How to Use Reaver for Cracking WPA/WPA2 Passwords

WPA and WPA2 (Wi-Fi Protected Access) are the common security protocols used to protect wireless networks. While the protocols themselves are considered secure, networks that use them are not immune to attack: attackers can exploit weaknesses in how they are deployed, most notably in the WPS setup feature. One of the most famous tools for cracking WPA/WPA2 passwords is Reaver, which takes advantage of a design flaw in the WPS (Wi-Fi Protected Setup) protocol to recover the WPA/WPA2 passphrase.

In this article, we’ll provide a detailed step-by-step guide on how to use Reaver for cracking WPA/WPA2 passwords, along with real-world examples to help you understand its functionality and best practices.

What is Reaver?

Reaver is a tool designed for performing brute-force attacks against Wi-Fi networks that have WPS enabled. WPS is a feature that allows users to easily connect devices to a wireless network by pressing a button on the router or entering a PIN. While WPS is convenient, it has a vulnerability in its implementation, which Reaver exploits to recover the WPA/WPA2 passphrase.

WPA and WPA2 use a pre-shared key (PSK) to authenticate devices to the network. Reaver's attack targets the WPS PIN, an 8-digit number, and uses a recovered PIN to obtain the WPA/WPA2 passphrase: an access point hands its current PSK to any device that proves knowledge of the PIN. The attack is practical because the WPS exchange reveals whether the first and second halves of the PIN are correct separately, and the final digit is a checksum, which shrinks the effective search space from 100 million PINs to roughly 11,000.

Prerequisites for Using Reaver

Before diving into the steps of using Reaver, ensure you have the following:

  1. A Wireless Network with WPS Enabled: Reaver is only effective against networks with WPS enabled. WPS is often enabled by default on many routers but can sometimes be turned off for security reasons. Therefore, this method will not work on networks without WPS.
  2. A Wireless Network Adapter that Supports Monitor Mode: Reaver requires your wireless network adapter to support monitor mode (a mode that allows the card to capture raw packets). A compatible USB Wi-Fi adapter is essential for performing attacks.
  3. Linux Operating System (Preferably Kali Linux): Reaver is typically run on a Linux distribution such as Kali Linux, which includes the tool by default. Other distributions can be used, but you might need to install Reaver manually.
  4. Knowledge of Wireless Networks: Basic understanding of wireless networks and how WPA/WPA2, WPS, and cracking tools work will help you perform the task efficiently.

Step-by-Step Guide: How to Use Reaver for Cracking WPA/WPA2 Passwords

Step 1: Install Reaver (If Necessary)

If you're using Kali Linux, Reaver is already included, so you don't need to install it. On other Linux distributions you may need to install it manually. On a Debian- or Ubuntu-based system, use the following commands:

sudo apt update
sudo apt install reaver

After the installation, Reaver will be available in your system’s PATH, and you can run it directly from the command line.

Step 2: Set Up Your Wireless Adapter

Before you can use Reaver, you need to ensure that your wireless network adapter is in monitor mode, which allows it to capture network packets and interact with the router.

  1. Identify your wireless interface:

    Use the following command to list your wireless interfaces (iwconfig is deprecated on newer systems; iw dev reports the same information):

    iwconfig

    Your wireless network interface will typically be labeled something like wlan0 or wlan1.

  2. Enable monitor mode:

    Once you’ve identified your wireless interface, put it into monitor mode using the following commands:

    sudo ifconfig wlan0 down
    sudo iw dev wlan0 set type monitor
    sudo ifconfig wlan0 up

    This enables monitor mode on the interface. Verify it by running iwconfig again, which should report the interface as Mode:Monitor. If NetworkManager or wpa_supplicant is managing the interface, it may switch it back to managed mode; stop those services before continuing.

Step 3: Discover Nearby Networks

Before attacking a network, you need to find a nearby Wi-Fi network that has WPS enabled. You can use airodump-ng, a tool that comes with the Aircrack-ng suite, to scan for available networks.

  1. Start the airodump-ng tool:

    Run the following command to scan for nearby wireless networks:

    sudo airodump-ng wlan0

    This will display a list of nearby networks, along with their BSSID (MAC address), channel, encryption type, and other details.

  2. Identify a network with WPS enabled:

    Look for a network that reports WPS support in the WPS column. airodump-ng only displays WPS information when it is started with its --wps option, so if the column is missing, restart the scan with that option. Note the BSSID (MAC address) and the channel number of the target network.

Step 4: Launch Reaver to Attack the Network

Now that you’ve identified a target network with WPS enabled, you can use Reaver to attempt to crack the WPA/WPA2 password.

  1. Start the Reaver attack:

    Run the following command, replacing [BSSID] with the target network’s BSSID and [channel] with the target’s channel number:

    sudo reaver -i wlan0 -b [BSSID] -c [channel] -vv

    This command launches Reaver with the following options:

    • -i wlan0: Specifies the network interface (make sure this matches your interface).

    • -b [BSSID]: Specifies the target network’s BSSID.

    • -c [channel]: Specifies the channel the target network is operating on.

    • -vv: Enables verbose mode for more detailed output.

  2. Monitor the Attack:

    Reaver will now attempt to brute-force the 8-digit WPS PIN. This process can take several hours, depending on where the PIN falls in the search order, the quality of the Wi-Fi signal, and whether the access point rate-limits or locks WPS after a number of failed attempts (many current routers do, which is the main reason the attack frequently fails in practice). Reaver provides status updates throughout, including the number of attempts made and the percentage of the key space covered.

    Example output might look like this:

    [!] WARNING: A previous attack has been detected.
    [*] Trying PIN 12345670...
    [*] Attempting WPS PIN 12345670
    [*] WPS PIN found: 12345670
    [*] WPA/WPA2 PSK found: mywifipassword

    Once Reaver successfully cracks the WPS PIN, it will use this PIN to derive the WPA/WPA2 password. The password will be displayed in the terminal output.

Step 5: Recover the WPA/WPA2 Password

After Reaver successfully recovers the WPS PIN, it will attempt to derive the WPA/WPA2 password using the PIN. The result will look like the following:

[*] WPA/WPA2 PSK found: mywifipassword

This is the WPA/WPA2 password for the targeted network, which you can now use to connect to the Wi-Fi.

Step 6: Disconnect the Network Adapter and Exit

Once the attack is complete, disconnect your network adapter and exit Reaver.

  1. Disable monitor mode:

    sudo ifconfig wlan0 down
    sudo iw dev wlan0 set type managed
    sudo ifconfig wlan0 up

  2. Exit Reaver:

    You can simply press Ctrl+C to stop Reaver if it's still running.

Considerations and Legal Implications

Using Reaver to crack WPA/WPA2 passwords without permission is illegal and unethical. It’s important to only use this tool on networks that you own or have explicit permission to test. Unauthorized access to computer networks is a criminal offense in many countries, and using tools like Reaver to gain unauthorized access can lead to severe legal consequences.

Conclusion

Reaver is a powerful tool for cracking WPA/WPA2 passwords by exploiting the WPS vulnerability. While it can take some time to brute-force the 8-digit PIN, Reaver is an effective method for recovering the WPA key on networks with WPS enabled. By following the steps outlined in this article, you can use Reaver to test the security of your own wireless networks and identify potential weaknesses before attackers can exploit them. Remember to always use Reaver responsibly and within the bounds of the law.
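The weakness this article walks through is fixed on the access point, not on the client. As an added example (not from the original article or the Reaver project), here is a hostapd configuration showing the weak WPS setting beside the hardened one; the interface name, SSID and passphrase are placeholders.

```ini
# Added example: two hostapd.conf variants for the same WPA2-PSK network.
# Placeholders: wlan0, EXAMPLE_SSID and the passphrase are not real values.

# --- Weak: WPS enabled with a static AP PIN (what Reaver brute-forces) ---
interface=wlan0
ssid=EXAMPLE_SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_A_LONG_RANDOM_PASSPHRASE
# WPS requires the built-in EAP server
eap_server=1
# 2 = WPS enabled and the network is already configured
wps_state=2
# Static AP PIN: any registrar that proves this PIN is handed the PSK
ap_pin=12345670

# --- Hardened: same network with WPS switched off entirely ---
interface=wlan0
ssid=EXAMPLE_SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_A_LONG_RANDOM_PASSPHRASE
# 0 = WPS disabled (also hostapd's default); there is no PIN to attack
wps_state=0
# If WPS must stay on for push-button enrolment, leave ap_pin unset so no
# AP PIN exists, and lock external-registrar setup:
# ap_setup_locked=1
```

A passphrase strong enough to survive an offline dictionary attack does nothing against this attack, because the PSK is handed over once the PIN is known; disabling WPS (or at least the AP PIN) is the mitigation.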
