Haggis990 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
1 stars 0 forks source link

Triggering WPS lock outs on BTHUB3 #499

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
A few things to consider before submitting an issue:

0. We write documentation for a reason, if you have not read it and are
having problems with Reaver these pages are required reading before
submitting an issue:
http://code.google.com/p/reaver-wps/wiki/HintsAndTips
http://code.google.com/p/reaver-wps/wiki/README
http://code.google.com/p/reaver-wps/wiki/FAQ
http://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers
1. Reaver will only work if your card is in monitor mode.  If you do not
know what monitor mode is then you should learn more about 802.11 hacking
in linux before using Reaver.
2. Using Reaver against access points you do not own or have permission to
attack is illegal.  If you cannot answer basic questions (i.e. model
number, distance away, etc) about the device you are attacking then do not
post your issue here.  We will not help you break the law.
3. Please look through issues that have already been posted and make sure
your question has not already been asked here: http://code.google.com/p
/reaver-wps/issues/list
4. Often times we need packet captures of mon0 while Reaver is running to
troubleshoot the issue (tcpdump -i mon0 -s0 -w broken_reaver.pcap).  Issue
reports with pcap files attached will receive more serious consideration.

Answer the following questions for every issue submitted:

0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

1. What operating system are you using (Linux is the only supported OS)?

BACKTRACK

2. Is your wireless card in monitor mode (yes/no)?

yes

3. What is the signal strength of the Access Point you are trying to crack?

-61

4. What is the manufacturer and model # of the device you are trying to
crack

It's a BTHub3

5. What is the entire command line string you are supplying to reaver?

reaver -i mon0 -b bssid -vv -c 6 -d 45 -5

reaver -i mon0 -b bssid -vv -c 6 -S -N -L -d 30 -r 3:15 -T .5 -x 360

6. Please describe what you think the issue is.

The router firmware is resisting by means of locking WPS seemingly permanently 
(2 days so far[confirmed with wash]), possibly because they have been speaking 
to the author of weaver and have modified their firmware to lockout on more 
than 30 odd failed attempts to log in with WPS.

I hope not but I can't see what else is going wrong.

7. Paste the output from Reaver below.

[+] Waiting for beacon from 00:00:00:00:00
[+] Switching mon1 to channel 1
[+] Associated with 00:00:00:00:00: (ESSID: BTHub3-xxx)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response

And so on and so on, Wash tell's me that WPS has become locked.

I have managed to get 0.12% at a rate of 7100 seconds / pin but all that seemed 
to do was slow down the rate at which i hit the magic number of failed pins 
where the router locks itself down.

Can anyone suggest some new switches / commands to try or confirm that reaver 
no longer works with BTHub3's?

All suggestions gratefully received, thanks

Original issue reported on code.google.com by mat.flet...@gmail.com on 29 Apr 2013 at 2:29

GoogleCodeExporter commented 8 years ago
Presently tinkering with a BTHub3-xxxx & BTHub4-xxxx and I feel your pain. 

The -o and -s commands for saving the output to file and restoring previous 
attempts respectively are going to be useful. So when the router becomes 
unlocked you can pick up the attack where it left off.

Unfortunately.. unless the user manually reboots, the firmware updates or gets 
a power outage these routers will stay locked down once tripped. 

Original comment by BishopPa...@gmail.com on 20 Sep 2013 at 12:57

GoogleCodeExporter commented 8 years ago
Try using reaver 1.5 fork as I'm currently cracking a 2nd BTHH3 which so far 
hasn't had it's pin attempts blocked! I haven't managed to get a pin yet as I 
started the 2nd one when the other had done 300+ pin attempts just to make sure 
it wasn't a fluke! 
The commands to use in terminal to update to the newer version of reaver are as 
follows -

svn checkout http://reaver-wps-fork.googlecode.com/svn/trunk/ 
reaver-wps-fork-read-only
cd reaver-wps-fork-read-only/src
./configure
make distclean && ./configure 
sudo make
sudo make install

You only need to use the make sidtclean && ./configure if you've already got a 
rever version installed. This new reaver has been brought out to switch to 
cracking 8 digit pins without the checksum so it attempts 20,000 keys (I think) 
but only after it's gone through the original 11,000 pins with checksum.

Original comment by mletherl...@gmail.com on 16 Jun 2014 at 6:18

GoogleCodeExporter commented 8 years ago
Cool thanks, I gave up a year ago but I'll try the fork out sometime and
post back

Original comment by mat.flet...@gmail.com on 16 Jun 2014 at 7:46

GoogleCodeExporter commented 8 years ago
any of you have luck with reaver 1.5 and home hub 3? I see i'm not getting 
locked out but wondering whether I'll get there - about 15% through now.

Original comment by azim.hus...@gmail.com on 17 Sep 2014 at 10:06