Hi,
Thank you! Before doing your steps I had about 30 s/pin, and now I'm getting less than 5 s/pin.
For those who have the same problem, I recommend reading this thread and doing the steps mentioned above.
So I decided to play around with Reaver against my Belkin N150 wireless router. The first thing I noticed was a lot of timeouts, and Reaver was attempting the same pin over and over. Eventually it did move on to another pin, but the seconds-per-pin rate was 365 s/pin. After 20 h or so I had reached 10% of the pins. I knew something had to be wrong, seeing as it is advertised that it could be used to get the WPA passkey in under 10 hours. I scoured the internet for why this might be happening and didn't find anything useful, so I just started playing around with the different options it has and finally found something that worked. It brought me down to 12 s/pin, so it's definitely operating a lot faster.
This is what I did.
1. Switch the interface to the same channel as my wireless router by opening a konsole and using this command:
"iwconfig (my wireless interface name, e.g. wlan0, mon0, etc.) channel (channel of my router)"
(without quotes)
2. Manually associate with my router using aireplay-ng:
"aireplay-ng -1 0 -a (router bssid) -h (my mac address) -e (router essid) (name of my wireless interface)"
3. Use Reaver to brute-force the WPS pin with these options:
"reaver -i (name of my wireless interface) -b (bssid of my router) -T 1 -f -N -S -vv"
That's it. I hope this helps those having the same problem. Let me know if it works for you or if you find something even faster.
~Str8fe
And the issues I was having with the association appear to have been solved with the release of BT5 R2.
Have no idea what was going on with that, but hey, it works now!
So if you are having issues, I would suggest you try the latest and greatest as well.
1. I'm still trying to wrap my mind around this stuff since I'm an ubernoob BUT, how are you supposed to switch the interface if the device is in monitor mode? I'm getting:
"Error for the wireless request "Set Frequency" (8B04) :
SET failed on device wlan1 ; Network is down."
I've even exited monitor mode and am still getting the same error.
2. I've tried manually associating with my router, which was interesting. It said:
Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1
Couldn't determine current channel for wlan1, you should either force the operation with --ignore-negative-one or apply a kernel patch
Uh... what?
EDIT:
Figured it out... obviously whichever device is set to monitor mode takes on a new name, which is mon0 or mon1 depending on how many are in monitor mode and which is which. Can NOT believe I figured that out. Goes to show what a little whiskey will do for me. Had a few drinks the first time I figured out how to fix layered copper laptop mobos too... don't like where this trend is going, hah! Or do I?
EDIT #2:
Now what can I do about keeping it from getting stuck in the multiple-pin issue? It will get stuck trying the same pin over and over again. I'm guessing that's because the AP realizes it's being attacked and tries to protect itself, right? What can I do to figure out where its lines are drawn?
Hey Str8fe, thanks for the info!
I'm currently blackbox pentesting with Reaver 1.4, and started triggering WPS lockout with Reaver's default settings, just -i and -b. It ended up running about 120s/pin overnight—very slow.
After quite a lot of tweaking, I found that adding -d 5 (wait 5 seconds between pin attempts) and -r 10:60 (after 10 pins, sleep for 60 seconds) seemed to avoid lockouts. Now we're down to about 16s/pin. Faster, but with current progress that sets me up for about a 2 day crack time.
I'm not on-site with the reaver machine, not even on Linux, so can you please explain your tweaks? I know -S uses small Diffie-Hellman numbers, but I can't remember what -T, -f and -N switches do. Will they possibly get me more pins/s without triggering lockouts?
Thanks again!
-ternarybit
Thank you, your method changed 3 sec/pin to 2 sec/pin on BackTrack 5 R3. Signal strength of the access point is about -40.
I'm using an rtl8187. Seems like fake-authenticating with aireplay-ng also helps to start the attack more quickly. For now Reaver runs really fast.
Will update the post after the attack succeeds/fails!
It worked just fine,
found everything.
Thanks a lot Str8fe, worked great, I went from 10 seconds to 4 seconds!!! 1 day down to 8 hours or less!!!