Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
Prerequisites
You must be running Linux
You must have a wireless card capable of
raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.
Basic Usage
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
Then Start ./wash -i mon0 to scan for valid Wifis.
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver's progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0