REAVER - non-stop repeating

7hr08ik
2013-06-12, 10:52
Hey guys,

I've been challenged by my mate next door to hack his wifi... I am by no means even considered proficient, but I am learning and competent. I'm having a few problems.

Firstly I've already got the handshake, and gone through it with Elcomsoft WSA on my main PC. Ran through 13 GB of wordlists and no use... expected.

So now I'm on to WPS cracking. I've been using aireplay-ng to get the association, and using reaver to crack. I have tried all sorts of configs but this is what I've been using lately:

aireplay-ng -a xx:xx:xx:xx:xx:xx -e virginmediaxxxxxxxxxx mon0 -1 120

reaver -i mon0 -b xx:xx:xx:xx:xx:xx -vv -c 11 -A -N -S -L

So this is my current procedure:

1. airmon-ng start wlan1
2. ifconfig wlan1 down
3. ifconfig mon0 down
4. macchanger wlan1 -A
5. macchanger mon0 -A
6. ifconfig wlan1 up
7. ifconfig mon0 up
8. aireplay-ng -a xx:xx:xx...........
9. (new terminal window) reaver -i mon0 -b xx:xx:x.......................

First issue is that the fastest I can get it to run is 23 pin/sec.
Not sure if killing any of the processes listed by airmon-ng will help, but anything I can do to speed up would be good.

Second and MAIN issue is that I've hit a wall... I've got to 90.90% and it's just repeating the same PIN number over and over again. Wash reports the AP is not locked, and reaver just goes round in circles, reporting m1, m2, m3, m4, timeout, retrying.

I've tried some googlefoo but all I can come up with is old BT4 posts, saying to reconfigure the SVN, and that is as far as my knowledge goes. I don't really want to start faffing around with the drivers etc, unless I really need to.

Spyslab
2013-06-15, 00:09
See if the AP's admin has locked WPS midway through your procedure by running wash -i mon0 -C and try relocating closer to the AP. Also KILL the processes called out at the start of your procedure when you ran airmon-ng the first time... the warnings spelled out stand.

russ
2013-06-15, 11:40
Virgin Media routers have WPS PIN association disabled by default, so even if you sent the correct PIN the router will just ignore it.

7hr08ik
2013-06-17, 08:20
Even though wash reports it's accessible and unlocked?

Chaos
2013-06-17, 09:37
Just an idea! No warranty! (A bit strange, but if there is a lazy programmer ...)

If the router sends Beacons and also the wireless management frame, it's possible that
even if WPS was locked the router maybe doesn't set WPS locked inside the beacon/management frame,
so wash will tell you that WPS wasn't locked.

Similar here with some routers: they just ignore the PIN after 30 failed attempts but WPS seems not locked.
Some of them unlock WPS after hours again ... (from less than 6 up to 24 hours or maybe more).
And others must be "unlocked" from the web interface, while they got a better implementation of WPS.

@russ

Virgin Media routers have WPS PIN association disabled by default, so even if you sent the correct PIN the router will just ignore it.

That must not mean that they aren't vulnerable. Here are routers from one vendor with a badly implemented WPS procedure: they also disable WPS by default but will respond to a vendor-specific PIN (01234567 OR 12345678) and deliver the key, but that's not all, if you set a new PIN they will respond to the new and the vendor PIN.

Maybe he is lucky and that's why he already got to 90.90%.

Good Luck!

Chaos
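Chaos's point is that wash only reports what the AP advertises in its beacon, not what it actually does. The small decoder below is an added example for this thread (not code from the reaver or wash projects) that pulls the WSC information element out of a beacon's tagged parameters and shows the "AP Setup Locked" attribute wash reads. It is the check you would run against your own AP when auditing it: the sample beacon bodies are constructed by hand, and the "silent lock" case shows an AP that carries a WSC IE but simply never sets the lock flag, which any beacon-based tool will report as "not locked".

```python
"""
Decode the WPS (WSC) information element from an 802.11 beacon's tagged
parameters and report the advertised "AP Setup Locked" flag.  Added
example for this thread, not from the reaver or wash projects; the beacon
bodies below are constructed by hand, not captured.
"""
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # OUI 00:50:f2, type 4 = WSC

# WSC attribute IDs from the Wi-Fi Simple Configuration spec
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044          # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057    # 1 = locked


def iter_ies(tagged):
    """Yield (tag, value) pairs from a beacon's tagged-parameter bytes."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE at offset %d" % i)
        yield tag, value
        i += 2 + length


def parse_wsc_attrs(body):
    """Parse WSC TLVs (2-byte type, 2-byte length, big-endian) into a dict."""
    attrs = {}
    i = 0
    while i + 4 <= len(body):
        atype, alen = struct.unpack(">HH", body[i:i + 4])
        attrs[atype] = body[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs


def wps_lock_status(tagged):
    """Describe what the beacon advertises about WPS.

    'present' - beacon carries a WSC IE at all
    'locked'  - True/False from AP Setup Locked, or None if the attribute
                is absent (the case a beacon-based tool shows as unlocked)
    'state'   - WPS state byte or None
    """
    for tag, value in iter_ies(tagged):
        if tag == 0xDD and value.startswith(WPS_OUI_TYPE):
            attrs = parse_wsc_attrs(value[len(WPS_OUI_TYPE):])
            locked = attrs.get(ATTR_AP_SETUP_LOCKED)
            state = attrs.get(ATTR_WPS_STATE)
            return {
                "present": True,
                "locked": (locked == b"\x01") if locked is not None else None,
                "state": state[0] if state else None,
            }
    return {"present": False, "locked": None, "state": None}


def _ie(tag, value):
    """Build one tag/length/value information element."""
    return bytes([tag, len(value)]) + value


def _wsc_ie(attrs):
    """Build a vendor-specific IE carrying the given WSC attributes."""
    body = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in attrs)
    return _ie(0xDD, WPS_OUI_TYPE + body)


# Constructed sample beacons (SSID IE + WSC IE only; not real captures)
BEACON_LOCKED = _ie(0x00, b"testnet") + _wsc_ie([
    (ATTR_VERSION, b"\x10"),
    (ATTR_WPS_STATE, b"\x02"),
    (ATTR_AP_SETUP_LOCKED, b"\x01"),
])

# An AP that has stopped answering PINs but never sets the flag looks like this
BEACON_SILENT_LOCK = _ie(0x00, b"testnet") + _wsc_ie([
    (ATTR_VERSION, b"\x10"),
    (ATTR_WPS_STATE, b"\x02"),
])

BEACON_NO_WPS = _ie(0x00, b"testnet")

if __name__ == "__main__":
    for name, beacon in [("locked", BEACON_LOCKED),
                         ("silent lock", BEACON_SILENT_LOCK),
                         ("no wps", BEACON_NO_WPS)]:
        print(name, wps_lock_status(beacon))
```

The "silent lock" beacon decodes to `locked: None`, which is the situation described above: the only way to know such an AP has stopped accepting PINs is to watch its responses, not its beacons.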

russ
2013-06-18, 21:22
Yes, WPS is only set to push button by default now; they disabled PIN request due to reaver attacks. It can be changed manually by the user, but there is no way of knowing, unless you get to 90.90% (all first 4 PIN combinations).

7hr08ik
2013-06-24, 10:55
I'm trying again from the start.

I have no choice but to use aireplay to assoc because reaver just won't do it, but apart from that I'm only using the additional -w and -N commands.
The signal is nice and strong (-50 dB) and there doesn't seem to be any issues with the quality or anything, just that reaver got to 90.90% and got stuck.

I found some posts on the GitHub for it saying lots of ppl were getting the issue but they were quite old and nobody seemed to find the reason or a fix.

Chaos
2013-06-30, 01:28
Try to downgrade to reaver 1.3; there is a known bug in 1.4, maybe you get around this with an older version.

(I didn't try it under a Debian-based OS, but under BT5 you just need to download it, set permissions if needed and run it from the download folder.)

Good Luck!

Chaos

GreyHat
2013-06-30, 03:46
In my experience Virgin Media routers have WPS disabled; normally I get nothing...

VM standard passwords are 8 digit lower case all letters. I've been meaning to try a crunch/pyrit/cowpatty type attack on a handshake from a VM router for a while now but haven't got round to it yet. No use if the neighbour has changed the password of course...

GreyHat
2013-07-01, 19:03
In your experience? Funny, it looks like this one doesn't have it disabled. Otherwise he wouldn't have gotten to 90% now, would he.

I tried a new TalkTalk router the other day, reaver said it was at 92.90% rather quickly but this router also had WPS locked. I suspect it was some sort of error ;) (the fact that it stopped and didn't get the key suggests the same).

Virgin Media's Super Hubs, which they have been supplying for quite a while now, are 100% not susceptible to a WPS attack. I suspect that the older routers have had software updates to prevent WPS attacks too. Of course the OP's neighbour could have an older router that is susceptible, which is why I said 'in my experience'. :rolleyes:

budgreen24
2013-07-15, 22:41
I'm not sure how current this information is, but here is a listing of WPS Flaw Vulnerable Devices.

https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c

doggy
2013-09-12, 12:50
Hi 7hr08ik

Second and MAIN issue is that I've hit a wall... I've got to 90.90% and it's just repeating the same PIN number over and over again. Wash reports the AP is not locked, and reaver just goes round in circles, reporting m1, m2, m3, m4, timeout, retrying.

You'll find the solution to this at the reaver-wps site (Issue 195: Stuck 99.99%, repeats one key).
The link is http://code.google.com/p/reaver-wps/issues/detail?id=195
Comment #57 by [email protected] has the solution to the problem.

Hope this helps