First, load up your Backtrack VM. Once it has booted, connect your USB wireless network adapter. It may be connected to the VM automatically, but if it is not, you will see little icons in the bottom right of your VMware Player like the ones in the picture below:
The faded icon that looks like a USB stick is usually the one that represents the wireless network adapter. Simply click on it and select Connect (disconnect from host).
Now that we have our wireless card connected, let's give it an interface to operate from. To do this we will put it in monitor mode. We do this by opening a new terminal and entering the command below:
airmon-ng start wlan1
(Note: your wlan may have a different number, but it is usually 1 or 0.)
When done correctly, this will put your wireless network adapter into monitor mode, which allows us to examine packets being sent wirelessly. This will also start an interface called mon0, which we will be running our attack through.
Using Wash to Find a Vulnerable Router
This is easy to do. Just open up a terminal and enter the command below:
wash -i mon0
This will start the wash program, which will use the mon0 interface to find the vulnerable wireless routers and display them in the terminal in a table like the one in the picture below:
After about 2 minutes wash will have found all vulnerable wireless routers, so we will have to stop it running. To do this, make sure you have the terminal as your active window, then press and hold 'ctrl' and press 'z'.
DO NOT CLOSE THE TERMINAL
Using Reaver to Get the Password
Reaver uses a brute-force method to attack the WPS PIN, trying a total of 11k PINs. It's very simple to use, but first we need to pick our target from the table in wash.
I suggest picking the one with the lowest RSSI because it will have the best signal. When you pick your target, copy the MAC address. The MAC address is 12 characters long and separated using colons every two characters, for example A3:ED:S2:22:SD:FF.
Now open a new terminal and enter the command below, but replace the example MAC address with the one you copied.
reaver -i mon0 -b C0:3F:0E:C2:D4:C4 -v
Reaver can get the right PIN the first time, or it could be the last one it tries, but if the router is accepting the PINs then Reaver will get it and display the correct WPS PIN and password in the terminal!
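An added example, not part of the original tutorial: the same wash table can be read the other way round, to check whether routers you administer still advertise WPS and should have it switched off. The column layout, the sample rows and the list of owned BSSIDs are constructed assumptions; adjust the pattern to the output of your wash version.

```python
import re

# Constructed sample of a wash table. The column layout is an assumption
# and may differ between wash versions; BSSIDs and ESSIDs are made up.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------
00:11:22:33:44:55       1            -48        1.0               No                office-ap
00:11:22:33:44:66       6            -61        1.0               Yes               lab-ap
66:77:88:99:AA:BB      11            -70        1.0               No                Cafe Guest WiFi
"""

# BSSID (six hex pairs), channel, RSSI, WPS version, lock state, ESSID (may contain spaces).
ROW = re.compile(
    r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*)$"
)

def parse_wash(text):
    """Return one dict per access point row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            bssid, channel, rssi, version, locked, essid = m.groups()
            rows.append({
                "bssid": bssid.upper(), "channel": int(channel), "rssi": int(rssi),
                "wps_version": version, "locked": locked == "Yes", "essid": essid.strip(),
            })
    return rows

def audit(text, owned_bssids):
    """Report only the access points you administer that still advertise WPS."""
    owned = {b.upper() for b in owned_bssids}
    findings = []
    for ap in parse_wash(text):
        if ap["bssid"] not in owned:
            continue  # not ours: out of scope for the audit
        state = "locked" if ap["locked"] else "unlocked"
        findings.append((ap["essid"], ap["bssid"], f"WPS advertised ({state}): disable WPS"))
    return findings

if __name__ == "__main__":
    mine = ["00:11:22:33:44:55", "00:11:22:33:44:66"]  # hypothetical inventory
    for essid, bssid, action in audit(SAMPLE_WASH_OUTPUT, mine):
        print(f"{essid} ({bssid}): {action}")
```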