PJ: the WPS PIN code is checked in two halves, the first 4 digits and the last 4 digits. The first 4 digits have at most 10,000 combinations, and the first 3 digits of the last 4 have only 1,000 combinations, so there are 11,000 PIN combinations in total: 10^4 + 10^3 = 11,000. After reaver determines the first four digits of the PIN, the progress value jumps to more than 90.9%, that is, only the remaining 1,000 combinations are left to try.

Learning process

1. Click "open" on the VM. If your computer has multiple wireless NICs, run "ifconfig -a" to check which NIC you are using, such as wlan0 or wlan1. (The following commands use a single NIC, wlan0, as an example.)

2. The root shell window appears. Run the first command, "ifconfig wlan0 up", to load the USB NIC. Next, run "airmon-ng start wlan0"; monitor mode is then enabled on mon0. If the NIC is not loaded properly, follow the instructions in step 1 to solve the problem.

3. Run the second command, "airodump-ng mon0", to view information about the surrounding APs. Record the MAC address of the router you want to learn. Reaver provides several ways to learn a router by using the PIN code.

Note: You can use the PIN method to learn the PSK password only when WPS and QSS are enabled for the AP! How can you check whether the AP has WPS and QSS enabled? A few small methods:
A) In reaver 1.3, use the command "command-imon0-C" to view it (on xiaopangOS 3.2).
B) In reaver 1.4, use the new command "wash -i mon0 -C" (the C is capitalized); the result is displayed in the WPS Locked item.
C) Connect to the AP in the usual way in WIN7.
If the "enter the password" prompt box also says "you can also connect to the AP by pressing the button on the router", then WPS and QSS are enabled for this AP.
D) In the crab software, under available networks, a mode showing N or G is not a very accurate indicator; but if you click the PIN input configuration option below it and can select the access point, haha, this is a learning target.

Note that some routers do not support PIN code connection, so do not carry out the following operations on them. You know the consequences.

4. Open a new root shell window and run the third command, "reaver -i mon0 -b MAC -a -S -vv", to capture the PIN code.

Note: The colons in the MAC address cannot be omitted, and the MAC address may use uppercase or lowercase letters. -S is an uppercase letter, and -vv is two Vs, not a W!

-i: name of the monitoring interface
-b: target MAC address
-a: automatically detect the best configuration for the target AP
-S: use the smallest DH key (improves PJ speed)
-vv: show more non-critical warnings
-d: delay, the idle time between attempts; 1 second by default
-t: timeout, the longest time to wait for a response on each attempt
-c: specify the channel, which makes it easier to find the signal; for example, -c 1 specifies channel 1. Check your target's channel and change it accordingly.

(For non-TP-LINK routers, the parameters "reaver -i mon0 -b MAC -a -S -d 9 -t 9" are recommended.)

Summary: when learning, adjust the parameters to the conditions (-c is followed by the target channel; channel 1 is used as an example).
Target signal very good: reaver -i mon0 -b MAC -a -S -vv -d 0 -c 1
Target signal common: reaver -i mon0 -b MAC -a -S -vv -d 2 -t .5 -c 1
Target signal: reaver -i mon0 -b MAC -a -S -vv -d 5 -c 1

Learning then starts, followed by a long wait. If the signal is good, you will be pleasantly surprised when the progress reaches 100% within 2-4 hours. However, PIN password breaking has extremely strict signal requirements.
If the signal is slightly poor, it may lead to slow password breaking progress or to the router deadlocking (the same PIN repeating, or timeouts). If the AP has WPS disabled or does not have QSS, the following error occurs:
WARNING: Failed to associate with XX:XX (ESSID: XXXX)

5. If an ultra-long WPA PSK is returned, you can use the fourth command, "reaver -i mon0 -b MAC -p WPA PSK", where MAC is the target MAC address and WPA PSK is the ultra-long password obtained. Its function is to obtain the WPA password (PSK) from the specified PIN code.

6. Common commands:

7. Not all routers support PIN learning. If the AP has WPS disabled or does not have QSS, the following error occurs:
WARNING: Failed to associate with XX:XX (ESSID: XXXX)
During the learning process, you can press Ctrl + C to terminate PJ at any time, or terminate when the same PIN repeats or timeouts occur; reaver automatically saves the progress. After the progress is saved, repeat items 2-4. First check whether the AP signal is strong, then continue learning. When the "reaver -i mon0 -b MAC -vv" command is run again, it asks you to select y or n; select y to continue. After reaver confirms the first four digits of the PIN, the progress jumps to more than 90.9%, that is, only the remaining 1,000 combinations are left (out of 11,000 in total). This is one step away from success!!!

TIPS: as long as the root shell window is not closed, the commands you have entered can be recalled with the up and down arrow keys.

8. Find the two snapshot icons in the VM. The first one saves a snapshot. The second one restores the last snapshot. Snapshot function: similar to resumable downloads in Thunder, it saves the progress of the last learning session and guards against the target locking up during the PIN run, which is unavoidable with CD boot, USB flash drive boot and hard disk boot. A virtual machine gives you this insurance.
If you cannot continue after loading the snapshot, you can remove the USB NIC and load it again, then continue the previous learning in the open window. During the learning process, you can press Ctrl + C to terminate PJ at any time, or terminate when the same PIN repeats or timeouts occur; reaver automatically saves the progress. After the "reaver -i mon0 -b MAC -vv" command is issued, you are asked to select y or n; select y to continue.

9. Saving the learning progress when booting from CD, USB flash drive or hard disk.
reaver 1.3 storage path: open the last icon, xfec, on the desktop and find the file with the wpc suffix under /etc/reaver; its name is the MAC address of your learning target. Copy it to your USB flash drive, whose path is /mnt/sdb1 (this is generally the one you are looking for; if there is nothing there, right-click and mount it). After restarting xiaopanOS, copy the file back to the original path and try again; the progress is loaded! Haha.
reaver 1.4 storage path: the save directory is /usr/local/etc/reaver. If the xfe file manager does not have root permission, run the root shell and enter xfe to obtain root permission. The same method is used to save the data. After the next restart, manually copy the MAC address file to the /etc/reaver/ directory.

The wpc file is actually a text file. Its format is similar to a password-breaking dictionary. The first and second lines of the wpc file are the positions in the 4-digit and 3-digit lists (+ 4). If the AP crashes after the progress reaches 99.9%, you can open the file. It has a total of 1000 three-digit entries. Find the remaining 10 PIN codes and test them manually with the QSS and WPS client software. If it crashes at 99.99%, what does that mean? You know? The last PIN is.

The following command specifies the PIN code to obtain the WPA password (PSK):
reaver -i mon0 -b MAC -p <8-digit PIN>

If the PSK password still does not come out after the above measures, it may be caused by the software skipping codes!
You need to re-run the last three digits (if the first four digits are correct):
reaver -i mon0 -b MAC -p <first four digits of the PIN>

Editor's postscript: This article draws on the work and text of some authors on the forum. I would like to express my gratitude to the original authors. I hope this will not cause copyright disputes. Haha. I hope newbies can find suitable methods and skills in this article. If you still cannot understand this article, it only means that my level as a newbie teacher is too low. Please move on and ask someone more capable. This article does not accept any negative feedback! ^_^

1. xiaopanOS, the 8187 driver and RF-kill
xiaopanOS does not support the 8187 NIC very well, and sometimes the driver cannot be loaded: after the first command is entered, "operation not possible due to RF-kill" appears. I think most people have met this. The new version 0.34 uses the command "rfkill unblock all" to solve this problem, which is common in 0.3.2.

Solution 1: unplug the USB NIC, wait for about 10 seconds and plug it in again. Plugging it in several times in a row always works eventually.

Solution 2: run the bottle scan for a while and then exit the bottle. The virtual machine's USB icon (a small dot on the USB icon) changes from dark green to light green. Once it is light green, enter:
ifconfig wlan0 up
airmon-ng start wlan0

Solution 3:
A. After the error occurs, enter the command "ifconfig -a" in the root shell window and check whether wlan0 exists in the last item. This is your wireless network card. If the network card is not plugged in, wlan0 appears in the test.
B. Enter the second command, "ifconfig wlan0 up", and the third, "airmon-ng start wlan0", to load the NIC. If "operation not possible due to RF-kill" occurs, do not panic: enter the command "airmon-ng start wlan0" several times, then unplug the USB NIC, insert it again, and repeat the commands in step 1.
Normally, only "monitor mode enabled on mon0" is displayed in the brackets, and "operation not possible due to RF-kill" is not displayed. If this has not been achieved, repeat the preceding steps until it is.
C. Enter "airodump-ng mon0" (if "monitor mode enabled on mon1" is displayed in the brackets, change the command to "airodump-ng mon1"; the other commands are changed similarly). Test the function: if the scan is normal, the 8187L has been loaded successfully, and you can reaver it, you know!
D. Tips: as long as the root shell window is not closed, the commands you have entered can be recalled with the up and down arrow keys.

2. An all-round method for saving reaver's password-breaking progress
You can boot xiaopanOS from a USB flash drive or hard disk and save the progress so that it is not lost after a restart. The method is as follows: open the last icon, xfec, on the desktop and go to /etc/reaver. There is a file with the wpc suffix named after the MAC address being PJ'd. Copy it to your USB flash drive, whose path is /mnt/sdb1 (this is generally the case; right-click and mount it if there is nothing there). After restarting xiaopanOS, copy the file back to the original path and try again; the progress is loaded!
The reaver progress file is stored as /etc/reaver/<MAC address>.wpc. Use the file manager to manually copy the wpc file named after the MAC address to the USB flash drive or hard disk. After restarting, manually copy the file back to the /etc/reaver/ directory.
The <MAC address>.wpc file is actually a text file. Its format is similar to a dictionary used for password cracking. If the AP crashes after the progress reaches 99.9%, you can open the file, which has a total of 1000 three-digit entries, find the remaining 10 PIN codes and test them manually with the QSS and WPS client software.

3. One of the most powerful measures for reducing timeouts and repeated codes during PIN password breaking
The difficulty of the PIN is unrelated to the MAC!
It is mainly related to how congested the router's channel is! (Several routers on the same channel, especially ones with strong signals, interfere with each other and cause timeouts.) Generally, the default AP channel is channel 6, and in some cases channel 1. The principle for solving "co-channel interference" and "adjacent-channel interference" is: lure the tiger away from the mountain (which I think everyone understands). Keep the AP that is moved at least 3 channels away from the AP being broken.

5. If the process crashes or stops at 90.9%, write down the first four digits of the PIN and use the -p parameter. Run the following command:
reaver -i mon0 -b MAC -a -vv -p XXXX (the first four digits of the PIN)
Password breaking then resumes from the specified PIN segment.

6. You can use the PIN method to break the PSK password only when WPS and QSS are enabled for the AP! How can you check whether the AP has WPS and QSS enabled?
In reaver 1.3, when "airodump-ng mon0" is used, an MB value of 54e. means 11n with WPS enabled (not 54e: it is 54e followed by a dot, "54e.").
In reaver 1.4, in addition to the preceding command, you can also use the new command "wash -i mon0 -C"; the result is displayed in the WPS Locked item.
In WIN7, connect to the AP in the usual way. If "you can also connect to the AP by pressing the button on the router" appears in the prompt box, the AP has WPS and QSS enabled.
PIN password breaking has extremely strict signal requirements. If the signal is slightly poor, it may lead to slow password breaking progress or to the router deadlocking (the same PIN repeating, or timeouts). If the AP has WPS disabled or does not have QSS, the following error occurs:
WARNING: Failed to associate with XX:XX (ESSID: XXXX)

7. You can use the MAC address to find the router's brand. Sometimes during PJ the SSID has been changed to something else, which makes the brand hard to judge. Open the following URL: http://standards.ieee.org/develop/regauth/oui/public.html and enter the first three octets of the AP's MAC.
Is this step unnecessary? For PJ you should at least know what router the other party uses. To sum up, I find that this method is the fastest and the best help for PJ.

8. To simply scan for routers that support PIN, open a root shell in xiaopanOS. If reaver is 1.3 or earlier, type the following command: [I mon0-C (if your interface is not mon0, change it to your NIC; note that the C must be capitalized). In 1.4, the command is changed to wash, which lists the routers that support WPS; if the WPS Locked item is N, PIN PJ is possible.

9. In xiaopanOS, an open window that has been minimized cannot be found, because unlike Windows there is no taskbar at the bottom. Press Alt + Tab and a pop-up menu appears. Select the root shell, and the minimized window appears again.

10. The last-resort method after the PIN is locked. It can also be used against routers with a hidden SSID (not recommended):
aireplay-ng -0 1000 -a <AP MAC> -c <valid client MAC> <NIC interface>
This makes the client disconnect 1000 times.

11. [Public Wi-Fi password] China Mobile and China Telecom (the chinanet hotspot) public accounts. Have a blessing!

12. Adjusting the antenna with a false connection
Use the 8187 management software to adjust the position of the antenna accurately. (The 8187 interface is very intuitive and friendly: you can see dynamic bars for the signal strength and the receiving quality of the current AP.) Adjust the signal strength first; good receiving quality lays a solid foundation for PJ. The most stupid way is to connect to the signal that you want to PJ. Then you will ask: if I could connect to it, why would I need PJ? Well, brothers, let me explain slowly: you can make a false connection. For example, to break the signal with the SSID 1234p:
Double-click the signal to bring up the Enter Password dialog box. You can simply enter ten 1s. In this way, a false connection is made. You can see a dynamic display of the signal strength and receiving quality on the 8187 management interface. Although the network is not accessible, you can use these two values to adjust the antenna to the optimal receiving position. After adjusting the signal, would you still say that PJ is not going well? Will packet loss such as timeouts still occur? It will be quite smooth. Haha.

Of course, we also need a good directional antenna for PJ. I am a brother from the hardware section. We often DIY high-gain antennas ourselves, which makes our signal stronger. A good horse deserves a good saddle, so that PJ goes well every time. To sum up, this is my little experience to share. At the slowest it takes me no more than 30 minutes; it usually takes 15 minutes to complete. Newbies, take a look.

13. Hidden SSIDs: a valid client must be connected.
1. Open a shell in BT3/4/5 and enter "airodump-ng <NIC interface>".
2. Open another shell and enter "aireplay-ng -0 10 -a <AP MAC> -c <valid client MAC> <NIC interface>". This command may fail because of a channel mismatch; in that case, enter it several times (re-entry trick: you only need to press the up key; if it still fails, the client is not a valid client and you need to try another one) until it reports success.
3. Then the SSID is displayed in the previous shell. (The picture is borrowed from a brother on the forum; I hope he does not mind.)
Connecting to the hidden SSID: enter the SSID, select the network authentication and encryption method, and enter the password from the PJ. Then tick the option to connect even if the network is not broadcasting. You can then see the computer icon in the lower right corner shake! If the connection fails, it may be because this signal is too weak and other signals are too strong.
In this case, delete all the APs from the available network list, leaving only the newly added AP. If the connection still fails, it is because the signal is too weak and Windows considers it not worth connecting to, or because the AP also has MAC and IP filtering set.

14. Method to modify the MAC address of the USB NIC in xiaopangOS:
macchanger -m 00:16:6f:AB:25:f9 wlan0

15. PIN password breaking was going normally and the signal quality is good, but a same-code loop and a large number of timeouts suddenly occur. This may be caused by the following reasons (excluding the router being shut down).
Reaver only supports 11n PIN password breaking. 11n verifies the first four digits of the code first; 11g also provides the PIN function, but with full-code verification. Currently, most APs run in mixed 11bgn wireless mode. When an 11g device connects, the AP automatically drops from 11n to 11g. At this point reaver shows a same-code loop and timeouts, or even
WARNING: Failed to associate with XX:XX (ESSID: XXXX)
To demonstrate: after removing the co-channel interference factors, scan the wireless network and find the router; it has indeed dropped from 54e. mode to 54. mode. Some people call this phenomenon temporary WPS or PIN function self-locking. From the collected analysis, the routers currently being broken are mainly TP-LINK routers!

Solution: wait for the 11g device to leave the wireless network, or power the AP off and restart it, and the AP automatically recovers from 11g to 11n mode. If you encounter a stubborn AP that has not been restarted for a long time, I think the most effective way is to help it restart: find the power switch of the nearby building unit (the router must be not far from us)! Next, you should know what to do. Ultimate secret: pull the switch to cut the power, push the switch back, and go home to continue the PIN!
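
The 11,000-combination arithmetic and the 90.9% progress jump described at the top of this page, worked through from the defender's side as an added example (not part of the original article and not reaver's code). The eighth PIN digit is a checksum of the first seven, which is why the second half has only 1,000 candidates, and an AP-side lockout policy changes how long the whole space takes to exhaust. The per-attempt time and the lockout values below are constructed assumptions, not measurements from this page.

```python
"""WPS PIN search space and the effect of AP-side lockout (added example)."""

FIRST_HALF = 10 ** 4   # digits 1-4, confirmed separately by the AP
SECOND_HALF = 10 ** 3  # digits 5-7; digit 8 is a checksum, not a free digit


def wps_checksum(first7: int) -> int:
    """Checksum digit defined for WPS PINs, computed over the first 7 digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit matches the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> dict:
    """Candidate counts under each model of how the PIN is verified."""
    return {
        "8 free digits": 10 ** 8,
        "7 digits + checksum": 10 ** 7,
        "halves confirmed separately": FIRST_HALF + SECOND_HALF,
    }


def progress_after_first_half() -> float:
    """Percent complete once the first four digits are known (the 90.9% jump)."""
    return round(100 * FIRST_HALF / (FIRST_HALF + SECOND_HALF), 1)


def worst_case_hours(sec_per_attempt: float, lock_after: int = 0,
                     lock_seconds: int = 0) -> float:
    """Hours to try every candidate; lock_after=0 models an AP with no lockout.

    Assumed policy: after every `lock_after` failed attempts the AP refuses
    WPS for `lock_seconds`.
    """
    seconds = (FIRST_HALF + SECOND_HALF) * sec_per_attempt
    if lock_after:
        failures = (FIRST_HALF - 1) + (SECOND_HALF - 1)  # last try of each half succeeds
        seconds += (failures // lock_after) * lock_seconds
    return round(seconds / 3600, 1)


if __name__ == "__main__":
    print(search_space())
    print("progress after first half:", progress_after_first_half(), "%")
    # Constructed policies: 1 s per attempt, then a 60 s lock per 3 failures.
    print("no lockout:", worst_case_hours(1.0), "h")
    print("3 failures -> 60 s lock:", worst_case_hours(1.0, 3, 60), "h")
```

With WPS (QSS) disabled on the AP, the 11,000-candidate path does not exist at all and only the PSK itself remains to be guessed.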