jbond42 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

WPS transaction failed (code: 0x2), and (code: 0x03) #167

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When attempting to attack WPS Pin mode on wireless router, attacking device 
successfully associates, tries a pin, sends EAPOL Start request, etc all the 
way up until a 'Wps transaction fail code 0x02' is shown. It will cycle between 
this error and another error verbatim, except the error code is 0x03 No keys 
are actually successfully tested: It will stay on the first key indefinitely. 

Scenario - Setup a Netgear WNR2000 wireless router with WPS Pin mode enabled, 
running wpa2 psk.

The laptop running reaver-wps rev 110 from svn, is running backtrack 5 R1 with 
newer compat-wireless drivers after the first few attempts failed 
(compat-wireless-2012-01-22 is what i am now using). I have also tried multiple 
wireless cards (usb ralink RT2860, internal chipset that is also a ralink 
RT2860 using rt2800pci and another usb ralink 2573 using rt73usb - All of which 
i noticed have been reported to be working) , all of which can inject 
successfully to the wireless access point (Yes. It is in monitor mode.) Signal 
strength is -120dB (The laptop and wireless router are actually on the same 
desk, i have also tried moving further away from the AP in case of 
interference, turned off other access points in the same house - only one other 
AP is in use here, it's for personal internet, NOT using WPS:) )

What do i think the issue is? I'm not sure if it's either a issue in my set up 
- my wireless cards (perhaps they are having issues with this attack, even 
though they support injection mode and have worked fine for breaking WEP, 
WPA1/2 and have been thoroughly used for the last year), or possibly the 
wireless router I have used either blocks this sort of attack, or is not 
handling WPS as per spec. I have also tested with a borrowed wireless AP (Older 
thomson TG782T), both have reported to be running WPS 1.0 according to WASH, 
although i am not sure about the thomson being configured to be used for WPS 
Pin.  

The commandline string used is as follows:
<Against Netgear WNR2000>
reaver -i mon1 -b 00:1F:33:F7:EA:59 -vv -a
<Against old thomson TG782T>
^same as above, except seperate address

Have also tried giving it my adapters mac address with -m (just for testing)
have tried with and without -a, sometimes experimenting with --win7 too.

The output from reaver is as follows:
[+] Waiting for beacon from 00:1F:33:F7:EA:59
[+] Switching mon2 to channel 1
[+] Associated with 00:1F:33:F7:EA:59 (ESSID: PEN_LAB_01)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2012-01-23 15:54:52 (0 seconds/pin)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
<It goes on for another 300 lines, i can attach those too if you'd like>

Also, the output of WASH is as follows:
BSSID                  Channel       RSSI       WPS Version       WPS Locked    
    ESSID
--------------------------------------------------------------------------------
-------------------------------
08:76:FF:0F:E6:5A       1            -54        1.0               No            
    BigPond0FE65A
00:1F:33:F7:EA:59       1            -39        1.0               No            
    PEN_LAB_01
 <sorry about the formatting!>

-Unfortunatly i'm getting a message about issue attachment storage quota 
exceeded, so I cannot post a pcap dump here. Would it be acceptable if I posted 
on my own webserver and provided a link?

<PS, sorry for the essay. I've tried a bit to get this to work!>

Original issue reported on code.google.com by m...@c0refailure.com on 23 Jan 2012 at 5:03

GoogleCodeExporter commented 9 years ago
Hi guys, gone through issue, reaver 1.4 trying same pin everytime. 

Noticed that, Reaver 1.4 tried same pin specified (-p xxxxxxxxx), when resumed 
from previous session (where specified pin was stored).

Started same  : reaver -i mon0 -b xx:xx:xx:xx:xx:xx -c 1 -vv
Without : resuming previous session

Now it tried new set of pin.

Hope it helps some

Original comment by dominiq....@gmail.com on 5 Jun 2015 at 6:26