How to Crack a Wi-Fi Networks WPA Password with Reaver

A new, free, open-source tool called Reaver exploits a security hole in wireless routers and
can crack most routers current passwords with relative ease. Heres how to crack a WPA or
WPA2 password, step by step, with Reaverand how to protect your network against Reaver
attacks.

What Youll Need

You dont have to be a networking wizard to use Reaver, the command-line tool that does the
heavy lifting, and if youve got a blank DVD, a computer with compatible Wi-Fi, and a few
hours on your hands, youve got basically all youll need. There are a number of ways you
could set up Reaver, but here are the specific requirements for this guide:
The BackTrack 5 Live DVD.

BackTrack is a bootable Linux distribution thats filled to the brim with network testing tools,
and while its not strictly required to use Reaver, its the easiest approach for most users.
Download the Live DVD from BackTracks download page and burn it to a DVD. You can
alternately download a virtual machine image if youre using VMware, but if you dont know
what VMware is, just stick with the Live DVD. As of this writing, that means you should
select BackTrack 5 R1 from the Release drop-down, select Gnome, 32- or 64-bit depending
on your CPU (if you dont know which you have, 32 is a safe bet), ISO for image, and then
download the ISO.
A computer with Wi-Fi and a DVD drive.

BackTrack will work with the wireless card on most laptops, so chances are your laptop will
work fine. However, BackTrack doesnt have a full compatibility list, so no guarantees. Youll
also need a DVD drive, since thats how youll boot into BackTrack. I used a six-year-old
MacBook Pro.
A nearby WPA-secured Wi-Fi network.

Technically, it will need to be a network using WPA security with the WPS feature enabled.
Ill explain in more detail in the How Reaver Works section how WPS creates the security
hole that makes WPA cracking possible.
A little patience.

This is a 4-step process, and while its not terribly difficult to crack a WPA password with
Reaver, its a brute-force attack, which means your computer will be testing a number of
different combinations of cracks on your router before it finds the right one. When I tested it,
Reaver took roughly 2.5 hours to successfully crack my password. The Reaver home page
suggests it can take anywhere from 4-10 hours. Your mileage may vary.

Lets Get Crackin

At this point you should have BackTrack burned to a DVD, and you should have your laptop
handy.
Step 1: Boot into BackTrack

To boot into BackTrack, just put the DVD in your drive and boot your machine from the disc.
(Google around if you dont know anything about live CDs/DVDs and need help with this
part.) During the boot process, BackTrack will prompt you to to choose the boot mode. Select
BackTrack Text Default Boot Text Mode and press Enter.
Eventually BackTrack will boot to a command line prompt. When youve reached the prompt,
type startx and press Enter. BackTrack will boot into its graphical interface.
Step 2: Install Reaver

Reaver has been added to the bleeding edge version of BackTrack, but its not yet
incorporated with the live DVD, so as of this writing, you need to install Reaver before
proceeding. (Eventually, Reaver will simply be incorporated with BackTrack by default.) To
install Reaver, youll first need to connect to a Wi-Fi network that you have the password to.
Click Applications > Internet > Wicd Network Manager
Select your network and click Connect, enter your password if necessary, click OK, and then
click Connect a second time.
Now that youre online, lets install Reaver. Click the Terminal button in the menu bar (or
click Applications > Accessories > Terminal). At the prompt, type:
root@root:~# apt-get update

And then, after the update completes:

root@root:~# apt-get install reaver

If all went well, Reaver should now be installed. It may seem a little lame that you need to
connect to a network to do this, but it will remain installed until you reboot your computer. At
this point, go ahead and disconnect from the network by opening Wicd Network Manager
again and clicking Disconnect. (You may not strictly need to do this. I did just because it felt
like I was somehow cheating if I were already connected to a network.)
Step 3: Gather Your Device Information, Prep Your Crackin

In order to use Reaver, you need to get your wireless cards interface name, the BSSID of the
router youre attempting to crack (the BSSID is a unique series of letters and numbers that
identifies a router), and you need to make sure your wireless card is in monitor mode. So lets
do all that.
Find your wireless card:
root@root:~# iwconfig
lo
no wireless extensions.
eth0

no wireless extensions.

wlan0

IEEE 802.11abg ESSID:"default"

Mode:Managed Frequency:2.437 GHz
Tx-Power=20 dBm
Retry long limit:7
RTS thr:off
Encryption key:off
Power Management:off

Access Point: Not-Associated

Fragment thr:off

Put your wireless card into monitor mode: Assuming your wireless cards interface name is
wlan0, execute the following command to put your wireless card into monitor mode:

root@root:~# airmon-ng start wlan0

This command will output the name of monitor mode interface, which youll also want to
make note of. Most likely, itll be mon0. Make note of that.
Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier
of the router youre attempting to crack so that you can point Reaver in the right direction. To
do this, execute the following command:
root@root:~# airodump-ng wlan0

(Note: If airodump-ng wlan0 doesnt work for you, you may want to try the monitor interface
insteade.g., airodump-ng mon0.)
Youll see a list of the wireless networks in rangeitll look something like the screenshot
below:
[ CH 1 ] [Elapsed: 4s ] [ 2012-03-20 13:23] [ WPA handshake:
00:14:6C:7E:40:80
BSSID
AUTH ESSID
00:09:6B:1C:AA:1D
NETGEAR
00:14:9C:7A:41:81
bigbear
00:14:DC:7E:40:80
PSK teddy
...

PWR RXQ
11

Beacons

#Data, #/s

CH

MB

ENC

CIPHER

16

10

11

54.

OPN

34 100

57

14

11e

WEP

WEP

32 100

752

73

54

WPA

TKIP

When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy
that networks BSSID (its the series of letters, numbers, and colons on the far left). The
network should have WPA or WPA2 listed under the ENC column.
Now, with the BSSID and monitor interface name in hand, youve got everything you need to
start up Reaver.
Step 4: Crack a Networks WPA Password with Reaver

Now execute the following command in the Terminal, replacing bssid and moninterface with
the BSSID and monitor interface and you copied down above:
root@root:~# reaver -i moninterface -b bssid -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was
8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:
root@root:~# reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of
PINs on the router in a brute force attack, one after another. This will take a while. In my
successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver me with
the correct password. As mentioned above, the Reaver documentation says it can take
between 4 and 10 hours, so it could take more or less time than I experienced, depending.

A few important factors to consider:

Reaver worked exactly as advertised in my test, but it wont necessarily work on all routers
(see more below). Also, the router youre cracking needs to have a relatively strong signal, so
if youre hardly in range of a router, youll likely experience problems, and Reaver may not
work. Throughout the process, Reaver would sometimes experience a timeout, sometimes get
locked in a loop trying the same PIN repeatedly, and so on. I just let it keep on running, and
kept it close to the router, and eventually it worked its way through.
Also of note, you can also pause your progress at any time by pressing Ctrl+C while Reaver is
running. This will quit the process, but Reaver will save any progress so that next time you
run the command, you can pick up where you left off-as long as you dont shut down your
computer (which, if youre running off a live DVD, will reset everything).

How Reaver Works

Now that youve seen how to use Reaver, lets take a quick overview of how Reaver works.
The tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or
WPS. Its a feature that exists on many routers, intended to provide an easy setup process, and
its tied to a PIN thats hard-coded into the device. Reaver exploits a flaw in these PINs; the
result is that, with enough time, it can reveal your WPA or WPA2 password.

How to Protect Yourself Against Reaver Attacks

Since the vulnerability lies in the implementation of WPS, your network should be safe if you
can simply turn off WPS (or, even better, if your router doesnt support it in the first place).
Unfortunately, as Gallagher points out as Ars, even with WPS manually turned off through his
routers settings, Reaver was still able to crack his password.
So thats kind of a bummer. You may still want to try disabling WPS on your router if you
can, and test it against Reaver to see if it helps.
You could also set up MAC address filtering on your router (which only allows specifically
whitelisted devices to connect to your network), but a sufficiently savvy hacker could detect
the MAC address of a whitelisted device and use MAC address spoofing to imitate that
computer.
Double bummer. So what will work?
I have the open-source router firmware DD-WRT installed on my router and I was unable to
use Reaver to crack its password. As it turns out, DD-WRT does not support WPS, so theres
yet another reason to love the free router-booster. If thats got you interested in DD-WRT,
check their supported devices list to see if your routers supported. Its a good security
upgrade, and DD-WRT can also do cool things like monitor your internet usage, set up a
network hard drive, act as a whole-house ad blocker, boost the range of your Wi-Fi network,
and more. It essentially turns your $60 router into a $600 router.