Cracking WPS protected WiFi – Introduction to Reaver/Wash

We already went through the complex process of “trying” to crack WPA/WPA2, and I am using the word ‘trying’ because the result is quite uncertain and depends heavily on your wordlist. However, many routers are vulnerable to a much easier attack. You must have come across routers with WPS (Wi-Fi Protected Setup) enabled; it works in several modes, such as the PIN method and the push-button method. If you want to get more familiar with WPS and this attack, I recommend reading Stefan Viehböck’s article on it. Devices with WPS enabled are vulnerable to brute-force attacks: by ‘guessing’ the WPS PIN, you also obtain the WPA2 passphrase, in other words the Wi-Fi password you need.

All this is possible thanks to Reaver. Downloading and installing is explained on its website on Google Code. The process is insanely easy: once installed, you can use Wash (named walsh in early Reaver releases) to find the available Wi-Fi networks with WPS enabled:

wash -i <your wireless interface in monitor mode, usually mon0>

This lists the networks that advertise WPS and are therefore candidates for the attack. If you encounter the “Found packet with bad FCS, skipping…” error, change the command to wash -i mon0 --ignore-fcs .

 Choose your network and launch the attack:

reaver -i <your wireless interface in monitor mode, usually mon0> -b <target router's MAC address> -vv (or -v for less output)

This should recover the WPA passphrase in up to 10 hours. There are ways to speed things up: add parameters such as -c <channel of router> and -d 0. They shorten the run, BUT can result in the router crashing.
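To make the defensive side of this concrete, here is an added example (not code from the original post or from the Reaver project): a small Python auditor that parses the table wash prints, in the column order of its header (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID), and lists the access points on your own network that still advertise unlocked WPS and should have it disabled. It also computes the attempt budget from Viehböck’s analysis, which is why the brute force is feasible at all: the PIN is verified in two halves, so at most 10^4 + 10^3 = 11,000 guesses are needed rather than 10^7. The sample rows are constructed, the exact column spacing is an assumption, and the per-exchange time parameter is an assumed value; only the 1-second default delay and -d 0 come from the post.

```python
"""Audit helper for wash output (added example, not Reaver's own code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of wash output in the column order wash prints:
# BSSID  Channel  RSSI  WPS Version  WPS Locked  ESSID
SAMPLE_WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
--------------------------------------------------------------------
00:11:22:33:44:55    6      -45   1.0          No          Office-AP
66:77:88:99:AA:BB   11      -70   1.0          Yes         Guest-Net
CC:DD:EE:FF:00:11    1      -52   1.0          No          Lab WiFi 2
"""

# One data row. The banner, header and separator lines never match because
# they do not start with a MAC address. ESSIDs may contain spaces.
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)

# Viehboeck's observation: the AP confirms the two PIN halves separately, so
# a full search costs at most 10**4 guesses for the first half plus 10**3 for
# the second (its last digit is a checksum), not 10**7 for the whole PIN.
WPS_PIN_ATTEMPTS = 10**4 + 10**3


@dataclass
class WpsEntry:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> List[WpsEntry]:
    """Turn the text wash prints into entries, skipping banner and header."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append(WpsEntry(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            rssi=int(m["rssi"]),
            version=m["version"],
            locked=(m["locked"] == "Yes"),
            essid=m["essid"],
        ))
    return entries


def audit(entries: List[WpsEntry]) -> Tuple[List[WpsEntry], List[WpsEntry]]:
    """Split entries into (exposed, locked).

    Exposed means WPS is advertised and not locked: these are the APs an
    administrator should fix by disabling WPS in the router settings.
    Exposed APs are returned strongest signal first (highest RSSI).
    """
    exposed = sorted((e for e in entries if not e.locked), key=lambda e: -e.rssi)
    locked = [e for e in entries if e.locked]
    return exposed, locked


def worst_case_hours(delay_seconds: float = 1.0, exchange_seconds: float = 0.0) -> float:
    """Upper bound on a full PIN search in hours.

    delay_seconds is Reaver's pause between attempts (1 s by default, 0 with
    -d 0); exchange_seconds is an assumed cost of one EAP exchange with the
    AP, which is why real runs take longer than the delay alone suggests.
    """
    if delay_seconds < 0 or exchange_seconds < 0:
        raise ValueError("times must be non-negative")
    return WPS_PIN_ATTEMPTS * (delay_seconds + exchange_seconds) / 3600


def report(text: str) -> List[str]:
    """Human-readable findings: a summary line, then one line per exposed AP."""
    exposed, locked = audit(parse_wash(text))
    lines = [f"{len(exposed)} AP(s) with unlocked WPS, {len(locked)} locked"]
    for e in exposed:
        lines.append(f"FIX {e.bssid} ch{e.channel} {e.rssi}dBm '{e.essid}': disable WPS")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WASH_OUTPUT):
        print(line)
    print(f"worst case at the default 1 s delay: {worst_case_hours():.1f} h")
```

Pipe a real wash capture into parse_wash to audit your own access points; the "WPS Locked" column is the one to watch, since an AP that locks after a few failed PINs is the only WPS-enabled device the brute force cannot finish against, and even then disabling WPS is the fix.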

The best part is that the software is fully functional under Maemo on the N900. The latest version available is revision 100, provided in this post thanks to marc0s_h4f. (This version has issues with wash reading pcap format, but that is irrelevant to this post.) You should check that thread, as he seems to post new versions constantly.

Moreover, Saturn has modified Cleven so that it now has a GUI for Wash and Reaver, which makes the process even easier. Note that marc0s_h4f’s files should be unpacked to /home/user/.reaver/ ; once that is done, restart Cleven (make sure you have the latest version) and the options for reaver and wash should appear.

DISCLAIMER: This program is intended for learning purposes only. I do not condone hacking and wouldn’t be held responsible for your actions. Only you would face legal consequences if you used this script for illegal activities. 

This entry was posted in Backtrack, N900.
  • jesus

    Missing some examples….

    • Mahmoud Abdelrahman

      Reaver: (Any commands typed between “…” are just to clarify the command, but don’t type the “…” when you try yourself.)

      First, make sure your wireless card is in monitor mode:

      # airmon-ng start wlan0

      Then type “wash -i mon0” to scan for valid WiFis. “mon0” is the monitor mode interface; you might find yours is “mon1”.

      To run Reaver, you must specify the BSSID of the target AP and the name of the
      monitor mode interface (usually ‘mon0′, not ‘wlan0′, although this will vary
      based on your wireless card/drivers):

      # reaver -i mon0 -b 00:01:02:03:04:05

      You will probably also want to use -vv to get verbose info about Reaver’s

      # reaver -i mon0 -b 00:01:02:03:04:05 -vv

      Speeding Up the Attack

      By default, Reaver has a 1 second delay between pin attempts. You can disable
      this delay by adding ‘-d 0′ on the command line, but some APs may not like it:

      # reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

  • Shawn Ingram

    walsh command not found

    • Anonymouse

      it’s called wash now

  • deshanunit

    wash command doesn’t show any of the available access points. Help. Here’s the output:

    root@bt:~# wash -i mon0 --ignore-fcs

    Wash v1.4 WiFi Protected Setup Scan Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

    BSSID Channel RSSI WPS Version WPS Locked ESSID

  • dontrootme

    Can you please fix your typos in this article? walsh? reaven? cleven?

    • Mahmoud Abdelrahman

      you can tell he copied and pasted :D