WPS Testing Errors

[Auxh]

I have been trying to test pen my network since it has WPS for the past few days with no success. I also finally got an adapter that supports monitor mode and packet injection!

I've been getting two errors

• Failed to associate with blahblah
• EAPOL START receive timeout

Sometimes it associates sometimes it doesn't.. i've tried using aireplay as an article suggest to associate first but then that leads to the timeout error.
My adapter is awus036nh and the command I input is:

reaver -i mon0 -b [bssid] -vv
I've also tried

reaver -i mon0 -b -a -S -N -c -vv -w as someone suggest and received the same thing

Any thoughts would be helpful!

[duxim]

first what Kali you used?
if you used 2.0 then you did everything wrong. to bring interface in monitor mode read this
https://forums.kali.org/showthread.p...n-Kali-Linux-2

[rev1500]

try this

airmon-ng start wlan0

airmon-ng check kill

wash -i wlan0mon

pick target

reaver -i wlan0mon -b bssid -c channel -vvv -K 1 -f

[John_Doe]

rev1500's advice is correct. However, I would add that, when you mostly get receive timeouts/fail to associate, it's likely that you are not close enough to the wifi router.

[Auxh]

Thanks for the replies! Hmm.. would you guys say would be the minimum reqs for a successful crack then?
Also I have found bad packet with bad FCS when i try regular wash command.. does this correlate to anything?
I have to add ignore fcs or -C to make it work

[John_Doe]

That's two questions in one reply...
#2: "Bad fcs"? But this works?:
wash -i wlan0mon --ignore-fcs
I guess your particular hardware will have to be used that way.

Back to #1: "What are minimum requirements for success"?
Do you mean, how strong a signal must you receive? If you're in a rural area with few wifi signals, you might have acceptable reception over a surprisingly long distance. However, in city areas with dozens or even hundreds of wifi routers in range, you might not be able to connect to even a fairly strong signal.
Trial and error, trial and error.
Good luck!

[Auxh]

That's two questions in one reply...
#2: "Bad fcs"? But this works?:
wash -i wlan0mon --ignore-fcs
I guess your particular hardware will have to be used that way.

Back to #1: "What are minimum requirements for success"?
Do you mean, how strong a signal must you receive? If you're in a rural area with few wifi signals, you might have acceptable reception over a surprisingly long distance. However, in city areas with dozens or even hundreds of wifi routers in range, you might not be able to connect to even a fairly strong signal.
Trial and error, trial and error.
Good luck!

Ok .. this is starting to seem fishy. The network I attempted has a PWR/RSSI of -20 and yet it still sometimes gives me associate/eapol timeout errors. I live in a rural area with not too many wifi signal and i'd say the connection is fairly consistent. Any other diagnosis John Doe?

[Auxh]

Alright.. been fairly patient with this forum. 300+ views and hardly any useful advice. Anyone who can help me with this problem .. i'll be willing to pay. Only incentive that works around these parts. Paypal only.

[John_Doe]

I feel your pain, Auxh... I've made threads that went unsolved even after thousands of views.
Your adapter should have the RTL8187L chipset, and that should work... however, your bad fcs results suggest you may have one of those fake Alfa's. (I myself have seen more than one fake Alfa! lol)
My best advice: I suggest that instead of paypal'ing for advice, you spend just a few bucks getting an X-Media wifi adapter with a Ralink 3072 chipset: they're under twenty bucks delivered off Ebay. I predict it will make you very happy!

[John_Doe]

EDIT: oops, I guess the 036NH -should- have the RT3070 chipset, which is a fairly good chip, is that what you have? (I have in my hand a fake Alfa 036NH so that's why the discrepancy.)
If you DO have the RT3070 chipset, and reaver isn't giving good results, I have to share a couple stories. Just now I'm playing with a Netgear WGR614v10 - it allows thirty wps tries, then goes "Detected AP rate limiting" for five minutes, then allows another thirty tries. But after four hours it stalls completely and allows no more attempts till after I reboot it.
I've also seen wifi routers that just plain work lousy with reaver, lots of errors despite excellent signal strength.
Recently I saw an issue with a Ubee Arris that was on the same frequency as another Arris, both with the same signal strength (but different SSIDs). When I changed one from channel 1 to channel 6, both responded to reaver perfectly.
Just a few thoughts for you to chew on. Good luck with it!

[Noobkin187]

When you run the wash command is the router in the locked state? Have you had any pin attempts successfully tried?

[soxrok2212]

Hey, if you can get me a capture file of the network including:

Code:

+Beacon Frame
+Probe Response

I can take a look. The WPS protocol is very finicky (if that's the right word and spelling...) There are various things that cause it not to work and it has to be examined thoroughly to come to any conclusions.

[kcdtv]

RT3070 is not recommended with reaver.(association is difficult + a lot of time out)
You could try bully.

[Noobkin187]

Hey, if you can get me a capture file of the network including:

Code:

+Beacon Frame
+Probe Response

I can take a look. The WPS protocol is very finicky (if that's the right word and spelling...) There are various things that cause it not to work and it has to be examined thoroughly to come to any conclusions.

How do you go about getting that information?

[soxrok2212]

Run airodump and have it save a capture and either just wait a bit until a client joins the network, or send a deauth so the client probes the network before joining. Just make sure it's in there before you post it.

[John_Doe]

Run airodump and have it save a capture and either just wait a bit until a client joins the network, or send a deauth so the client probes the network before joining. Just make sure it's in there before you post it.

So basically, you're requesting that he capture a handshake and upload it. BE AWARE YOU WILL BE DISCLOSING YOUR APPROXIMATE REAL WORLD LOCATION if you do that. If that's OK, then go ahead, I'm really interested in soxrok's input.

[soxrok2212]

So basically, you're requesting that he capture a handshake and upload it. BE AWARE YOU WILL BE DISCLOSING YOUR APPROXIMATE REAL WORLD LOCATION if you do that. If that's OK, then go ahead, I'm really interested in soxrok's input.

I have a good reputation on this forum, I'm not looking for information like that. Within the Beacon Frames and Probe Responses there is a lot of information regarding WPS (and more about configuration). I don't even need a handshake as long as you get a probe response and beacon. You can even filter out ever other packet if you wish.

The following must be included by the WPS protocol.

Code:

Version
Wi-Fi Protected Setup State
AP Setup Locked
Selected Registrar
Device Password ID
Selected Registrar
Config Method
Response Type
UUID-E
Manufacturer
Model Name
Model Number
Serial Number
Primary Device Type
Device Name
Config Methods
RF Bands
Other

This is what I'm looking for and more often than not, if there is a problem it will be notified here.

[kcdtv]

BE AWARE YOU WILL BE DISCLOSING YOUR APPROXIMATE REAL WORLD LOCATION

It is not false but that's a bit exaggerated,
By giving your probes+handshake to soxrok2212 he would know the name of your network (eSSID) and your bSSID (router' mac adress). So if he has a actualized WiFi map of the world he could know where you are. If you have any fear about soxrok2212 (maybe you should ) you can "spoof" your bSSID (change your mac adress) and change the name of your network to capture the handshake. Like this he won't be able to track your network name/mac address to get your "real world location".
this is a therocial risk : it is very unlikely that your network would appear. You have people that practice what is called "wardriving", they go around with cars and check the wifi network. like wigle. Maybe the NSA have a good wifi map of the world... google was condemned in Germany and France because they made a wifi-map of this country while they went around with the street view cars. They had to give the disk where they strored this datas.

I have a good reputation on this forum

That's true : He is the drug dealer of many users of this forum and everybody will tell you that he always have first quality products. A very good reputation indeed.
(@ DEA : That's a joke, don't break into his house for nothing )

[John_Doe]

lol kcdtv!

Dear soxrok, please don't think I am accusing you of anything, because actually I think VERY HIGHLY of you. I'm just pointing out that uploading a handshake identifies one's approximate vicinity. (because there IS such a thing as a partial worldwide map of wifi networks - ask Edward Snowden!)
So, that being said, I'm very interested. What program should I open my .cap files with to see all that interesting information?

[soxrok2212]

lol kcdtv!

Dear soxrok, please don't think I am accusing you of anything, because actually I think VERY HIGHLY of you. I'm just pointing out that uploading a handshake identifies one's approximate vicinity. (because there IS such a thing as a partial worldwide map of wifi networks - ask Edward Snowden!)
So, that being said, I'm very interested. What program should I open my .cap files with to see all that interesting information?

Wireshark will do the trick