Kali Linux – Reaver / WPS Cracking (Raspberry Pi)

Before proceeding I need to make this very clear:


Sorry, I know that may seem very heavy handed but the majority of countries have laws covering computer misuse and I do not want to see anyone get in trouble / break the law. Now that that is out of the way…

Back in March 2017 I saved up some money and used it to have the great pleasure of attending a hacking workshop / training course where I got to expand on my security / Linux knowledge whilst being taught by the excellent Hacker House (Twitter: @myhackerhouse).

Hands On Hacking Cert

During the workshop Hacker House gave us virtual machines to run and attack via Kali Linux, which I found to be fun and eye opening. Since then I’ve played with the virtual machines and wanted to expand on that knowledge. So with some free time over this festive break I’m getting out some of my older computer equipment and building some labs that I can hack, break and play with as much as I want, without the risk of breaking my regular home network or breaking any laws (harking back to my opening paragraph).

My current setup is a Netgear router that is broadcasting a wireless SSID of “geektechstuff.com” and has WPS enabled. I’m going to look into connecting to the wireless network without knowing the WPS PIN. For this I am using:

The Raspberry Pi does not currently know the connection details of the wireless network.

With Kali Linux booted up on the Pi run the usual commands to make sure it is up to date:

  • apt-get update
  • apt-get upgrade

and it is then time to install “reaver”:

  • apt-get install reaver

With Reaver installed we’ll need to search for our wireless network’s details, which requires our network card/dongle to be in monitor mode. To place the card/dongle into monitor mode type:

  • airmon-ng start interface

Replacing interface with the name of your wireless interface, e.g. wlan0 or wlan1. With the card/dongle set up we can then scan for our wireless network by typing:

  • wash -i interface

Again replacing interface with the name of the wireless interface, e.g. wlan0 or wlan1. A list of wireless networks that support WPS should now be displayed. At this stage be very careful to only attack your network and not someone else’s! Note down the MAC address of your SSID and the channel it is broadcasting on. Then to start Reaver type:

  • reaver -i interface -b SSID MAC ADDRESS -c channel -vv

So for me this was:

  • reaver -i wlan0 -b 84:1B:5E:B1:7A:8B -c 1 -vv

Reaver will then kick in and start trying to connect to the wireless network using WPS.

Reaver in action

So what is WPS? Well, WPS is Wi-Fi Protected Setup. Its PIN method uses an 8-digit numerical PIN and allows for “easier” setup of wireless networks. However, around 2011 it transpired that WPS can be broken using a brute force attack, which is what Reaver does. The reason this is practical is that the last digit of the PIN is a checksum and the protocol confirms the first four digits separately from the last three, so the effective search space is around 11,000 PINs rather than 100 million. Reaver attempts to connect to the wireless network over and over, each time trying a different PIN. Once it has found the PIN I can successfully connect to the wireless network without originally knowing the PIN and without needing the key/passphrase that would be required if connecting via WPA2.

More information can be found on WPS at Wikipedia – https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

If possible I would recommend that WPS is disabled on devices; I’ve got it enabled on my lab device as I wanted to test breaking it.
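As an added example (not code from the original post), here is a small Python script that shows why the 8-digit PIN described above is feasible to brute force and how an access-point lockout changes the picture, which is the reason behind the recommendation to disable WPS. The checksum weights and the two-halves structure follow the WPS PIN method as described in the linked Wikipedia article; the lockout parameters and the seconds-per-attempt figure are assumptions chosen for illustration, not measurements from this lab.

```python
# Added example, not from the original post: why the WPS PIN method is weak.
# Facts used: the 8th digit of a WPS PIN is a checksum of the first seven, and the
# registrar protocol acknowledges the first four digits separately from the last
# three, so each half can be searched on its own.

# Checksum weights applied to the first seven digits (WPS PIN method).
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit an AP expects after a 7-digit PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly 7 decimal digits")
    total = sum(int(d) * w for d, w in zip(first_seven, WEIGHTS))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def naive_keyspace() -> int:
    """What an 8-digit PIN looks like on paper."""
    return 10 ** 8


def effective_keyspace() -> int:
    """Worst-case registrar exchanges when the two halves are confirmed separately:
    10^4 for the first four digits, then 10^3 for the next three (the 8th is derived)."""
    return 10 ** 4 + 10 ** 3


def worst_case_seconds(seconds_per_attempt: float,
                       failures_before_lockout: int = 0,
                       lockout_seconds: float = 0.0) -> float:
    """Worst-case time to exhaust the effective keyspace.

    failures_before_lockout == 0 models an AP with no lockout. Otherwise the AP is
    assumed (an assumption for illustration, not a measured router behaviour) to
    pause for lockout_seconds after every failures_before_lockout failed attempts.
    """
    attempts = effective_keyspace()
    total = attempts * seconds_per_attempt
    if failures_before_lockout > 0:
        lockouts = attempts // failures_before_lockout
        total += lockouts * lockout_seconds
    return total


if __name__ == "__main__":
    # 12345670 is the well-known example of a PIN with a correct checksum.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345678 valid:", is_valid_wps_pin("12345678"))
    print("naive keyspace:", naive_keyspace())
    print("effective keyspace:", effective_keyspace())
    # Assumed 2 seconds per exchange; no lockout versus a 60 s pause every 3 failures.
    print("worst case, no lockout (hours):", worst_case_seconds(2.0) / 3600)
    print("worst case, lockout (hours):", worst_case_seconds(2.0, 3, 60.0) / 3600)
```

The gap between the naive and effective keyspaces is the whole story: a lockout after a handful of failures stretches the worst case from hours into days, but only disabling WPS (or at least the external-registrar PIN method) removes the exposure.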

Edit: I’m currently running Reaver and will post the results/timings when finished.