When attempting to attack WPS Pin mode on a wireless router, the attacking device
successfully associates, tries a pin, sends an EAPOL Start request, etc., all the
way up until a 'WPS transaction fail code 0x02' is shown. It will cycle between
this error and another error that is identical except that the error code is 0x03.
No keys are actually successfully tested: it will stay on the first key indefinitely.
Scenario - Set up a Netgear WNR2000 wireless router with WPS Pin mode enabled,
running WPA2 PSK.
The laptop running reaver-wps rev 110 from svn is running BackTrack 5 R1 with
newer compat-wireless drivers, installed after the first few attempts failed
(compat-wireless-2012-01-22 is what I am now using). I have also tried multiple
wireless cards (a USB Ralink RT2860, an internal chipset that is also a Ralink
RT2860 using rt2800pci, and another USB Ralink 2573 using rt73usb - all of which
I noticed have been reported to be working), all of which can inject
successfully to the wireless access point (yes, it is in monitor mode). Signal
strength is -120dB (the laptop and wireless router are actually on the same
desk; I have also tried moving further away from the AP in case of
interference, and turned off other access points in the same house - only one other
AP is in use here, it's for personal internet, NOT using WPS :) ).
What do I think the issue is? I'm not sure if it's either an issue in my set-up
- my wireless cards (perhaps they are having issues with this attack, even
though they support injection mode, have worked fine for breaking WEP and
WPA1/2, and have been thoroughly used for the last year) - or possibly the
wireless router I have used either blocks this sort of attack or is not
handling WPS as per spec. I have also tested with a borrowed wireless AP (an older
Thomson TG782T); both have been reported as running WPS 1.0 according to wash,
although I am not sure about the Thomson being configured to be used for WPS
Pin.
The command line string used is as follows:
<Against Netgear WNR2000>
reaver -i mon1 -b 00:1F:33:F7:EA:59 -vv -a
<Against old Thomson TG782T>
^same as above, except a separate address
I have also tried giving it my adapter's MAC address with -m (just for testing),
and have tried with and without -a, sometimes experimenting with --win7 too.
The output from reaver is as follows:
[+] Waiting for beacon from 00:1F:33:F7:EA:59
[+] Switching mon2 to channel 1
[+] Associated with 00:1F:33:F7:EA:59 (ESSID: PEN_LAB_01)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2012-01-23 15:54:52 (0 seconds/pin)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
<It goes on for another 300 lines, I can attach those too if you'd like>
Also, the output of wash is as follows:
BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
-----------------  -------  ----  -----------  ----------  -------------
08:76:FF:0F:E6:5A  1        -54   1.0          No          BigPond0FE65A
00:1F:33:F7:EA:59  1        -39   1.0          No          PEN_LAB_01
<sorry about the formatting!>
Unfortunately I'm getting a message about the issue attachment storage quota being
exceeded, so I cannot post a pcap dump here. Would it be acceptable if I posted it
on my own webserver and provided a link?
<PS, sorry for the essay. I've tried a bit to get this to work!>
Original issue reported on code.google.com by m...@c0refailure.com on 23 Jan 2012 at 5:03
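The reaver output above records how far each attempt got through the WPS Registration Protocol (EAPOL Start, identity exchange, M1/M2) before failing. The following added example (not part of the issue or of reaver's code) parses such a log into per-pin attempts and flags the loop the reporter describes: the same pin retried again and again, never getting past M2, alternating between codes 0x02 and 0x03. The sample log is a constructed, shortened excerpt of the quoted output; the stage name "Received M3 message" is assumed to be reaver's wording for the step after M2.

```python
import re
from collections import Counter

# Constructed sample: a shortened excerpt of the reaver output quoted in the issue.
SAMPLE_LOG = """\
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[!] WPS transaction failed (code: 0x02), re-trying last pin
"""

# Registration Protocol steps in the order reaver prints them; the list index is how
# far an attempt got. "Received M3 message" is assumed wording (not in the quoted log).
STAGES = ["Sending EAPOL START request", "Received identity request",
          "Sending identity response", "Received M1 message",
          "Sending M2 message", "Received M3 message"]
PIN_RE = re.compile(r"Trying pin (\d{8})")
FAIL_RE = re.compile(r"WPS transaction failed \(code: (0x[0-9A-Fa-f]+)\)")

def parse_attempts(text):
    """Return one (pin, furthest_stage, fail_code) tuple per failed attempt."""
    attempts, pin, furthest = [], None, -1
    for line in text.splitlines():
        m = PIN_RE.search(line)
        if m:                       # a new attempt starts; reset progress
            pin, furthest = m.group(1), -1
            continue
        for i, stage in enumerate(STAGES):
            if stage in line:
                furthest = max(furthest, i)
        m = FAIL_RE.search(line)
        if m and pin is not None:
            attempts.append((pin, STAGES[furthest] if furthest >= 0 else None, m.group(1)))
    return attempts

def diagnose(attempts):
    """Flag the loop in the issue: repeated failures on one pin that never reach M3."""
    pins = {pin for pin, _, _ in attempts}
    past_m2 = any(stage == "Received M3 message" for _, stage, _ in attempts)
    return {"pins_tried": len(pins),
            "failure_codes": dict(Counter(code for _, _, code in attempts)),
            "stuck_on_pin": len(pins) == 1 and len(attempts) > 1 and not past_m2}
```

Run `diagnose(parse_attempts(SAMPLE_LOG))` on a full capture to see at a glance whether the run is cycling on one pin and which failure codes dominate.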