4

I have been trying to find an answer to this but the search terms seem to be too ambiguous.

I am attempting to determine from a strategic standpoint how intelligent it is to use Reaver.

From a speed standpoint it seems to be infinitely quicker than Aircrack assuming that the WPS exploit is available. From a visibility standpoint though it seems Aircrack is the way to go.

I can grab the 4-way handshake in a matter of seconds then go back to some deep dark hole to brute-force it on a powerful machine. Whereas Reaver needs access to the AP, which I can only assume means it's making network noise. Common sense would dictate that the more network noise there is, the worse off you are.

I can't find anything on this though confirming my theory. Anyone have insight?

DotNetRussell

2 Answers

4

Brute-forcing the four-way handshake can be completely silent: an attacker can set up a card to passively listen for someone connecting to the AP, record the handshake, and brute-force it at their leisure. It is impossible to tell if someone is doing this.

Cracking WPS, in contrast, is quite noisy. It can only be performed through active contact with the AP, which means the AP's administrator can find out about the attack even if you guess the PIN on the first try. Each PIN attempt requires roughly half a dozen exchanges with the AP, which can be detected by anyone running a wireless IDS. Further, some APs will flag that WPS has been locked out due to too many failures, which can be spotted by anyone scanning for APs in the area. The AP may also be configured to notify an administrator if the WPS lockout has been triggered.

Mark

Okay, that's what I assumed. Do you have any good resources on WPS detection by chance? I could crack open the Reaver script and look for myself, but it would be faster if I could find it in English – DotNetRussell Jan 05 '15 at 12:20
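From the defender's side, the detection surface Mark describes (several EAP/WSC exchanges per PIN attempt, repeated in quick succession from one station) is what a wireless IDS keys on. The following is an added example, not code from the thread or from any IDS product: a toy detector over a constructed, simplified log of WSC EAP events. The log format (`<epoch> <station_mac> <bssid> <event>`), the event names, the MAC addresses and the thresholds are all assumptions made for the illustration.

```python
"""Toy WPS brute-force detector (added example; log format and values are constructed).

Each WPS registration attempt is a run of EAP-WSC messages (M1..M7) that ends
in DONE (success), NACK (PIN half rejected) or EAP-FAIL. A wireless IDS can
flag a station that completes many failed attempts in a short window and can
raise the same alarm the AP's own lockout counter would.
"""
from collections import defaultdict, deque

AP = "aa:bb:cc:dd:ee:ff"           # constructed BSSID
LEGIT = "02:00:00:00:00:01"        # constructed station: one normal enrollment
SUSPECT = "02:00:00:00:00:02"      # constructed station: repeated failures

# Events that close an attempt. Real traffic carries extra EAP Identity /
# Start frames; the sample below omits them to keep the log short.
ATTEMPT_END = {"EAP-WSC-NACK", "EAP-FAIL", "EAP-WSC-DONE"}


def _successful_enrollment(t0, sta):
    """Constructed log lines for one complete M1..M7 + DONE exchange."""
    msgs = [f"EAP-WSC-M{i}" for i in range(1, 8)] + ["EAP-WSC-DONE"]
    return [f"{t0 + i // 2} {sta} {AP} {m}" for i, m in enumerate(msgs)]


def _failed_attempt(t0, sta):
    """Constructed log lines for an attempt rejected after M4 (5 frames)."""
    lines = [f"{t0 + i} {sta} {AP} EAP-WSC-M{i + 1}" for i in range(4)]
    lines.append(f"{t0 + 4} {sta} {AP} EAP-WSC-NACK")
    return lines


# Constructed sample: a legitimate enrollment, then six failed attempts from
# SUSPECT spaced five seconds apart (attempt ends at +14, +19, ..., +39).
SAMPLE_LOG = _successful_enrollment(1420000000, LEGIT)
for n in range(6):
    SAMPLE_LOG += _failed_attempt(1420000010 + 5 * n, SUSPECT)


def parse_line(line):
    """Split one log line into (timestamp, station, bssid, event)."""
    ts, sta, bssid, event = line.split()
    return int(ts), sta, bssid, event


def attempts_per_station(lines):
    """Group frames into attempts; returns sta -> [(end_ts, frame_count, outcome)].

    frame_count shows how many exchanges one attempt costs, which is the
    "half a dozen exchanges" an IDS sees per PIN guess.
    """
    open_frames = defaultdict(int)
    attempts = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, sta, _bssid, event = parse_line(line)
        open_frames[sta] += 1
        if event in ATTEMPT_END:
            attempts[sta].append((ts, open_frames.pop(sta), event))
    return dict(attempts)


def find_bruteforce(lines, window=60, threshold=3):
    """Flag stations with >= threshold failed attempts inside `window` seconds.

    Returns sta -> peak number of failed attempts seen in one window.
    Successful enrollments (DONE) are ignored so a legitimate user who types
    the PIN once is never flagged.
    """
    alerts = {}
    for sta, atts in attempts_per_station(lines).items():
        recent = deque()
        for end_ts, _frames, outcome in atts:
            if outcome == "EAP-WSC-DONE":
                continue
            recent.append(end_ts)
            while recent and end_ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts[sta] = max(alerts.get(sta, 0), len(recent))
    return alerts


if __name__ == "__main__":
    for sta, atts in attempts_per_station(SAMPLE_LOG).items():
        print(sta, [(frames, outcome) for _, frames, outcome in atts])
    print("alerts:", find_bruteforce(SAMPLE_LOG))
```

The same counter, kept per station on the AP itself, is what drives the WPS lockout Mark mentions; the detector above only reports it from the air, which is why a passive monitor sees Reaver-style activity while a passive handshake capture leaves nothing to count.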
0

Reaver is more noisy. A person might look at their router and see the Wi-Fi light flashing on it when their computers are off. Most people would just think their kids gave out the Wi-Fi password, or they would think it's odd but not look into it. I have seen some routers that have a WPS lock light on them, so after too many failed attempts the router will disable WPS for a certain amount of time. If the person knows about WPS cracking and sees the WPS lock light on his router, it is likely he will be looking out his front window. So I believe using Aircrack to capture a handshake is more stealthy than using Reaver.

Tim Jonas