©2019 Security Unleashed | New Delhi

  • Animesh Gupta

How to Crack a WPS Enabled WPA/WPA2 WiFi Network With – Reaver


In this Kali Linux Tutorial, we are to work with Reaver. Reaver has been designed to be a handy and effective tool to attack Wi-Fi Protected Setup (WPS) register PINs keeping in mind the tip goal to recover WPA/WPA2 passphrases.

Presently hacking WPA/WPA2 is exceptionally a tedious job. A dictionary attack could take days, and still will not succeed.


WPS-functionality always stopped to work somewhere between 2 and 150 failed authentication attempts. The functionality did not even return after several hours. I would consider this a bug in the firmware which causes a DoS rather than lock-down functionality.

All major suppliers (counting Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL, and Technicolor) have WPS-affirmed gadgets, completely different sellers (eg. TP-Link) send gadgets with WPS-support that aren’t WPS-certified.WPS is enabled default by all devices.


WPS Pin Attack


An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This is a convenient feature that allows the user to configure a client device against a wireless network by simultaneously pressing a button on both the access point and the client device (the client side “button” is often in software) at the same time. The devices trade information, and then set up a secure WPA link.

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

But a tool called Reaver has been designed to brute-force the WPA handshaking process remotely, even if the physical button hasn’t been pressed on the access point.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.


Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.


Your Wi-Fi network is your conveniently wireless gateway to the internet, and since you're not keen on sharing your connection with any old hooligan who happens to be walking past your home, you secure your network with a password, right? Knowing, as you might, how easy it is to crack a WEP password, you probably secure your network using the more bulletproof WPA security protocol.


Here's the bad news: A new, free, open-source tool called Reaver exploits a security hole in wireless routers and can crack most routers' current passwords with relative ease. Here's how to crack a WPA or WPA2 password, step by step, with Reaver—and how to protect your network against Reaver attacks.


NOTE: This tutorial is for educational purposes only. You acknowledge that you are using your newly acquired knowledge to perform penetration testing on your own test network environment and router device.


Setting up the Pen Testing environment


Setup a router with WPA or WPA2 for encryption and give it a password. Enable WPS if it is not already and connect to it wirelessly with a separate device (laptop, smartphone) simulating a real environment.


The first thing we need to do is enable the wireless USB adapter.


Run the command “airmon-ng” to see if Kali recognizes your wireless USB adapter. It should show “Wlan0” along with the chipset, if it doesn’t then some troubleshooting will have to be done until it does.


Once the wireless USB adapter is working we need it enabled. To do this run the following command “airmon-ng start wlan0”

If all goes well the screen will scroll by with some information then say enabled on mon0.


Finding a WPS enabled router is the next step this used to be hard to do until the “wash” command came along. Before the “wash” command every router would have to be found and then tested to see if WPS was enabled. The “wash” command will list only WPS enabled routers.


The “wash” command has been notorious for having problems and not working correctly. Basically the “wash” command goes out and tells you if a router has WPS enabled, so you don’t waste your time running Reaver. I believe I have found a fix that has been working for me on both Backtrack 5 and Kali Linux.


First make a directory like this.

“mkdir /etc/reaver”

Then run the wash command

“wash -i mon0 -C”

(That is a capital C)




Copy the BSSID, to paste it when needed later, then press CTRL+C to stop the terminal window using the wireless USB adapter.



If nothing comes up then no WPS enabled router is within reach. Run the following command to see all access point within your reach. “airodump-ng mon0”. Only do this if the wash command finds nothing.

Now we can get to using Reaver. Be sure the terminal window running the “wash” command is not actively using the wireless USB adapter by pressing CTRL+C inside of it. You can copy and paste the BSSID.

In the second terminal window run the following command.

“reaver -i mon0 -b (Target BSSID) –vv”

(The -vv is two V not a W)


Reaver should start to run.


Reaver will now run and start a brute force attack against the Pin number of the router. It will run until it finds the wireless password usually 2-10 hours.


Here is a screen shot of what it looks like when Reaver cracks the password.



Happy Hacking!