Introduction
Wi-Fi Protected Setup (WPS) is a network security standard designed to make connections between a router and wireless devices faster and easier. However, a significant design flaw in its PIN feature makes it vulnerable to brute-force attacks.
In this lab, you will learn how to exploit this vulnerability using Reaver, a tool specifically designed for this purpose. You will walk through the entire process, from setting up your wireless interface and scanning for targets to launching the attack and successfully recovering the WPA/WPA2 passphrase. This hands-on experience will provide a practical understanding of a common Wi-Fi attack vector and the importance of network security hygiene.
For this lab, we will use a simulated Wi-Fi environment, so you can perform these actions safely and legally.
Select a Target BSSID from the wash Scan
In this step, you will prepare your wireless interface for monitoring and scan for vulnerable WPS-enabled networks. The first task is to put your wireless card into "monitor mode," which allows it to capture all Wi-Fi traffic in the air, not just traffic addressed to your device. We will use airmon-ng for this. Then, we will use wash to identify our target.
First, let's start the virtual wireless interface wlan0 in monitor mode. This will create a new interface, typically named wlan0mon.
sudo airmon-ng start wlan0
You should see output confirming that monitor mode has been enabled. Now, with your interface in monitor mode, you can use wash to scan for nearby WPS-enabled access points.
sudo wash -i wlan0mon
After a few moments, wash will display a list of networks. Our simulated network is named TestAP.
BSSID Ch WPS Version WPS Locked ESSID
--------------------------------------------------------------------------------
XX:XX:XX:XX:XX:XX 6 1.0 No TestAP
From this output, identify and copy the BSSID of the TestAP network. The BSSID is the unique hardware address of the access point, and you will need it to launch the attack in the next step.
Start the Reaver Attack using -i and -b Flags
In this step, you will launch the Reaver attack against the target access point you identified. Reaver automates the process of trying all possible WPS PIN combinations to find the correct one.
To start the attack, you need to provide Reaver with two essential pieces of information: the monitor mode interface and the BSSID of the target.
- -i <interface>: Specifies the monitor mode interface (e.g., wlan0mon).
- -b <bssid>: Specifies the BSSID of the target access point.
Now, run the reaver command. Replace <BSSID_FROM_WASH> with the actual BSSID you copied in the previous step.
sudo reaver -i wlan0mon -b <BSSID_FROM_WASH>
Once you execute the command, Reaver will start. You will see initial status messages as it associates with the target access point.
[+] Reaver v1.6.5 WiFi Protected Setup Attack Tool
[+] Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with TestAP (ESSID: TestAP)
This indicates that the attack has begun. In the next step, we'll add a parameter to see more detailed progress. For now, you can stop the current command by pressing Ctrl+C.
Add the -vv Parameter for Verbose Output to Monitor Progress
In this step, you will restart the Reaver attack with a verbose flag to get more detailed feedback on its progress. By default, Reaver's output is quite minimal. For learning and troubleshooting, it's helpful to see exactly what the tool is doing.
Reaver has a verbosity flag, -v, and a double-verbosity flag, -vv, for even more detail. We will use -vv to see the PIN attempts and other transactional information.
Stop the previous Reaver command if it's still running by pressing Ctrl+C. Now, re-run the command, adding the -vv flag at the end. Remember to use the same BSSID as before.
sudo reaver -i wlan0mon -b <BSSID_FROM_WASH> -vv
With the verbose output enabled, you will now see a much more detailed log of the attack. This includes M1-M7 messages, which are part of the WPS authentication exchange, and the specific PINs being tested.
[+] Associated with TestAP (ESSID: TestAP)
[+] Trying pin "12345670"
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
...
This detailed view confirms that Reaver is actively testing PINs against the target.
Observe the PIN Cracking Attempts and Percentage
In this step, you will observe the Reaver attack as it runs. With the verbose output enabled, you can monitor the progress in real-time.
As Reaver runs, pay attention to two key pieces of information in the terminal output:
- PIN Attempts: You will see lines like [+] Trying pin "XXXXXXXX". This shows the exact PIN that Reaver is currently testing.
- Progress Percentage: Periodically, Reaver will update its progress with a line like [+] XX.XX% complete.
The WPS PIN is an 8-digit number, but Reaver cracks it in two halves, because the access point confirms each half separately. It first brute-forces the first four digits (at most 10,000 guesses), then the next three (at most 1,000 guesses); the final digit is a checksum computed from the other seven, so it never has to be guessed. This design reduces the number of possibilities from 100,000,000 to just 11,000, making the attack very practical.
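To make the checksum rule and the keyspace arithmetic concrete, here is an added example (written for this page, not code from the lab or from Reaver) that validates a PIN's check digit and computes the naive versus effective number of guesses. The sample PIN 12345670 is the one shown in the lab output above; the checksum weighting (3,1,3,1,... from the rightmost of the first seven digits) is the rule defined by the WPS specification.

```python
from typing import Tuple


def wps_checksum(first7: int) -> int:
    """Return the 8th (check) digit for the first seven digits of a WPS PIN.

    Digits are weighted 3,1,3,1,... starting from the rightmost of the seven;
    the check digit is whatever makes the weighted sum a multiple of 10.
    """
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)   # weight 3 on the current rightmost digit
        n //= 10
        accum += n % 10         # weight 1 on the next digit
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly eight digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def split_pin(pin: str) -> Tuple[str, str, str]:
    """Split a PIN the way the registrar verifies it: 4 digits, 3 digits, check digit."""
    return pin[:4], pin[4:7], pin[7]


def naive_keyspace() -> int:
    """Guesses needed if all eight digits had to be tried as one secret."""
    return 10 ** 8


def wps_effective_keyspace() -> int:
    """Guesses needed because each half is confirmed separately and the
    check digit is derived: 10^4 + 10^3, the 11,000 quoted in the lab."""
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    pin = "12345670"  # sample PIN from the lab output (constructed test value)
    print(pin, "valid:", is_valid_wps_pin(pin), "halves:", split_pin(pin))
    print("naive:", naive_keyspace(), "effective:", wps_effective_keyspace())
```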
In our simulated environment, the attack will complete very quickly because we have configured the access point with a known PIN that Reaver tries early on. In a real-world scenario, this process could take several hours.
Let the command run until it completes. You don't need to enter any new commands in this step; simply observe the output.
Record the Found WPS PIN and WPA Passphrase upon Success
In this step, you will see the successful result of the Reaver attack and record the recovered credentials.
Once Reaver finds the correct WPS PIN, it will use it to retrieve the WPA/WPA2 passphrase from the access point. The attack will then stop, and Reaver will print the recovered credentials to the screen.
The successful output will look like this:
[+] WPS PIN: '12345670'
[+] WPA PSK: 'labex_password'
[+] AP SSID: 'TestAP'
Congratulations! You have successfully performed a WPS brute-force attack and recovered the network's credentials.
For your records, let's save this information to a file named result.txt in your project directory. Execute the following command to create the file and store the credentials:
echo -e "WPS PIN: 12345670\nWPA Passphrase: labex_password" > ~/project/result.txt
You can verify the contents of the file using the cat command:
cat ~/project/result.txt
Summary
In this lab, you gained hands-on experience with a common Wi-Fi attack. You learned about the vulnerability in the WPS protocol and how to exploit it using the Reaver tool in a safe, simulated environment.
You successfully completed the following key tasks:
- Put a wireless interface into monitor mode using airmon-ng.
- Scanned for and identified a vulnerable WPS-enabled network using wash.
- Launched a brute-force attack using reaver, specifying the target and interface.
- Used verbose flags to monitor the attack's progress in detail.
- Successfully recovered the WPS PIN and the WPA passphrase.
This exercise highlights the importance of strong network security practices. To protect against this type of attack, it is highly recommended to disable the WPS feature on wireless routers.
