Reaver Wps For Mac

Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintainedBut while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible. Here we will take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.
  • Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
  • Reaver-wps brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests.
  • REAVER WPS modified version with MAC Address last character changer to speed up the attack. Well, some times the AP will reject the 'EAPOL Request' after a success pin try. I made some tests with simultaneous reaver instances running with different MACs (the -m argument), and when one instance gets 'WARNING: Receive timeout occurred', the other.

Reaver provides one more way to crack Wi-Fi access. It only works on systems with WPS enabled and unlocked, so it it crucial that you run the recon tool wash first. When you find a WPS enabled and unlocked device, Reaver is capable of finding the PIN by running through all 11,000 possibilities within a few hours! Reaver mac of the host system. Reaver (reaver-wps-fork-t6x) One of the most popular adapters that use the Atheros chipset is from Alfa. The problem is that it became too much popular, thus some chineses started to faking it. This finding was shocking for me. To verify if what you bought was counterfeited or not, you can ask Alfa.

WPS Pin Attack

An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This is a convenient feature that allows the user to configure a client device against a wireless network by simultaneously pressing a button on both the access point and the client device (the client side “button” is often in software) at the same time. The devices trade information, and then set up a secure WPA link.

Wps office

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

But a tool called Reaver has been designed to brute-force the WPA handshaking process remotely, even if the physical button hasn’t been pressed on the access point.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.

Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.

Finding a Network

If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to get the hardware into monitor mode:

airmon-ng start wlan0

From here you could use airodump-ng to look for networks, but Reaver actually includes its own tool for finding vulnerable WPS implementations which is much more straightforward. To start it, run the following command:

wash -i mon0

Reaver Wps For Mac Download

The output will look something like this:

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.

Launching Reaver

Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface,

channel, and ESSID to be specified. The command to launch Reaver against the “linksys” network above would look like this:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output which greatly helps when trying to gauge how well Reaper is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

This output shows that WPS pins are successfully being tried against the target (here we see 12345670 and 00005678 are being tested), and Reaver is operating normally.

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

The core command hasn’t changed, the additional switches just change how Reaver behaves: Flash cs6 for mac.


Ignore locked WPS state.


Don’t send NACK packets when errors are detected.

-d 15

Delay 15 seconds between PIN attempts.


Set timeout period to half a second.

-r 3:15

After 3 attempts, sleep for 15 seconds

This is by no means an exhaustive list of Reaver options, but it gives an idea on what kind of things you might want to try.

Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved, the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the possible pool of PINs.


Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase..eventually.

Reaver Wps For Mac

Disclaimer: This is for educational and personal use only. This was originally done as an assignment for SEC701 – Ethical Hacking. I do not condone potential illegal uses of this information. However it is perfectly legal to “hack” your own equipment or equipment you’re authorized to administer. If you use this for malicious purposes, it is not my fault.


WPS is a security standard that allows users to connect to WPA/WPA2 networks easier, through use of an 8 digit pin code. As a result this actually weakens the security of WPA/WPA2 as this can be brute forced, and once compromised allows the hacker the ability to access the router/access point and have it provide it’s own passphrase or PSK (pre-shared key). The tools used in this attack are as follows, all included in Kali linux.

  • macchanger (for MAC spoofing, not directly connected to the attack)
  • airmon-ng
  • wash
  • reaver

The video used as a basis for this attack (and shown for demonstration in class) can be found here:

Part 1 – MAC Spoofing

While not essential to our hack, in order to simulate doing this for real we’re going to spoof our MAC Address to limit the potential for getting caught. To do this requires only a few steps. For demonstration purposes, show the current MAC address:

The first thing we do is bring the interface down and stop network manager, by issuing the following commands:

Now we generate a random MAC address using macchanger. There are a couple of different options here, either using -r which will generate a random MAC or -a which will generate a random MAC with the same manufacturer prefix (if it can determine the manufacturer). In my case, it couldn’t so the output is the same as using -r.

Reaver Wps For Mac

Finally bring the interface up, and note the MAC has changed (the previous step actually shows you the original MAC and the new MAC).

Part 2 – Hacking WPS

Hacking WPS was actually less work than hacking WEP, though it took a lot longer. The first thing we need to do is run airmon-ng without options to ensure our wireless interface is being detected properly.

Next issue the command again with the interface included to start monitoring.

Issue the wash command to scan for access points in the area.

The output should look something like the following.

Now we’re going to run reaver with the MAC address of the access point as an argument, which was obtained as a result of the command used in the previous step. This step can take anywhere from 4 to 20+ hours. In my case it took about 6 hours to successfully crack the WPS pin.

Reaver Wps For Mac Os

Once you have the pin, run reaver again providing it the pin as an argument and it will return the PSK fairly quickly.

Reaver-wps Mac Osx

Which resulted in the following output.

Reaver Wps For Mac Download


Reaver Wps For Mac Installer

The attack method used to compromise WPA/WPA2 by way of hacking the WPS was in my opinion much easier than that used to hack WEP in a previous demonstration this semester. While WEP took about 30 minutes to crack, hacking WPS took approximately 6 hours. After some very brief research online I discovered that this process can take anywhere from 4 to 30 hours. You would think the length of time required to perform the hack would be somewhat of a deterrent, however once WPS has been compromised it opens up a permanent vulnerability (unless one disables WPS) as the same key can be used to repeat the process once the Administrator for the access point changes the pre-shared key. To further complicate matters the WPS key is hard coded for each router, and cannot be changed. Which leads us to another problem. Some access points don’t actually disable WPS even when you’ve disabled the ability in the device’s settings. This has been patched by many of the leading manufacturers, but it is up to the Administrator responsible for the access point to see if this is in fact an issue for their particular hardware.