FAQ
Frequently Asked Questions
Why do I get timeouts/out of order warnings?
This is usually due to interference or low signal strength. The AP's WPS registrar functionality could also be locked. You may get these warnings randomly during an attack, and they may take a few minutes to clear up. This is because the AP's WPS state machine and Reaver's get out of sync; the AP's state machine may not be reset for ~2 minutes. After this, things should start working again.

Why doesn't MAC spoofing work?
It does, but you have to make sure you are spoofing the MAC on the physical card's interface. See the wiki.

WEP cracking works fine with low signal strengths, why does Reaver have problems?
WEP cracking usually entails re-transmitting captured packets in order to generate more responses from the AP and therefore collect IVs faster. In this situation, it does not matter if some packets get dropped or corrupted, as you are simply looking for a quantity of packets. In contrast, attacks against WPS require that specific packets be exchanged between Reaver and the AP in a specific order for each pin that is tested. If a packet gets dropped or corrupted, the transaction may need to be started all over again. This makes WPS attacks much more susceptible to failure due to poor signal strength or interference. Another concern to keep in mind is that just because you can see the AP doesn't mean the AP can see you. You don't know what interference may be at the AP's location, nor do you know how selective the AP's RF front end is, nor how sensitive the AP's receiver is. All of this can contribute to communications problems. Thus, it is best to get the strongest signal possible before running Reaver.

Reaver just tries the same pin over and over
Make sure your target AP supports WPS. Run the walsh tool to scan for WPS-enabled APs and make sure your target AP is listed.

Help, Reaver can't associate with my AP!
This could be due to interference or low signal strength. It could also be a driver issue; check the supported drivers wiki.

I get a warning "rate limiting detected", over and over again
This warning message means that the AP has locked WPS pin attempts. This is usually only a temporary lock (around 5 minutes typically), but in some cases may be permanent (requires administrator intervention to unlock). There is a known bug in Reaver 1.3 that causes it to not detect when the AP has lifted the lock. Use the --ignore-locks option as a workaround, or grab the latest code from the SVN trunk.

Can I run more than one instance of Reaver against an AP?
Technically yes, but this is ultimately a flawed approach to increasing attack speed. The primary limitation on attack speed is the low resources (memory, CPU, etc.) of the AP, so having two simultaneous attackers will result in twice the CPU load. It is better to use Reaver's advanced options to help speed up the attack.
Only CPU matters.
To fix a screen full of these:
[!] Found packet with bad FCS, skipping...
use walsh -i mon0 -C -s
@xpeh: unless the AP has memory leaks. Which some do. :P
Then it will reboot at some point (it doesn't swap, does it?). Since reboots happen relatively seldom, I don't think it really matters.
Can you say what particular APs have significant leaks on this attack?
@cheff...@tacnetsol.com: Vulnerable APs often have more bugs than just the WPS bugs, so I wouldn't be surprised if some have memory leaks.
xpeh.o...@gmail.com: Wireless routers never swap, ever, unless you do some hack that is very much non-stock. They typically have as low as 1MB of flash memory to up to 8MB, maybe 16MB if you paid a lot of money for a really nice one. Flash memory would not be good to swap to (limited erase operations before failure) if they did have enough. They never have an internal hard disk drive, and if you plug one into a USB port, they don't (shouldn't?) look for and activate a swap partition.
Routers are embedded systems, and like all embedded systems, there are a wide plethora of operating systems that they run. Linux is a popular one because it's the cheapest and most well-written option, but many run vxWorks, some run obscure real-time operating systems, and a few are even custom from the ground up (!). The more uncommon, the more potential for common mistakes and bugs.
However, this has me thinking... it may be possible to take advantage of this class of bugs if they are ever found for specific models: If an AP locks out for, say, five minutes, it may indeed be faster to try to actively do something to force a reboot than it would be to actually wait out the lock.
@xpeh: No, as matthew stated they don't do swap, but you will see the pin attempts slow down as free memory gets very low. I have specifically watched this happen on several TP-Link routers; they do not reboot, they just lock up and all services stop working until the device is manually power cycled. So yes, you are correct that the CPU is usually the limiting factor, but if other resources are exhausted these can limit that attack as well.
Yeah, I guess those poorly written enough to have memory leaks are also poorly written enough to not bother to use the SoC's watchdog timer.
I'll repeat the question I already asked: since without lockdown the bottleneck is poor CPU power, will users somehow notice that the AP's CPU load is 100% over several hours?
Heya, I was just wondering if SecureEasySetup is in trouble too, as I've read it's just a different name for WPS.
My router (WRT54G v7.0) only has the option to Enable/Disable SecureEasySetup, no mention of PINs.
I have tried Reaver, which couldn't associate with my AP but could with others, and walsh doesn't list my router, but that could of course just be because it's not calling itself WPS, so it isn't logged.
Sorry if I should have posted this elsewhere, but wasn't sure where was right.
Only the WPS PIN mode is vulnerable. The push-button mode requires you to prove physical access. As long as you don't let kids play with the button, and it doesn't support PIN mode, you should be safe.
On the WRT54G's configuration pages, there is a page that lets you virtually push this button by clicking a picture of a really huge lock. I haven't used the stock linksys firmware in a while, so I can't remember if it would list a pin there, but check there anyway.
xpeh.o: That's why someone with malicious intent (or a pen-tester with instructions to avoid inconveniencing users) would wait until nobody is using it... like after everyone left and the janitor is the only one still there.
@matthewr... I did assume my router wouldn't have the problem as there was no PIN anywhere, but I just wanted to make sure with someone more in the know than me, so thank you for the reply.
Any chance we get a small help/tutorial on walsh? That would be very sweet :) Was getting the FCS error, will try --ignore-fcs tonight and lock it on my channel to see if that helps.
Can I run Reaver on two different APs?
With two machines or one machine with two wifi cards yes.
On Jan 7, 2012, at 12:58 AM, "reaver-wps@googlecode.com" <reaver-wps@googlecode.com> wrote:
Hi again, want to report an odd situation here. PIN was cracked but no PSK was displayed:
[+] 97.46% complete @ 2012-01-07 17:52:58 (2 seconds/attempt)
[+] 97.51% complete @ 2012-01-07 17:53:08 (2 seconds/attempt)
[+] 97.55% complete @ 2012-01-07 17:53:18 (2 seconds/attempt)
[+] 97.60% complete @ 2012-01-07 17:53:28 (2 seconds/attempt)
[+] 97.65% complete @ 2012-01-07 17:53:39 (2 seconds/attempt)
[+] 97.69% complete @ 2012-01-07 17:53:49 (2 seconds/attempt)
[+] WPS PIN: '33797793'
[+] AP SSID: 'NET_12'
Any help and ideas why?? Thanks!
Why is there no version for Windows?
I am sure it is in development, and I am also sure that a Mac client will be in the works. Security Now with Steve Gibson noted today that this would be fairly easy to port to other systems.
On Jan 9, 2012, at 11:51 AM, "reaver-wps@googlecode.com" <reaver-wps@googlecode.com> wrote:
At the last step, "make install", I get "error 1".
MAsani, I had the same issue. I realized I was still running Reaver in another terminal. I did a Ctrl-C to stop it, then 'make install' worked.
That is also what I suspect on my end; being closer to the target worked on that AP.
JeffMoses.com
On Jan 11, 2012, at 12:16 PM, "reaver-wps@googlecode.com" <reaver-wps@googlecode.com> wrote:
Question, how do I update Reaver to the newest current revision (exact commands much appreciated, I use BackTrack 5 KDE 32-bit)?
Questions about future versions:
1) Will Reaver support retrieving WEP keys through WPS attacks? I know how to retrieve them with aircrack-ng, just asking.
2) I am having the following problem: when I start an attack and I am close to an AP, then press Ctrl+C, the session is saved at 5.97%. Then I resume by using -r to load the previous session and it resumes; then I re-save at 22.5%. But when I reboot my PC after an hour or so to work with Reaver again, I load the session and unfortunately it resumes from 5.97% and NOT from where I reached at 22.5%.
Can the Reaver team please look into this one?! Thank you ... Reaver rockz !!
Any solution for this problem:
I am using reaver 1.3 & 1.4 & I got this output:
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 935 seconds
[+] WPS PIN: '01270969'
[+] WPA PSK: '9628cae2ca46e3af700fea4b6223b9512dba027c6cf56a0b51dc08f712d89898'
[+] AP SSID: 'BMW E46'
This is my AP & I know the WPA2 key. But the reaver 1.4 output shows the WPA PSK like this: 9628cae2ca46e3af700fea4b6223b9512dba027c6cf56a0b51dc08f712d89898
How can I convert this key to ASCII???
I am using a TENDA WR311 & walsh (wash) shows WPS version 1.0
I know this is possible; it was brought to me via dreams and I do believe that this can be the best hack ever, better than brute force. The idea is to create code that will be able to collect the ESSID and BSSID and create a fake access point; however, if the access point is encrypted it will also mimic that. When it is broadcast and has sufficient power, it will cause the various clients who are connected to the access point to drop off for a few secs, and within that space of time a spoofer will be able to collect their password.
I had a Bullet HP2 and wanted to gain access to an ISP. They had a MAC filter on it, so I collected their ESSID and their BSSID and mimicked their access point; then I was broadcasting their ESSID and the access point's users were able to log in to my access point, so I was able to get their MAC addresses, which I collected and updated my Bullet with, and I was able to log in to the ISP, w00t. My main idea is if there is something to do that but in an encrypted way, and to bump off the users for a few secs, so that they will log in to our network, and because their key is automatically saved on their machine it will try to log in to our network, where a sniffer will be able to get what they are trying to authenticate with :D. Please design a system like this, thanks - Saxtor
You are about 8-10 years late with your idea, Saxtor. Do a google search for Man-In-The-Middle (MiTM) wifi attacks.
Dutch
I have used it before many times but it does not work; I have to create a fake webpage.
First off thanks so much for this love it.
Questions:
1) Is reaver written in C or C++?
2) I understand reaver performs a brute force attack using pins, but how does it manage to obtain the WPS passphrase?
Hi, I got a PSK like this: db58bd1980d7e80eacd11dc46dccde759722672d1031f7c6b7f5783bbc3d5.
I want to know how to convert the PSK. Thx!
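The two posts above ask how to "convert" a 64-hex-character WPA PSK back into an ASCII passphrase. The added example below (not code from the Reaver project) shows why that is not possible: a 64-hex PSK is the raw 256-bit key that WPA/WPA2-Personal derives from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, as defined in IEEE 802.11i), and that derivation is one-way. The only check available is the forward direction: if you already know your own passphrase, derive the PSK and compare. The helper names (`derive_psk`, `is_raw_psk`, `classify_key`, `psk_matches_passphrase`) are this example's own; the "password"/"IEEE" vector is the published 802.11i test vector. Note that the second value quoted on this page is 61 characters long, so it fails the length check and was probably copied incompletely.

```python
import hashlib

# Published test vector from IEEE 802.11i-2004 Annex H.4.1 (passphrase "password", SSID "IEEE").
IEEE_PMK_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2-Personal PSK (the PMK) and return it as 64 hex characters.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PSK on a differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("an ASCII passphrase must be 8..63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def is_raw_psk(value: str) -> bool:
    """True if value has the shape of the raw 64-hex PSK rather than an ASCII passphrase."""
    return len(value) == 64 and all(c in HEX_DIGITS for c in value)


def classify_key(value: str) -> str:
    """Label a key string as it might appear in tool output: raw PSK, passphrase, or malformed."""
    if is_raw_psk(value):
        return "raw-psk"
    if 8 <= len(value) <= 63 and value.isascii() and value.isprintable():
        return "passphrase"
    return "malformed"


def psk_matches_passphrase(hex_psk: str, passphrase: str, ssid: str) -> bool:
    """Check whether a 64-hex PSK was derived from a known passphrase for this SSID.

    This is the only direction the relationship can be checked: PBKDF2 is one-way,
    so there is no function that turns the hex key back into the passphrase.
    """
    return is_raw_psk(hex_psk) and derive_psk(passphrase, ssid) == hex_psk.lower()


if __name__ == "__main__":
    # Constructed demo values (the published test vector, not a network from this page).
    ssid, passphrase = "IEEE", "password"
    psk = derive_psk(passphrase, ssid)
    print(f"SSID {ssid!r}, passphrase {passphrase!r} -> PSK {psk}")
    print("matches published vector:", psk == IEEE_PMK_VECTOR)
    print("classify:", classify_key(psk), "/", classify_key(passphrase))
    print("same passphrase, other SSID gives same PSK:", derive_psk(passphrase, "OtherSSID") == psk)
```

The practical consequence for the posters: the hex string is a complete key, not an encoding of one, so "converting" it means nothing more than confirming it against a passphrase you already hold.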
Hello, I kinda like your project. However, I have a Bullet HP2; it's a wireless AP with 32MB RAM. I would like to know if it's possible for you to create code for the Bullet HP2 to crack various wireless access points which support WPS :D, in a way that the program can scan all close access points and start cracking them until the password is found :D using AirOS. That would be freaking wicked.
For practicality and a special need, I am attempting to build a Reaver Pro-like device. I would love to know the specs of Reaver Pro (CPU, RAM, OS) and any helpful hints if possible.
How is reaver supposed to behave when you use the -p option with a full 8-digit pin that is not the AP's WPS pin? When I tried it two different times with two different pins, it would behave as though it was cycling through pins as normal, with increasing %complete, varying pins/sec, and an occasional 10 failures reported, except that the pin I originally started at was the only one displayed. This seemed wrong.
The reason I tried this was that twice I ctrl-C stopped reaver and it restarted with a different pin, and I wasn't sure if it completed the last pin from the last run or not, that maybe it skipped a pin. I always run with -v, so maybe -vv would have told me if it was done with the last run pin.
Also, one time I wrote down the pin used at 99.99% because I needed to restart it (it was stuck on that pin). After restarting with -p, it showed something like 92.04% instead of 99.99%. If pins are always tried in the same order, this seems wrong.
Hello everyone, I have a question about Reaver and I have no idea where to start. I have been running a copy of BackTrack 5 on an HP Pavilion laptop with an Intel 5100 AGN integrated wireless card. I followed the instructions over at the BackTrack forums to patch the driver in order to incorporate packet injection support (http://www.backtrack-linux.org/forums/showthread.php?t=45608). Right after following these instructions, I ran "aireplay-ng -9 mon0" to confirm that packet injection had indeed been properly configured, and it gave me the thumbs up. So, very excitedly, I opened up a new terminal and executed a basic Reaver attack "reaver -i mon0 -b MAC?" and after running this command it stopped after switching to the appropriate channel. It is also worth mentioning that when I was running BT5 from a live DVD, Reaver worked the first time without any additional configuration. One more question I have is that the first time I successfully cracked an AP when running BT5 from the live DVD, it seemed to be taking quite a bit longer than the reported 4 hours. Any suggestions on how to speed the process up? Or is this due mainly to the capabilities of my integrated wireless card?
root@bt:~# iwconfig
wlan0 IEEE 802.11abgn ESSID:"SBG658023"
mon0 IEEE 802.11abgn Mode:Monitor Frequency:2.462 GHz Tx-Power=15 dBm
root@bt:~# lspci | grep -i Network
02:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection
Another thing that might be worth noting is that when my card is connected to an access point and I run the aireplay command to test for packet injection, it reports back that injection is working. But as soon as I disconnect from the access point and put the card back into monitor mode, it ceases to produce the same result.
root@bt:~# aireplay-ng --test mon0
19:57:22 Trying broadcast probe requests...
19:57:22 Injection is working!
Once I get the PIN... if I change the WPA2 PSK passphrase, how can I recover it if I had the PIN???
I'm using BT R2. airodump-ng mon0 shows my BSSID (ESSID Thomson), but wash -i mon0 can't see my ESSID (Thomson). It shows my neighbours' ESSIDs and BSSIDs, except Thomson.
Can Reaver begin searching PINs from a set point?
For example, I want to start at PIN 8000 (first four) and then search upward.
Note: search the first four only until a match is found, then begin the last-three search.
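The "first four, then last three" split in the post above, together with the M4..M7 exchange shown earlier in this thread and the FAQ's remark that only PIN mode is exposed, is the whole reason a WPS PIN can be exhausted in hours rather than years. The added example below (this editor's own code, not Reaver's) shows the two facts behind it: the eighth PIN digit is a checksum that the registrar computes from the first seven, and the AP answers each half of the PIN separately, so the candidate count drops from 10^8 to 10^4 + 10^3 = 11,000. The two PINs it checks are the ones reported in this thread; `worst_case_seconds` uses the "2 seconds/attempt" rate quoted above and ignores lockouts, so it is an upper bound without rate limiting, which is exactly what the lock-out behaviour in the FAQ is there to add.

```python
# Worked example: how a WPS registrar validates an 8-digit PIN and why the
# effective PIN space is far smaller than the 10^8 the digit count suggests.


def wps_pin_checksum(first_seven: str) -> int:
    """Return the checksum (8th) digit the WPS specification requires for seven PIN digits."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    d = [int(c) for c in first_seven]
    # Odd positions weighted 3, even positions weighted 1, then a mod-10 complement.
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """The structural check a registrar applies before starting the M1..M8 exchange."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(pin[:7])


def pin_search_space() -> dict:
    """Candidate counts, given that the AP confirms each half of the PIN separately.

    Digits 1-4 are acknowledged (or NACKed) at M4, independently of the rest;
    digits 5-7 are acknowledged at M6, and digit 8 is fixed by the checksum.
    """
    first_half = 10 ** 4
    second_half = 10 ** 3
    return {
        "naive_8_digit": 10 ** 8,
        "first_half": first_half,
        "second_half": second_half,
        "split_total": first_half + second_half,
    }


def worst_case_seconds(seconds_per_attempt: float) -> float:
    """Upper bound on exhausting the split search at a fixed attempt rate, with no lockouts."""
    return pin_search_space()["split_total"] * seconds_per_attempt


if __name__ == "__main__":
    # The first two PINs are the ones reported in this thread; the third is a
    # constructed variant with a wrong checksum digit.
    for pin in ("33797793", "01270969", "33797790"):
        print(pin, "valid checksum" if wps_pin_valid(pin) else "bad checksum")
    print(pin_search_space())
    print("worst case at 2 s/attempt: %.1f hours" % (worst_case_seconds(2) / 3600))
```

Starting the search at a chosen first half, as the poster asks, changes where in those 10,000 candidates the run begins but not the bound; the only configuration change that removes the exposure is disabling PIN-mode WPS on the AP, as the earlier reply in this thread already points out.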