about now, since I haven't had Comcast lately, is the use of that username and password for their hotspot portals. Are those creds used anywhere else? Because if something that I feel would be easily harvested could be used to access anything else, it would deter me from using Comcast again.

I just find it interesting that people feel they are too inconvenienced by having to enter a long random password once per device, ever, to the point where they demanded something like WPS be integrated to make it easier for them to gain access. The end user is, was and always will be the largest liability to any device.

On the router I got, the password is printed on a label on the device and it's a truckload of junk, 16 characters long (I think), and I truly believe my ISP doesn't have it on record, because when I claimed to have accidentally washed the label off and asked whether they could perhaps tell me what it is or even reset it for me, they offered to send me a new one at substantial cost to me. Which, I might add, is the only appropriate response.

The password to the management interface on the device however is as standard and predictable as can be. Never bothered to see if I should change it - I've set things up such that this device doesn't matter. As far as my network is concerned, it's an external proxy. Nice for internet, but not required and certainly not trusted.

Shit, a former neighbor of mine moved house and left his AP stuck to the wall (he'd opened up the case, drilled holes in it and screwed it onto the wall like that) for the new owners to use. Gave the password and everything. To this very day I can get on their network using the original password. The new owners probably saw a password that was a pile of gobbledygook, assumed that was secure enough for their needs and kept on using it as is. That is now 2 years ago.
