Objective

Demonstrate the need to disable WPS by obtaining your WPA2 passphrase with Reaver.

Distributions

This will work on all distributions, but Kali is recommended.

Requirements

A working Linux install with root privileges on a computer with a wireless adapter.

Difficulty

Easy

Conventions

  • # - requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given command to be executed as a regular non-privileged user

Introduction

WPS is trash. Don't use it. Don't ever use it. There is absolutely no excuse to use it. This guide will walk you through the steps of breaking WPS to obtain a wireless network's WPA password.

This guide is purely for educational purposes. Using this process on a network that you do not own is illegal.

Install Aircrack and Reaver

Kali Linux has everything that you need installed and ready to go. If you're on a different distribution, you'll need to install both aircrack-ng and reaver.
$ sudo apt install aircrack-ng reaver

Scan For Your Network

Find the name of your wireless interface with ip a. Then, use it to start up a virtual monitor-mode interface with airmon-ng.
$ sudo airmon-ng start wlan0
Take a look at the resulting output, and find the name of the virtual interface that was created. Use airodump-ng to display wireless activity in your area in the terminal.
$ sudo airodump-ng mon0
Find your network in the resulting table. Note the BSSID and channel of your network. When you have them, you can stop airodump-ng.

Launch Your Attack With Reaver

You have everything you need to launch your attack with Reaver. Reaver will take your network information and use it to try every possible WPS PIN. There are a limited number of available PINs, so it will eventually find it. It'll take some time, but once it has it, Reaver will use the PIN to obtain your network's password.

The command needed to launch the attack contains several mandatory flags. This guide will cover each piece first. Then, it'll put it all together.

Of course, the command starts off with the name of the program. The next piece, though, is the interface that Reaver will use.
$ sudo reaver -i mon0
Then, you need to give Reaver the BSSID of the router that it's going after.
-b XX:XX:XX:XX:XX:XX
It's a good idea to add a delay between attempts at the PIN. This will help to circumvent any potential protections the router may have. In this case, the delay is 10 seconds. That might be somewhat extreme. You can lower the duration if you want.
-d 10
The next two options speed up the process and help to minimize potential issues.
-S -N
Last, you can choose how you want this command to run. It takes a long time, so you can daemonize it. If you just want to suppress messages, you can do that too. If you'd rather go the opposite way, you can tell Reaver to be as verbose as possible.

Daemonize
-D
Quiet
-q
Verbose
-vv
This is what it looks like all together.
$ sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -d 10 -S -N -vv
Reaver is probably going to take several hours to discover your PIN, but when it does, it'll output all of the relevant information into the terminal window, including the network password.

Closing Thoughts

Clearly, there is no redeeming WPS at this point. Unless the technology receives a massive overhaul, it will continue to be a massive security hole. While it might seem convenient, any benefit it may afford is nothing compared to the risk. If you have WPS enabled on your router, disable it now.
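Once you have disabled WPS in the router's settings, confirm from a client that the router's beacons really stopped advertising it; some firmware leaves WPS on, or turns it back on after a reset. The script below is an added audit example, not part of the original guide. It parses the text output of `iw dev <iface> scan` and reports every access point whose beacon carries a "WPS:" block. The exact layout of that block (the "WPS:" header line and the "Wi-Fi Protected Setup State" line) is an assumption modelled on iw's output, and the embedded sample scan is constructed so the script also runs offline.

```python
#!/usr/bin/env python3
"""Audit a wireless scan for access points that still advertise WPS.

Added example for this guide, not part of the original. It reads the text
output of `iw dev <iface> scan` (run as root) and lists each BSS that
carries a WPS information element. The "WPS:" block layout is an
assumption modelled on iw's output; adjust the patterns if your version
prints differently.
"""
import re
import subprocess
import sys

# Constructed sample in the shape iw prints, used when no interface is given.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: HomeNet
\tRSN:\t * Version: 1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, PBC
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 5180
\tsignal: -60.00 dBm
\tSSID: HomeNet-5G
\tRSN:\t * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")
SSID_RE = re.compile(r"^\s+SSID: (.*)$")
WPS_RE = re.compile(r"^\s+WPS:")
STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d+)")


def parse_scan(text):
    """Return one dict per BSS: bssid, ssid, wps (bool), wps_state (int or None)."""
    aps = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            # A new BSS record starts; everything until the next "BSS" belongs to it.
            current = {"bssid": m.group(1).lower(), "ssid": "", "wps": False, "wps_state": None}
            aps.append(current)
            continue
        if current is None:
            continue
        m = SSID_RE.match(line)
        if m:
            current["ssid"] = m.group(1)
            continue
        if WPS_RE.match(line):
            # The beacon carries the WPS information element at all.
            current["wps"] = True
            continue
        m = STATE_RE.search(line)
        if m:
            # 1 = not configured, 2 = configured (values from the WPS spec).
            current["wps_state"] = int(m.group(1))
    return aps


def wps_enabled_aps(text):
    """Filter the parsed scan down to APs whose beacons advertise WPS."""
    return [ap for ap in parse_scan(text) if ap["wps"]]


def run_scan(iface):
    """Run `iw dev <iface> scan` (needs root) and return its text output."""
    result = subprocess.run(["iw", "dev", iface, "scan"], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Usage: sudo ./wps_audit.py wlan0   (no argument: parse the constructed sample)
    text = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCAN
    hits = wps_enabled_aps(text)
    for ap in hits:
        print(f"WPS advertised: {ap['ssid']!r} ({ap['bssid']}) state={ap['wps_state']}")
    if not hits:
        print("No access point in range advertises WPS.")
```

Run it as root against the interface you use for normal client traffic (not the monitor interface) right after changing the router setting, and again after the next router reboot or firmware update; your own BSSID should no longer appear in the output.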