72 lines
3.7 KiB
Plaintext
72 lines
3.7 KiB
Plaintext
REAVER USAGE
|
|
|
|
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05
|
|
|
|
It is suggested that you run Reaver in verbose mode in order to get more detailed information about
|
|
the attack as it progresses:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 -vv
|
|
|
|
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically
|
|
identified by Reaver, unless explicitly specified on the command line:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 -c 11 -e linksys
|
|
|
|
Since version 1.3, Reaver implements the small DH key optimization as suggested by Stefan which can
|
|
speed up the attack speed:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --dh-small
|
|
|
|
By default, if the AP switches channels, Reaver will also change its channel accordingly. However,
|
|
this feature may be disabled by fixing the interface's channel:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --fixed
|
|
|
|
When spoofing your MAC address, you must set the desired address to spoof using the ifconfig utility,
|
|
and additionally tell Reaver what the spoofed address is:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --mac=AA:BB:CC:DD:EE:FF
|
|
|
|
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary
|
|
(minimum timeout period is 1 second):
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 -t 2
|
|
|
|
The default delay period between pin attempts is 1 second. This value can be increased or decreased
|
|
to any non-negative integer value. A value of zero means no delay:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 -d 0
|
|
|
|
Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious"
|
|
activity is detected. By default when a locked state is detected, Reaver will check the state every
|
|
315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked.
|
|
This check can be increased or decreased to any non-negative integer value:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --lock-delay=250
|
|
|
|
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This
|
|
timeout period can be set manually if necessary (max timeout period is 1 second):
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 -T .5
|
|
|
|
Some poor WPS implementations will drop a connection on the floor when an invalid pin is supplied
|
|
instead of responding with a NACK message as the specs dictate. To account for this, if an M5/M7 timeout
|
|
is reached, it is treated the same as a NACK by default. However, if it is known that the target AP sends
|
|
NACKS (most do), this feature can be disabled to ensure better reliability. This option is largely useless
|
|
as Reaver will auto-detect if an AP properly responds with NACKs or not:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --nack
|
|
|
|
While most APs don't care, sending an EAP FAIL message to close out a WPS session is sometimes necessary.
|
|
By default this feature is disabled, but can be enabled for those APs that need it:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --eap-terminate
|
|
|
|
When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this
|
|
may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in
|
|
place that will occur whenever these warning messages appear:
|
|
|
|
# reaver -i wlan0mon -b 00:01:02:03:04:05 --fail-wait=360
|