SirTheRev / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Reaver successfully decrypted key, but impossible to reproduce ! #192

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hello,

I'm working on a Cisco/Linksys WRT320N, and Reaver had found the WPA2-PSK Key 
successfully the first time !!
I worked on a Backtrack 5 R1 over VirtualBox with an Alfa AWUS036h (rtl8187 
driver). Backtrack was just downloaded, only synaptic updates, and Reaver 
compiled from subversion.

I try to reproduce it, with same distribution, same laptop, same alfa, same 
router => No software/hardware changes.
But impossible to get the key or the PIN ...

I've tried on 3 different PCs, on Backtrack and Ubuntu, in VirtualBox and on 
Hard installation, with 3 different alfa awus036h and same result : impossible 
to get PIN or KEY!!!!

What's wrong ???

After about 1% of work I get these errors again and again and again :
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin

Regards,
Clement

Original issue reported on code.google.com by thecle...@free.fr on 27 Jan 2012 at 8:24

GoogleCodeExporter commented 8 years ago
Sorry, I forgot some information :
Command used and worked only one time : reaver -i mon0 -b 00:25:9C:CA:AC:8A -c 
11 -vv

Dash output :
BSSID                  Channel       RSSI       WPS Version       WPS Locked    
    ESSID
--------------------------------------------------------------------------------
-------------------------------
00:25:9C:CA:AC:8A      11            -14        1.0               No            
    WifiTutRT

Airodump output :
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:25:9C:CA:AC:8A  -13 100       27        0    0  11  54e  WPA  TKIP   PSK  WifiTutRT

Regards.

Original comment by thecle...@free.fr on 27 Jan 2012 at 9:17

GoogleCodeExporter commented 8 years ago
i have a very similar setup: only difference is my router is a WRT350N. i use 
backtrack 5 r1 CD.

one thing i notice about this setup is that if i use mac spoofing with reaver 
it will rarely associate with the router. without mac spoofing it associates 
MUCH more reliably.

i wonder if mac spoofing is part of your workflow? 

Original comment by damonswi...@gmail.com on 28 Jan 2012 at 3:39

GoogleCodeExporter commented 8 years ago
Hello,

No MAC spoofing, and no MAC filter on the router. I'm not sure this is an 
association problem, Cheff will tell us if he's agree.

Big problem is when I have blocks of timeout and WPS 0x02 code, AP WPS function 
crashes completely. Impossible to reassociate with any device.
I have to power off/on the router to restart reaver.

I just try this command : reaver -i mon0 -b 00:25:9C:CA:AC:8A -vv -a -d 5 
--recurring-delay=5:10 -c 11 -N -E -L
But it's strange because with -N (no nacks) I have always the same output : [+] 
Sending WSC NACK

Original comment by thecle...@free.fr on 28 Jan 2012 at 11:11

GoogleCodeExporter commented 8 years ago
this can be many things

1 - bad signal
2 - with the AP count already at the limit
3 - Problem in the firmware of the AP
4 - Lag sending and receiving packets

Hard to know exactly what can be

Original comment by gcarval...@gmail.com on 31 Jan 2012 at 4:31

GoogleCodeExporter commented 8 years ago
Thanks for your help.

- Signal is at -14dBm which is OK.
- AP is Linksys WRT320N which is the same AP used by Craig Heffner
- Firmware is basic 1.0 so vulnerable.
- With 10 seconds timeout, I have same errors, so I think it isn't lag problems.

If this is a AP count limit, how to change it, is it possible to flash AP with 
a completely vulnerable firmware?

Original comment by thecle...@free.fr on 31 Jan 2012 at 5:49

GoogleCodeExporter commented 8 years ago
Message to craig :
Hi!

Finally it works, I've just use --dh-small option.
I have had about 4x (0x02 errors) per minute after M4 message, during the test 
on 1st half of PIN code.
But when Reaver found it and go to M5 + M6 messages, NO ANY errors to the end !

So it can tell you where looking for, to resolve timeouts for identity. (I say 
again, it starts by 0x02 error on M4 messages)

Regards,
Clem

Original comment by thecle...@free.fr on 18 Feb 2012 at 4:14