Wi-Fi Security Audit: Testing WPS Vulnerabilities with Reaver

In today's digital world, wireless network security is a critical aspect of protecting personal data. Many users still rely on default router settings, unaware that the default protocol WPS (Wi-Fi Protected Setup) can be an open door for attackers. Understanding how auditing tools like Reaver, is necessary not so much for hacking other people's networks, but for checking your own infrastructure for vulnerabilities.

The security testing process requires a deep understanding of network protocols and responsibilities. The tools discussed here allow for attacks such as brute-force (brute-force) the WPS PIN, which, if successful, gives full access to the WPA/WPA2 encryption key. However, it's important to understand that using these methods outside of your own network or without the owner's written permission is illegal.

The purpose of this article is to provide an expert perspective on the mechanics of the vulnerability and how to mitigate it. We'll cover the technical details of protocol implementation, the steps involved in preparing a testing environment, and, most importantly, methods for protecting your equipment from similar attacks. The WPS vulnerability is a fundamental design issue with the standard, not just a bug in a particular router's firmware.

How the WPS vulnerability works and how it works

The WPS protocol was developed by the Wi-Fi Alliance to simplify connecting devices to a wireless network. The idea was to allow users to connect a device by simply pressing a button on the router or entering an 8-digit PIN. However, the implementation of this mechanism contained a critical flaw in the authentication logic, which is exploited. Reaver.

The problem lies in the way the PIN is validated. Instead of checking all eight digits at once, the protocol checks them in two separate groups: the first four digits and the second four digits. This dramatically reduces the number of attempts required to successfully guess the PIN. If brute-force testing were used, the number of combinations would reach 100 million, which would take years.

By splitting the verification process, an attacker only needs to guess two short sequences. The first half is verified separately, and only after it is confirmed by the server (access point) does the second half begin to be verified. This reduces the number of required attempts to approximately 11,000, which takes anywhere from a few minutes to several hours, depending on the router's settings.

⚠️ Warning: The WPS mechanism often cannot be completely disabled on some router models, even through the web interface. In such cases, the vulnerability remains active at the firmware level, requiring the device to be flashed to alternative firmware (OpenWrt, DD-WRT) to completely eliminate the risk.

To successfully execute the attack, the tool requires confirmation from the access point that the entered portion of the PIN is correct. If the router doesn't have brute-force protection (for example, blocking after several unsuccessful attempts), the attack is successful. Modern devices have learned to implement delays or temporary blocking, but older models remain extremely vulnerable.

Necessary equipment and preparation of the environment

Before testing, you need to prepare the appropriate hardware and software. Standard laptop network cards often don't support monitor mode, which is critical for packet interception and analysis. You'll need a specialized Wi-Fi adapter with a chipset that supports packet injection.

The most common and recommended chipsets for security auditing tasks are Atheros AR9271, Ralink RT3070 And Realtek RTL8812AUThese chips work stably in the operating system. Kali Linux, which is the de facto standard for information security professionals. Using a virtual machine can lead to driver instability, so using a Live USB or installing on a separate disk partition is preferable.

In addition to the hardware, it's important to ensure the software environment is configured correctly. The wireless card's interface must be set to monitor mode. This allows the card to listen to the entire broadcast, not just packets addressed specifically to it. Without this step, interaction with Reaver impossible.

☑️ Preparing for a network audit

Completed: 0 / 1

Legal considerations should also be taken into account. Only conduct testing on your own equipment or with a documented Letter of Authorization from the network owner. Otherwise, your actions may be considered unauthorized access.

Scanning and target selection process

The first step is to detect the target network and check if it has an active WPS connection. This is done using a utility wash, which is included in the Reaver package or available separately. It scans the airwaves and filters networks, displaying only those with an open WPS port.

Scanning is started via the terminal. You will need to know the name of your interface (usually wlan0 or wlan1mon after enabling monitoring mode). The command looks like this:

wash -i wlan0mon --ignore-fcs

Parameter --ignore-fcs This is often necessary to ignore frame checksum errors that can occur with some adapters, preventing false scan interruptions. The results will show a list of networks with their ESSID (network name), channel, and WPS status.

Parameter Description Significance for attack
ESSID Wireless network name Target network
BSSID MAC address of the access point Required to run Reaver
WPS Protocol status Must be "Yes" or "Open"
WPS Locked Blocking status It should be "No"

Pay attention to the "WPS Locked" column. If it says "Yes," it means the WPS Lockout mechanism is enabled on the router. In this case, a standard attack Reaver will be blocked after several unsuccessful attempts. There are methods to bypass this protection, but they require more complex manipulations and are not guaranteed to succeed.

📊 Have you encountered WPS blocking on routers?
Yes, the router blocked after 2 attempts: No, the brute force was successful: I don't know, I haven't tested it: My router doesn't support WPS

Launching a brute-force attack using Reaver

Once the target network has been found and its BSSID has been copied, the attack process itself can begin. Reaver Automates the process of sending PIN codes and waiting for a response from the access point. The basic command syntax requires specifying the interface and BSSID of the target.

reaver -i wlan0mon -b 00:11:22:33:44:55 -vv

There is a flag here -i specifies the interface, -b specifies the MAC address of the target access point, and -vv Enables detailed logging (verbose mode), allowing you to monitor progress in real time. You'll see which PINs are being verified and the percentage of progress achieved.

An important parameter is the delay between attempts. Some routers may not be able to handle too many requests and may freeze or reboot. To mitigate this effect, you can use the flag -d (delay), which sets the delay in seconds between attempts, or -T to set the response timeout.

⚠️ Warning: While running, Reaver may report NACK packets. This indicates that the access point has rejected the request. If there are too many of these messages (more than 70-80%), the attack may be blocked or become ineffective. In this case, it's worth increasing the latency or trying a different strategy.

The process can take anywhere from a few minutes to tens of hours. The speed directly depends on the router model, signal strength, and delay settings. Interrupting the process (Ctrl+C) does not reset the progress, as Reaver saves the state to a file .wps, and the next time you start it, it will continue from the same place.

Analyzing the results and obtaining the key

If the PIN code is successfully selected, Reaver The master network encryption key (WPA/WPA2 Passphrase) will automatically be calculated. The logs will show the message "WPA PSK: [your_key]." This means the network security has been completely breached, and the resulting password can be used to connect to any device.

However, success is not 100% guaranteed. There are many factors that influence the outcome of an operation. Some manufacturers implement randomized response delays, making it impossible to predict the response time and breaking the logic of the standard Reaver. Others may require confirmation via a physical button (PBC), making a remote attack impossible.

If an attack is successful, it's crucial to take immediate action to eliminate the vulnerability. The resulting breach is proof that your network was exposed to anyone with a laptop. Ignoring this fact could lead to data leakage or the use of your internet connection for illegal activities.

What to do if Reaver freezes?

If the process gets stuck at a certain percentage or stops receiving responses, try adding the -N flag (ignore NACK packets) or reducing the number of threads. Changing the channel or moving closer to the signal source may also help. Sometimes, manually resetting the state by deleting the .wps files in the /etc/reaver/ directory helps.

To document audit results, it is recommended to save logs to a file. This can be done by redirecting terminal output or using built-in automation scripts. The report should include the date, time, target BSSID, method used, and the result.

Protection methods and vulnerability mitigation

Understanding how hacking works allows you to effectively defend yourself. The most reliable way to protect yourself from WPS attacks is to completely disable this feature in your router's settings. Go to the device's web interface (usually at 192.168.0.1 or 192.168.1.1), find the Wireless or Wi-Fi section, and disable WPS.

If the interface doesn't have a disable button, but the feature still works, this is a sign of poor implementation on the manufacturer's part. In this case, we recommend:

  • 🔄 Update your router firmware to the latest version, where the vulnerability can be fixed programmatically.
  • 🛡️ Install third-party firmware (OpenWrt, DD-WRT), which allows flexible management of security settings.
  • 🚫 Use MAC address filtering as an additional, but not primary, security measure.

It's also critical to use a strong password for WPA2/WPA3. Even if WPS is disabled, a weak password can be cracked using other methods. The password must contain at least 12 characters, including uppercase and lowercase letters, numbers, and special characters.

Regularly auditing your network helps you stay on top of security. Check the list of connected clients in your router's admin panel and keep an eye out for any unfamiliar devices. A sudden drop in internet speed can also be an indirect sign of compromise.

Frequently Asked Questions (FAQ)

Is it possible to hack WPS if the WPS indicator on the router is on?

The presence of a lit indicator only indicates that the function is enabled. However, this does not guarantee a successful attack, as many modern routers have software protection against brute-force attacks (WPS Lockout), which blocks attempts after several failures. Without knowing the "WPS Locked" status via a scanner, wash It's impossible to say for sure.

Does Reaver work on Windows operating system?

Native Reaver It's written for Linux and requires specific drivers for monitoring mode, which are difficult to install on Windows. Although ports and versions for Windows exist (for example, via Cygwin or WSL), their stability is poor. Professionals use Kali Linux in a virtual machine or Live USB.

How long does it take to crack a WPS PIN?

The time varies from 2 hours to 10-12 hours depending on the router model, signal strength, and the presence of latency. Some routers can process requests very slowly, stretching the process out to a day. Newer models with brute-force protection may not be hacked at all.

Is Reaver dangerous for the router itself?

By myself Reaver It doesn't damage hardware. However, an intense attack can cause the router's processor to overheat or a buffer overflow, resulting in a freeze and the need for a reboot. In rare cases, intense traffic on older models could cause a reset, but this is the exception.

Will WPA3 replace protection against such attacks?

Yes, the WPA3 protocol fixes the vulnerabilities of WPS and implements stronger handshake mechanisms. If your equipment supports WPA3, upgrading to this standard will significantly improve network security. However, WPS may still be enabled for compatibility with legacy devices, so it's best to disable it manually.