Author Topic: Reaver  (Read 1630 times)


xC

  • Guest
Reaver
« on: September 08, 2013, 09:49:20 pm »
Was looking around BackTrack and came across Reaver. Very effective method of bruteforcing WPS pins, however it is quite a long and tedious process if you don't know the specified range of the pin (took about 2 hours). I found the main provider around here has the same pin for each modem they deploy, so it was quite easy to recover passwords after that though. I would think it would probably red flag the provider with 10,000 pin attempts but if you are willing to risk it, try it out.

Quote from: the Reaver project page
Reaver Open Source
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

https://code.google.com/p/reaver-wps/

Offline vezzy

  • Royal Highness
  • Posts: 771
  • Cookies: 172
Re: Reaver
« Reply #1 on: September 08, 2013, 10:28:57 pm »
I'd be surprised if anyone here doesn't know of Reaver. It's a pretty famous tool in general.

There's a different, cleaner implementation of the WPS bruteforce attack known as Bully, which has more options, is refactored and has improved memory performance. The source is here.

Kali may have some issues running it, but it should work fine on other distros.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

xC

  • Guest
Re: Reaver
« Reply #2 on: September 08, 2013, 10:48:35 pm »
I never really looked into BackTrack until last night, so I will definitely try out Kali. I just thought it was quite convenient rather than waiting for handshakes with airodump, and aireplay was no help at all. I admit this tool is quite noobish, but I guess it's a last scenario, or first for beginners, or if you're lazy. I will look into Bully as well.
« Last Edit: September 08, 2013, 10:49:51 pm by xC »

Offline vezzy

  • Royal Highness
  • Posts: 771
  • Cookies: 172
Re: Reaver
« Reply #3 on: September 08, 2013, 11:22:59 pm »
I use it pretty often, since I'm a freeloader (I haven't been hooked up to an ISP in about a couple of years or so).

It's a very old vulnerability, one that is very convenient to exploit and an example of user accessibility gone wrong. Some routers don't even let you disable it.

The other option is to make large tables of PMKs with Pyrit and use GPGPU power to achieve insane dictionary attack speeds, but that still depends on how good your wordlist is. You could generate profiled wordlists with something like CUPP, since lots of users use private information for their credentials, but yeah it's all relative.

Reaver hasn't been updated since January 2012, so Bully aims to pick up from where it left off. Though I still find myself using Reaver more often.
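The PMK tables mentioned in the reply above are worth seeing concretely, because they explain why such tables are tied to one network name. The following Python is an added example, not code from the thread, from Pyrit or from Reaver: it derives the WPA/WPA2 PMK exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), builds a tiny table for a constructed wordlist, and shows that a table built for one SSID is useless against another. The function names and the wordlist are assumptions made for this example; the "password"/"IEEE" vector is the published 802.11i test case.

```python
"""WPA/WPA2 PMK derivation and per-SSID PMK tables (added example).

Demonstrates the defender-relevant property behind precomputed PMK tables:
the SSID is the PBKDF2 salt, so a table only helps against networks that
share that exact SSID, and every candidate passphrase costs 4096 HMAC-SHA1
iterations regardless of who computes it.
"""
import hashlib
import time
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), per 802.11i Annex H."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def build_pmk_table(wordlist: Iterable[str], ssid: str) -> Dict[bytes, str]:
    """One PMK per candidate passphrase, valid only for this SSID.

    This is what a precomputed table is: the expensive PBKDF2 work done once
    per (passphrase, SSID) pair and indexed by the resulting PMK.
    """
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase whose PMK matches, or None if not in the table."""
    return table.get(pmk)


def cost_per_candidate_seconds(ssid: str = "example", trials: int = 5) -> float:
    """Rough wall-clock cost of a single PBKDF2 evaluation on this machine."""
    start = time.perf_counter()
    for i in range(trials):
        derive_pmk("timing-probe-%d" % i, ssid)
    return (time.perf_counter() - start) / trials


# Constructed wordlist for the example; not a real credential set.
SAMPLE_WORDLIST = ["password", "letmein12", "summer2013", "correct horse"]


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())

    table_ieee = build_pmk_table(SAMPLE_WORDLIST, "IEEE")
    target = derive_pmk("password", "IEEE")
    print("table for SSID IEEE finds:", lookup(table_ieee, target))

    # Same passphrase on a network with a different SSID: the table misses.
    other = derive_pmk("password", "HomeNet-7f3a")
    print("same table vs other SSID:", lookup(table_ieee, other))

    print("approx seconds per candidate:", round(cost_per_candidate_seconds(), 4))
```

The salt is why Pyrit keys its tables by ESSID, and it is also the defender's lever: a non-default SSID means no off-the-shelf table applies, and a long random passphrase makes the 4096-iteration cost per guess add up to an infeasible total whatever the GPU.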

Offline Snayler

  • Baron
  • Posts: 812
  • Cookies: 135
Re: Reaver
« Reply #4 on: September 09, 2013, 05:12:05 am »
Yeah, reaver is pretty well known. In fact, it was already mentioned multiple times in these forums, not to mention there are already 2 topics exclusively about it:
https://evilzone.org/security-tools/%28wpawpa2%29-reaver
https://evilzone.org/security-tools/reaver-wps
Quote from: vezzy
There's a different, more clean implementation of the WPS bruteforce attack known as Bully, which has more options, is refactored and has improved memory performance. The source is here.
Thanks for this! Cookie for you, sir.