allishwell / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Reaver finds PIN but not passphrase #203

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The computer with BackTrack and Reaver is in another room, so I can't cut and paste 
outputs etc... Reaver works just fine, except when it completes the attack it 
returns the PIN but NOT the passphrase. Anyone know why?

Original issue reported on code.google.com by Bel.Mard...@gmail.com on 30 Jan 2012 at 10:51

GoogleCodeExporter commented 8 years ago
I am having the same issue.

I use the latest SVN code (r112) and this command:
reaver -i wlan0 -b 00:B0:0C:55:9B:88  -vvv -c 7 -N --pin=56103762 -A
(using aireplay-ng to associate)

here is the capture
http://www.mediafire.com/?uxe795qpzu7zldt

when not using aireplay-ng the output is the same

on the other hand when I remove the -N switch, I am no longer able to crack it

I am always getting this output and not cracking it

Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 56103762

Original comment by jcdento...@gmail.com on 30 Jan 2012 at 7:36

GoogleCodeExporter commented 8 years ago
here is the capture when not using the -N switch (with or without aireplay-ng 
to associate)

http://www.mediafire.com/file/6xp7wghzy947pl1/WPA__.cap
http://www.mediafire.com/file/nc7dgvdp775wdvy/WPA____.cap

Any ideas what might be wrong?

usually it prints out time, ESSID, PIN, WPA-PSK

in this case only time and PIN
no WPA-PSK, no ESSID

Original comment by jcdento...@gmail.com on 30 Jan 2012 at 7:45

GoogleCodeExporter commented 8 years ago
Same issue where reaver-1.4 would find the WPS pin but not reveal the WPA 
password.  Ran reaver-1.4 several times with the -p argument and WPS pin but it 
never showed the WPA password.  Removed reaver-1.4 and ran reaver-1.3 and the 
password showed up first attempt.

Original comment by brian...@gmail.com on 12 Feb 2012 at 1:13

GoogleCodeExporter commented 8 years ago
Unfortunately most of the APs I have here are sending multiple WPS packets at 
once, so older revisions of reaver interpret that as out-of-order messages.

The -N switch was first implemented in revision 106/107, so I guess reaver v1.3 
does not support that.

any other ideas?

Original comment by jcdento...@gmail.com on 20 Feb 2012 at 7:01

GoogleCodeExporter commented 8 years ago
Yeah, I am having the same issue as above. All nearby APs return multiple 
packets.
Also, if let's say the "correct pin" is  12213456 (without returned wpa) and I 
run reaver .... -p 12215678 it yet once again says "correct pin" (even after 
reboot on Live CD)

Those sent multiple wps packets seem to be the problem I believe.

Also from what I've read you can CHANGE the WPA using the WPS pin with 
wpa_supplicant, but not sure if you can read the current password somehow 
through that WPS pin.

Hopefully Craig hasn't abandoned this little project.

Original comment by xFxIxC...@gmail.com on 29 Feb 2012 at 3:54

GoogleCodeExporter commented 8 years ago
Hopefully this helps out any future wanderers who recover a PIN w/reaver but no 
PSK, as I have had this happen a few times myself with different testing 
devices and firmwares.

I am not 100% certain why this occurs, but I have a feeling that there's more 
than one reason behind it.  Regardless, it's important to know that you CAN 
authenticate to the AP with just the PIN, and in many cases, you will be able 
to recover that session's PSK, albeit via a manual process.

I use debian squeeze (6.0), with kernel 3.2.0-0 from backports, along with 
latest compat-wireless (3.3.1).  I have tested this with wpa_supplicant from 
the repos (v0.6.10), and not from source.

First, set yourself up a very basic wpa_supplicant.conf in 
/etc/wpa_supplicant.conf:
--
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
--
Second, start wpa_supplicant in daemon mode:
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B

Third, run wpa_cli, and verify that it's working by issuing command 'status'.  
You should see wpa_state=INACTIVE

Fourth, let's add our BSSID and PIN:
wps_reg xx:xx:xx:xx:xx:xx 12345678

You should see an "OK".  Wait a few more seconds as wpa_supplicant picks up the 
BSSID and tries to associate and perform key negotiation.  What you want to see 
is "CTRL-EVENT-CONNECTED", which will indicate that the PIN was accepted and 
that you're now associated.

At this point, if you were to exit wpa_cli, you could run dhclient on wlan0 and 
would be offered an IP from the AP, assuming DHCPd were enabled.

Go ahead and type the command 'save', which should output another "OK".  This 
will update the wpa_supplicant.conf file, as specified from the command line, 
with a static configuration for this new network.

Verify by:  cat /etc/wpa_supplicant.conf

If all went well, you should have a line under this new network titled 'psk'.
Good luck!

Original comment by ryanjna...@gmail.com on 11 Apr 2012 at 2:26

GoogleCodeExporter commented 8 years ago
I came across this issue as well when first running reaver, I believe it is 
because i used the -N option but not too sure. After receiving the correct pin 
i then tried this command "reaver -i wlan0 -b 58:6D:8F:D3:8C:AA -vv -T 2 -p 
32410648" it took about an hour but it eventually spit out the psk.

Original comment by str8...@gmail.com on 19 Apr 2012 at 6:39

GoogleCodeExporter commented 8 years ago
The solution mentioned above about wpa_supplicant worked for me!!!!!!! Reaver only 
gave me the PIN but no PSK, but launching wpa_supplicant as he mentioned 
worked!!!! Thanks, I hope this can help more people with the same problem.

Original comment by totten.s...@gmail.com on 25 May 2012 at 10:53

GoogleCodeExporter commented 8 years ago
Tried the solution, but still couldn't get the PIN. What could have gone wrong?

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
    ssid="XXXX"
    bssid=XXXX
    psk="44122317"
    key_mgmt=WPA-PSK
    auth_alg=OPEN
}

Original comment by sammun...@gmail.com on 3 Jun 2012 at 2:48

GoogleCodeExporter commented 8 years ago
Ugh. Still, after doing this it outputs into wpa_supplicant.conf a 64-hex-digit number 
and an SSID which is totally random and not the network. Oh well.... no other 
solutions? Have tried everything (including running reaver with the -p setting 
like 100 times). 

Original comment by factoryu...@gmail.com on 17 Sep 2012 at 3:47

GoogleCodeExporter commented 8 years ago
Hello,

I am running BackTrack 5 R3 with an Alfa Network AWUSO36H, and when I run the 
command reaver -i mon0 -b XXXXXXXXXXXXXX -vv, the PIN blocks first at 90.90 but 
I solved the problem, and second at 99.99% but there is nothing I can do... can 
anyone help me plz?

Thanks

Original comment by contulme...@gmail.com on 18 Sep 2012 at 12:28

GoogleCodeExporter commented 8 years ago
hi,

It's not clear to me how to run wpa_supplicant. If I type the same commands as above 
I don't succeed. Can anyone explain or recommend a step-by-step page? Thank you.

Original comment by gergo.la...@gmail.com on 22 Oct 2012 at 2:35

GoogleCodeExporter commented 8 years ago
I also tried to do as written in Comment 6 with wpa_supplicant.conf and I get 
result same as Comment 10.

"Ugh. Still, after doing this it outputs into wpa_supplicant.conf a 64-hex-digit number 
and an SSID which is totally random and not the network. Oh well.... no other 
solutions? Have tried everything (including running reaver with the -p setting 
like 100 times)."

But I was connected to the Internet and was able to get into the router page 
at 192.168.1.1, but the router password was different from admin, so how do I get 
the router password or change the PSK without getting the router password?

Original comment by vli...@gmail.com on 18 Nov 2012 at 8:27

GoogleCodeExporter commented 8 years ago
Same here... :( I'm using an Alfa 036H... what would be the problem? Pls, anyone?

Original comment by johnnn.g...@gmail.com on 25 Nov 2012 at 10:17

eliddell1 commented 8 years ago

I actually am having the same problem, but only with one wifi card. If I use my TP-Link card it works and spits out the pin, but if I use my Alpha card it only spits out the cracked pin with no passphrase, so I assume there is something wrong with the Alpha card. Any help? This card, by the way, seems to work on my Kali Linux 2.0 but not on a rolling distro of Kali on a Raspberry Pi.