Cheatography

Reaver Cheat Sheet Cheat Sheet (DRAFT) by

Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations. Homepage: https://github.com/t6x/reaver-wps-fork-t6x

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Required Arguments

-i, --interface=<wlan>
Name of the monitor-mode interface to use
-b, --bssid=<mac>
BSSID of the target AP

Optional Arguments

-m, --mac=<mac>
MAC of the host system
-e, --essid=<ssid>
ESSID of the target AP
-c, --channel=<channel>
Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file>
Send output to a log file [stdout]
-s, --session=<file>
Restore a previous session file
-C, --exec=<command>
Execute the supplied command upon successful pin recovery
-D, --daemonize
Daemonize reaver
-f, --fixed
Disable channel hopping
-5, --5ghz
Use 5GHz 802.11 channels
-v, --verbose
Display non-critical warnings (-vv or -vvv for more)
-q, --quiet
Only display critical messages
-h, --help
Show help

Advanced Options

-p, --pin=<wps pin>
Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
-d, --delay=<seconds>
Set the delay between pin attempts [1]
-l, --lock-delay=<seconds>
Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num>
Quit after num pin attempts
-x, --fail-wait=<seconds>
Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y>
Sleep for y seconds every x pin attempts
-t, --timeout=<seconds>
Set the receive timeout period [10]
-T, --m57-timeout=<seconds>
Set the M5/M7 timeout period [0.40]
-A, --no-associate
Do not associate with the AP (association must be done by another application)
-N, --no-nacks
Do not send NACK messages when out of order packets are received
-S, --dh-small
Use small DH keys to improve crack speed
-L, --ignore-locks
Ignore locked state reported by the target AP
-E, --eap-terminate
Terminate each WPS session with an EAP FAIL packet
-n, --nack
Target AP always sends a NACK [Auto]
-w, --win7
Mimic a Windows 7 registrar [False]
-K, -Z, --pixie-dust
Run pixiedust attack

Reaver Examples

reaver -i <interface> -b <MAC>
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP.
reaver -i <interface> -b <MAC> -vv
It is suggested that you run Reaver in verbose mode in order to get more detailed information about the attack as it progresses.
reaver -i <interface> -b <MAC> -c <channel> -e <essid>
The channel and SSID (provided that the SSID is not cloaked) of the target AP will be automatically identified by Reaver, unless explicitly specified on the command line.
reaver -i <interface> -b <MAC> --dh-small
Since version 1.3, Reaver implements the small DH key optimization, which can speed up the attack.
reaver -i <interface> -b <MAC> --fixed
By default, if the AP switches channels, Reaver will also change its channel accordingly. However, this feature may be disabled by fixing the interface's channel.
reaver -i <interface> -b <MAC> --mac=<spoofed MAC>
When spoofing your MAC address, you must set the desired address to spoof using the ifconfig utility, and additionally tell Reaver what the spoofed address is.
reaver -i <interface> -b <MAC> -t <sec>
The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second).
reaver -i <interface> -b <MAC> -d <sec>
The default delay period between pin attempts is 1 second. This value can be increased or decreased to any non-negative integer value. A value of zero means no delay.
reaver -i <interface> -b <MAC> --lock-delay=<sec>
Some APs will temporarily lock their WPS state, typically for five minutes or less, when "suspicious" activity is detected. By default when a locked state is detected, Reaver will check the state every 315 seconds (5 minutes and 15 seconds) and not continue brute forcing pins until the WPS state is unlocked. This check can be increased or decreased to any non-negative integer value.
reaver -i <interface> -b <MAC> -T <sec, .2-1sec>
The default timeout period for receiving the M5 and M7 WPS response messages is .1 seconds. This timeout period can be set manually if necessary (max timeout period is 1 second).
reaver -i <interface> -b <MAC> --fail-wait=<sec>
Sending an EAP FAIL message to close out a WPS session (the --eap-terminate option listed above) is sometimes necessary. By default this feature is disabled, but can be enabled for those APs that need it. When 10 consecutive unexpected WPS errors are encountered, a warning message will be displayed. Since this may be a sign that the AP is rate limiting pin attempts or simply being overloaded, a sleep (--fail-wait) can be put in place that will occur whenever these warning messages appear.