With WPA & WPA2 encrypted networks becoming standard in Ireland there are a vast number of people trying to crack Eircom & UPC wireless connections without any success. In general a WPA/2 attack can take up to several billion years to crack (that's no joke); however, recently a new security hole was found that allows new devices to be cracked in less than 10 hours.
A new & free open source tool called Reaver exploits a massive security hole in wireless modems/routers and can crack up to 95% of devices used in Ireland today. A built-in feature in most routers called “WiFi Protected Setup” is the culprit and it literally makes billions of devices across the globe susceptible to attack, including many government agencies' networks and large commercial networks like Google, Microsoft & eBay. Not only that, but many of our home devices now have WiFi Protected Setup built into their hardware and software, which means your network as well as mine could very well have already been cracked by some wardriving geek!
You might find yourself asking “What is WiFi Protected Setup?”. Basically WPS lets devices like printers or other network devices connect to your network without requiring the WPA key.
Anyway, simply for educational purposes, here's how to crack Eircom & UPC networks protected with WPA encryption which have the WPS feature enabled, using Reaver on Backtrack 5.
Note: Hacking networks without authorised access is illegal – so get permission first!
- Backtrack 5
A Linux-based hacker's operating system (PTD). You can download it for free here: http://www.backtrack-linux.org/downloads/
I'll show you how to install Reaver on Backtrack later on.
- Alfa USB Network Interface (AWUS036H)
Depending on your machine you might not have a compatible wireless interface. I use the Alfa device named above. It's a powerful device and works great with all sorts of cracking and hacking tools. You can buy one here: USB Wireless Network Device
- A target network protected with WPA / WPA2
Obviously the network you're attacking must have WPS running. If it doesn't then you're looking at a failed attack and several billion years of cracking that network.
Let's get started
Install Backtrack 5 onto your machine (a laptop is ideal if you plan to wardrive). If you're running a live DVD or you installed it from a DVD then there is a good chance you will need to install Reaver on your machine. This only takes a few minutes and it's quite simple to do. With Backtrack up and running, connect your wireless or Ethernet port to your internet connection and establish a connection. You can verify you are connected by opening up Firefox and navigating to www.google.com.
Now open up a new shell window (terminal) and type the following:
apt-get update
After the update type the following into the shell:
apt-get install reaver
If all went well and your computer hasn't exploded then Reaver should now be installed. If you're running a live version of Backtrack (not installed) then you will have to have an internet connection every time you reboot your computer to get this update. If you installed Backtrack to your machine (either as a virtual machine or on a partition) then you won't need to keep doing this.
If you're connected to a wireless network then go ahead and disconnect it. You can do this by opening Wicd Network Manager and clicking disconnect. (Mess about in Backtrack for a while to learn where these settings are.)
Next you need to get your wireless card’s interface name. To do this open up a new shell window and type in the following:
You should see an interface name like wlan0. If you have a weird setup or different devices on your computer then it might be named differently. You should be able to identify it quite easily. You will need to remember this, so grab a pen and paper and write down your interface name.
Next we need to put the interface into “monitor mode”. Open up a new shell window and type in the following (changing wlan0 to your device name):
airmon-ng start wlan0
Doing this will show you the monitor mode interface name. This will probably be something like “mon0”. You should write this down on your piece of paper as we will also need it later on.
Next we need to find the BSSID of the router we want to crack. This is the unique identifier of the router/modem we will be trying to crack. We need this so we can tell Reaver we want it to attack this network and not every network it sees. To find the BSSID open up a new shell window and type the following command (replacing “wlan0” with your wireless interface name):
You will now see a bunch of networks that your wireless device can see. Look under the ENC column and you will see the encryption type of each network. Pick a network with WPA or WPA2 encryption and then press “Ctrl + C” to stop the card searching for more networks. Now write down the BSSID of the network you want to attack. The BSSID will be visible on the left side of the screen as a series of letters, numbers and colons.
NOTE: You might want to change your MAC address now. This is a unique identifier which only your wireless interface has. It's a good idea to change this if you are trying to spoof your identity, otherwise the attack could be traced back to your computer if somebody was to investigate it deeply enough. To change your MAC address check this article I wrote a while back (it opens in a new page): http://insanitypop.com/2012/01/changing-your-mac-address-in-windows-osx-10-7-backtrack-5/
The next job is to get started with Reaver and begin cracking the network. If you have a bunch of shell windows open you can close them and open up a new shell window. A neat computer is a productive computer.
Type the following into the shell window. Replace mon0 with your monitor mode interface ID and replace “AA:BB:CC:DD:EE:FF” with the BSSID you want to crack:
reaver -i mon0 -b AA:BB:CC:DD:EE:FF -vv
Now run the command and Reaver will begin to crack the network. Reaver does this by trying a series of PINs on the router in a brute force attack. This can take up to 10 hours to complete, but eventually, if WPS is enabled on the router, Reaver will have the code cracked. In most cases it took me around 2 to 3 hours to crack WPA networks using Reaver.
Eventually you will see something like the following printed on your screen:
[+] WPS PIN: '73848219'
[+] WPS PSK: 'XXXXXXXX'
[+] AP SSID: 'CISCO'
Your golden ticket is the “WPS PSK”. This code will give you full access to the wireless network, which opens it up for internal attacks, digging and all sorts of havoc!
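The brute force described above is anything but quiet from the router's side: the registrar sees one failed WPS PIN exchange after another from the same client MAC, every few seconds, for hours, whereas a real person mistypes a PIN once or twice at most. As an added example (not code from the original post or from Reaver) here is a small Python detector that runs that rule over access-point log lines. The log format is a constructed, hostapd-like format assumed purely for illustration; the sample lines are built inline and are not captured traffic.

```python
# Added example (not from the original post): spotting a WPS PIN brute force
# from the access point's side. The log format is CONSTRUCTED and hostapd-like;
# it is an assumption for illustration, not a real vendor format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per WPS registrar event: timestamp, interface, event, client MAC and,
# for failures, the message at which the exchange broke down (M4 = first half
# of the PIN rejected, M6 = second half rejected).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+): "
    r"(?P<event>WPS-FAIL|WPS-SUCCESS) client=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: msg=(?P<msg>M\d))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def detect_wps_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {client_mac: peak_failures_in_window} for every client whose WPS
    failures inside a sliding window reach the threshold.

    A person typing a PIN wrong gives one or two failures; a PIN brute force
    like the one described in the post produces a steady stream of them from
    one client MAC, typically every few seconds, for hours.
    """
    recent = defaultdict(deque)   # client MAC -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "WPS-FAIL":
            continue
        q = recent[ev["mac"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["mac"]] = max(alerts.get(ev["mac"], 0), len(q))
    return alerts


def build_sample_log():
    """CONSTRUCTED sample, not captured traffic: one client failing a PIN every
    two seconds (brute-force pattern) and one legitimate client that mistypes
    its PIN once and then succeeds."""
    start = datetime(2012, 2, 1, 21, 0, 0)
    lines = []
    for i in range(12):
        t = start + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} wlan0: WPS-FAIL client=02:11:22:33:44:55 msg=M4")
    t = start + timedelta(seconds=5)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} wlan0: WPS-FAIL client=02:aa:bb:cc:dd:ee msg=M6")
    t = start + timedelta(seconds=40)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} wlan0: WPS-SUCCESS client=02:aa:bb:cc:dd:ee")
    # An unrelated line that the parser should skip rather than choke on.
    lines.append("2012-02-01 21:01:00 wlan0: STA-CONNECTED client=02:aa:bb:cc:dd:ee")
    return lines


if __name__ == "__main__":
    for mac, count in detect_wps_bruteforce(build_sample_log()).items():
        print(f"ALERT: {count} WPS PIN failures from {mac} within 5 minutes")
```

On the sample data only the client hammering the registrar is reported (12 failures in 22 seconds); the legitimate client with a single failure never reaches the threshold. The threshold and window are deliberately loose, because a real brute force runs for hours and will trip them many times over, while a handful of genuine typos will not. The only fix that removes the risk entirely is turning WPS off on the router, since a router without WPS is exactly the "several billion years" case the post describes.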