Thread: Reaver problem, please help!

  1. #1
    Join Date
    2015-May
    Posts
    25

    Reaver problem, please help!

    Reaver was able to crack the WPS PIN of the router.

    Wireless Manufacturer: Wireless
    Model number: WR1500N

    But the output comes out like this:

    Pin cracked in 2968 seconds
    [+] WPS PIN: '11665670'
    [+] WPA PSK: '53D93E54D92D97142D6342DBEF952740DFBA88B43ED4BA96E 5DDA1F5226FEC22'
    [+] AP SSID: 'Network-D92D97142D6342DBEF952740 '

    I'm pretty sure that it's not the PSK and not the SSID name; the SSID name is different.

    Please advise. Thanks

  2. #2
    maybe with one theme... it is enough
    Could you give us the real SSID? (the one that appears in wash or airodump-ng)
    It looks like there is a security breach and a way to generate the WPA with the SSID (or reduce brute force at least).
    That is not the PSK (63 ASCII characters max) but the PMK (I didn't count, but it should be 64 characters).

  3. #3
    Join Date
    2015-May
    Posts
    25
    Hi kcdtv,

    This is the router: http://setuprouter.com/router/binato...500n/login.htm
    Real SSID is Binatone_3FC7E6
    when running with reaver it shows router manufacturer as Wireless WR1500N

    Thanks for your help

    Even the WPS PIN is incorrect, as it's more than 8 digits.

  4. #4
    Mmm, the PIN looks correct to me: 8 digits long and the checksum is OK.
    I am a bit rusty and was never good with that; that's the PMK formula (you are able to connect with it anyway)
    Code:
    PBKDF2(passphrase, ssid, 4096, 256)
    what is weird is that the ssid given is part of the PMK
    D92D97142D6342DBEF952740
    53D93E54D92D97142D6342DBEF952740DFBA88B43ED4BA96E 5DDA1F5226FEC22
    And I don't get it... If I remember well, the formula means that you take the passphrase and the SSID, make a string, use 4096 SHA1 over this string and then keep the first 256 bits.
    I got excited when I saw this repetition, thinking that the SSID (the real one) was used in the passphrase, but that doesn't make sense.
    And before I said "that's the PMK and not the PSK" but I was confused; what I meant was "that's the PMK, not the passphrase".
    reaver is confusing for that; it should be written "passphrase" because what you usually get is the passphrase, not the PSK (which is the same as the PMK in WPA-PSK, I think).
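
Added example, not part of any post in this thread: a Python sketch of the two checks discussed in #4, the WPS PIN check digit and the PBKDF2 formula, applied to the values posted in #1. Treating the space inside the posted key as a copy or line-wrap artifact is an assumption, and the function names are illustrative.

```python
import hashlib
import string

def wps_pin_valid(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the WPS check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    # Weights 3,1,3,1,3,1,3 over the first seven digits (WSC checksum).
    accum = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(pin[:7]))
    return (10 - accum % 10) % 10 == int(pin[7])

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def classify_key(value: str) -> str:
    """Tell a raw 256-bit key (64 hex digits) from an 8-63 character passphrase."""
    compact = "".join(value.split())  # assumption: whitespace is a copy/wrap artifact
    if len(compact) == 64 and all(c in string.hexdigits for c in compact):
        return "raw-256-bit-key"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    return "invalid"

def hex_part_of_ssid_in_key(ssid: str, key: str) -> bool:
    """True if the text after the last '-' in the SSID occurs inside the key."""
    fragment = ssid.strip().rsplit("-", 1)[-1]
    return len(fragment) >= 8 and fragment in "".join(key.split())

# Values as posted in #1 of this thread.
PIN = "11665670"
KEY = "53D93E54D92D97142D6342DBEF952740DFBA88B43ED4BA96E 5DDA1F5226FEC22"
SSID = "Network-D92D97142D6342DBEF952740 "

if __name__ == "__main__":
    print("PIN checksum valid:", wps_pin_valid(PIN))
    print("key type:", classify_key(KEY))
    print("SSID hex inside key:", hex_part_of_ssid_in_key(SSID, KEY))
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK test vector:", derive_pmk("password", "IEEE").hex())
```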

  5. #5
    Join Date
    2013-Jul
    Posts
    844
    There are at least two possibilities here.

    1. The character string is the WPA key. We cracked a router that gave us a long key. We captured a handshake and ran the key against the handshake and it worked. You could also just try associating to the network using the key, and as long as MAC blocking is not in residence you will get association if it is the WPA key.
    In the case above we got through the router logon page and found that the key was generated by the router's firmware, i.e. it was a computer-generated key and was 63 characters long.

    2. Test to see if the key changes every time reaver cracks the key. This was covered by WPS-Reaver. MTeams will see if the thread can be found.

  6. #6
    Join Date
    2015-May
    Posts
    25
    To mmusket33 and kcdtv,

    Thank you for your prompt reply,

    Appreciate it

    I ran reaver with the WPS PIN, and the PSK and the PIN are the same every time I run it.

    I ran the WPS PIN with bully and got the same result.

    I tried connecting to it with the PSK; it says "bad password".

    I was looking for a hash key, so that I can further crack it. But no luck

    Seems like reaver doesn't support this kind of router.

    I'm also making a spreadsheet consisting of all routers vulnerable to reaver or wifite, the tools used, and the final outcome.
    Last edited by machx; 2016-06-29 at 08:49.

  7. #7
    Join Date
    2016-Jul
    Posts
    1
    It's a reaver error
