NoPantsLance / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

Belkin Routers-WPS No then Yes #389

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
We used reaver to clear (crack) out all the near-earth routers in our area and 
began running tests against those that either were far out, i.e. have weak RSSIs 
in the 70s, or were simply just temperamental.

We came across one router worthy of note. It appears to be a Belkin TP Link 
D8:5D:4C:XX:XX:XX. When wash does its initial WPS check it notes that the WPS 
is not locked. However, after running a reaver attack some pins were very slowly 
recovered and at that point wash decided the WPS was locked.

To continue the attack we had to set the delay -l at 180 secs and pin recovery 
then proceeded very, very slowly BUT the process seems to be orderly and 
continuing.

Our conclusions so far in this case are that even if the WPS is reported as 
locked, if a single pin can be recovered the attack still might prove 
successful if enough time is given.

A few things to consider before submitting an issue

0. We write documentation for a reason, if you have not read it and are
having problems with Reaver these pages are required reading before
submitting an issue:
http://code.google.com/p/reaver-wps/wiki/HintsAndTips
http://code.google.com/p/reaver-wps/wiki/README
http://code.google.com/p/reaver-wps/wiki/FAQ
http://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers
1. Reaver will only work if your card is in monitor mode.  If you do not
know what monitor mode is then you should learn more about 802.11 hacking
in linux before using Reaver.
2. Using Reaver against access points you do not own or have permission to
attack is illegal.  If you cannot answer basic questions (i.e. model
number, distance away, etc) about the device you are attacking then do not
post your issue here.  We will not help you break the law.
3. Please look through issues that have already been posted and make sure
your question has not already been asked here:
http://code.google.com/p/reaver-wps/issues/list
4. Often times we need packet captures of mon0 while Reaver is running to
troubleshoot the issue (tcpdump -i mon0 -s0 -w broken_reaver.pcap).  Issue
reports with pcap files attached will receive more serious consideration.

Answer the following questions for every issue submitted:

0. What version of Reaver are you using?  (Only defects against the latest
version will be considered.)

1. What operating system are you using (Linux is the only supported OS)?

2. Is your wireless card in monitor mode (yes/no)?

3. What is the signal strength of the Access Point you are trying to crack?

4. What is the manufacturer and model # of the device you are trying to
crack?

5. What is the entire command line string you are supplying to reaver?

6. Please describe what you think the issue is.

7. Paste the output from Reaver below.

Original issue reported on code.google.com by muske...@yahoo.com on 27 Aug 2012 at 8:15

GoogleCodeExporter commented 8 years ago
Reference the above Belkin router. If the router initially does not lock and 
then locks, try the following reaver command to slowly access the key:

reaver -i mon0 -a -f -c XX -b D8:5D:4C:XX:XX:XX -vv -x 60 -L --mac=00:11:22:33:44:55 # Router Name

Note you can remove the --mac command. However, if you do wish to spoof the mac 
code you must preload other commands prior to using the command indicated 
above or the spoof will not work and reaver will fail. We have noted this 
problem elsewhere in the forum.

Original comment by muske...@yahoo.com on 15 Apr 2013 at 12:45

GoogleCodeExporter commented 8 years ago
We have done further work on this router. If the router initially displays its 
ESSID name, AND 1. at first is seen to not have its WPS locked by wash but 
later, after starting a reaver attack, is shown as WPS locked OR 2. allows 
association but fails to complete any pins OR 3. allows association, obtains a 
few pins and then locks, try using the -e command and the "ESSID name" in the 
reaver command string.

MTA

Original comment by muske...@yahoo.com on 22 May 2013 at 2:51

GoogleCodeExporter commented 8 years ago
Hi, I had two Arris routers available in wash with lock status as NO initially. 
I tried the basic command of reaver to do them, and after 3 attempts, it kept 
on showing "detected ap rate limiting waiting 60 seconds before re-checking". I 
stopped the attack and when I tried to resume it, I couldn't even associate with 
them; the associate fail message and timeout message kept on showing. I checked 
the wash list, and they had both disappeared from it. I don't know if my initial 
attack was discovered by their security software and they turned off the WPS 
feature or the two routers turned off the WPS by themselves due to my attack. 
Later I got familiar with reaver and tried to play with those arguments but 
none of them were working, which showed their WPS seemed already turned off 
permanently for sure.

So what should I do?

I have some plans in mind.

1. Try to force these APs to reboot or reset, either by crashing them via DDoS or 
anything else that will bring similar results, and then they will reboot or 
reset by themselves or their holders will find their networks are not working and 
manually reset their routers. So by that I can use reaver again, but yet the 
new problem is how to prevent them from locking the WPS again.

2. I also tried aircrack, but since their default passwords are up to 16 
characters with a combination of numbers and letters, the dictionary would be 
extremely large. So after a try, I gave up.

3. As I know, I can somehow use the MAC address or the manufacturer of the router 
to search for their default PIN and WEP online (I believe they are still 
default).

4. I don't know if I can log in to the routers' gateway page (192.168.100.1) 
without actually being successfully connected to the router (I mean just type a random 
password when I try to connect to them and it will still show the status as 
"connected" in my connection panel). (And again, I still believe that the username 
and password are still default, which are admin and 1234.)

Above are all the ways I can think of. Could you please give me some 
suggestions, or how did you successfully crack those self-locked-permanently 
routers?

Many many thanks for your help in advance.

Original comment by fdsavv...@gmail.com on 4 Aug 2013 at 8:01

GoogleCodeExporter commented 8 years ago
If the router ends up becoming locked at any point in your attack, it may be 
helpful to change your --lock-delay to 330 even though its default should be at 
315 (5 min 15 sec). I run reaver using reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 11 
-d 180 --lock-delay=330 -vv

It may also be helpful to use the wicd network manager and run a false connection 
(bad password) to take the router out of lock mode. Works very seldom but has 
been known to work for me here and there.

Good luck and happy hacking. 

Please do not use any of this advice for illegal usage. This is for educational 
purposes only. Send attacks to your own router.

Original comment by dj.kil...@gmail.com on 1 Sep 2013 at 5:50
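
The behaviour reported in this thread (a few failed PIN attempts, the AP locks WPS, the client waits out the lock and carries on) leaves a recognisable trace for whoever operates the access point. The detector below is an added example, not part of the original thread or of the Reaver project; the log line format, the event names, the BSSIDs and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <BSSID> <event>". The line format and
# the event names are assumptions for this example, not output of a real tool.
SAMPLE_LOG = """\
2013-09-01T05:00:00 02:00:00:00:00:01 WPS_FAIL
2013-09-01T05:00:11 02:00:00:00:00:01 WPS_LOCKED
2013-09-01T05:05:11 02:00:00:00:00:01 WPS_UNLOCKED
2013-09-01T05:05:20 02:00:00:00:00:01 WPS_FAIL
2013-09-01T05:05:31 02:00:00:00:00:01 WPS_LOCKED
2013-09-01T05:10:31 02:00:00:00:00:01 WPS_UNLOCKED
2013-09-01T05:10:40 02:00:00:00:00:01 WPS_FAIL
2013-09-01T05:10:41 02:00:00:00:00:01 WPS_LOCKED
2013-09-01T05:15:41 02:00:00:00:00:01 WPS_UNLOCKED
2013-09-01T05:15:50 02:00:00:00:00:01 WPS_FAIL
2013-09-01T06:00:00 02:00:00:00:00:02 WPS_FAIL
2013-09-01T06:00:03 02:00:00:00:00:02 WPS_LOCKED
2013-09-01T06:05:03 02:00:00:00:00:02 WPS_UNLOCKED
2013-09-01T09:30:00 02:00:00:00:00:02 WPS_FAIL
"""

def parse(log):
    """Yield (time, bssid, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def lock_cycles(log, resume_within=timedelta(minutes=2)):
    """Per BSSID, count unlocks that were followed quickly by a failed PIN."""
    locked, last_unlock, cycles = set(), {}, defaultdict(int)
    for ts, bssid, event in sorted(parse(log)):
        if event == "WPS_LOCKED":
            locked.add(bssid)
        elif event == "WPS_UNLOCKED" and bssid in locked:
            locked.discard(bssid)
            last_unlock[bssid] = ts
        elif event == "WPS_FAIL":
            unlocked_at = last_unlock.pop(bssid, None)
            if unlocked_at is not None and ts - unlocked_at <= resume_within:
                cycles[bssid] += 1
    return dict(cycles)

def flag_slow_bruteforce(log, min_cycles=3):
    """BSSIDs whose lockout was waited out and retried at least min_cycles times."""
    return sorted(b for b, n in lock_cycles(log).items() if n >= min_cycles)
```

On the sample, the first AP is flagged after three lock-and-resume cycles, while the second (one lock, then an unrelated failure hours later) is not. A timed lock only slows this pattern, which is why disabling WPS PIN enrolment on the AP is the durable fix.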

GoogleCodeExporter commented 8 years ago
Hi My Dear Brothers,
I got success in cracking over WPA-PSK routers/modems by using Reaver1.4 and 
currently I am using BackTrack5R3.
While cracking WPA2-PSK (wash tells me that -WPS Locked- "No"), I ran 
Reaver1.4 to crack it. I use Reaver -i mon0 -c XX -b XX -S -L -vv
Then
" switching mon0 channel xx
Waiting Becon from xx:xx:xx:xx:xx
associating with xx:xx:xx:xx:xx (ESSID:XXXX)
Trying Pin 12345670
Sending EAPOL start request
Received Identity request
Sending Identity Repose.
--------------------------------------------------
Now it stops here and does not go further. I even waited one hour.
Then I saw in Google Code that in this case you open another Konsole and try
aireplay-ng -1 120 -a BSSID mon0
But the issue remains the same. Is there any issue with attacking WPA2-PSK PIN codes?

Guidance is required about this Issue on this forum.
Thanks

Original comment by farrukhb...@gmail.com on 20 Dec 2013 at 5:28