GoogleCodeExporter opened this issue 8 years ago
You can try with the -L command, but it's probably gonna end up stuck at
90.90% no matter what version. I tested it thoroughly with 1.4 and now I'm
going to try the same network with 1.3.
Original comment by dukesemt...@gmail.com
on 11 Aug 2012 at 8:43
See note 389 we just posted. We have an ongoing and what appears to be slow
but successful attack against a Belkin router that appears to be locked.
Original comment by muske...@yahoo.com
on 27 Aug 2012 at 8:27
Someone make something about WPS lock, I heard they use aireplay for this,
anyone have an idea about this, tell me please. :D
Original comment by matre...@gmail.com
on 29 Oct 2012 at 9:54
yes, use aireplay only to associate,
then use reaver with the -A command
Original comment by abcdzo...@gmail.com
on 25 Jan 2013 at 5:29
TO: EVERYONE - EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING
FOR 10-20 SECONDS!
I have found a way to effectively flood a new model (manufactured in either
2012 or 2013) Cisco router to make it reboot with a WPS locked
status of "NO". Also I will prove that using Authentication DOS mode flooding
has no effect on THIS router!
DETAILS OF THIS ROUTER
From one of the M1 EAP packets captured from my wireless card, details of this
router are as follows
bssid c8:d7:19:0a:bf:35
Manufacturer: Cisco
Model Number: 123
Serial Number: 12345
Model Name: WAP
Channel type: 802.11g (pure-g) (0x00c0)
I did some research using these details and found out that this access point
was modern in age.
Behaviour of this CISCO Router
This type of router is not affected by a script changing your MAC address. Also,
if you try 3 pins the router starts
an exponential clock that rate limits another couple of pins reaver tries, and
then the router totally locks itself for one/two days,
even if I gave reaver the option to try 1 pin every 3 minutes (worthless)..
THIS LINK "https://www.youtube.com/watch?v=hHVPSJn4Fqo" HAS A VIDEO I
MADE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH
THIS PARTICULAR AP.
BRIEF NOTES
I focused on the stated Cisco Access Point that I came across with the new
exponential wps mechanism.
THE TWO ATTACKS I USED ARE:
1. MDK3 Authentication DOS Flood Attack - floods the AP with too many fake
clients so that the router is overloaded
2. EAPOL Start Flood Attack - authenticates to the AP and sends too many EAPOL
Start requests so that the router is unable to respond to the volume of EAPOL
requests and reboots itself.
MDK3 AUTHENTICATION DOS FLOOD ATTACK
This attack is useful on SOME routers. The important point to note is HOW I USE
THESE ATTACKS!
(I have three wireless adapters - AWUS036NHA, AWUS036NH and TP-LINK 722N - and I
used the AWUS036NHA and AWUS036NH to carry out this attack numerous times)
HOW I ATTACKED THIS ACCESS POINT USING AUTHENTICATION DOS FLOOD ATTACK
I started my wireless card on three monitor interfaces, mon0, mon1 and mon2.
In three terminals, I used the command lines
mdk3 mon0 a -a C8:D7:19:0A:BF:35 #TERMINAL 1
mdk3 mon1 a -a C8:D7:19:0A:BF:35 #TERMINAL 2
mdk3 mon2 a -a C8:D7:19:0A:BF:35 #TERMINAL 3
Note:
I ensured that the router was WPS locked permanently so that I could test the
effectiveness of the attack. Also, a point to note, I did not use one command
line with one monitor interface since it was futile. I blasted the router on
three monitor interfaces! Now I am blasting away at the router for hours! After
blasting away the access point is still locked! I tried this attack for days to
convince myself!
MDK3 EAPOL START FLOOD ATTACK
I started my wireless card on three monitor interfaces, mon0, mon1 and mon2
mdk3 mon0 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 1 (SEE VIDEO
FOR REASON OF USING THE -s 100 FLAG)
mdk3 mon1 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 2
mdk3 mon2 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 3
Note: I tried again using 1 monitor interface to carry out the attack but it
took hours for the router to reboot and I was not sure if the attack was the
main reason for the router rebooting! In this scenario I tried blasting the
router in three terminals. This "Shock Attack" method ran for about 20
seconds and the router rebooted with WPS locked status "NO". I TRIED THIS
ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS WITH THE ACCESS POINT REBOOTING
AND UNLOCKING ITSELF (WPS)!! Also packet analysis significantly helped me to
understand the connection between EAPOL and a router's behaviour towards open
authentication requests, which makes it impossible to stick to one method for
flooding ALL APs (see the video link above).
BASH SCRIPT WRITING
Soon I will write a bash script to execute all the steps in my video (I need
time to chill….).
OTHER ACCESS POINTS INVESTIGATED
I Have Also Assessed The Behaviour Of Three Other Cisco Access Points That Rate
Limit Pins In A Systematic Way But Did Not Lock Up in an exponential manner!
I will give an update if I do come across any other access points that
behave somewhat differently. Do share your experience in relation to any new
updates on WPS!
Original comment by repzerow...@gmail.com
on 12 Apr 2014 at 12:38
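As an added example (not code from this thread or from reaver/mdk3), here is the check a defender could run over captured 802.11 frame events to spot the two floods described in the post above: the authentication flood shows up as many distinct client MACs in a short window, the EAPOL-Start flood as a burst of EAPOL-Start frames toward one BSSID. The input format, thresholds, and sample data are my assumptions.

```python
# Added example, not from the thread: a minimal wireless-IDS check for the
# authentication flood and EAPOL-Start flood described above.
# Assumed input (my assumption): (timestamp_s, bssid, src_mac, kind) tuples,
# kind being "auth_req" (802.11 Authentication request) or "eapol_start".
# Thresholds are illustrative; tune them to the deployment's real baseline.
from collections import defaultdict, deque

AUTH_FLOOD_DISTINCT_SRC = 50   # distinct client MACs seen within one window
EAPOL_START_PER_WINDOW = 30    # EAPOL-Start frames per window, any source

def detect_floods(frames, window=1.0):
    """Return one alert (ts, bssid, label, count) per BSSID and flood type."""
    auth = defaultdict(deque)    # bssid -> (ts, src) pairs inside the window
    eapol = defaultdict(deque)   # bssid -> EAPOL-Start timestamps in window
    seen, alerts = set(), []
    for ts, bssid, src, kind in sorted(frames):
        if kind == "auth_req":
            q = auth[bssid]
            q.append((ts, src))
            while ts - q[0][0] > window:
                q.popleft()
            count, label = len({s for _, s in q}), "auth_flood"
            threshold = AUTH_FLOOD_DISTINCT_SRC
        elif kind == "eapol_start":
            q = eapol[bssid]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            count, label = len(q), "eapol_start_flood"
            threshold = EAPOL_START_PER_WINDOW
        else:
            continue
        if count >= threshold and (bssid, label) not in seen:
            seen.add((bssid, label))
            alerts.append((ts, bssid, label, count))
    return alerts

# Constructed sample: a few legitimate reconnects spread over a minute, then a
# 100-frame EAPOL-Start burst in one second (what a "-s 100" flood looks like
# on the air), then 60 auth requests from 60 spoofed MACs within 0.6 s.
AP = "02:00:00:00:00:01"
SAMPLE = [(t * 10.0, AP, "02:00:00:00:00:%02x" % (10 + t), "eapol_start") for t in range(6)]
SAMPLE += [(120.0 + i / 100.0, AP, "02:00:00:00:00:20", "eapol_start") for i in range(100)]
SAMPLE += [(200.0 + i / 100.0, AP, "02:00:00:00:01:%02x" % i, "auth_req") for i in range(60)]

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

Because each flood type fires once per BSSID, a monitor can also time how soon the AP's beacons stop after the alert, which is the reboot symptom the post reports.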
TO: EVERYONE - THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL
START ATTACK!!
I have underestimated this attack! IT WORKS ON ALMOST ALL THE APs THAT I PICKED
UP THAT HAVE THE WPS RATE LIMITING FEATURE.. Despite some APs refusing to accept too
many EAPOL packets, once mdk3 authenticates it floods the AP quickly until a
deauthentication packet is sent from the AP to break the connection.
FOR FURTHER PROOF CHECK ANOTHER VIDEO THAT IS POSTED ON MY CHANNEL, LINK
https://www.youtube.com/watch?v=_uVv...ature=youtu.be
Also, instead of running three attacks in three terminals, I used one terminal
to carry out three attacks using
EXAMPLE
#timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>
& timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>
& timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>
PENDING: I AM CURRENTLY WRITING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT
ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINISHED.
IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE
SO THAT I CAN COMPARE IT WITH MY WORK-IN-PROGRESS SCRIPT!
Original comment by repzerow...@gmail.com
on 17 Apr 2014 at 2:34
check out ANOTHER video that shows how the EAPOL Start flood attack caused two
other access points to unlock, with WPS status "NO"!
LINK
https://www.youtube.com/watch?v=_uVvi8qf7JY
Original comment by repzerow...@gmail.com
on 18 Apr 2014 at 12:26
hello repzerow...@yahoo.com
This doesn't work for me
Original comment by cln...@gmail.com
on 28 Apr 2014 at 8:58
TO: cln...@gmail.com
are you getting a lot of "Failed authentication" with the mdk3 EAPOL start flood
attack? Then it can be an authentication problem due to signal strength.
Failing to authenticate to the access point = failing to flood the AP with this
attack
Original comment by repzerow...@gmail.com
on 1 May 2014 at 12:29
it doesn't work for meeeeee
Original comment by nerv...@gmail.com
on 18 Aug 2014 at 3:25
Hey repzerow, any chance you finished your script?
Greatly appreciate your work,
Cheers
Original comment by Nils.Ave...@gmail.com
on 24 Aug 2014 at 7:39
how do I run the script file?
and how do I get that multiplication sign in the command?
Original comment by salmanar...@gmail.com
on 24 Sep 2014 at 11:51
hey guys, so I am trying to hack a locked WPS, is there any way to do it or do u just need to wait 5 mins so it unlocks??? thanks a lot
Original issue reported on code.google.com by
shadimgh...@gmail.com
on 8 Aug 2012 at 9:03