reaver -i <interface> -b <target bssid> -vv
Reaver implements a brute force attack against WiFi Protected Setup which can crack the WPS pin of an access point in a matter of hours and subsequently recover the WPA/WPA2 passphrase.
Specifically, Reaver targets the registrar functionality of WPS, which is flawed in that it only takes 11,000 attempts to guess the correct WPS pin in order to become a WPS registrar. Once registred as a registrar with the access point, the access point will give you the WPA passphrase.
MAC of the host system (should be resolved automatically)
ESSID of the target AP. Unless cloaked, this will be resolved automatically.
Set the 802.11 channel for the interface (implies -f)
Send output to a log file [default: stdout]
Disable channel hopping
Use 5GHz 802.11 channels
Display non-critical warnings (-vv for more)
Only display critical messages
Name of the monitor-mode interface to use
BSSID of the target AP
-p, --pin=<wps pin>
Use the specified WPS pin
This manual page was written by Craig Heffner <firstname.lastname@example.org>, Tactical Network Solutions. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.