rileywold / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

reaver resume from certain pin nr. #233

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hello. First of all great job on reaver. Amazing work and dedication to 
networking. Now on to my problem. I run a live BT4 (for some reason bt5 is more 
problematic with drivers and i don't want to install every reboot)... and just 
started testing reaver. I was looking at the progress after 14 hours of work 
and my laptop shutdown. I thought i was in luck cause i could remember the 
first 3 digits from the last pin it tryed but as it turns out I was unable to 
find the comand line ...if it exist to do this. Needless to say the reaver 
sesion file got lost when rebooted.

EX: got the pin 678x xxxx 
Tryed out reaver -i mon0 -b XX:XX:XX:XX:XX --pin=678xxxxx -vv
Help on this would be apreciated 

Original issue reported on code.google.com by Podea...@gmail.com on 13 Feb 2012 at 12:29

GoogleCodeExporter commented 8 years ago
I think they are the first 4 or 8 to get started to try.

Original comment by demon.ia...@hotmail.com on 13 Feb 2012 at 2:13

GoogleCodeExporter commented 8 years ago
Let me be clearer : I want to start pin guesing from 67800000. Is there a 
comand line to do this?

Original comment by Podea...@gmail.com on 13 Feb 2012 at 5:54

GoogleCodeExporter commented 8 years ago
You could just restart the process from the beginning, then stop it and modify 
the session file. The very first line in the session file says which line 
number it's currently at. (But note that the pins aren't in perfect order; some 
combinations are tried first, before the sequential attack.)

Original comment by vidar...@gmail.com on 14 Feb 2012 at 7:43

GoogleCodeExporter commented 8 years ago
you can make it possible by trying this code
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -p (67800000)

after it start the and check for the first pin (67800000) 
press ctrl+c it will save the process then 
then start reaver without -p option  then it will ask you to resume the old 
process
say yes
:))))))))))))))))

Original comment by alhorani...@gmail.com on 14 Feb 2012 at 8:12

GoogleCodeExporter commented 8 years ago
great thx a lot for the answers :)

Original comment by Podea...@gmail.com on 14 Feb 2012 at 11:00

GoogleCodeExporter commented 8 years ago
This is my first post here, and im new testing Reaver 1.4

For does who wonder how to set a start pin on reaver, guess what? It seems 
reaver dont have any command for that. But is there any solution? 
Using [ -p ]  option will NOT work, because it only establish a static Pin , 
and will NOT continue from on to the next consecutive number.

So we are all F**** up?
Not really , you can always re-start the search from Zero, and in case you are 
one of the lucky one trying to hack a WPA2 PSK with Attack detections and AP 
rate limiting, then you will have to wait like 4 days till you finish testing 
all 100 millions PINs. But here are 2 more options:

1. Stop hacking other people's network and start pay  an internet service. 
    For this write:

    aircrack-ng stop hacking
    get -apt your own internet service

2. If you still want to F*** your neighbor, you on your own. 

- Edit the file [BSSID].wpc

Notes:  
(The file name will have the BSSID as the name and will end with < .wpc >)   
(This file contains the list of all pins to be tested, but the first Pin is the 
las that you tested on the last session. So this allow you to set the start PIN 
that Reaver will take to continue from it)

For BackTrack 5, under Device - enter File System
This file is at the following directory:
[ usr/local/etc/reaver  ]

Original comment by AeonL...@gmail.com on 2 Jun 2012 at 6:05

GoogleCodeExporter commented 8 years ago
hello there. hope someone out here can help me with some kind of funny problem.

i just run reaver on my backtrack 5 r2, wait it for about 9 hours and get 
complete around 35%, but suddenly it get shutdown because of electricity 
congestion in my home.i'm running my laptop without the battery,just the plug 
in.

my question is, how do i continue to the last process which is the 35% complete?

or i have to start it all over again like 10hours to only get 35% and continue 
another 1 day to complete it? it is such a long time to take. if someone can 
help me,please !! i'm begging you. can't take to wait such a long time.

thanks in advance. :D

Original comment by syahiqba...@gmail.com on 4 Dec 2012 at 2:39

GoogleCodeExporter commented 8 years ago
ok, i have figured out this issue of having reaver start from a certain pin in 
case system restarted or you lost the session file. please consider the steps 
below.

First plz let me explain a litle of how session file works so you can do it 
easily.

Reaver attacks on WPS supported routers and WPS pin consist of 8 digits.

This key is divided in 2 parts, 1 part consisting of 4 digits and other part of 
3 digits, last digit is some random index number i think.

Anyway, This makes upto 11,000 key combinations which reaver brute forces one 
by one.

First reaver will break firt part (10,000 combinations) and then 2nd part (1000 
combinations)

You can observe it while reaver is attacking,

56871103 (seperated as 5687-110-3)
56881105 (seperated as 5688-110-5)
56891102 (seperated as 5689-110-2)
--------------------------------------
------- assuming first part is broken which is 5689, now -----------
----------------------------------------------
56891112 (seperated as 5689-111-2)
56891125 (seperated as 5689-112-5)
56891139 (seperated as 5689-113-9)
56891143 (seperated as 5689-114-3)

OK, NOW THE SESSION FILE AND PIN PART

Now, in case you had lost the session file, lets first look how session file is 
working.

session file is saved in folder /usr/local/etc/reaver as <bssid>.wpc

suppose the bssid we are working on was 8C:0C:A3:2B:19:D7

this session file will be saved in folder as folder /usr/local/etc/reaver as 
8C0CA32B19D7.wpc

This session file consists of 11,000 keys in 2 parts
1. 4 Digits (until 9998, one on each line)
2. 3 Digits (until 998, one on each line)

To know the bssid, you can check it through airodump-ng

Remeber we have lost the session file, so first we will create the session file 
using another bssid.

1. start reaver attack using any random bssid and after 1 or two pin attempts, 
prezz Ctrl+Z to stop the process.
2. Now goto /usr/local/etc/reaver folder and there you will see the .wpc file 
with that random bssid you just attacked on.
3. Provided that you have noted the target bssid for which you had lost the 
session file, change the name of this wpc file to that bssid, e-g from 
8C0CA32B19D7.wpc to 001122334455.wpc (assuming that my target bssid id I was 
working on before was 00:11:22:33:44:55)
4. Now open this wpc file in any text edtitor and you will see the keys written 
as i told above, but
5. In first line is the pin which reaver was cracking, let say you remembered 
it or you knew the average percentage reaver was completed. Let say 49%.
6. Now from that we can assume that there are 10,000 combinations first, and it 
was done 49% so ping might be somewhere around 4900.
7. Just change that pin in first line to 4900 or any closest according to the 
analysis.
8. 2nd and 3rd lines are saying 0 and 0 and rest are combinations.
9. Save the file.
10. start reaver with that exact target bssid which you were working on before.
11. Voila, say thanks to me in your heart because i can see that smile of 
winning on your face :P

Original comment by muneeb.x...@gmail.com on 13 Mar 2013 at 9:49

GoogleCodeExporter commented 8 years ago
Good job!! tkss

Original comment by robinson...@gmail.com on 1 May 2013 at 6:36

GoogleCodeExporter commented 8 years ago
Thank you very much :)))))))))))))

Original comment by Nano.R...@gmail.com on 12 Jun 2013 at 3:13

GoogleCodeExporter commented 8 years ago
Good man you just saved the day muneeb GOD BLESS YOU!!

Original comment by Computer...@gmail.com on 19 Dec 2013 at 10:44

GoogleCodeExporter commented 8 years ago
is the 11th requirement done yet, muneeb? :)

Original comment by HuyNguye...@gmail.com on 6 Feb 2014 at 12:37

GoogleCodeExporter commented 8 years ago
Hy guys. First of all thx all for the answers. Now on to more important things. 
Lately I have a very small amount of free time but last night I got a couple of 
hours playing with reaver again. I was comparing some routers and wi-fi dongles 
to check signal strengt and security to see wich one is best. After the 2 hours 
have past I had this Ideea: IS IT POSSIBLE TO USE THE SAME COMPUTER IN ORDER TO 
RUN 2-3 SIMULTANEOUS REAVER ATTACS WITH 3 WI-FI ADAPTERS? meaning that I could 
run reaver at the same time on mon0,mon1, mon2 maybe? If so how to do this ? 
cause I would like for ex to do it like this: mon0 firts 4000 combinations mon1 
from 4 k to 7k and mon2 from 7k to 10k until one hits the first 4 pin no. This 
will increase speed up to 300%. I did not check it because probably the file 
would be the same and keep rewriting. how to make it save sessions in different 
files so i can edit ? is this possible? what do you think?. I will play around 
and try to find an answer but if you have some imput please write to all 
listening :D 

Original comment by Podea...@gmail.com on 6 Feb 2014 at 7:35

GoogleCodeExporter commented 8 years ago
Here is my conjecture. 

8 digit WPS pin is divided into groups of 4-3-1

Last digit is checksum of seven previous digits and can be calculated as 
follows:

Assume seven digits FGHJBNM
Add the even ones plus three times the odd ones, change sign and do MOD 10.

CHKSUM = MOD( -(3*(F+H+B+M) + (G+J+N)) ,10)

CHKSUM (1234567) = 0 , CHKSUM (4561237) = 4

This is just for explanation because Reaver does it automatically.

The file where reaver keeps the information has 11003 lines which we divide in 
three groups.

Lines 1-3 (3 lines) where it keeps track of the numbers tested.

Lines 4 to 10003 (10000 lines) are the four digit numbers in the order they are 
tested. Note that they are not in order and that more frequent numbers are 
tested first.

Lines 10004 to 11003 (1000 lines) are the three digit numbers in the order they 
are tested.  

Line 1 contains the line number (address) of the last four digit number tested, 
not the number itself. The relative line number begins  at #4 so if line 1 
reads 2528 it means the last number tested is located at line number 2528 
beginning at line 4 which is absolute line number 2532.

Note that the list of numbers are not in nummerical order and most frequent 
numbers are tested first.

Once the first four digits have been found the process goes on with the three 
following digits in a similar manner except that the number in the second line 
will be the line number of the three digit code beginning at line 10004 so we 
have to add 10004 to the number in line 2. 

I have not tested this thoroughly but I believe that if it is not exactly right 
at least it comes very close. 

Note also that you can change the order of the numbers tested by editing the 
list. You can start at the top and go down or you can alternate.  

Original comment by alfgo...@gmail.com on 8 Mar 2014 at 6:15

GoogleCodeExporter commented 8 years ago
i know first two digits of pin like 98 and total number of digits are 8 so what 
i can do for this please help ?

Original comment by eaglesta...@gmail.com on 23 Jul 2015 at 4:42