OVERVIEW Reaver performs a brute force attack against an access point's WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP's wireless settings can be reconfigured. While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known. DESCRIPTION Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar. In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration. Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values. The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number. INSTALLATION Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running: $ ./configure $ make # make install To remove everything installed/created by Reaver: # make distclean KNOWN BUGS o Some drivers don't play nice with Reaver (check the wiki for the latest list) FILES The following are Reaver source files: o 80211.c Functions for reading, sending, and parsing 802.11 management frames o builder.c Functions for building packets and packet headers o config.h Generated by the configure script o cracker.c Core cracking functions for Reaver. o defs.h Common header with most required definitions and declarations o exchange.c Functions for initiating and processing a WPS exchange o globule.c Wrapper functions for accessing global settings o iface.c Network interface functions o init.c Initialization functions o keys.c Contains tables of all possible pins o misc.c Mac address conversion, debug print functions, etc o pins.c Pin generation and randomization functions o send.c Functions for sending WPS response messages o sigalrm.c Functions for handling SIGALRM interrupts o sigint.c Functions for handling SIGINT interrupts o wpscrack.c Main Reaver source file o wps.h Includes for wps wpa_supplicant functions o libwps/* Generic library code for parsing WPS information elements The following files have been taken from wpa_supplicant. Some have been modified from their original sources: o common/* o crypto/* o tls/* o utils/* o wps/* The lwe directory contains Wireless Tools version 29, used for interfacing with Linux Wireless Extensions.