markcox / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

AP Lockdown Workaround #70

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. reaver -i mon0 -b[bssid] -L -vv
2.
3.

What is the expected output? What do you see instead?

Reaver associates to AP and begins injecting pins, but AP shuts down WPS 
service after about 16 failed attemps or so. This particular AP requires to be 
rebooted in order to resume WPS service. This is an AP issue, not a Reaver 
issue.
Question: Is it possible to force an AP to reboot remotely? My thought process 
is that this function could be included in Reaver as an option when it detects 
an AP lockdown, it then forces a reboot of the AP and does its 315-second wait 
before resuming the attack. 

Just wanted to throw this out there as a potential workaround for lockdowns.

Thanks for the great work!

What version of the product are you using? On what operating system?

Reaver 1.2, Linux, Backtrack 5 64-bit.

Please provide any additional information below.

Dlink AP, ath5k adapter

Original issue reported on code.google.com by brloz...@comcast.net on 4 Jan 2012 at 3:36

GoogleCodeExporter commented 9 years ago
how do you expect to reboot a device that is not under your administrative 
control remotely?

apart from DoS I don't see it happening

Original comment by jcdento...@gmail.com on 4 Jan 2012 at 3:46

GoogleCodeExporter commented 9 years ago
Yeah...I don't know of any way of doing a remote reboot without administrative 
control either. Just wanted to see if anybody out there knew if there was a 
way. Reaver is a great tool for brute-forcing WPS, but unless there is a way to 
work around lock downs, it won't be of much use with AP's that permanently 
shutdown WPS when there are too many failed attempts. That said, I don't know 
how many AP manufacturers have that function built into their devices, but I 
know there are at least a couple.

Original comment by brloz...@comcast.net on 4 Jan 2012 at 4:02

GoogleCodeExporter commented 9 years ago
There are only a couple that I have run into that permanently lock WPS. This 
appears to be specific to a certain model, not to a certain vendor (for 
example, I have several D-Links here that do not implement any type of WPS lock 
downs).

Have you tried playing with the timing options in Reaver? Sometimes APs will 
only lock if X number of failed attempts are made within a given time period. 
For example, if your AP is locking after 16 attempts within 5 minutes, you can 
tell reaver to do 10 or 15 attempts at a time, and sleep for 6 minutes in 
between. Not all APs do this though, and you'll have to experiment, so YMMV.

The only way I can think of that would work for forcing an AP to reboot would 
be some type of wireless DoS against the AP that would cause it to crash and 
reboot. This is not pretty, but it would work, and such DoS vulnerabilities 
have been found in APs before. But this would obviously be very specific to the 
AP and is likely not something that will be implemented in Reaver.

Original comment by cheff...@tacnetsol.com on 4 Jan 2012 at 4:11

GoogleCodeExporter commented 9 years ago
Ok, thanks cheff. I'll do some experimenting with my AP as you suggested, and 
I'll report back if I find anything that could be useful.

I appreciate your great work and tremendous effort!

Original comment by brloz...@comcast.net on 4 Jan 2012 at 4:22

GoogleCodeExporter commented 9 years ago
Just a Thought...
Is lock down triggered by multiple attacks from a specific MAC and does it the 
lock out everyone? If not, Reaver could spoof a different random MAC before 
each attempt.

Original comment by julian.g...@gmail.com on 22 Apr 2012 at 9:00

GoogleCodeExporter commented 9 years ago
a possible solution is in the application known as mdk3. 

If you use the "w" option to scramble router security systems, It will take 
much longer for wps to lock. It will still happen but will take longer. This 
same application can be used to reset the router if that pesky wps lock happens 
again.

Original comment by metaltu...@gmail.com on 6 Aug 2013 at 8:28

GoogleCodeExporter commented 9 years ago
I have found an effective way to flood Access Point rate limit pins by flooding 
it for 10-20 seconds.
Check the following links to see how i carried out the attacks!

https://www.youtube.com/watch?v=hHVPSJn4Fqo
https://www.youtube.com/watch?v=_uVvi8qf7JY

Original comment by repzerow...@gmail.com on 18 Apr 2014 at 4:10