Brute Force Attack Against WPS – Reaver

Last Release: 03/16/2020     Last Commit: 02/11/2022

Brute Force Attack Against WPS – Reaver


Reaver is an open-source tool for performing brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. This tool has been designed to be a robust and practical and has been tested against a wide variety of access points and WPS implementations.

Wifi Protected Setup (WPS)

Wi-Fi Protected Setup is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security. (Brute forcing Wi-Fi Protected Setup – When poor design meets poor implementation by Stefan Viehbck).

Reaver: Brute force attack against WiFi Protected Setup

The original Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Depending on the target’s Access Point (AP), Reaver will recover the AP’s plain text WPA / WPA2 passphrase in 4-10 hours, on average.  But If you are using offline attack and the AP is vulnerable, it may take only a few seconds/minutes.

The first version of reaver-wps (reaver 1.0) was created by Craig Heffner in 2011.

You can find the original Reaver, version 1.0 to 1.4,  in google code archives. From version 1.4, reaver-wps comes with a simple and fast WPS scanner – wash.

Supported wireless drivers:

  • ath9k, rtl8187, carl19170, ipw2000, rt2800pci, rt73usb
  • partially supported: ath5k, iwlagn, rtl2800usb, b43


Reaver-wps-fork-t6x version 1.6.x is a community forked version of the original Reaver, which includes various bug fixes, new features and additional attack method – offline Pixie Dust attack. Since this fork supports Pixie Dust attack, you’ll be able to preform it against modern routers.


  • Support for the offline Pixie Dust attack.
  • Improved argument -p with an Arbitrary String (-p, --pin=<wps pin> )
  • New wash: Compatibility with all supported WiFi chips, wash now displays the correct signal level with all the (supported) WiFi chips.
  • Power to the user with the pipe compatibility: You can now modify “on the fly” wash’s stdout with pipe compatibility.


Build-time dependencies:

  • libpcap-dev
  • build-essential

Runtime-time dependencies:

  • pixiewps (optional, required for Pixie Dust attack)
  • aircrack-ng (optional, though recommended)

To install dependencies, run the following:

$ sudo apt -y install build-essential libpcap-dev aircrack-ng pixiewps
Note: In order to perform Pixie Dust attack, you need to have Wiire’s Pixiewps installed.


Reaver-wps comes preinstalled in Kali Linux & BlackArch Linux. It can be installed on any other Linux via source code.

First of all, clone it from the github:

$ git clone

or download:

$ wget && unzip

Then locate the shell:

$ cd reaver-wps-fork-t6x*
$ cd src

and compile:

$ ./configure
$ make

Now you can install it with the following:

$ sudo make install

Basic Reaver Usage

Use -h to list available options:

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <>

Required Arguments:
	-i, --interface=<wlan>          Name of the monitor-mode interface to use
	-b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
	-m, --mac=<mac>                 MAC of the host system
	-e, --essid=<ssid>              ESSID of the target AP
	-c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
	-s, --session=<file>            Restore a previous session file
	-C, --exec=<command>            Execute the supplied command upon successful pin recovery
	-f, --fixed                     Disable channel hopping
	-5, --5ghz                      Use 5GHz 802.11 channels
	-v, --verbose                   Display non-critical warnings (-vv or -vvv for more)
	-q, --quiet                     Only display critical messages
	-h, --help                      Show help

Advanced Options:
	-p, --pin=<wps pin>             Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
	-d, --delay=<seconds>           Set the delay between pin attempts [1]
	-l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
	-g, --max-attempts=<num>        Quit after num pin attempts
	-x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
	-r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
	-t, --timeout=<seconds>         Set the receive timeout period [10]
	-T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.40]
	-A, --no-associate              Do not associate with the AP (association must be done by another application)
	-N, --no-nacks                  Do not send NACK messages when out of order packets are received
	-S, --dh-small                  Use small DH keys to improve crack speed
	-L, --ignore-locks              Ignore locked state reported by the target AP
	-E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
	-J, --timeout-is-nack           Treat timeout as NACK (DIR-300/320)
	-F, --ignore-fcs                Ignore frame checksum errors
	-w, --win7                      Mimic a Windows 7 registrar [False]
	-K, --pixie-dust                Run pixiedust attack
	-Z                              Run pixiedust attack

	reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv

New Options/Features:

  • -K or -Z // --pixie-dust:  perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKEPKRE-Hash1E-Hash2E-Nonce and Authkey variables.
  • -p with arbitrary string // --pin=: can be used against Access Points that do not follow the WPS checksum on the last digit of the PIN.
Important: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute Reaver with the cracked PIN (option -p) to get the WPA pass-phrase.


To use reaver  you’ll only need the interface name and the BSSID of the target AP.  If you want to get more detailed information about the attack as it progresses, run the reaver in the verbose mode.

$ reaver -i wlan0mon -b 00:01:02:03:04:05 -vv

Basic Wash Usage

You can also type -h to list all available wash options:

Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <> 

Required Arguments:
	-i, --interface=<iface>              Interface to capture packets on
	-f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
	-c, --channel=<num>                  Channel to listen on [auto]
	-n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
	-F, --ignore-fcs                     Ignore frame checksum errors
	-2, --2ghz                           Use 2.4GHz 802.11 channels
	-5, --5ghz                           Use 5GHz 802.11 channels
	-s, --scan                           Use scan mode
	-u, --survey                         Use survey mode [default]
	-a, --all                            Show all APs, even those without WPS
	-j, --json                           print extended WPS info as json
	-h, --help                           Show help

	wash -i wlan0mon

New Options/Features:

  • -a // --all: this option will list all access points, including those without WPS enabled.
  • -j // --json: the extended WPS information (serial, model…) from the AP probe answer will be printed in the terminal (in json format).


To scan for networks you can use option --scan, just run:

$ wash -i wlan0mon --scan
Documentation Box
Download Box