Step #1 - Discover WPS-enabled networks
First of all, we need to put our wireless interface into monitor mode with airmon-ng, by typing the following command (use wlan1 instead of wlan0 if that is the name of your adapter):
kali> airmon-ng start wlan0
Now, let's check to see if any of the APs (Access Points) in our area have WPS enabled and unlocked. The command we will use now is:
kali> wash -i <interface>
If the wireless interface is wlan0, airmon-ng will usually rename it to something like wlan0mon, so the command becomes:
kali> wash -i wlan0mon
As you can see, there are many APs near us with WPS enabled and unlocked. Note that the first column shows the BSSID that we will need in the next step.
Step #2 - Break the PIN with Reaver
Let's start the process of breaking the WPS PIN. Remember that we may have to try up to 11,000 possible PINs; this will probably take several hours, so we will need to be patient. The basic syntax for running Reaver is as follows:
kali> reaver -i wlan0mon -b <BSSID> -S -v
wlan0mon: the name of our wireless interface in monitor mode
BSSID: the MAC address of the AP (Access Point) that we will attack
When the process starts, Reaver reports the access point name, the maximum number of attempts, the manufacturer and the model name. It then starts testing all 11,000 possible PINs.
If Reaver manages to find the correct PIN, it will show it to you in the form you see below.
Now that you have the correct PIN, you can log in to the access point without knowing the router's password!
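The condition wash flags as "WPS enabled / unlocked" corresponds, on a Linux AP running hostapd, to a handful of settings in hostapd.conf. The following added example (my own code, not part of this tutorial or of Reaver) parses a constructed hostapd.conf and reports the WPS exposure, next to the hardened configuration that removes the PIN attack surface; the option names wps_state, ap_pin and ap_setup_locked are real hostapd options, the rest of the config is sample data.

```python
# Added example: audit a hostapd.conf for the WPS exposure that "wash"
# reports as "WPS enabled / unlocked". Both config texts are constructed.

WEAK_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_passphrase=correct-horse-battery
# WPS on, static 8-digit registrar PIN, setup not locked: online PIN guessing applies
wps_state=2
ap_pin=12345670
ap_setup_locked=0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_passphrase=correct-horse-battery
# WPS disabled entirely: no PIN exchange is offered to clients
wps_state=0
"""


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def wps_findings(conf):
    """Return a list of findings describing WPS exposure in a parsed config."""
    findings = []
    state = conf.get("wps_state", "0")
    if state == "0":
        return findings  # WPS off: nothing further to check
    findings.append("WPS enabled (wps_state=%s)" % state)
    if "ap_pin" in conf:
        findings.append("static AP PIN set (ap_pin): online PIN guessing is possible")
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append("AP setup not locked (ap_setup_locked!=1): external registrar allowed")
    return findings
```

Running wps_findings over your own AP configs is a quick way to find the hosts that would show up in a wash scan before someone else does.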