
Reaver

Reaver is a brute-force attack tool against Wi-Fi Protected Setup (WPS) PINs. Once the WPS PIN is found, the WPA PSK can be recovered or the AP's wireless settings reconfigured.

Description

Reaver performs a brute-force attack against an access point's Wi-Fi Protected Setup PIN. This package also provides the Wash executable, a utility for identifying WPS-enabled access points. Reaver is used to target access points vulnerable to WPS attacks, allowing recovery of the WPA PSK or reconfiguration of wireless settings.

Use cases include penetration testing of wireless networks with WPS enabled. Wash scans for networks to identify targets with WPS support. Reaver then brute forces the WPS PIN on the selected access point.

The tool operates on monitor-mode interfaces and requires the BSSID of the target AP. Sessions can be saved and restored for interrupted attacks.

How It Works

Reaver implements a brute-force attack against the Wi-Fi Protected Setup (WPS) protocol PIN. It associates with the target AP, sends WPS registration protocol messages with sequential PIN attempts, and processes the responses to validate PINs. Upon successful PIN recovery, it derives the WPA PSK from the WPS handshake or reconfigures AP settings. Wash discovers WPS-enabled APs by scanning beacons and probe responses for WPS information elements.
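For auditing your own access points, the WPS information element that Wash looks for can be decoded directly from a beacon's tagged parameters. This is an added example, not code from Reaver or Wash; it assumes the standard WPS vendor element (OUI 00:50:F2, type 4) and the attribute IDs for Version (0x104A), WPS State (0x1044), AP Setup Locked (0x1057) and Device Name (0x1011), and the sample frames are constructed.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # OUI 00:50:F2, vendor type 4 = WPS
ATTR_VERSION, ATTR_STATE, ATTR_LOCKED, ATTR_DEVICE_NAME = 0x104A, 0x1044, 0x1057, 0x1011

def iter_elements(tagged):
    """Yield (element_id, body) for each 802.11 information element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:  # truncated element: stop instead of guessing
            return
        yield eid, body
        pos += 2 + length

def parse_wps_attrs(data):
    """Decode WPS TLVs: 2-byte type, 2-byte length (big-endian), then value."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def audit_beacon(tagged):
    """Return the WPS posture an AP advertises in its tagged parameters."""
    for eid, body in iter_elements(tagged):
        if eid == 0xDD and body[:4] == WPS_OUI_TYPE:  # vendor-specific WPS element
            a = parse_wps_attrs(body[4:])
            return {
                "wps": True,
                "configured": a.get(ATTR_STATE) == b"\x02",
                "locked": a.get(ATTR_LOCKED) == b"\x01",
                "device_name": a.get(ATTR_DEVICE_NAME, b"").decode("utf-8", "replace"),
            }
    return {"wps": False, "configured": False, "locked": False, "device_name": ""}

# Constructed sample frames (tagged parameters only, not captured traffic).
def tlv(atype, value):
    return struct.pack(">HH", atype, len(value)) + value
WPS_BODY = WPS_OUI_TYPE + tlv(ATTR_VERSION, b"\x10") + tlv(ATTR_STATE, b"\x02") + tlv(ATTR_DEVICE_NAME, b"LabAP")
SAMPLE_WPS_ON = b"\x00\x05LabAP" + b"\xdd" + bytes([len(WPS_BODY)]) + WPS_BODY
SAMPLE_WPS_OFF = b"\x00\x05LabAP" + b"\x01\x02\x82\x84"  # SSID + supported rates only

if __name__ == "__main__":
    print(audit_beacon(SAMPLE_WPS_ON), audit_beacon(SAMPLE_WPS_OFF))
```

An AP that reports `"wps": True` after WPS has been switched off in its management interface is still advertising the feature and should be rechecked.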

Installation

sudo apt install reaver

Flags

-i, --interface=<wlan>    Name of the monitor-mode interface to use
-b, --bssid=<mac>         BSSID of the target AP
-m, --mac=<mac>           MAC of the host system
-e, --essid=<ssid>        ESSID of the target AP
-c, --channel=<channel>   Set the 802.11 channel for the interface (implies -f)
-s, --session=<file>      Restore a previous session file
-C, --exec=<command>      Execute the supplied command upon successful pin recovery
-f, --fixed               Disable channel hopping
-5, --5ghz                Use 5GHz 802.11 channels
-v, --verbose             Display non-critical warnings (-vv or -vvv for more)
-p, --pin=<wps pin>       Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
-d, --delay=<seconds>     Set the delay between pin attempts [1]

Examples

Scan for networks using the monitor mode interface (wlan0mon) on channel 6, while ignoring frame checksum errors:
wash -i wlan0mon -c 6 -C

Use the monitor mode interface (wlan0mon) to attack the access point (E0:3F:49:6A:57:78), displaying verbose output:
reaver -i wlan0mon -b E0:3F:49:6A:57:78 -v

Attack the specified BSSID with increased verbosity:
reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv

Display help for reaver showing required and optional arguments:
reaver -h

Display help for wash showing scan tool arguments:
wash -h

Attack the access point using the mon0 interface with verbose output (adapted from the example interface):
reaver -i mon0 -b E0:3F:49:6A:57:78 -v

Updated 2026-04-16 (source: kali.org)