This tool is extremely easy to use. I recommend an RTL8187-based wireless adapter (you already have one of these for your WEP pen testing, right?).
1. Boot Backtrack 5, establish a network connection and install Reaver:
apt-get install reaver
2. First, let's take a look at the available networks; I still use airodump-ng for this.
3. After finding the BSSID we are interested in (the one you just set up for your proof of concept), issue the following Reaver command, replacing "00:11:22:33:44:55" with your target BSSID and "wlan0" with your adapter:
reaver -i wlan0 -b 00:11:22:33:44:55 -c 1 -vv
The above command attacks BSSID "00:11:22:33:44:55" on interface "wlan0" and channel 1 (-c 1), with a high verbosity level (-vv).
In the screenshot, Reaver begins to brute-force PIN combinations. This process can take hours; the Reaver website suggests that on average it will take between 4 and 10 hours to recover a passphrase. The particular AP I tested the attack against had some PIN rate-limiting protection (as reported by Reaver) that significantly delays but doesn't stop the attack. I didn't leave the attack running more than a few minutes, but you get the idea.
Fortunately there is a simple fix: disable WPS or, even better, move to WPA2-Enterprise with a RADIUS back end. With any luck the Wi-Fi Alliance and associated manufacturers will release firmware updates quickly to resolve this issue, but for the time being millions of wireless access points remain vulnerable to this simple attack.
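As an added example (not from the original post), here is a hostapd configuration that shows the fix in concrete terms: the WPS setting Reaver relies on is left in as a comment next to the line that turns WPS off, followed by the WPA2-Enterprise/RADIUS settings. The configuration keys are hostapd's own; the interface, SSID, RADIUS address and shared secret are placeholders you would replace with your own values.

```ini
# Added example: hostapd.conf with WPS disabled and 802.1X/RADIUS authentication.
# Interface, SSID, RADIUS address and secret below are placeholders.
interface=wlan0
driver=nl80211
ssid=EXAMPLE-SSID
hw_mode=g
channel=1

# WPA2 only, CCMP only (no TKIP, no WPA1 fallback)
wpa=2
rsn_pairwise=CCMP

# Vulnerable setting: WPS enabled and configured, so the AP answers
# external-registrar PIN attempts (this is what Reaver brute-forces).
# wps_state=2
#
# Fix: disable WPS entirely. With wps_state=0 the AP advertises no WPS
# information element and offers no PIN exchange at all.
wps_state=0

# Better still: WPA2-Enterprise. Clients authenticate to a RADIUS server
# with per-user credentials instead of a single shared passphrase.
ieee8021x=1
wpa_key_mgmt=WPA-EAP
# 192.0.2.10 is a documentation (TEST-NET-1) address used as a placeholder
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME_RADIUS_SECRET
```

If you must stay on a pre-shared key, keep wpa_key_mgmt=WPA-PSK and a wpa_passphrase line instead of the three auth_server settings; wps_state=0 applies either way. On consumer routers there is no such file to edit, so turn WPS off in the admin interface and then confirm the change from the outside: after the AP restarts, a scan of its beacons (airodump-ng shows this) should no longer list WPS support for that BSSID.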