Monday, September 10, 2012

How To Hack WPA2 Wireless Access Points

Many of you have probably seen plenty of tutorials on how to crack WEP encryption. We even did a video back in the old Bauer-Power podcast on how to hack a WEP protected wireless access point using Bauer-Puntu Linux and GrimWEPA. The fact of the matter is, cracking WEP is really easy! What about something more people are using today like WPA2?

It used to be that the only way to crack WPA or WPA2 was to capture the 4-way handshake, then try to brute-force the password. If the person's password is really long, then it would take an attacker way too long to try to crack it and they would probably move on to easier targets. That isn't necessarily the case now.

There is a new tool for Linux called Reaver. From their Google Code Page:
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. In short, Reaver bypasses the security of WPA and WPA2 by brute-forcing the WPS pin that is enabled by default on many home/SOHO wireless routers. The WPS pin is a non-complex 8 digit number. Because it isn't complex, it can be cracked in hours instead of days, weeks or months.

The simplest command you need to run while your wireless card is in monitor mode is:
reaver -i mon0 -b [BSSID] -vv

Of course, some access points are pickier than others, and there are a bunch of different switches you can use to get better results. You can find out more on their Google Plus page.
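To put a number on "non-complex", here is an added example (my own code, not from the post or from the Reaver project) that reproduces the WPS PIN checksum rule from the Wi-Fi Protected Setup specification and counts the guesses an attacker needs under three models. The split-half figure rests on a property of the WPS 1.0 design that the post does not spell out: the registrar confirms the first four digits separately from the last four, and the eighth digit is a checksum, so the search space is 10^4 + 10^3 rather than 10^8. The sample PINs are constructed for the test.

```python
# Added example: why an 8-digit WPS PIN is a small search space.
# Checksum rule per the WPS spec; split-half verification is a known
# weakness of the WPS 1.0 registrar exchange (not described in the post).


def wps_pin_checksum(pin7: int) -> int:
    """Return the checksum digit the spec appends to a 7-digit PIN body.

    Digits are weighted 3,1,3,1,... starting from the least significant
    digit of the 7-digit body; the checksum makes the weighted sum a
    multiple of ten.
    """
    if not 0 <= pin7 <= 9_999_999:
        raise ValueError("expected a 7-digit PIN body")
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin8: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_pin_checksum(int(pin8[:7])) == int(pin8[7])


def wps_pin_search_space() -> dict:
    """Worst-case guess counts under three models of the PIN."""
    naive = 10 ** 8            # if all 8 digits were freely chosen
    with_checksum = 10 ** 7    # last digit is derived, so only 7 are free
    # WPS 1.0 acknowledges the first half (4 digits) before the second
    # half (3 free digits + checksum) is ever checked, so the halves are
    # guessed independently: 10^4 + 10^3 attempts at most.
    split_halves = 10 ** 4 + 10 ** 3
    return {
        "naive": naive,
        "with_checksum": with_checksum,
        "split_halves": split_halves,
    }


if __name__ == "__main__":
    # Constructed sample: 12345670 is the example PIN used in the WPS spec.
    for pin in ("12345670", "12345671"):
        print(pin, "valid" if wps_pin_valid(pin) else "bad checksum")
    for model, guesses in wps_pin_search_space().items():
        print(f"{model:14s} {guesses:>12,d} guesses worst case")
```

The takeaway for anyone running a home or SOHO router is that there is no "strong" WPS PIN to pick; the 11,000-guess ceiling is a property of the protocol, not of the PIN. The fix is to disable WPS PIN entry in the router's admin page, and the check is to confirm afterwards that the AP's beacons no longer advertise WPS.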
