Reaver | Cracking WPS Pin To Recover WPA & WPA2 WiFi Passwords!

In this tutorial, we’ll use Reaver to crack the WPS PIN so that we can recover the WiFi passwords of WPA and WPA2 wireless networks.

PREREQUISITE: First Read Basics of WiFi Hacking & Security!

About Reaver

Reaver is an open-source tool whose source code is available at Google Code. It implements a brute-force attack against WiFi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passwords.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.


On average Reaver will recover the target AP’s plain text WPA/WPA2 password in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the WiFi password.

Steps | Attacking WPS Enabled WiFi

When nothing else works, we just need Reaver. Sometimes the WPA/WPA2 password is so strong that offline brute-forcing is pointless. But if WPS is enabled on the access point, the WPS PIN can be attacked instead.

Step 1: I believe you are already running Kali. So, open the terminal and run the following commands:

Terminal | Puts Wireless Card into Monitor Mode
root@kali:~# airmon-ng start wlan0
Terminal | Shows List of WPS-Enabled WiFi
root@kali:~# wash -i mon0 -C

Step 2: Choose a WiFi target from the results shown by the wash program. Now run the reaver tool to crack the WPS PIN.

Kali Linux Terminal
root@kali:~# reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv

Reaver will now start the WPS attack on the WiFi access point with MAC address 00:90:4C:C1:AC:21.


If you already know the PIN, then just use the argument -p [PIN]. Just add -p 12345670 (this is an example PIN) to your previous command.

And here are a few important points if you are using this tool:

  • To learn more about this tool, just type reaver into the terminal and hit enter.
  • APs which are locked (as shown by wash) are difficult to brute-force.
  • You need to be very close to the WiFi source; low signal strength makes it too difficult to actively brute-force.

Video Tutorial: Reaver in Action

So, I searched and watched several videos online, found a video on How to Crack WiFi Password of WPA, and embedded it here for you. This video will make the instructions clearer!

Handling Issues:

Some routers now come with WPS PIN lockdown, which means you might have a hard time cracking the WPS PIN. In this case, here are a few options you can try:

If 10 consecutive unexpected WPS errors are encountered, a warning message will be shown. This may be a sign that the AP is rate limiting pin attempts. A waiting command can be issued whenever these warning messages appear. Use the following command:

Kali Linux Terminal
root@kali:~# reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=360

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):

Kali Linux Terminal
root@kali:~# reaver -i mon0 -b 00:01:02:03:04:05 -t 3

The default delay period between pin attempts is 1 second. This value can be increased or decreased to any value. Please note that 0 means no delay:

Kali Linux Terminal
root@kali:~# reaver -i mon0 -b 00:01:02:03:04:05 -d 0

Countermeasures | Protect Your WiFi

We have already talked about protecting our WiFi in several tutorials, e.g. Basics of WiFi Hacking and Security. Here are some countermeasures specifically for WPS security:

  • Disable WPS: Audit your WiFi security and analyze whether your WPS is secure or not.
  • Increase WPS timeout period: For advanced routers, we can increase the receive timeout to slow down the attack.
  • WPS Lock: Set the WPS Lock time to a large value. That means after a certain number of failed attempts, the router should lock the WPS feature for longer.
  • MAC Filtering: One of the oldest methods, but it can sometimes protect against script kiddies.
  • Physically Secure the Router!

But as mentioned in the WPS research (PDF linked below), a determined attacker might still be able to successfully attack a WPS-enabled AP. This attack is low-cost and has a high success guarantee compared to cracking WPA/WPA2-PSK.
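One way to check the "Disable WPS" countermeasure on access points you administer, written as an added example (not code from this tutorial or from the Reaver project): the script filters wash output down to your own BSSIDs and reports whether each still advertises WPS. The six-column layout (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) is an assumption about the wash build used in Step 1, and the function names, BSSIDs and ESSIDs are constructed for illustration.

```shell
#!/bin/sh
# Defensive audit: which of the access points you administer still advertise WPS?

# Constructed sample (not real scan data), in the assumed six-column wash layout.
sample_wash_output() {
cat <<'EOF'
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
02:00:00:AA:BB:01       1            -52        1.0               No                office-main
02:00:00:AA:BB:02       6            -61        1.0               Yes               office guest
02:00:00:CC:DD:09      11            -80        1.0               No                neighbour
EOF
}

# audit_wps "<BSSIDs you administer, space separated>"   (wash output on stdin)
audit_wps() {
    awk -v owned="$1" '
    BEGIN {
        n = split(toupper(owned), list, " ")
        for (i = 1; i <= n; i++) mine[list[i]] = 1
    }
    # Data rows start with a 17-character MAC; banner, header and rule lines do not.
    length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ {
        b = toupper($1)
        if (!(b in mine)) next            # ignore networks that are not ours
        seen[b] = 1
        essid = $6
        for (i = 7; i <= NF; i++) essid = essid " " $i   # ESSIDs may contain spaces
        state = ($5 == "Yes") ? "WPS_LOCKED" : "WPS_OPEN"
        printf "%s %s ch=%s essid=\"%s\"\n", state, b, $2, essid
    }
    END {
        # wash lists only WPS-enabled APs, so an owned BSSID that never appeared
        # is either not advertising WPS or was out of range during the scan.
        for (b in mine) if (!(b in seen)) printf "WPS_NOT_SEEN %s\n", b
    }'
}

# Demo run against the constructed sample; BB:03 stands for an AP with WPS disabled.
sample_wash_output | audit_wps "02:00:00:aa:bb:01 02:00:00:AA:BB:02 02:00:00:AA:BB:03"
```

Any WPS_OPEN or WPS_LOCKED line for your own equipment means WPS is still switched on there; a lock only slows PIN guessing, so the target state for every owned BSSID is WPS_NOT_SEEN while the AP is in range.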

References and Further Readings

