Sbeiersc / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

stuck at 99.9%, keeps trying the same pin #129

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

version 1.3

1. What operating system are you using (Linux is the only supported OS)?

bactrack 5 (reaver installed with " apt-get install reaver"

2. Is your wireless card in monitor mode (yes/no)?

yes

3. What is the signal strength of the Access Point you are trying to crack?

pwr : -55
rxq : 70

5. What is the entire command line string you are supplying to reaver?

"reaver -i mon0 -b 00:25:XX:XX:XX:XX -vv"

6. Please describe what you think the issue is.

gets to 99.9% then keeps trying the same pin over and over.
after waiting for half an hour, stopped with ctrl+c and saved.
restarted, restored the session but keeps trying same pin over again

Original issue reported on code.google.com by ismailce...@gmail.com on 12 Jan 2012 at 11:37

GoogleCodeExporter commented 8 years ago
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

version 1.4 r_84

1. What operating system are you using (Linux is the only supported OS)?

Back|Track5 r1 (reaver dowload with "svn checkout 
http://reaver-wps.googlecode.com/svn/trunk/ reaver"
And installed : 
root@bt:~/reaver/src# ./configure && make && make install

2. Is your wireless card in monitor mode (yes/no)?

yes.
Note the wireless network card:
root@bt:~# lspci -v

"03:04.0 Ethernet controller: Atheros Communications Inc. Atheros AR5001X+ 
Wireless Network Adapter (rev 01)
    Subsystem: D-Link System Inc Device 3a13
    Flags: bus master, medium devsel, latency 168, IRQ 16
    Memory at fbff0000 (32-bit, non-prefetchable) [size=64K]
    Capabilities: [44] Power Management version 2
    Kernel driver in use: ath5k
    Kernel modules: ath5k
"

3. What is the signal strength of the Access Point you are trying to crack?

root@bt:~# iwlist mon0 scanning
" Cell 04 - Address: 00:B0:0C:XX:XX:XX
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=27/70  Signal level=-83 dBm  
                    Encryption key:on
                    ESSID:"Tenda"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 9 Mb/s
                              18 Mb/s; 36 Mb/s; 54 Mb/s
                    Bit Rates:6 Mb/s; 12 Mb/s; 24 Mb/s; 48 Mb/s
                    Mode:Master
                    Extra:tsf=000001b496a94a42
                    Extra: Last beacon: 612ms ago
                    IE: Unknown: 000554656E6461
                    IE: Unknown: 010882848B961224486C
                    IE: Unknown: 030106
                    IE: Unknown: 2A0104
                    IE: Unknown: 32040C183060
                    IE: Unknown: 2D1AEE1117FF000000010000000000000000000000000C0000000000
                    IE: Unknown: 3D1606050000000000000000000000000000000000000000
                    IE: Unknown: 3E0100
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
                    IE: Unknown: 7F0101
                    IE: Unknown: DD07000C4304000000
                    IE: Unknown: 0706434E20010E10
                    IE: Unknown: DD1E00904C33EE1117FF000000010000000000000000000000000C0000000000
                    IE: Unknown: DD1A00904C3406050000000000000000000000000000000000000000
                    IE: Unknown: DD9A0050F204104A0001101044000101103B000103104700102880288028801880A88000B00C482D881021001852616C696E6B20546563686E6F6C6F67792C20436F72702E10230011576972656C6573735F4E20526F75746572102400065254323836301042000831323334353637381054000800060050F204000110110011576972656C6573735F4E20526F75746572100800020084103C000101
"

5. What is the entire command line string you are supplying to reaver?

"eaver -i mon0 -b 00:B0:0C:48:2D:88 -c 6 -e Tenda -S -w -vv"

6. Please describe what you think the issue is.

gets to 90.90% then keeps trying the same pin (13695675) over and over.
after waiting for half an hour, stopped with ctrl+c and saved.
restarted, restored the session but keeps trying same pin over again.
Attached files .cap .png referring to the problems.

I am wait response.

Original comment by suzuk_1...@hotmail.com on 12 Jan 2012 at 1:49

Attachments:

GoogleCodeExporter commented 8 years ago
@ismailcemoz: this sounds like a dup of issue 88. I would also suggest using 
the latest SVN code instead of 1.3 (1.4 will be released soon!) as 1.3 had some 
bugs with false pin matches.

@suzuk: looking at your iwlist output you have a pretty low signal strength and 
receive quality, which is reflected in the pcap file. Reaver is having trouble 
even establishing a WPS session. However, with that said, I'm seeing some 
strange behavior from Reaver in that it is sending M6 packets out of order. I 
think I know what might be causing this, I'll take a look at the code and let 
you know when I have a fix.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 2:46

GoogleCodeExporter commented 8 years ago
I have the exact same issue but at 90.90% :
Output:
reaver -i mon0 -b 00:26:11:22:33:44 -L -E -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

[?] Restore previous session? [n/Y] y
[+] Restored previous session
[+] Waiting for beacon from 00:26:11:22:33:44
[+] Switching mon0 to channel 1
[+] Associated with 00:26:11:22:33:44 (ESSID: AP_NAME)
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending M2 message
[+] Sending M4 message
[+] Sending WSC NACK
[+] 90.90% complete @ 2012-01-12 15:24:15 (5 seconds/attempt)
[+] Trying pin 77424013
[+] Sending EAPOL START request
[+] Sending identity response

Version:
Version 1.4_88

Back|Track5 r1 (reaver dowload with "svn checkout 
http://reaver-wps.googlecode.com/svn/trunk/ reaver"
And installed : 
root@bt:~/reaver/src# ./configure && make && make install

I'm using a AWUS036H adapter (RTL8187) in monitor mode. I've now had this issue 
against 2 AP's. 1 is a Thomson the other I'm not sure about.

I have a pcap of this with a eap display filter as suggested in issue 94. 
Please let me know where I can send it to.

Original comment by alphe...@gmail.com on 12 Jan 2012 at 3:04

GoogleCodeExporter commented 8 years ago
Just mailed the pcap file to Craig.

Original comment by alphe...@gmail.com on 12 Jan 2012 at 3:09

GoogleCodeExporter commented 8 years ago
@suzuk: I just checked in some code that should fix your issue, but I can't 
reproduce it on my end so please verify.

@alphenit: From Reaver's output it seems that the first half of the pin is 
incorrect. I just got your pcap, will look it over.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 3:10

GoogleCodeExporter commented 8 years ago
@alphenit: Yes, looking at the pcap the first four of the pin that Reaver is 
trying is definitely wrong, but it looks like Reaver has run out of pins to 
test so it keeps trying the last one. Can you give Reaver the correct pin with 
the --pin option and make sure that it works?

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 3:13

GoogleCodeExporter commented 8 years ago
@Craig
The AP belongs to a neighbor of mine who went abroad for work a couple of days 
back. I asked him if I could "play" with his router which he was fine with. (so 
I don't have physical access to the bloody thing)
He's on a flexible contract abroad so could be weeks or months before he 
returns :( .

Original comment by alphe...@gmail.com on 12 Jan 2012 at 3:24

GoogleCodeExporter commented 8 years ago
i have same problem in 90.90% its repeat same pin 

Original comment by 1achr...@gmail.com on 12 Jan 2012 at 3:30

GoogleCodeExporter commented 8 years ago
Issue 130 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 3:39

GoogleCodeExporter commented 8 years ago
The same problem at 90.90% with Reaver v1.4.

Ubuntu x86_64, Linux 3.0.0-14-generic
$ ./reaver -i mon0 -b 00:00:00:00:00:0 -e xxx -c 1

Original comment by ViktorMa...@gmail.com on 12 Jan 2012 at 4:10

GoogleCodeExporter commented 8 years ago
have the same issue, stuck at 90.90% tried two times with my different routers

Original comment by piort...@gmail.com on 12 Jan 2012 at 7:33

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I'm trying to reaver 1.4 r_90. I'll take 24 hours in a test and see if the 
problem of catching the 90.90% has been resolved and the other place.
When you have it or I'll post the results here in this topic.

Original comment by suzuk_1...@hotmail.com on 12 Jan 2012 at 9:59

GoogleCodeExporter commented 8 years ago
@suzuk_1 Ok Plase post the result here ok? tanks

Original comment by 1achr...@gmail.com on 12 Jan 2012 at 10:00

GoogleCodeExporter commented 8 years ago
@1achraf3  OK :D

@cheffner  I'm trying to reaver 1.4 r_90. 
I'll take 24 hours in a test and see if the problem 
of catching the 90.90% has been resolved and the other place.
When you have it or I'll post the results here in this topic.

Original comment by suzuk_1...@hotmail.com on 12 Jan 2012 at 10:05

GoogleCodeExporter commented 8 years ago
I'm also taking 1.4 r90, clearing the current progress and start over to see 
how this version works out.
Is there an easy way to see what 1.4.xx version we are using..? I now use the
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver_versionnumber
then  ./configure && make && make install and I assume it will replace the 
older version which is now 1.4. If possible maybe add the .xx so 1.4.90, could 
make it  easier when determining which version is actually used?

Original comment by alphe...@gmail.com on 12 Jan 2012 at 10:31

GoogleCodeExporter commented 8 years ago
Working test error 90.90% New revision R90

Original comment by 1achr...@gmail.com on 12 Jan 2012 at 10:45

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I finished the test took 6:45 minutes each.
WPS PIN found. Not if the PIN is really what is in the access points, because I 
have no access to it was just a test
I used the Back|Track 5 r1,Gnome
reaver 1.4 r90
Attached the PrintScreen:
@cheffner If the PIN is true it is possible to know the WPA2 CCMP PSK?
Iam wait response.

Original comment by suzuk_1...@hotmail.com on 13 Jan 2012 at 4:27

Attachments:

GoogleCodeExporter commented 8 years ago
I think after it cracks the WPS key, reaver is supposed to show the WPA key. At 
least it did so in cracking my own router, show the pin, followed by the wpa 
key and then the SSID..

Original comment by alphe...@gmail.com on 13 Jan 2012 at 7:48

GoogleCodeExporter commented 8 years ago
I just completed another test. But with different results, 5:10 hours / minutes 
and with different PIN.
I can not make if the PIN is correct, because the access point is not
mine is just for testing.
I used Back|Track 5 r1 Gnome
reaver 1.4 r_90
Follow the PrintScreen:
@ cheffner took the test twice and have different PINs, is it a mistake or not?
First test Second test PIN PIN = 47303089 = 47306868
Ing the first test and second test in the first four digits
were = "4730"
I await answers ..
thank you

Original comment by suzuk_1...@hotmail.com on 13 Jan 2012 at 10:26

Attachments:

GoogleCodeExporter commented 8 years ago
I finished trying with r90 but the issue remains, at 90.90% it keeps trying the 
same pin :(
Let me know if you need anything else..

Original comment by alphe...@gmail.com on 13 Jan 2012 at 1:13

GoogleCodeExporter commented 8 years ago
Issue 135 has been merged into this issue.

Original comment by cheff...@tacnetsol.com on 13 Jan 2012 at 1:49

GoogleCodeExporter commented 8 years ago
So I haven't tracked down the exact cause of this problem, but it is pretty 
obvious that it has been caused by one of the more recent code changes or else 
we would have been seeing this earlier.

At the moment Reaver is undergoing a code clean up - a lot of code was reused 
from wpa_supplicant, and for Reaver's purposes it is overly complex. 
Refactoring the code will probably take a few days, but should clean up this 
(and other) issues and with simplified code make it easier to track down future 
issues, so please be patient with me. :)

In the mean time, reverting to a previous revision should clear this problem 
up, though I'm not sure yet which rev exactly introduced this bug.

Original comment by cheff...@tacnetsol.com on 13 Jan 2012 at 1:53

GoogleCodeExporter commented 8 years ago
The version 1.3 no have problem 90,90 %

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 1:59

GoogleCodeExporter commented 8 years ago
I'm not sure about the 1.3 version. I've installed it through apt-get install 
reaver in BackTrack and trying it on the same router. I'll share results if I 
have any :)

Original comment by alphe...@gmail.com on 13 Jan 2012 at 3:14

GoogleCodeExporter commented 8 years ago
Im working in 14.R90 and i dont see the problem 90.90 ok?

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 5:12

GoogleCodeExporter commented 8 years ago
I've tried 1.4 R90 yesterday and I DID see the 90.90% error so it is still 
there.
I'm now running the 1.3 version to see what happens there.

Original comment by alphe...@gmail.com on 13 Jan 2012 at 6:59

GoogleCodeExporter commented 8 years ago
Found 14 r.90 Cracked 100% WPA2-PSK[TPIK] + WPA2-PSK[AES]

Bactrack 5 R1 

Reaver 1.4 R.90

Terminal:

reaver -i mon0 -b 00:11:22:33:44 -vv

Key Cracked in: 10396 Seconds

Password Type: WPA2-PSK[TPIK] + WPA2-PSK[AES]

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 7:34

Attachments:

GoogleCodeExporter commented 8 years ago
Well that is nice but what did you change since everyone in this thread has 
tried 1.4 r90 and gets the 90.90% error.

What version were you using yesterday when you reported the 90.90% error and 
what changed since then..?

QUOTE:
Comment 8 by 1achr...@gmail.com, Yesterday (28 hours ago) i have same problem 
in 90.90% its repeat same pin 

Original comment by alphe...@gmail.com on 13 Jan 2012 at 7:57

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
Alphe the bug is in version Reaver 1.4 r89 

work yesterday with 1.4 r89

Today i update to r90

Time : 00:00 finish to 19:30

R90 is found 100% some errors but not serious

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 8:04

GoogleCodeExporter commented 8 years ago
Alphe the bug is in version Reaver 1.4 r89 

work yesterday with 1.4 r89

Today i update to r90

Time : 00:00 finish to 19:30

R90 is found 100% some errors but not serious

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 8:04

GoogleCodeExporter commented 8 years ago
I updated to r90 yesterday and I still had the issue after rebooting my laptop 
so something is still not right.
Probably like Craig said that Reaver might need some code clean up to see if 
the issue remains after that...

Original comment by alphe...@gmail.com on 13 Jan 2012 at 9:57

GoogleCodeExporter commented 8 years ago
Test in a live bactrack an download reaver with code :

svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 10:05

GoogleCodeExporter commented 8 years ago
I have Backtrack 5 R1 installed on my laptop and installed reaver with svn.
I'm now working with 1.3 again from the BackTrack distro to see how that goes.

I might try the live cd again after that, but if I run into connectivity 
problems because of ubuntu as mentioned in another issue, you have to reboot 
into the live environment again and will loose all progress if you use the live 
cd.

Original comment by alphe...@gmail.com on 13 Jan 2012 at 10:18

GoogleCodeExporter commented 8 years ago
Im working in a live usb , check 1.3 an tell me , but I trust 1.4 r90 found 
good 

please format usb and install with unebootin Bactrack 5 R1 then install reaver

and check i dont like install bactrack that the logs not clean good

Original comment by 1achr...@gmail.com on 13 Jan 2012 at 10:27

GoogleCodeExporter commented 8 years ago
just tried again with r90, and blocks at 90,90%. i used live cd backtrack 5 r1

Original comment by piort...@gmail.com on 15 Jan 2012 at 6:28

GoogleCodeExporter commented 8 years ago
This issue appears to be a result of WPS messages being improperly 
identified/processed. The code that handles this has been re-worked and checked 
in as of r91; hopefully that will clear up this issue (having trouble 
reproducing it myself).

Original comment by cheff...@tacnetsol.com on 16 Jan 2012 at 5:03

GoogleCodeExporter commented 8 years ago
I've got the exact same problem, running 1.3 on ubuntu 11.10. I'm going to see 
what happens with the rc91 ;)

Original comment by hadwa...@gmail.com on 16 Jan 2012 at 5:30

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
Latest svn trunk, same issue. No M6 messages, no lockouts, it just keeps trying 
the same pin over and over forever while stuck at 90.90% 

I tried giving it my first 4 numbers and it worked flawlessly. It seems to be a 
problem guessing the first 4 numbers.

Original comment by kahakki...@gmail.com on 17 Jan 2012 at 12:24

GoogleCodeExporter commented 8 years ago
Just did a 5 hour run against my AP with r96, got both halves of the pin fine.

kahakkinen, it sounds like you are restoring your old session in which all of 
the possible combinations for the first half of the pin have already been 
exhausted. This will not work. You'll need to start a new session from scratch.

Original comment by cheff...@tacnetsol.com on 17 Jan 2012 at 12:43

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I do that every time I compile a new version. I go to /usr/local/etc/reaver and 
delete every file in there, then I start running reaver again. 

For example, I just deleted the files in /usr/local/etc/reaver and am now 
running it again.. 4.34% and counting. 

Original comment by kahakki...@gmail.com on 17 Jan 2012 at 12:49

GoogleCodeExporter commented 8 years ago
OK, let me know the outcome. Reaver now cycles through pins in order, so it 
should be easy to see when it is approaching the correct first 4 pins. If 
Reaver still does not get the first 4 pins correct, can you provide the reaver 
output (with -vv) when it does attempt the correct 4 pins? And preferably a 
pcap as well.

It would be very odd if Reaver always misses the first half of the pin when 
brute forcing, but works fine when you manually specify the first half of the 
pin...

Original comment by cheff...@tacnetsol.com on 17 Jan 2012 at 1:03

GoogleCodeExporter commented 8 years ago
[deleted comment]