Introduction
Even secure-looking WPA2 networks can have a hidden vulnerability — WPS. Wi-Fi Protected Setup (WPS) was introduced to simplify connections between routers and devices. But this convenience comes with a cost: it’s brutally insecure.
In this post, you’ll learn how to perform WPS attacks using tools like Reaver and Bully — and how to identify vulnerable networks.
❓ What is WPS?
Wi-Fi Protected Setup (WPS) is a feature that allows users to connect to a Wi-Fi network by:
- Pressing a button (WPS Push)
- Entering an 8-digit PIN (WPS PIN mode)
The problem? That 8-digit PIN can be brute-forced in a few hours or less using the right tools.
🧰 Tools Needed
- Kali Linux
- Wi-Fi adapter supporting monitor mode
- Tools: Reaver, Bully, wash
Step-by-Step: Attacking WPS with Reaver
1. Put Adapter in Monitor Mode
Enable monitor mode on your wireless adapter:
sudo airmon-ng start wlan0
2. Scan for WPS-Enabled Routers
Use wash to scan for routers that have WPS enabled:
sudo wash -i wlan0mon
Look for routers with the following:
- WPS Locked: No
- Good signal strength
- WPS version is visible
3. Launch Reaver Attack
Once you’ve found a suitable target, launch Reaver:
sudo reaver -i wlan0mon -b <BSSID> -c <channel> -vv
Explanation of options:
- -i: Your interface in monitor mode (e.g., wlan0mon)
- -b: Target router’s MAC address
- -c: Channel of the target network
- -vv: Verbose output (shows detailed process)
Reaver will try known WPS PINs until it finds the correct one. Once successful, it will display:
WPS PIN: 12345670
WPA PSK: password123
✅ You now have the actual Wi-Fi password (WPA PSK).
🔁 Alternative: Using Bully
Bully is a faster, smarter WPS cracker.
Example:
sudo bully wlan0mon -b <BSSID> -c <channel> -v 3
It can handle errors, locked APs, and even guess missing data.
Tips to Improve WPS Attacks
- Look for routers with WPS locked = No
- Keep the interface close to the router
- Be patient — some routers delay responses or throttle attempts
- Combine wash, reaver, and bully for best success
Defense Against WPS Attacks
- Disable WPS in router settings (always!)
- Use routers that don’t support PIN-based WPS
- Upgrade firmware
- Monitor unusual login attempts
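One way to confirm that WPS is really off on the access points you administer, as an added example that is not from the original post: it parses the table that wash prints and reports only BSSIDs found in your own inventory. The sample output, the OWN_APS inventory and the assumed column layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID) are constructed for illustration.

```python
import re

# Constructed sample of `wash` table output. The column layout is an
# assumption: BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID.
SAMPLE_WASH_OUTPUT = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
02:00:00:AA:BB:01    1  -41  2.0  No   ExampleCo  office-main
02:00:00:AA:BB:02    6  -58  2.0  Yes  ExampleCo  office-guest
02:00:00:CC:DD:03   11  -70  1.0  No   OtherCo    neighbour-net
"""

# Hypothetical inventory of access points you administer.
OWN_APS = {"02:00:00:aa:bb:01", "02:00:00:AA:BB:02", "02:00:00:AA:BB:04"}

ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ch>\d+)\s+"
    r"(?P<dbm>-?\d+)\s+(?P<wps>\S+)\s+(?P<lck>Yes|No)\s+"
    r"(?P<vendor>\S+)\s*(?P<essid>.*)$"
)

def parse_wash(text):
    """Return one dict per AP row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            row = match.groupdict()
            row["bssid"] = row["bssid"].upper()
            rows.append(row)
    return rows

def audit(text, own_aps):
    """Findings for owned APs only. Every row in the scan advertises WPS,
    so an owned BSSID appearing at all means WPS was not disabled."""
    own = {bssid.upper() for bssid in own_aps}
    findings = []
    for row in parse_wash(text):
        if row["bssid"] not in own:
            continue  # ignore networks outside the inventory
        # Unlocked WPS is the state the scanning step above looks for.
        severity = "high" if row["lck"] == "No" else "medium"
        findings.append((row["bssid"], row["essid"], severity))
    return findings

if __name__ == "__main__":
    for bssid, essid, severity in audit(SAMPLE_WASH_OUTPUT, OWN_APS):
        print(f"{severity:6} {bssid} {essid}: WPS still advertised, disable it")
```

An inventory entry that never shows up in the scan is either clean or out of range, so run the check from a spot where the AP's signal is strong.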
Legal & Ethical Warning
Never attempt a WPS attack without explicit authorization. Just because a router is vulnerable doesn’t mean you can ethically or legally attack it.
These tools are for:
- Lab environments
- Red teaming engagements
- Authorized pentests
Wrapping Up
WPS attacks exploit a flaw in router convenience — not encryption. With Reaver or Bully, you can retrieve a WPA2 password without cracking a handshake or brute-forcing.
Next up:
🕵️♂️ Part 12 – MITM Attacks with Bettercap (Wi-Fi Edition)
Learn to intercept traffic over Wi-Fi with full man-in-the-middle capabilities.