Beginners guide to reaver

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what is a WPS pin, why it is used, it’s strengths and weaknesses etc. In this article, you will learn about Reaver, a tool that brute force attacks WPS pins in order to retrieve WPA/WPA2 passphrases.

Let’s see how this tool works. For this we will be using Kali Linux as reaver is installed by default on it. We will also need a wifi adapter that allows packet monitoring. For this, we will be using ALFA AWVS036NHA wifi adapter.

After turning on Kali and plugging in the wireless adapter, the first thing we need to do is enable monitoring mole on our wireless adapter as shown below. Monitoring mode allows the wifi adapter to see all the available wireless networks.

Let’s use airodump to dump all the wifi access points it is monitoring.

Here are the wifi access points detected by our adapter.

We can also use wash to detect WPS enabled access points.

Next, we have to set our target. For this tutorial, we will be setting “Hackercool_Labs” access point as our target. We need to note its MAC address. Then, use reaver as shown below.

Here is the explanation for the options we set.

-i: interface

-b: -bssid or MAC address of the wireless access point.

-c: Channel on which this access point is advertising.

-V: Verbose output

Reaver starts trying to crack the WPS pin as shown below.

You can even use Pixiedust attack to crack WPS pins by specifying the “-k” option.

You can even specify the channel of the wifi access point for quicker cracking using the ‘-c’ option as shown below.

Depending on the access point, reaver can take between 4-10 hours to retrieve the WPA/WPA2 passphrase from the WPS pin while it takes around half of this time to crack the WPS pin itself. Learn how to crack WPS pins with Bully tool.

Follow Us

• 
• 
• 
•