
wrong PSK about reaver-wps HOT 32 CLOSED

lxe524 avatar lxe524 commented on July 23, 2024
wrong PSK

from reaver-wps.

Comments (32)

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Hmmm, that is odd. What access point are you testing against? Since you know 
the pin, you can try using wpa_supplicant to become a registrar and see if that 
works.

Original comment by [email protected] on 30 Dec 2011 at 5:03


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Found this in the wpa_supplicant source code:

"By default, the AP that is started in not configured state will generate a 
random PSK and move to configured state when the first registration protocol 
run is completed successfully."

I'm guessing that's what is happening here. There is an option that can be set 
that supposedly will tell the AP to not generate a random PSK; I'm adding that 
option into Reaver's WPS packets now.

Original comment by [email protected] on 30 Dec 2011 at 5:59

  • Changed state: Started


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Just made a code check in that should disable this feature. See if that fixes 
things.

Original comment by [email protected] on 30 Dec 2011 at 6:21


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Any word on if this fixed your problem?

Original comment by [email protected] on 2 Jan 2012 at 2:33


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I'm sorry, I was away for NYE.

Just checked out the svn source, and the issue is not fixed.
I'm still not sure tho if it's the issue with the reaver or my AP 
since I tested it only on my cheap Tenda wifi router. 
I'll soon have some free time, and will look into it with more care.

Original comment by [email protected] on 2 Jan 2012 at 3:33


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
No worries, just got back myself. 

Something to try would be to use wpa_supplicant and see if it gives you the 
same results (I think in verbose mode it should give you enough info to 
determine this).

It could be that the AP always generates a new PSK regardless, it wouldn't 
surprise me. If this is the case, one thing you can do though is once you have 
the WPS pin, you can reconfigure the AP with any PSK of your choosing using 
wpa_supplicant. Certainly not ideal as it will DoS other wireless users, but it 
may still be useful.

Original comment by [email protected] on 2 Jan 2012 at 3:40


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Nickolic, have you been able to re-test this?

Original comment by [email protected] on 4 Jan 2012 at 2:46


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Same problem over here on ath5k: One of my APs each time returns a different 
WPA key (using R55).
[+] WPS PIN: '19380247'
[+] WPA PSK: 'ddf522a4f84e27683958df41c082b69a0c43e370a6f610a1f4dd744463c65b73'

[+] WPS PIN: '19380247'
[+] WPA PSK: 'de5934e6149bbb2b5c117f2f836001e1a1928037081ec40c837ad5a1a1af44fe'

(Haven't tried reconfiguring the AP using wpa_supplicant yet)

Original comment by [email protected] on 5 Jan 2012 at 12:34


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
What make/model is the AP? This sounds like an AP-specific thing. 
wpa_supplicant should work for reconfiguration though.

Original comment by [email protected] on 5 Jan 2012 at 12:52



GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I too am having this issue,

entire string below:

    # reaver -i wlan0 -vv --pin=53363480 -b c0:3f:0e:bb:23:8e

    Reaver v1.3 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

    [+] Waiting for beacon from C0:3F:0E:BB:23:8E
    [+] Switching wlan0 to channel 11
    [+] Associated with C0:3F:0E:BB:23:8E (ESSID: Orange)
    [+] Trying pin 53363480
    [+] Key cracked in 4 seconds
    [+] WPS PIN: '53363480'
    [+] WPA PSK: 'VM1AsogutopuYnoke7kAJ'
    [+] AP SSID: 'NTGR_T'
    [+] Nothing done, nothing to save.

Used Components/Software

Reaver v1.3
Using Backtrack 5 R1
Atheros Communications Inc. AR5001 Wireless Network Adapter (rev 01)
Netgear Router WGR614v10

Original comment by [email protected] on 5 Jan 2012 at 7:30


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
The AP model that has this issue: Sweex LW150

Original comment by [email protected] on 5 Jan 2012 at 7:37


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Unfortunately, AFAIK there isn't anything Reaver can do to stop this behavior, 
short of the code change that has already been made. If the AP is ignoring the 
"do not generate new key" option, I can't control that (as much as I'd like 
to... :).

One option (which might not be a valid option depending on your situation) is 
to change the WPA key to something of your choosing; this can be done using 
wpa_supplicant/wpa_cli. You need to know the AP's WPS pin, but of course you 
already have that. Obviously this will DoS any legitimate clients on the 
wireless network though.

Original comment by [email protected] on 5 Jan 2012 at 5:20


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024

Original comment by [email protected] on 9 Jan 2012 at 6:51

  • Changed state: WontFix


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Would be really nice to have a wpa_supplicant example documented within the 
tool. I, for one, am struggling to understand how this works.

Original comment by [email protected] on 15 Jan 2012 at 12:40


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I'm not sure what changed, but it successfully recovers the passphrase on
my AP now.

Original comment by [email protected] on 15 Jan 2012 at 1:22


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Well, if I read this thread correctly, you were using 1.1 at the start and you 
probably got the 1.3 version now. I was using 1.3 from the very beginning, so I 
think it's a different use case for me.

Original comment by [email protected] on 15 Jan 2012 at 2:29


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I had the exact same issue. Reaver would return a random string of 64 hex 
digits each time it matched the pin. The target AP is a new TP-Link TL-WR1043ND 
I had just set up for testing. I had never established a wireless connection to 
the AP before my initial testing. Once I made a connection to the device with 
my iPad it started returning the configured PSK rather than the random strings.

Original comment by [email protected] on 20 Jan 2012 at 2:58
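
An added example, not part of the original thread or of Reaver: a small Python check, for someone auditing their own AP, that separates the two result shapes reported in these comments, a 64-hex-digit key that changes on every WPS run versus a constant passphrase. The sample input is the result lines quoted in the comments above; the function names and report labels are made up for this illustration.

```python
import re
from collections import defaultdict

# Result lines quoted in the comments above: two runs against one AP
# (same PIN, different keys) and one run against another AP.
SAMPLE = """\
[+] WPS PIN: '19380247'
[+] WPA PSK: 'ddf522a4f84e27683958df41c082b69a0c43e370a6f610a1f4dd744463c65b73'
[+] WPS PIN: '19380247'
[+] WPA PSK: 'de5934e6149bbb2b5c117f2f836001e1a1928037081ec40c837ad5a1a1af44fe'
[+] WPS PIN: '53363480'
[+] WPA PSK: 'VM1AsogutopuYnoke7kAJ'
"""

LINE = re.compile(r"^\s*\[\+\] (WPS PIN|WPA PSK): '(.*)'\s*$")
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def key_kind(key):
    """A WPA-Personal key is a 256-bit PSK (64 hex digits) or an 8-63 char ASCII passphrase."""
    if HEX64.fullmatch(key):
        return "raw-psk"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    return "invalid"

def parse_runs(text):
    """Pair each 'WPS PIN' line with the 'WPA PSK' line that follows it."""
    runs, pin = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "WPS PIN":
            pin = value
        elif pin is not None:
            runs.append((pin, value))
            pin = None
    return runs

def diagnose(text):
    """Label each PIN; a single run can never show a change, so compare at least two."""
    by_pin = defaultdict(list)
    for pin, key in parse_runs(text):
        by_pin[pin].append(key)
    return {pin: "changes-per-run" if len(set(keys)) > 1
            else "constant-" + key_kind(keys[0])
            for pin, keys in by_pin.items()}
```

A "changes-per-run" result matches the wpa_supplicant note quoted earlier in the thread about an AP started in the not-configured state generating a random PSK.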


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Hmm, interesting, I'll check that out. Btw, when you refer to establishing a 
connection, do you mean by PSK or by PIN input?

Original comment by [email protected] on 20 Jan 2012 at 6:33


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
PSK

Original comment by [email protected] on 20 Jan 2012 at 11:44


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Correction - I found that establishing the wireless connection was not the 
trigger that caused the AP to stop returning random 64 hex character keys when 
reaver matched the PIN. After resetting my router back to factory defaults (and 
the random key problem came back) I found that changing the encryption field in 
my wireless security settings from "Automatic(Recommended)" to "AES" is the 
trigger. After this change reaver will consistently return my configured PSK. 
In fact I haven't been able to find any AP configuration screen changes that 
will cause the AP to return the random keys again. I had to reset the device to 
factory defaults and set it up with the "Easy Setup Assistant" program (not the 
browser interface) in order to get the random keys back. Unfortunately this 
behavior is probably unique to the WR1043ND AP.

Original comment by [email protected] on 21 Jan 2012 at 10:06


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I'm having the same issue, reaver detects the correct PIN but it retrieves a 
different PSK every time, also displays an incorrect AP SSID along with it 
(wrong SSID doesn't change, it's always the same but not the correct one).

Original comment by [email protected] on 23 Jan 2012 at 12:40


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I noticed the incorrect SSID as well, it was "Network-nnn" where "nnn" is the 
bssid of my AP. I'd be interested in hearing if any change to the AP encryption 
field will change this behavior on your AP. In my case any change to the 
encryption field (to TKIP, or AES, or changing it back) stopped the random PSK 
behavior.

Original comment by [email protected] on 23 Jan 2012 at 4:12


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
SSID is exactly as you explain. Tomorrow I'll test changing the encryption in 
the AP but it's definitely not the same model.

Original comment by [email protected] on 23 Jan 2012 at 4:34


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I got the same problem with PSK key and SSID on ath9k

Original comment by [email protected] on 11 Feb 2012 at 9:35


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Issue confirmed on an AP WNR1000v2-VC, generates a new PSK which DoSes other 
connected clients... Thus defeating the purpose of the exploit. So I guess it's 
a good thing, seems to be more a Netgear AP issue. 

Original comment by [email protected] on 14 Feb 2012 at 8:52


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I tested it against my cheap Tenda router, same problem here:
    [+] Pin cracked in 11041 seconds
    [+] WPS PIN: '16275362'
    [+] WPA PSK: 'bbc20c6e1c91d3dbf1e2780bb261ab693761eb8a72b4ec8654b093f8c3ed1a68'
    [+] AP SSID: 'Tenda'

Seems cheap routers help.

I'm running BT5 R1, Reaver 1.4.


Original comment by [email protected] on 24 Jun 2012 at 3:20


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Greetings from Bulgaria. I'm having the same issue, reaver detects the correct 
PIN but it retrieves a different PSK every time. Each time it is a 64bit hex 
password, and I found some information about it on:
http://code.google.com/p/reaver-wps/issues/detail?id=343
http://code.google.com/p/reaver-wps/issues/detail?id=25
http://code.google.com/p/wifite/
https://github.com/derv82/wifite
http://code.google.com/p/reaver-wps/issues/detail?id=282
https://code.google.com/p/reaver-wps/issues/detail?id=203
http://code.google.com/p/reaver-wps/issues/detail?id=282
I hope this will be helpful for someone.

Original comment by [email protected] on 16 Aug 2012 at 7:11


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I too am having the same issue, reaver detects the correct PIN but it retrieves 
a different PSK every time, also displays an incorrect AP SSID along with it. 
Does this change affect clients with the old PSK?

Original comment by [email protected] on 11 Oct 2012 at 3:02


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
[deleted comment]


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Hello friends, I found the WiFi WPA code with reaver but can't connect, and 
I have the WPS code, and every time the code changes I get another one but can't 
connect. Help please.

Original comment by [email protected] on 14 Mar 2014 at 2:33


GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
same here...

Original comment by [email protected] on 22 Apr 2014 at 10:44
