jadgorre / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Reaver optimization #335

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I see that reaver check the first 4 digits before check the next 3 digits. It 
makes a maximum 10000 + 1000 = 11000 attempts.
1234 5670
0000 567x
0001 567x
0002 567x

If I'm not wrong, 4 digits confirmation is separated from 3 digits 
confirmation. Then, reaver could check the 3 digits simultaneous with checking 
4 digits:
1234 5670
0000 999x
0001 998x
0002 997x

This makes maximum 10000 attempts (we could determine 3 digits in the first 
1000 attempts of it).

Original issue reported on code.google.com by almaro.r...@gmail.com on 15 Jun 2012 at 11:39

GoogleCodeExporter commented 9 years ago
Yes, but I think that to go to the second part of the PIN the AP needs you to 
send it the correct first part of the PIN.

Original comment by BHT...@gmail.com on 17 Jun 2012 at 3:52

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Reaver can only start cracking the second half once it's done with the first 
one. Thats how WPS connection is made, routers will NOT ask for the second half 
unless the first half is correct. 

It kinda goes like this:

Identity request - Who are you?
Identity response - I am device such and such. 
M1 - What do you want?
M2 - Connect via WPS.
M3 - What are the first 4 digits of the pin?
M4 - They are xxxx.
M5 - Correct, what are the last 4 digits of the pin?
M6 - They are xxxx.
M7 - Correct, the PSK is yyyyyyyyyyyyyy. 

Each NACK from router:
Instead of M1 - You're not allowed to connect. (Mac filtering, lockdown, etc). 
Instead of M3 - WPS connection is currently not allowed (likely unreported 
lockdown). 
Instead of M5 - First half of the pin is wrong. 
Instead of M7 - The last half of the pin is wrong. 

Original comment by nexdem...@gmail.com on 26 Jun 2012 at 8:49