reaver
Brute-force WPS PIN to recover WPA key
SYNOPSIS
reaver [options] -i <interface> -b <BSSID>
PARAMETERS
-i <interface>
Specifies the wireless interface to use.
-b <BSSID>
Specifies the BSSID (MAC address) of the target access point.
-p <PIN>
Specifies the WPS PIN to use (optional, for testing a specific PIN).
-a
Auto-detect the best advanced options for the target AP.
-s <seconds>
Sleep time between PIN attempts (default: 1 second).
-m <MAC>
Manually specify the client MAC address to use.
-vv
Enable verbose mode to print all messages.
-h
Shows the help menu and exits.
DESCRIPTION
Reaver is a command-line tool for Linux designed to exploit weaknesses in Wi-Fi Protected Setup (WPS) implementations.
Its primary function is to recover the WPA/WPA2 passphrase of a target access point by brute-forcing the WPS PIN: it submits PINs one after another until the correct one is accepted, exploiting a flaw in some WPS implementations that leaks information about the PIN.
Reaver does NOT crack WPA/WPA2 encryption itself. Instead, it exploits a vulnerability in WPS, a separate protocol meant to simplify connecting devices to Wi-Fi. Using it against a network without the owner's permission is illegal.
Reaver's capabilities make it a valuable tool for security audits, penetration testing, and assessing the robustness of wireless network security.
CAVEATS
A Reaver run can be slow, taking hours or even days to complete, depending on the access point's WPS implementation and security measures.
Some access points implement countermeasures to prevent brute-force attacks, such as locking WPS after several failed attempts. This can significantly hinder or prevent Reaver from succeeding.
Using Reaver without permission is illegal and unethical.
WPS VULNERABILITIES
Reaver relies on exploiting vulnerabilities in the WPS protocol implementation. Specifically, it targets the vulnerability where access points may disclose whether the first or second half of the WPS PIN is correct after an authentication attempt. This allows Reaver to significantly reduce the number of PINs it needs to test.
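The following Python model is an added example, not part of reaver or its documentation. It shows why the half-PIN disclosure described above matters: with the WPS checksum rule (from the WPS specification, the eighth PIN digit is a checksum over the first seven), an access point that confirms each half separately shrinks the worst case from 10^7 guesses to 10^4 + 10^3, and the time estimate shows how the -s sleep interval and a WPS lockout (the countermeasure named under CAVEATS) change the picture. The lockout parameters are assumptions for illustration.

```python
from typing import Optional

# Added example (not reaver's code). Facts assumed from the WPS specification:
# a WPS PIN is 8 decimal digits and the 8th digit is a checksum over the first 7.

def wps_checksum_digit(first7: str) -> int:
    """Return the checksum digit that completes a valid 8-digit WPS PIN."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected 7 decimal digits")
    accum = 0
    for idx, ch in enumerate(first7):
        # digits 1, 3, 5, 7 are weighted by 3; digits 2, 4, 6 by 1
        accum += 3 * int(ch) if idx % 2 == 0 else int(ch)
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN satisfies the WPS checksum rule."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])

def worst_case_attempts(half_disclosed: bool) -> int:
    """Upper bound on PIN attempts needed to exhaust the search space."""
    if not half_disclosed:
        return 10 ** 7            # 7 free digits; the checksum digit is determined
    # The AP confirms the first 4 digits on their own, then the next 3
    # (the 8th digit is again fixed by the checksum).
    return 10 ** 4 + 10 ** 3

def worst_case_seconds(attempts: int, sleep_seconds: float = 1.0,
                       lock_after: Optional[int] = None,
                       lock_seconds: float = 0.0) -> float:
    """Rough wall-clock bound: one attempt per sleep interval (reaver -s),
    plus an assumed WPS lockout of lock_seconds after every lock_after failures."""
    total = attempts * sleep_seconds
    if lock_after:
        total += (attempts // lock_after) * lock_seconds
    return total

if __name__ == "__main__":
    for disclosed in (False, True):
        n = worst_case_attempts(disclosed)
        hours = worst_case_seconds(n) / 3600
        print(f"half disclosed={disclosed}: {n} attempts, ~{hours:.1f} h at 1 s/attempt")
    # Assumed lockout: 60 s pause after every 10 failures.
    locked = worst_case_seconds(worst_case_attempts(True), 1.0, 10, 60.0) / 3600
    print(f"with assumed lockout: ~{locked:.1f} h")
```

The 11,000-attempt bound at one attempt per second is roughly three hours, which matches the "hours or even days" caveat once lockouts and retransmissions are added.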
HISTORY
Reaver was initially developed by Tactical Network Solutions and released as an open-source tool.
It gained popularity due to its effectiveness in exploiting WPS vulnerabilities and became a standard tool for wireless security assessments.
Over time, various forks and modifications of Reaver have emerged, addressing bugs and adding new features, but the core functionality remains the same: brute-forcing WPS PINs.
SEE ALSO
airodump-ng(1), airmon-ng(1), wash(1)