Brute-Forcing WPS Pins with Reaver in Linux

Step 1: First, put the wireless interface into monitor mode. To do this, type the following command in the terminal.

sudo airmon-ng start wlan0


wlan0 is now in monitor mode and is named wlan0mon.

Step 2: Now we can search for any access point that has WPS enabled and unlocked. Type the following command to do so.

sudo wash -i <interface>


Note: Replace <interface> with wlan0mon, the wireless interface that is in monitor mode.

The output lists the APs along with their WPS versions and whether WPS is locked or unlocked.

Step 3: Copy the BSSID of the AP that you want to connect to by cracking its WPS PIN.

Step 4: Type the following command to display Reaver's help, which lists all of its options.

reaver -h


Step 5: Type the following command to start brute-forcing the WPS PIN with Reaver.

sudo reaver -i wlan0mon -b 4C:22:F3:FA:60:9D -S -v


-i – The name of the interface to use.

-b – The BSSID of the target AP.

-S – Use small DH (Diffie–Hellman) keys to improve crack speed.

-v – Display non-critical warnings.

The tool will now try all possible PINs to crack the WPS PIN of the target. Once the correct PIN is found, Reaver displays it, and you can then connect to the network without the password.

As you can see, the Pin has been cracked.

Here are some of the things to keep in mind when using Reaver:

  • Reaver can only be used against APs that support WPS.
  • Reaver is a brute-force attack, so it can take a long time to crack the WPS PIN.
  • Reaver can be detected by some APs, which may cause the AP to lock its WPS functionality.
  • Using Reaver to crack the WPS PIN of an AP is illegal in some jurisdictions.
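For auditing your own equipment, the `wash` listing from Step 2 can be checked against an inventory of access points you manage, so that any AP still reporting WPS as enabled and unlocked can have WPS turned off. The script below is an added example, not part of the original article; the column layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID), the inventory file format, and the sample data are assumptions.

```bash
#!/usr/bin/env bash
# Added example: list access points from your own inventory that `wash`
# reports with WPS enabled and not locked, so WPS can be disabled on them.
# Assumed wash column layout: BSSID Ch dBm WPS Lck Vendor ESSID

# audit_wps INVENTORY_FILE < saved_wash_output
# Prints "BSSID<TAB>ESSID<TAB>WPS version" per inventoried AP with Lck = No.
audit_wps() {
    awk '
        BEGIN {
            h = "[0-9A-Fa-f][0-9A-Fa-f]"
            mac = "^" h ":" h ":" h ":" h ":" h ":" h "$"
        }
        # Inventory file: one BSSID per line, "#" starts a comment.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 ~ mac) own[toupper($0)] = 1
            next
        }
        # wash output on stdin: header and separator rows do not start with a MAC.
        $1 ~ mac {
            bssid = toupper($1)
            if (!(bssid in own)) next          # not one of our APs
            if (tolower($5) != "no") next      # WPS setup already locked
            essid = $7
            for (i = 8; i <= NF; i++) essid = essid " " $i   # ESSID with spaces
            printf "%s\t%s\t%s\n", bssid, essid, $4
        }
    ' "$1" -
}

# Constructed sample data (documentation-range MACs, not real networks).
run_demo() {
    inv=$(mktemp)
    printf '%s\n' '00:00:5e:00:53:01  # office AP' '00:00:5E:00:53:02' > "$inv"
    audit_wps "$inv" <<'EOF'
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:00:5E:00:53:01    1  -48  2.0  No   Broadcom  Office WiFi
00:00:5E:00:53:02    6  -60  2.0  Yes  RalinkTe  Lab
00:00:5E:00:53:09   11  -71  1.0  No   AtherosC  Neighbour
EOF
    rm -f "$inv"
}

run_demo
```

Every line it prints is an AP you own that should have WPS disabled in its configuration.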

Reaver is a free and open-source tool that can be used to brute-force WPS PINs. Reaver works by sending a series of deauthentication packets to the target Wi-Fi router. These deauthentication packets force the router to disconnect all connected devices. Once all devices are disconnected, Reaver then attempts to connect to the router using the WPS PIN. If the PIN is incorrect, Reaver will try the next PIN in the list. This process continues until the correct PIN is found.

The primary method employed by Reaver involves initiating a series of deauthentication packets sent to the targeted Wi-Fi router. By flooding the router with these deauthentication packets, Reaver effectively forces the router to disconnect all devices connected to it. This disruption in the connection enables Reaver to exploit the weaknesses in the WPS protocol.

Once the router has disconnected all devices, Reaver proceeds to systematically attempt to establish a connection with the router by guessing the WPS PIN. The WPS PIN is typically an eight-digit numeric code used to authenticate devices to the router without the need for a lengthy passphrase. Reaver operates by cycling through a list of possible PIN combinations, attempting each one until it either successfully connects or exhausts all the options.

What is WPS?

Wi-Fi Protected Setup (WPS) is a security standard that allows you to connect devices to a wireless network without having to enter a long, complex password. WPS was created to make it easier to set up wireless networks for home users, but it has been criticized for being less secure than traditional methods of authentication....

WPS Attack Algorithm:

There are two main types of WPS attack algorithms:...

What is Brute Force Attack?

A brute force attack is a method of trying every possible combination of characters until the correct one is found. This can be used to crack passwords, PINs, and other security measures....

Features of Reaver:

1. WPS PIN Recovery...

Conclusion:

Reaver is a powerful tool that can be used to test the security of Wi-Fi networks by exploiting vulnerabilities in the Wi-Fi Protected Setup (WPS) feature. While it can be a valuable tool for educational and research purposes, it is important to use it responsibly and ethically. The primary purpose of Reaver’s development was to raise awareness about the security flaws in WPS implementations and encourage manufacturers and users to adopt more secure authentication methods. Disabling WPS on Wi-Fi routers and employing stronger authentication, such as WPA2-PSK or WPA3, is crucial for ensuring the security of wireless networks....