Full Report
Reaver (download below) has been designed to be a robust and practical tool for attacking WPS-enabled WiFi networks: it brute-forces WiFi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations. The original Reaver implements an online brute […]
Analysis Summary
# Tool/Technique: Reaver
## Overview
Reaver is a robust and practical tool designed to attack WiFi Protected Setup (WPS) registrar PINs on WiFi networks. Its primary purpose is to recover the WPA/WPA2 passphrases used by the network. The original Reaver implements an online brute-force attack, while community forks, such as `reaver-wps-fork-t6x`, incorporate advanced methods like the offline Pixie Dust attack.
## Technical Details
- Type: Attack Tool (Network Auditing/Cracking)
- Platform: Not explicitly stated, but typically used on Linux/Unix-like operating systems where wireless monitoring capabilities are available (e.g., Kali Linux).
- Capabilities: Brute-forcing WPS PINs, recovering WPA/WPA2 passphrases, supporting various WPS attack methods (online brute force, Pixie Dust).
- First Seen: Original concept dates back to 2011 (based on context references).
## MITRE ATT&CK Mapping
The primary goal of Reaver is gaining unauthorized network access, mapping closely to Initial Access and Discovery tactics focused on wireless networks.
- T1583.003 - Acquire Infrastructure: Obtain access to the necessary network infrastructure/devices during the planning or execution phase (if used in external penetration tests).
- T1190 - Exploit Public-Facing Application: While not a traditional web vulnerability, WPS implementation flaws are exploited during the attack.
- T1049 - Availability Scanning: The brute-force nature inherently involves probing the target AP heavily.
*Note: A direct, widely agreed-upon mapping for specialized PIN brute-forcing tools is often less explicit than general malware frameworks. The functionality strongly aligns with **T1078.003 - Valid Accounts: Domain Accounts** if the network key is considered a credential, or general **Discovery/Credential Access**. Tactics related to wireless network exploitation are the most relevant.*
## Functionality
### Core Capabilities
1. **WPS PIN Brute Force (Online Attack):** Systematically attempts online WPS registrar PINs against the target Access Point (AP).
2. **WPA/WPA2 Passphrase Recovery:** Once the PIN is guessed correctly, the AP hands over its configuration, allowing the tool to recover the plaintext pre-shared key (WPA/WPA2 passphrase).
3. **Channel Handling:** Ability to set the 802.11 channel (`-c`) or disable channel hopping (`-f`).
### Advanced Features
1. **Pixie Dust Attack:** An offline attack method supported by community forks (e.g., version 1.6b) that exploits weak nonce generation in certain AP chipsets (Ralink, Broadcom, Realtek). Using parameters captured from the WPS handshake (PKE, PKR, E-Hash1, E-Hash2, E-Nonce, and AuthKey), it can compute the PIN, and thus the passphrase, within seconds or minutes if the AP is vulnerable.
2. **Session Management:** Ability to restore previous sessions (`-s`).
3. **Automation/Logging:** Daemonize mode (`-D`) and output logging to a file (`-o`).
4. **Target Specification:** Requires specifying the target BSSID (`-b`) and monitor-mode interface (`-i`).
## Indicators of Compromise
As Reaver is an offensive tool, traditional malware IOCs (File Hashes, C2) are not standard components of its operation. IOCs relate primarily to its execution profile.
- File Hashes: Any relevant hashes would be those of the downloaded release tarball (e.g., `reaver-1.6.1.tar.xz`) rather than of a persistent payload.
- File Names: `reaver`, `reaver-wps-fork-t6x`, `wash` (associated scanning tool).
- Network Indicators: No C2 associated; the tool interacts directly with the target AP using standard 802.11 management frames until authentication is achieved or brute-forced.
- Behavioral Indicators: High volume of authentication request/failure messages directed towards a single AP's BSSID over a short period; excessive delays imposed by the AP (lockout periods).
## Associated Threat Actors
Reaver is widely known in the public security and penetration testing community. It is not strictly tied to one specific advanced threat actor group but is commonly used by:
- Penetration Testers
- Security Researchers
- Script Kiddies/Hobbyists utilizing widespread hacking tool repositories.
## Detection Methods
Detection focuses on monitoring WiFi traffic patterns associated with WPS brute-forcing.
- Signature-based detection: Signatures for the binary hashes (if deployed onto a system by an attacker) or specific command-line arguments related to Reaver usage.
- Behavioral detection: Monitoring the rate of failed WPS PIN attempts directed at a single AP from a single source MAC address, together with any lockouts the AP imposes in response. Detection of monitor-mode interface activity on the channels used by WPS-enabled APs.
- YARA rules: Not typically applied to network tools unless the tool is dropped as a persistent binary.
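One way to implement the behavioral indicator described above (a high rate of failed WPS PIN attempts from one source MAC toward one BSSID, corroborated by AP-imposed lockouts) is a sliding-window counter over AP or wireless-controller logs. The following is an added Python example written for this page, not code from the Reaver project or from any vendor; the log line format, the event names `pin_fail` and `ap_setup_locked`, the MAC addresses and the sample lines are all constructed for illustration and will need to be adapted to the real log source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real captures). The line format itself is an
# assumption: an AP or controller that records each WPS registrar PIN outcome
# with the peer MAC, the AP BSSID and an event name.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:05Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:07Z ap01 wps: peer=aa:bb:cc:dd:ee:02 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:10Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:15Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:20Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:25Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=pin_fail
2024-05-01T10:00:30Z ap01 wps: peer=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:55 event=ap_setup_locked
2024-05-01T10:05:00Z ap01 wps: peer=aa:bb:cc:dd:ee:02 bssid=00:11:22:33:44:55 event=pin_fail
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<ap>\S+) wps: "
    r"peer=(?P<peer>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"bssid=(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"event=(?P<event>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed WPS event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_wps_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag (peer, bssid) pairs with at least `threshold` failed PIN attempts inside
    a sliding time window, and surface AP lockout events as a corroborating signal.

    Returns the alerts as a list of dicts in the order they were raised."""
    alerts = []
    windows = defaultdict(deque)   # (peer, bssid) -> timestamps of recent failures
    already_alerted = set()        # one brute-force alert per pair, not one per line
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        key = (rec["peer"], rec["bssid"])
        if rec["event"] == "ap_setup_locked":
            # The AP itself imposed a lockout: a strong sign the rate limit was hit.
            alerts.append({"type": "wps_lockout", "peer": rec["peer"],
                           "bssid": rec["bssid"], "ts": rec["ts"]})
            continue
        if rec["event"] != "pin_fail":
            continue
        recent = windows[key]
        recent.append(rec["ts"])
        # Drop failures that fell out of the window before counting.
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while recent and recent[0] < cutoff:
            recent.popleft()
        if len(recent) >= threshold and key not in already_alerted:
            already_alerted.add(key)
            alerts.append({"type": "wps_bruteforce", "peer": rec["peer"],
                           "bssid": rec["bssid"], "ts": rec["ts"],
                           "failures_in_window": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_wps_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, the peer ending in `:01` trips the five-failures-in-sixty-seconds rule at 10:00:20 and the AP lockout at 10:00:30 is reported separately, while the peer ending in `:02` (two failures five minutes apart) stays below the threshold. The threshold and window are parameters because a legitimate user mistyping a PIN produces a handful of failures, whereas an online brute force produces a steady stream against one BSSID until the AP locks.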
## Mitigation Strategies
The primary mitigation is disabling the vulnerable feature.
- Prevention measures: **Disable WiFi Protected Setup (WPS)** functionality on all Access Points (APs).
- Hardening recommendations: Ensure AP firmware is up-to-date to patch vulnerabilities exploited by known attacks (like Pixie Dust). Where WPS cannot be disabled, ensure strong passphrase policies are enforced and monitor for AP-imposed lockout delays to slow down brute-force attacks.
## Related Tools/Techniques
- `wash`: Often used in conjunction with Reaver to scan for WPS-enabled APs.
- `wifite`: A mass cracking tool that frequently incorporates Reaver/Pixie Dust attacks.
- `Fern Wifi Cracker`: Another wireless security auditing tool that may use similar techniques.
- `Hijacker`: An Android application utilizing Reaver for mobile WPS attacks.