12 – Using Wash and Reaver to bypass those long WPA/WPA2 passphrases and attack WPS to get around AES encryption

After the last lesson we learned that even on a Raspberry Pi 2 it is possible to crack WPA/WPA 2 passphrases with ease and even more so when we precomputed a PMK file but this requires a lot of storage for the PMK hash file and a long time at least on a RPi 2 so let’s try and speed this up even more using another attack against the Wi-Fi Protected Setup (WPS).

WPS is a different standard created by the Wi-Fi Alliance and introduced back in 2007, the goal of the protocol was to allow home users who do not understand how to use wireless security like Wi-Fi Protected Access (WPA) and may feel intimidated by it’s configuration options easily connect devices to an existing network without the need to enter a long passphrase.

Two independent researchers discovered this attack back in 2011 around the same time, Stefan Viehbock and Craig Heffner who released wash and reaver making it a trivial task to obtain the pin over the air without physical access to the access point. Stefan has a great PDF explaining this attack which is worth the read.

Put simply reaver performs a brute force attack against the access point and attempts every possible combination in order to guess the access points 8 digit pin number.

Even better yet as these are only numeric values there are a total of 10^8 or 100,000,000 possible values for any given pin number. BUT even better than that is the fact that you only actually need know half the pin 10^4 or 10,000 possible values for the first half as the access point will let you know when you have obtained the first four numbers in the pin so the actual amount of possible permutations you need is 11,000 and not 100,000,00, wait though you said 11,000, where did the extra 1,000 come from you ask? Well in the last four values of the second part of the pin you only need to calculate 10^3 or 1,000 as the last numeric value is actually a checksum which as you can imagine makes it even easier to crack than what you had been thinking a second ago 🙂

There was even a newer faster offline method released last year in 2014 by Dominique Bongard called the “Pixie Dust Attack”.

For now though let’s focus on wash and reaver so enable WPS on your access point like I have below1 - D-Link WPS ConfigurationNow to check the access point has WPS enabled before proceeding with reaver run wash first, to see what options are available to you just type “wash” and run it for a list of switches available to you2 - wash switchesNow that we see what it can do let’s run it with some of those switches, make sure you have monitor mode enabled prior to proceeding as outlined in this previous lesson.

wash -c 6 -i mon0

“wash” runs wash
“-c” is for the channel to listen on in this case 6
“-i” is for the interface in which you want to capture packets on3 - running washExplaining the output above

BSSID is our target access point MAC address
Channel 6 is the channel of our access point
RSSI is the Received signal strength indication ( A minus is a good thing here 😉
WPS Version which is 1.0
WPS Locked tells you if the access point has been locked due to to many attempts for example
ESSID is the network name of the access point

Now to run reaver against the access point4 - running reaverAs before just run “reaver” from the terminal for a full list of switches available to you

“reaver” runs reaver
“-i” is to select the sniffing interface in this case mon0
“-b” is followed by the target access point MAC address or BSSID
“-vv” is for very verbose output

reaver will just look like this for the next while but just leave it running and come back and check on it in an hour or so to see how it is getting on, no point staring at the screen until you get the pin!5 - reaver left runningAfter leaving reaver running over night I was greeted with the screen below this morning6 - reaver found pin and AES passphraseAs you can see above in 12,340 seconds or 3 hours 40 minutes we obtained the PIN and passphrase for for WPA/WPA2 “AES” network that we had configured, take a minute and let that sink in as we have obtained the passphrase for an “AES” network.

Lesson learned:

Disable Wi-Fi Protected Setup (WPS) as an attacker can leverage this technology in order to bypass your WPA/WPA2 configuration including “AES” without needing to know the passphrase and also obtain it in the process, all it takes is four numeric values to take you down and that is a lot easier for an attacker to compute compared to a long and complicated password. With the option of turning this into an off-line attack this becomes even more dangerous. Also it is worth trying this against your own router if it has WPS as even if you disable this option on some routers it actually remains active! If you have one of those routers you should really replace it for one that does allow you to disable this technology or better yet one that does not contain this technology to begin with. There may also be a firmware upgrade for your router so check the manufacturers website and upgrade as it may save you having to purchase a new router.


4 thoughts on “12 – Using Wash and Reaver to bypass those long WPA/WPA2 passphrases and attack WPS to get around AES encryption

  1. Hi Keith,
    very clear step by step tutorials, thx for your effort.
    I’d like that you check this attack with the old TKIP (and not with AES) because it appears that Reaven doesn’t support TKIP.
    A post with TKIP attacked with reaver will be very appreciated to demonstrate that it isn’t true
    I tried without success, I get WARNING: Failed to associate with xx:xx:xx:xx:xx:xx (ESSID: yyyyy)

Leave a Reply