How to Crack a Wi-Fi Network's WPA Password with Reaver
http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver
15.10.2012
Your Wi-Fi network is your conveniently wireless gateway to the internet, and since you're not keen on sharing your connection with any old hooligan who happens to be walking past your home, you secure your network with a password, right? Knowing, as you might, how easy it is to crack a WEP password, you probably secure your network using the more bulletproof WPA security protocol.

Here's the bad news: A new, free, open-source tool called Reaver exploits a security hole in wireless routers and can crack most routers' current passwords with relative ease. Here's how to crack a WPA or WPA2 password, step by step, with Reaver—and how to protect your network against Reaver attacks.
Upgrade Your Smartphone’s
In the first section of this post, I'll walk through the steps required to crack a WPA password using Reaver. You can follow along with either the video or the text below. After that, I'll explain how Reaver works, and what you can do to protect your network against Reaver attacks.
“So I’ve got my paws
First, a quick note: As we often remind readers when we discuss topics that appear potentially malicious: Knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself.
INTERVIEWS
What You'll Need

You don't have to be a networking wizard to use Reaver, the command-line tool that does the heavy lifting, and if you've got a blank DVD, a computer with compatible Wi-Fi, and a few hours on your hands, you've got basically all you'll need. There are a number of ways you could set up Reaver, but here are the specific requirements for this guide:

The BackTrack 5 Live DVD. BackTrack is a bootable Linux distribution that's filled to the brim with network testing tools, and while it's not strictly required to use Reaver, it's the easiest approach for most users. Download the Live DVD from BackTrack's download page and burn it to a DVD. You can alternately download a virtual machine image if you're using VMware, but if you don't know what VMware is, just stick with the Live DVD. As of this writing, that means you should select BackTrack 5 R1 from the Release drop-down, select Gnome, 32- or 64-bit depending on your CPU (if you don't know which you have, 32 is a safe bet), ISO for image, and then download the ISO.
A computer with Wi-Fi and a DVD drive. BackTrack will work with the wireless card on most laptops, so chances are your laptop will work fine. However, BackTrack doesn't have a full compatibility list, so no guarantees. You'll also need a DVD drive, since that's how you'll boot into BackTrack. I used a six-year-old MacBook Pro.
A nearby WPA-secured Wi-Fi network. Technically, it will need to be a network using WPA security with the WPS feature enabled. I'll explain in more detail in the "How Reaver Works" section how WPS creates the security hole that makes WPA cracking possible.
A little patience. This is a 4-step process, and while it's not terribly difficult to crack a WPA password with Reaver, it's a brute-force attack, which means your computer will be testing a number of different combinations of cracks on your router before it finds the right one. When I tested it, Reaver took roughly 2.5 hours to successfully crack my password. The Reaver home page suggests it can take anywhere from 4-10 hours. Your mileage may vary.

Let's Get Crackin'


At this point you should have BackTrack burned to a DVD, and you should have your laptop handy.

Step 1: Boot into BackTrack


To boot into BackTrack, just put the DVD in your drive and boot your machine from the disc. (Google around if you don't know anything about live CDs/DVDs and need help with this part.) During the boot process, BackTrack will prompt you to choose the boot mode. Select "BackTrack Text - Default Boot Text Mode" and press Enter.

Eventually BackTrack will boot to a command line prompt. When you've reached the prompt, type startx and press Enter. BackTrack will boot into its graphical interface.
Step 2: Install Reaver
Reaver has been added to the bleeding edge version of BackTrack, but it's not yet incorporated with the live DVD, so as of this writing, you need to install Reaver before proceeding. (Eventually, Reaver will simply be incorporated with BackTrack by default.) To install Reaver, you'll first need to connect to a Wi-Fi network that you have the password to.
1. Click Applications > Internet > Wicd Network Manager
2. Select your network and click Connect, enter your password if necessary, click OK, and then
click Connect a second time.
Now that you're online, let's install Reaver. Click the Terminal button in the menu bar (or click
Applications > Accessories > Terminal). At the prompt, type:

apt-get update

And then, after the update completes:

apt-get install reaver

If all went well, Reaver should now be installed. It may seem a little lame that you need to connect to a network to do this, but it will remain installed until you reboot your computer. At this point, go ahead and disconnect from the network by opening Wicd Network Manager again and clicking Disconnect. (You may not strictly need to do this. I did just because it felt like I was somehow cheating if I were already connected to a network.)

Step 3: Gather Your Device Information, Prep Your Crackin'


In order to use Reaver, you need to get your wireless card's interface name, the BSSID of the
router you're attempting to crack (the BSSID is a unique series of letters and numbers that
identifies a router), and you need to make sure your wireless card is in monitor mode. So let's do
all that.
Find your wireless card: Inside Terminal, type:

iwconfig

Press Enter. You should see a wireless device in the subsequent list. Most likely, it'll be named wlan0, but if you have more than one wireless card, or a more unusual networking setup, it may be named something different.

Put your wireless card into monitor mode: Assuming your wireless card's interface name
is wlan0, execute the following command to put your wireless card into monitor mode:

airmon-ng start wlan0

This command will output the name of the monitor mode interface, which you'll also want to make note of. Most likely, it'll be mon0, like in the screenshot below.

Find the BSSID of the router you want to crack: Lastly, you need to get the unique
identifier of the router you're attempting to crack so that you can point Reaver in the right
direction. To do this, execute the following command:

airodump-ng wlan0

(Note: If airodump-ng wlan0 doesn't work for you, you may want to try the monitor
interface instead—e.g., airodump-ng mon0.)
You'll see a list of the wireless networks in range—it'll look something like the screenshot below:


When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy
that network's BSSID (it's the series of letters, numbers, and colons on the far left). The network
should have WPA or WPA2 listed under the ENC column. (If it's WEP, use our previous guide to
cracking WEP passwords.)
Now, with the BSSID and monitor interface name in hand, you've got everything you need to
start up Reaver.

Step 4: Crack a Network's WPA Password with Reaver


Now execute the following command in the Terminal, replacing bssid and moninterface with the BSSID and monitor interface name that you copied down above:

reaver -i moninterface -b bssid -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was
8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. In my successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver the correct password. As mentioned above, the Reaver documentation says it can take between 4 and 10 hours, so depending on your router and signal it could take more or less time than I experienced. When Reaver's cracking has completed, it'll look like this:

A few important factors to consider: Reaver worked exactly as advertised in my test, but it
won't necessarily work on all routers (see more below). Also, the router you're cracking needs to
have a relatively strong signal, so if you're hardly in range of a router, you'll likely experience
problems, and Reaver may not work. Throughout the process, Reaver would sometimes
experience a timeout, sometimes get locked in a loop trying the same PIN repeatedly, and so on.
I just let it keep on running, and kept it close to the router, and eventually it worked its way
through.
Also of note, you can pause your progress at any time by pressing Ctrl+C while Reaver is running. This will quit the process, but Reaver will save any progress so that next time you run the command, you can pick up where you left off, as long as you don't shut down your computer (which, if you're running off a live DVD, will reset everything).

How Reaver Works


Now that you've seen how to use Reaver, let's take a quick look at how Reaver works. The
tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It's a
feature that exists on many routers, intended to provide an easy setup process, and it's tied to a
PIN that's hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that,
with enough time, it can reveal your WPA or WPA2 password.
Read more details about the vulnerability at Sean Gallagher's excellent post on Ars Technica.

How to Protect Yourself Against Reaver Attacks


Since the vulnerability lies in the implementation of WPS, your network should be safe if you can simply turn off WPS (or, even better, if your router doesn't support it in the first place). Unfortunately, as Gallagher points out at Ars, even with WPS manually turned off through his router's settings, Reaver was still able to crack his password.

In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable."

So that's kind of a bummer. You may still want to try disabling WPS on your router if you can,
and test it against Reaver to see if it helps.
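One way to check whether your router's "disable WPS" switch actually took effect, short of running Reaver against it: look at what the router advertises in its beacons. The script below is an added example, not from the original post; it parses the output of Linux's `iw dev wlan0 scan` and reports which access points still carry a WPS information element. The sample scan output is constructed (made-up BSSIDs), and the line layout it expects is assumed to match iw's text format.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output. Assumption: iw prints a
# "WPS:" block only for access points whose beacons include a WPS element,
# and "* AP setup locked: 0x01" when the AP has locked WPS setup. BSSIDs
# and SSIDs here are made up for the example.
SAMPLE_SCAN = """\
BSS 8d:ae:9d:65:1f:b2(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: HomeNet
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 2462
\tSSID: NeighborNet
\tRSN:\t * Version: 1
BSS 02:aa:bb:cc:dd:ee(on wlan0)
\tfreq: 2412
\tSSID: CafeWifi
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 1 (Unconfigured)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})")


def parse_iw_scan(text):
    """Return one dict per BSS: bssid, ssid, whether a WPS element was seen,
    and whether the AP reports its WPS setup as locked."""
    nets = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:  # a new access point starts here
            cur = {"bssid": m.group(1), "ssid": "", "wps": False, "locked": False}
            nets.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("WPS:"):  # beacon still advertises WPS
            cur["wps"] = True
        elif s.startswith("* AP setup locked:"):
            cur["locked"] = s.rsplit(":", 1)[1].strip() != "0x00"
    return nets


def wps_exposed(text, my_bssid):
    """True if the beacon for my_bssid still advertises WPS, i.e. the
    router's 'WPS off' setting did not actually remove the WPS element."""
    return any(n["bssid"] == my_bssid.lower() and n["wps"] for n in parse_iw_scan(text))
```

Run `iw dev wlan0 scan` as root on a Linux box near your router and feed its output to wps_exposed() with your own BSSID; if it still returns True after you turned WPS off in the web interface, the switch is cosmetic, which is exactly the Linksys behaviour Heffner describes above.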
You could also set up MAC address filtering on your router (which only allows specifically
whitelisted devices to connect to your network), but a sufficiently savvy hacker could detect the
MAC address of a whitelisted device and use MAC address spoofing to imitate that computer.
Double bummer. So what will work?
I have the open-source router firmware DD-WRT installed on my router and I was unable to
use Reaver to crack its password. As it turns out, DD-WRT does not support WPS, so there's yet
another reason to love the free router-booster. If that's got you interested in DD-WRT, check
their supported devices list to see if your router's supported. It's a good security upgrade, and
DD-WRT can also do cool things like monitor your internet usage, set up a network hard drive,
act as a whole-house ad blocker, boost the range of your Wi-Fi network, and more. It essentially
turns your $60 router into a $600 router.

Further Reading

Thanks to this post on Mauris Tech Blog for a very straightforward starting point for using Reaver. If you're interested in reading more, see:
Ars Technica's hands-on
This Linux-centric guide from Null Byte
The Reaver product page (it's also available in a point-and-click friendly commercial version.)
Reddit user jagermo (who I also spoke with briefly while researching Reaver) has created a public spreadsheet intended to build a list of vulnerable devices so you can check to see if your router is susceptible to a Reaver crack.

Have any experience of your own using Reaver? Other comments or concerns? Let's hear it in the comments.

Contact Adam Pash:

DISCUSSIONS

Discussion now closed.

chgotechguy 09 Jan 2012 7:33 AM

A Reddit user (@jagermo on twitter or jagermo [at] hushmail.com) has posted a spreadsheet
titled "WPS Vulnerability Testing" listing various devices and user submitted testing data. While
the testing is not scientific, some may find it helpful. Be sure to read the comments and
background information at the bottom of the spreadsheet, which includes a link where you can
share your own testing data.
Link to spreadsheet: [docs.google.com]

Edited by chgotechguy at 01/09/12 7:34 AM



jagermo @chgotechguy
Thank you for the link. We can always use more devices, so "get crackin'" (you should only
attack devices that you own, of course. We are not criminals.)

Melanie Pinola @chgotechguy
Link doesn't seem to be working. Trying this: [tinyurl.com]
Edited by Melanie Pinola at 01/09/12 9:56 AM

Walternate @chgotechguy
Congrats on the star and thanks for the info.
