reaver / eb83821
New upstream version 1.6.2 Sophie Brun 6 years ago
3 changed file(s) with 121 addition(s) and 52 deletion(s).
00 # Overview
11
2 **Reaver** has been designed to be a robust and practical attack against **Wi-Fi Protected Setup (WPS)** registrar PINs in order to **recover WPA/WPA2 passphrases**. It has been tested against a wide variety of access points and WPS implementations.
3
4 The **original** Reaver implements a **online brute force attack** against, as described in [http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf](http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf).
5 **reaver-wps-fork-t6x** version **1.6b** is a **community forked version**, which has included **various bug fixes** and additional attack method (the **offline Pixie Dust** attack).
6
2 **Reaver** implements a **brute force attack** against **Wifi Protected Setup** (WPS) registrar **PINs** in order to recover **WPA/WPA2 passphrases**, as described in [Brute forcing Wi-Fi Protected Setup When poor design meets poor implementation.](http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf) by **Stefan Viehböck**.
3 **Reaver** has been designed to be a robust and practical attack against **Wi-Fi Protected Setup (WPS)** registrar PINs in order to **recover WPA/WPA2 passphrases** and has been tested against a wide variety of access points and WPS implementations.
74 **Depending on the target's Access Point (AP)**, to recover the plain text WPA/WPA2 passphrase the **average** amount of time for the transitional **online brute force** method is **between 4-10 hours**. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
85 When using the **offline attack**, **if** the AP is vulnerable, it may take only a matter of **seconds to minutes**.
96
10 * The original Reaver (v1.4) can be found here: [https://code.google.com/p/reaver-wps/](https://code.google.com/p/reaver-wps/).
11 * The discontinued reaver-wps-fork-t6x community edition (which includes the Pixie Dust attack. v1.5.3) is now the old-master branch from this repository
12 * reaver-wps-fork-t6x community edition of Reaver version 1.6b (which includes the Pixie Dust attack): [https://github.com/t6x/reaver-wps-fork-t6x](https://github.com/t6x/reaver-wps-fork-t6x).
13 * For more information about the Pixie Dust attack (including **which APs are vulnerable**) can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps),
14 [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)) & [https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing)
7 The first version of **reaver-wps** (reaver 1.0) was created by **Craig Heffner** in 2011.
8 **reaver-wps-fork-t6x** version **1.6.x** is a **community forked version** which includes **various bug fixes**, **new features** and additional attack method (such as the **offline Pixie Dust** attack).
9
10 * The original Reaver (version 1.0 to 1.4) can be found in [google code archives](https://code.google.com/p/reaver-wps/).
11 * The discontinued reaver-wps-fork-t6x community edition, reaver version 1.5.3, which includes the Pixie Dust attack, is now the [old-master branch](https://github.com/t6x/reaver-wps-fork-t6x/tree/master-old) from this repository.
12 * The latest revison of reaver-wps-fork-t6x community edition is the [master branch](https://github.com/t6x/reaver-wps-fork-t6x) from this repository.
13 Reaver versioning was updated to **1.6.x** in order to identify the new cycle.
14 All stable relases since the first beta version of reaver 1.6 can be downloaded from our [Releases](https://github.com/t6x/reaver-wps-fork-t6x/releases) page.
15 * More information about the Pixie Dust attack (including **which APs are vulnerable**) can be found in [pixiewps repository](https://github.com/wiire/pixiewps),
16 [pixie dust thread in Kali forum)](https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack) & [Dominique Bongard's full disclosure](https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing)
1517
1618 - - -
1719
18 # Requirements
20 # Requirements
1921
22 ## Build-time dependencies
23
24 - libpcap-dev
25 - build-essentials
26
27 ## Runtime-time dependencies
28
29 - pixiewps (optional, required for pixiedust attack)
30 - aircrack-ng (optional, though recommended)
31
32 ## Example
2033 ```
21 apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
34 sudo apt -y install build-essential libpcap-dev aircrack-ng pixiewps
2235 ```
2336 _The example uses [Kali Linux](https://www.kali.org/) as the Operating System (OS) as `pixiewps` is included._
2437
25 You **must** already have Wiire's Pixiewps installed.
26 The latest version can be found here: [https://github.com/wiire/pixiewps](https://github.com/wiire/pixiewps).
38 You **must** already have Wiire's Pixiewps installed to perform a pixie dust attack, latest version can be found in its [official github repository](https://github.com/wiire/pixiewps).
2739
2840 - - -
2941
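Review bot: the rewritten history text in this hunk carries several documentation defects that should be fixed before merge: the new side's line 12 has "latest revison" (revision), line 14 has "stable relases" (releases), and line 16 opens its link text with "[pixie dust thread in Kali forum)]", so the stray ")" plus the unescaped parentheses in the Kali URL will break the Markdown link. In the same line the link labelled "Dominique Bongard's full disclosure" still points at the Google Sheets URL that the deleted text presented as a spreadsheet of affected APs, so either the label or the target is wrong. Smaller points: line 8 reads "additional attack method (such as ...)" and wants a plural ("additional attack methods, such as"); lines 13-14 sit between two bullets without a blank line, so Markdown folds them into the preceding list item; "Runtime-time dependencies" (line 27) should be "Runtime dependencies"; and line 38 is a comma splice that reads better as two sentences, e.g. "You must already have Wiire's Pixiewps installed to perform a Pixie Dust attack. The latest version can be found in its official GitHub repository."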
3749
3850 `wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip`
3951
40 **Build**
52 **Locate the shell**
4153
42 ```bash
43 cd reaver-wps-fork-t6x*/
44 cd src/
45 ./configure
46 make
47 ```
54 `cd reaver-wps-fork-t6x*`
55 `cd src`
56
57 **Compile**
58
59 `./configure`
60 `make`
4861
4962 **Install**
5063
51 `sudo make install`
64 `sudo make install`
5265
5366 - - -
5467
55 # About Reaver 1.6b Options
68 # Reaver Usage
5669
57 Please notice that work is in progress and the situation will progress soon, stay tuned! ;)
70 ```Reaver v1.6.2 WiFi Protected Setup Attack Tool
71 Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
5872
59 ## -K and-or -Z // --pixie-dust (in reaver)
73 Required Arguments:
74 -i, --interface=<wlan> Name of the monitor-mode interface to use
75 -b, --bssid=<mac> BSSID of the target AP
6076
77 Optional Arguments:
78 -m, --mac=<mac> MAC of the host system
79 -e, --essid=<ssid> ESSID of the target AP
80 -c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
81 -o, --out-file=<file> Send output to a log file [stdout]
82 -s, --session=<file> Restore a previous session file
83 -C, --exec=<command> Execute the supplied command upon successful pin recovery
84 -D, --daemonize Daemonize reaver
85 -f, --fixed Disable channel hopping
86 -5, --5ghz Use 5GHz 802.11 channels
87 -v, --verbose Display non-critical warnings (-vv for more)
88 -q, --quiet Only display critical messages
89 -h, --help Show help
90
91 Advanced Options:
92 -p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
93 -d, --delay=<seconds> Set the delay between pin attempts [1]
94 -l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
95 -g, --max-attempts=<num> Quit after num pin attempts
96 -x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
97 -r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
98 -t, --timeout=<seconds> Set the receive timeout period [5]
99 -T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
100 -A, --no-associate Do not associate with the AP (association must be done by another application)
101 -N, --no-nacks Do not send NACK messages when out of order packets are received
102 -S, --dh-small Use small DH keys to improve crack speed
103 -L, --ignore-locks Ignore locked state reported by the target AP
104 -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
105 -n, --nack Target AP always sends a NACK [Auto]
106 -w, --win7 Mimic a Windows 7 registrar [False]
107 -K, --pixie-dust Run pixiedust attack
108 -Z Run pixiedust attack
109
110 Example:
111 reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
112 ```
113
114 Options description and examples of use can be found in the [Readme from Craig Heffner](https://github.com/t6x/reaver-wps-fork-t6x/blob/master/docs/README.REAVER). Here comes a description of the new options introduced since then:
115 ## -K or -Z // --pixie-dust
61116 The `-K` and `-Z` option perform the offline attack, Pixie Dust _(`pixiewps`)_, by automatically passing the **PKE**, **PKR**, **E-Hash1**, **E-Hash2**, **E-Nonce** and **Authkey** variables. `pixiewps` will then try to attack **Ralink**, **Broadcom** and **Realtek** detected chipset.
62117 **Special note**: If you are attacking a **Realtek AP**, **do NOT** use small DH Keys (`-S`) option.
63118 User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase.
64119 This is a temporary solution and an option to do a full attack will be implemented soon
120 ## -p with arbitrary string // --pin=<wps pin>
121 See our wiki: [Introducing a new way to crack WPS: Option p with an Arbitrary String](https://github.com/t6x/reaver-wps-fork-t6x/wiki/Introducing-a-new-way-to-crack-WPS:-Option--p-with-an-Arbitrary-String)
65122
123 # Wash Usage
66124
67 ## -a // --all (in wash)
125 ```
126 Wash v1.6.2 WiFi Protected Setup Scan Tool
127 Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
68128
69 The option `-a` of Wash will list all access points, including those without WPS enabled.
129 Required Arguments:
130 -i, --interface=<iface> Interface to capture packets on
131 -f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
70132
71 ## Deprecated and temporary left behind options
133 Optional Arguments:
134 -c, --channel=<num> Channel to listen on [auto]
135 -o, --out-file=<file> Write data to file
136 -n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
137 -D, --daemonize Daemonize wash
138 -5, --5ghz Use 5GHz 802.11 channels
139 -s, --scan Use scan mode
140 -u, --survey Use survey mode [default]
141 -a, --all Show all APs, even those without WPS
142 -j, --json print extended WPS info as json
143 -h, --help Show help
72144
73 * **- n** (reaver): Automatically enabled, no need to invocate it.
74 * **- W** (reaver): Temporary left behind. Integration of the default PIN generators was unstable, leading to many warnings at compilation time. It was also an issue to use a PIN attempt (risk of AP rating limit) in order to get a BSSID and an ESSID. For the moment PIN generation has to be done externally using the scripts provided in "doc".
75 * **- a** (reaver): This option was the only option which required sqlite3 adding an extra dependency. It was only designed for automation scripts and this task (execute the last reaver command again) can be easily done internally by the script that calls reaver
76 * **- p1** and **-p2** (reaver): Too much warnings and bugs.
77 * **-H** (reaver): There is a need to find a way to perform it more cleanly, work is in progress.
78 * **- vvv** (reaver): The highest level of verbose is temporary removed for the same reason.
79 * **- g** (wash): Option was broken in latest release and need to be seriously rethought.
145 Example:
146 wash -i wlan0mon
147 ```
80148
81 ## Options repaired/solved issues
82
83 Issues with -g and -p (and their crossed usage) are left behind.
84 Code is much more clean, robust and has less dependencies.
85 We know that it looks like at first time as a regression but it is not!
86 We were stuck with issues for years due the dificulty of the task and the lack of global direction.
87 Now we have a much healthier base and it will be worth it.
149 A detailed description of the options with concrete syntax examples can be found in [Craig Heffner's wash readme](https://github.com/t6x/reaver-wps-fork-t6x/blob/master/docs/README.WASH).
150 About the new options:
151 ## -a // --all
152 The option `-a` of Wash will list all access points, including those without WPS enabled.
153 ## -j // --json
154 The extended WPS information (serial, model...) from the AP probe answer will be printed in the terminal (in json format)
155
156 Notice that wash output can be piped into other commands. For more information see the wiki article [Everything about the new options from wash](https://github.com/t6x/reaver-wps-fork-t6x/wiki/Everything-about-the-new-options-from-wash)
88157
89158 # Acknowledgements
90159
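Review bot: the reaver usage dump at new line 70 starts on the same line as its opening fence ("```Reaver v1.6.2 WiFi Protected Setup Attack Tool"), so Markdown treats that text as the fence's info string and the title line disappears from the rendered README; put the fence on its own line, as the Wash block at new line 125 already does. Other points in this hunk: the heading "**Locate the shell**" (new line 52) sits above two cd commands into the source tree and should say what they do, e.g. "**Enter the source directory**"; replacing the old fenced bash block with four separate inline-code lines (new lines 54-60) loses the copy-pasteable build sequence, so one fenced block holding "cd reaver-wps-fork-t6x*/src", "./configure" and "make" would read better. The "-Z" row in the options list (new line 108) has no long form and the same description as -K, while the heading at new line 115 says "-K or -Z" without stating when one is used instead of the other; either document the difference or drop the duplicate row. The deleted "Deprecated and temporary left behind options" section (old lines 71-79) is not replaced by anything, and -W, -a, -H and -p1/-p2 are absent from the new reaver usage text, so a reader of the 1.5.x docs has no pointer to why they went away; a short "Removed options" subsection or a CHANGELOG entry would preserve that history. Finally, new line 114 reads "Here comes a description of the new options introduced since then:" (clearer: "The options added since then are described below:") and new line 154 lacks a terminating period.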
00 #! /bin/sh
11 # Guess values for system-dependent variables and create Makefiles.
2 # Generated by GNU Autoconf 2.69 for reaver 1.6.1.
2 # Generated by GNU Autoconf 2.69 for reaver 1.6.2.
33 #
44 #
55 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
576576 # Identity of this package.
577577 PACKAGE_NAME='reaver'
578578 PACKAGE_TARNAME='reaver'
579 PACKAGE_VERSION='1.6.1'
580 PACKAGE_STRING='reaver 1.6.1'
579 PACKAGE_VERSION='1.6.2'
580 PACKAGE_STRING='reaver 1.6.2'
581581 PACKAGE_BUGREPORT=''
582582 PACKAGE_URL=''
583583
12221222 # Omit some internal or obsolete options to make the list less imposing.
12231223 # This message is too long to be a string in the A/UX 3.1 sh.
12241224 cat <<_ACEOF
1225 \`configure' configures reaver 1.6.1 to adapt to many kinds of systems.
1225 \`configure' configures reaver 1.6.2 to adapt to many kinds of systems.
12261226
12271227 Usage: $0 [OPTION]... [VAR=VALUE]...
12281228
12831283
12841284 if test -n "$ac_init_help"; then
12851285 case $ac_init_help in
1286 short | recursive ) echo "Configuration of reaver 1.6.1:";;
1286 short | recursive ) echo "Configuration of reaver 1.6.2:";;
12871287 esac
12881288 cat <<\_ACEOF
12891289
13711371 test -n "$ac_init_help" && exit $ac_status
13721372 if $ac_init_version; then
13731373 cat <<\_ACEOF
1374 reaver configure 1.6.1
1374 reaver configure 1.6.2
13751375 generated by GNU Autoconf 2.69
13761376
13771377 Copyright (C) 2012 Free Software Foundation, Inc.
16691669 This file contains any messages produced by compilers while
16701670 running configure, to aid debugging if configure makes a mistake.
16711671
1672 It was created by reaver $as_me 1.6.1, which was
1672 It was created by reaver $as_me 1.6.2, which was
16731673 generated by GNU Autoconf 2.69. Invocation command line was
16741674
16751675 $ $0 $@
38453845 # report actual input values of CONFIG_FILES etc. instead of their
38463846 # values after options handling.
38473847 ac_log="
3848 This file was extended by reaver $as_me 1.6.1, which was
3848 This file was extended by reaver $as_me 1.6.2, which was
38493849 generated by GNU Autoconf 2.69. Invocation command line was
38503850
38513851 CONFIG_FILES = $CONFIG_FILES
38983898 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
38993899 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
39003900 ac_cs_version="\\
3901 reaver config.status 1.6.1
3901 reaver config.status 1.6.2
39023902 configured by $0, generated by GNU Autoconf 2.69,
39033903 with options \\"\$ac_cs_config\\"
39043904
0 AC_INIT(reaver, 1.6.1)
0 AC_INIT(reaver, 1.6.2)
11 AC_CONFIG_FILES([config.mak])
22 AC_PROG_CC
33 AC_LANG(C)
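Review bot: the AC_INIT arguments are unquoted and the bug-report argument is still omitted, which is why the regenerated configure script above ends up with PACKAGE_BUGREPORT='' and PACKAGE_URL='' (visible at its lines 581-582); prefer the m4-quoted form with the project link from the README, e.g. `AC_INIT([reaver], [1.6.2], [https://github.com/t6x/reaver-wps-fork-t6x])`, so that `configure --help` and config.log point users at the repository. The version bump itself is consistent: 1.6.2 here matches every PACKAGE_* and help/version string in the regenerated configure and the "Reaver v1.6.2" banner in the README usage text, and Autoconf stays at 2.69, so the generated file was regenerated rather than hand-edited.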