Reaver - Attack against Wi-Fi Protected Setup (WPS)

Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations.

The original Reaver implements a online brute force attack against, as described in reaver-wps-fork-t6x version 1.6b is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).

Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.

apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
The example uses Kali Linux as the Operating System (OS) as pixiewps is included.
You must already have Wiire's Pixiewps installed. The latest version can be found here:

git clone

wget && unzip

cd reaver-wps-fork-t6x*/
cd src/
sudo make install

About Reaver Options
Please notice that work is in progress and the situation will progress soon, stay tuned! ;)

-K and-or -Z // --pixie-dust (in reaver)
The -K and -Z option perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. pixiewps will then try to attack Ralink, Broadcom and Realtek detected chipset. Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase. This is a temporary solution and an option to do a full attack will be implemented soon

-a // --all (in wash)
The option -a of Wash will list all access points, including those without WPS enabled.

Deprecated and temporary left behind options
  • - n (reaver): Automatically enabled, no need to invocate it.
  • - W (reaver): Temporary left behind. Integration of the default PIN generators was unstable, leading to many warnings at compilation time. It was also an issue to use a PIN attempt (risk of AP rating limit) in order to get a BSSID and an ESSID. For the moment PIN generation has to be done externally using the scripts provided in "doc".
  • - a (reaver): This option was the only option which required sqlite3 adding an extra dependency. It was only designed for automation scripts and this task (execute the last reaver command again) can be easily done internally by the script that calls reaver
  • - p1 and -p2 (reaver): Too much warnings and bugs.
  • -H (reaver): There is a need to find a way to perform it more cleanly, work is in progress.
  • - vvv (reaver): The highest level of verbose is temporary removed for the same reason.
  • - g (wash): Option was broken in latest release and need to be seriously rethought.

Reaver - Attack against Wi-Fi Protected Setup (WPS) Reaver - Attack against Wi-Fi Protected Setup (WPS) Reviewed by Lydecker Black on 6:30 PM Rating: 5