Objective

Demonstrate the need to disable WPS by obtaining your WPA2 passphrase with Reaver.

Distributions

This will work on all distributions, but Kali is recommended.

Requirements

A working Linux install with root privileges on a computer with a wireless adapter.
- # - requires given Linux commands to be executed with root privileges, either directly as the root user or by use of
- $ - requires given Linux commands to be executed as a regular, non-privileged user
Introduction

WPS is trash. Don't use it. Don't ever use it. There is absolutely no excuse to use it. This guide will walk you through the steps of breaking WPS to obtain a wireless network's WPA password.
This guide is purely for educational purposes. Using this process on a network that you do not own is illegal.
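Since the whole point of the guide is that WPS should be switched off, here is an added example (not part of this guide) for anyone running a Linux access point on hostapd: a small Python audit that reads a hostapd.conf, reports whether WPS is enabled, and writes out a hardened copy. The option names wps_state (0 = WPS disabled, the hostapd default; 1 or 2 = enabled), ap_pin (the static AP PIN) and ap_setup_locked are real hostapd.conf keys; the sample configuration text is constructed for the example.

```python
# Audit a hostapd.conf for WPS exposure and produce a hardened copy.
# wps_state, ap_pin and ap_setup_locked are real hostapd.conf options;
# the configuration text below is constructed for this example.

WEAK_CONF = """\
# constructed sample hostapd.conf
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
eap_server=1
wps_state=2
ap_pin=12345670
"""


def parse_conf(text):
    """Minimal hostapd.conf reader: key=value lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def wps_findings(text):
    """Return a list of human-readable findings; an empty list means WPS is off."""
    conf = parse_conf(text)
    findings = []
    state = conf.get("wps_state", "0")  # hostapd treats a missing key as 0 (disabled)
    if state != "0":
        findings.append(f"wps_state={state}: WPS is enabled and its static PIN can be brute-forced")
        if "ap_pin" in conf:
            findings.append("ap_pin is set: this fixed PIN is exactly what a PIN search recovers")
        if conf.get("ap_setup_locked", "0") != "1":
            findings.append("ap_setup_locked is not 1: external registrars may configure the AP by PIN")
    return findings


def harden(text):
    """Return the config with WPS disabled: wps_state forced to 0 and the ap_pin line removed."""
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == "wps_state":
            out.append("wps_state=0")
        elif key == "ap_pin":
            continue  # no static PIN should survive in a WPS-free config
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in wps_findings(WEAK_CONF):
        print("FINDING:", finding)
    print("--- hardened ---")
    print(harden(WEAK_CONF), end="")
```

Run it against your own hostapd.conf by replacing WEAK_CONF with the file's contents; an empty findings list is what you want to see, and the hardened output can be dropped in and hostapd restarted.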
Install Aircrack and Reaver

Kali Linux has everything that you need installed and ready to go. If you're on a different distribution, you'll need to install both:
$ sudo apt install aircrack-ng reaver
Scan For Your Network

Find the name of your wireless interface with ip a. Then, use it to start up a virtual monitoring interface with

$ sudo airmon-ng start wlan0

Take a look at the resulting output, and find the name of the virtual interface that was created. Use airodump-ng to display wireless activity in your area in the terminal.

$ sudo airodump-ng mon0

Find your network in the resulting table. Note the BSSID and channel of your network. When you have them, you can stop
Launch Your Attack With Reaver

You have everything you need to launch your attack with Reaver. Reaver will take your network information and use it to try every possible WPS PIN. There are a limited number of available PINs, so it will eventually find it. It'll take some time, but once it has it, Reaver will use the PIN to obtain your network's password.
The command needed to launch the attack contains several mandatory flags. This guide will cover each piece first. Then, it'll put it all together.
Of course, the command starts off with the name of the program. The next piece, though, is the interface that Reaver will use.

$ sudo reaver -i mon0

Then, you need to give Reaver the BSSID of the router that it's going after.

-b XX:XX:XX:XX:XX:XX

It's a good idea to add a delay between attempts at the PIN. This will help to circumvent any potential protections the router may have. In this case, the delay is 10 seconds. That might be somewhat extreme. You can lower the duration if you want.

-d 10

The next two options speed up the process and help to minimize potential issues.

-S -N

Last, you can choose how you want this command to run. It takes a long time, so you can daemonize it. If you just want to suppress messages, you can do that too. If you'd rather go the opposite way, you can tell Reaver to be as verbose as possible.

-vv

This is what it looks like all together.

$ sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -d 10 -S -N -vv

Reaver is probably going to take several hours to discover your PIN, but when it does, it'll output all of the relevant information into the terminal window, including the network password.
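The -d 10 delay above is there to slip under the router's own rate limiting, and the same fact is the lesson for anyone watching an access point's logs: a slow PIN search produces only a few failures a minute, so a detection rule has to count failed PIN attempts per client over hours, not per minute. The following Python detector is an added example, not part of this guide. The syslog-style "WPS: PIN verification failed" line format and the sample log are constructed (it is not hostapd's exact wording), so adapt the regular expression to the log source you actually have.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format (hypothetical, not hostapd's exact wording):
# "<ISO timestamp> hostapd: <iface>: STA <mac> WPS: PIN verification failed"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"hostapd: (?P<iface>\S+): STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"WPS: PIN verification failed$"
)


def parse_failures(lines):
    """Yield (timestamp, mac) for every line that records a failed WPS PIN attempt."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("mac").lower()


def detect_pin_bruteforce(lines, threshold=20, window=timedelta(hours=6)):
    """Return {mac: time_of_first_alert} for clients with at least `threshold`
    failed PIN attempts inside any span of length `window`.

    The window is deliberately long: at one attempt every 10 seconds a PIN
    search makes only six failures a minute, which a per-minute rule never
    notices, while a genuine WPS enrolment fails a handful of times at most.
    Lines are expected in chronological order, as a log file is.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, mac in parse_failures(lines):
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = ts
    return alerts


def constructed_sample_log():
    """Constructed sample, not a real capture: one client that mistypes its PIN
    twice, and one client that fails every 10 seconds for about four minutes."""
    start = datetime(2024, 1, 1, 2, 0, 0)
    lines = [f"{start.isoformat()} hostapd: wlan0: STA 00:11:22:33:44:55 associated"]
    for i in range(2):
        t = start + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} hostapd: wlan0: STA 00:11:22:33:44:55 WPS: PIN verification failed")
    for i in range(25):
        t = start + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} hostapd: wlan0: STA 66:77:88:99:aa:bb WPS: PIN verification failed")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for mac, when in detect_pin_bruteforce(constructed_sample_log()).items():
        print(f"ALERT {when.isoformat()}: {mac} exceeded the failed-PIN threshold")
```

Against the sample, only the client failing every 10 seconds is reported, and it is reported at its 20th failure, a little over three minutes in; the client with two failures 15 minutes apart never trips the rule. The honest caveat is that counting only works on an AP that logs WPS failures at all, and a consumer router that does not expose such logs leaves disabling WPS as the only reliable control.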