How to Crack a Wi-Fi Network’s WPA Password with Reaver

A new, free, open-source tool called Reaver exploits a security hole in wireless routers and

can crack most routers’ current passwords with relative ease. Here’s how to crack a WPA or

WPA2 password, step by step, with Reaver—and how to protect your network against

Reaver attacks.

What You’ll Need

You don’t have to be a networking wizard to use Reaver, the command-line tool that does

the heavy lifting, and if you’ve got a blank DVD, a computer with compatible Wi-Fi, and a

few hours on your hands, you’ve got basically all you’ll need. There are a number of ways

you could set up Reaver, but here are the specific requirements for this guide:

The BackTrack 5 Live DVD.

BackTrack is a bootable Linux distribution that’s filled to the brim with network testing

tools, and while it’s not strictly required to use Reaver, it’s the easiest approach for most

users. Download the Live DVD from BackTrack’s download page and burn it to a DVD. You

can alternately download a virtual machine image if you’re using VMware, but if you don’t

know what VMware is, just stick with the Live DVD. As of this writing, that means you

should select BackTrack 5 R1 from the Release drop-down, select Gnome, 32- or 64-bit

depending on your CPU (if you don’t know which you have, 32 is a safe bet), ISO for image,

and then download the ISO.

A computer with Wi-Fi and a DVD drive.

BackTrack will work with the wireless card on most laptops, so chances are your laptop will

work fine. However, BackTrack doesn’t have a full compatibility list, so no guarantees.

You’ll also need a DVD drive, sincethat’s how you’ll boot into BackTrack. I used a six-year-

old MacBook Pro.

A nearby WPA-secured Wi-Fi network.

Technically, it will need to be a network using WPA security with the WPS feature enabled.

I’ll explain in more detail in the “How Reaver Works” section how WPS creates the security

hole that makes WPA cracking possible.

A little patience.

This is a 4-step process, and while it’s not terribly difficult to crack a WPA password with

Reaver, it’s a brute-force attack, which means your computer will be testing a number of

different combinations of cracks on your router before it finds the right one. When I tested

it, Reaver took roughly 2.5 hours to successfully crack my password. The Reaver home

page suggests it can take anywhere from 4-10 hours. Your mileage may vary.

Let’s Get Crackin’

At this point you should have BackTrack burned to a DVD, and you should have your laptop

handy.

Step 1: Boot into BackTrack

To boot into BackTrack, just put the DVD in your drive and boot your machine from the

disc. (Google around if you don’t know anything about live CDs/DVDs and need help with

this part.) During the boot process, BackTrack will prompt you to to choose the boot mode.

Select “BackTrack Text – Default Boot Text Mode” and press Enter.

Eventually BackTrack will boot to a command line prompt. When you’ve reached the

prompt, type startx and press Enter. BackTrack will boot into its graphical interface.

Step 2: Install Reaver

Reaver has been added to the bleeding edge version of BackTrack, but it’s not yet

incorporated with the live DVD, so as of this writing, you need to install Reaver before

proceeding. (Eventually, Reaver will simply be incorporated with BackTrack by default.) To

install Reaver, you’ll first need to connect to a Wi-Fi network that you have the password

to.

Click Applications > Internet > Wicd Network Manager

Select your network and click Connect, enter your password if necessary, click OK, and

then click Connect a second time.

Now that you’re online, let’s install Reaver. Click the Terminal button in the menu bar (or

click Applications > Accessories > Terminal). At the prompt, type:

root@root:~# apt-get update

And then, after the update completes:

root@root:~# apt-get install reaver

If all went well, Reaver should now be installed. It may seem a little lame that you need to

connect to a network to do this, but it will remain installed until you reboot your computer.

At this point, go ahead and disconnect from the network by opening Wicd Network

Manager again and clicking Disconnect. (You may not strictly need to do this. I did just

because it felt like I was somehow cheating if I were already connected to a network.)

Step 3: Gather Your Device Information, Prep Your Crackin’

In order to use Reaver, you need to get your wireless card’s interface name, the BSSID of

the router you’re attempting to crack (the BSSID is a unique series of letters and numbers

that identifies a router), and you need to make sure your wireless card is in monitor mode.

So let’s do all that.

Find your wireless card:

root@root:~# iwconfig

lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11abg ESSID:"default"

Mode:Managed Frequency:2.437 GHz Access Point: Not-

Associated

Tx-Power=20 dBm

Retry long limit:7 RTS thr:off Fragment thr:off

Encryption key:off

Power Management:off

Put your wireless card into monitor mode: Assuming your wireless card’s interface

name is wlan0, execute the following command to put your wireless card into monitor

mode:

root@root:~# airmon-ng start wlan0

This command will output the name of monitor mode interface, which you’ll also want to

make note of. Most likely, it’ll be mon0. Make note of that.

Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier

of the router you’re attempting to crack so that you can point Reaver in the right direction.

To do this, execute the following command:

root@root:~# airodump-ng wlan0

(Note: If airodump-ng wlan0 doesn’t work for you, you may want to try the monitor

interface instead—e.g., airodump-ng mon0.)

You’ll see a list of the wireless networks in range—it’ll look something like the screenshot

below:

[ CH 1 ] [Elapsed: 4s ] [ 2012-03-20 13:23] [ WPA handshake:

00:14:6C:7E:40:80

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC

CIPHER AUTH ESSID

00:09:6B:1C:AA:1D 11 16 10 0 0 11 54. OPN

NETGEAR

00:14:9C:7A:41:81 34 100 57 14 1 9 11e WEP WEP

bigbear

00:14:DC:7E:40:80 32 100 752 73 2 9 54 WPA

TKIP PSK teddy

...

When you see the network you want, press Ctrl+C to stop the list from refreshing, then

copy that network’s BSSID (it’s the series of letters, numbers, and colons on the far left).

The network should have WPA or WPA2 listed under the ENC column.

Now, with the BSSID and monitor interface name in hand, you’ve got everything you need

to start up Reaver.

Step 4: Crack a Network’s WPA Password with Reaver

Now execute the following command in the Terminal, replacing bssid and moninterface

with the BSSID and monitor interface and you copied down above:

root@root:~# reaver -i moninterface -b bssid -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was

8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:

root@root:~# reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series

of PINs on the router in a brute force attack, one after another. This will take a while. In my

successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver me

with the correct password. As mentioned above, the Reaver documentation says it can

take between 4 and 10 hours, so it could take more or less time than I experienced,

depending.

A few important factors to consider:

Reaver worked exactly as advertised in my test, but it won’t necessarily work on all routers

(see more below). Also, the router you’re cracking needs to have a relatively strong signal,

so if you’re hardly in range of a router, you’ll likely experience problems, and Reaver may

not work. Throughout the process, Reaver would sometimes experience a timeout,

sometimes get locked in a loop trying the same PIN repeatedly, and so on. I just let it keep

on running, and kept it close to the router, and eventually it worked its way through.

Also of note, you can also pause your progress at any time by pressing Ctrl+C while Reaver

is running. This will quit the process, but Reaver will save any progress so that next time

you run the command, you can pick up where you left off-as long as you don’t shut down

your computer (which, if you’re running off a live DVD, will reset everything).

How Reaver Works

Now that you’ve seen how to use Reaver, let’s take a quick overview of how Reaver works.

The tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or

WPS. It’s a feature that exists on many routers, intended to provide an easy setup process,

and it’s tied to a PIN that’s hard-coded into the device. Reaver exploits a flaw in these PINs;

the result is that, with enough time, it can reveal your WPA or WPA2 password.