markscript / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Reaver attempts 21 PINs only! #563

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hello peoples,

I have been attempting to crack my BT home hub 2 (Type B) using WPA2 
encryption, which has a 10 character hex password.. I know this is probably a 
futile task, but that's not what I need help with. FYI: I have cracked it using 
Aircrack-ng, changing the pw to a dictionary word... easy peezy!

Anyway, the problem I am facing is that when I run Reaver it attempts exactly 
21 PIN tries and then just continues to send and receive identity. I am fairly 
sure that this is because after a while the hub locks the WPS. I include 
--ignore-locks but this has no effect.

Does anyone know of a way to get round this?

My steps are as follows:

airmon-ng
airmon-ng start wlan0 (using an ALFA AWUS036NH btw)
wash -i mon0 --ignore-fcs (At this point WPS Locked = No)
sudo reaver -i mon0 -c 11 -a -b XX:XX:XX:XX:XX:XX -vv --ignore-locks -d 0

Reaver then attempts 21 different PINs and then just keeps sending / receiving 
identity requests / response. After several minutes I run wash cmd again to 
check WPS and it is now Locked!

How can I get round this, is it even possible?

Thanks for your help :)

Original issue reported on code.google.com by brovash...@gmail.com on 24 Sep 2013 at 8:29

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I guess your router locks after 21 false attempts, its possible to crack that 
password since reaver is changing pins but in such cases it must be a much 
slower attack, so the router doesnt get spooked.

i suggest you increase the -d value for a start, reaver will try pins slower, i 
would begin with somethig like -d 61, 1 pin per minute and see if it passes the 
21st attempt, if so, you can start decreasing the -d value to your routers 
taste and get a faster crack. 

Also check and eventually use other delay flags with reaver.

-d, --delay=<seconds>           Set the delay between pin attempts 
-x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected 
failures
-r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
-t, --timeout=<seconds>         Set the receive timeout period 

I own a Technicolor that locks after the 3rd false pin attempt, in my case i 
could only get passed the 3rd attempt after increasing the -d value for a few 
minutes between each pin attempt, i never took the time to ajust it to its 
minimum, but that means it would take a good while to crack this one, and 
theres nothing wrong with reaver its the routers defence thats causing the 
issue.

hope this helps

Original comment by Troikaop...@gmail.com on 25 Sep 2013 at 4:19

GoogleCodeExporter commented 8 years ago
British Telecom Hubs are particularly tough nuts that require patience, so any 
Reaver attack has to be spread over many days. Giving you a complete tutorial & 
example won't help you learn how to pentest but I can give you a hint.. 

Try using #!bash scripting to completely start/stop the wifi card & Reaver at 
timed intervals or have a read of the documentation for the -D option 
(daemonize) and experiment with that.

Original comment by BishopPa...@gmail.com on 30 Sep 2013 at 6:32

GoogleCodeExporter commented 8 years ago
Thanks for the help guys.. sorry I've didn't respond sooner, I put this down 
for a bit but am back on it this week(end).

I will have a play and report back tomorrow / Sun.

Wish me luck! :)

Original comment by brovash...@gmail.com on 4 Oct 2013 at 6:13

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
No joy yet, and keep having to get up and restart my router, to reset the WPS...

Is there a way to reset / reboot my router from BackTrack? Reaver?

Could a #!bash script do it? if so, has anyone got or know where I can get?

:)

Original comment by brovash...@gmail.com on 4 Oct 2013 at 7:55

GoogleCodeExporter commented 8 years ago
try commands attack router:
mdk3 mon0 a -i xx:xx:xx:xx:xx:xx -m -s 1024
mdk3 mon0 m -t xx:xx:xx:xx:xx:xx -j -w 1 -n 1024 -s 1024
see if force reboot....

Original comment by deltomaf...@gmail.com on 5 Oct 2013 at 3:29

GoogleCodeExporter commented 8 years ago
Thanks deltomaf,

I will give that a try now and report back.

Original comment by brovash...@gmail.com on 6 Oct 2013 at 12:06

GoogleCodeExporter commented 8 years ago
Just a quick update:

re: attack command - I run )mdk3 mon0 a -i xx:xx:xx:xx:xx:xx -m -s 1024) but it 
is only creating (I think packets) and all other info i.e. Auth / Associated / 
Got Kicked / captured / sent etc. all remain 0.
Running (mdk3 mon0 m -t xx:xx:xx:xx:xx:xx -j -w 1 -n 1024 -s 1024) attempts to 
inject QoS packets with priority flicking between 0,1 or 3! Reinjecting...
These seem to have no affect on my router, and so am still up and down from my 
chair! :(

Re: the router cracking - I have just realised that attepting this after 
setting my mac to a random mac, somthing I do out of habbit when setting my 
card to monitor mode, will prevent this from working and continuing to display 
an error - retrying last pin.
I think Troikoap's suggestion may work as by increasing -d to 61 seemed to 
allow a lot more pin attempts. I dont know if the repeated pin attempts while 
using a -r mac counted towards the WPS locking, but after this and using 3-4 
different -d values I lost count as to how many attempts where actually made... 
and mid way through restarted my machine to reste my mac to start over and 
didnt count attempts beforehand.

Im going to make a munch and start over fresh, will report back when I've found 
the optimal -d value.

If anyone can shed some light on the router attack commands to restart it from 
my seat, it would be very much appreciated.

:)

Original comment by brovash...@gmail.com on 12 Oct 2013 at 2:06

GoogleCodeExporter commented 8 years ago
ok try with:
mdk3 mon0 a -a xx:xx:xx:xx:xx:xx -m

wait until 70.000 if reboot...

Original comment by deltomaf...@gmail.com on 13 Oct 2013 at 6:47

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago

Hi, 

So I guess you figured both your problems .  For reaver to pass the 21st 
attempt you should play with -d flag. Start at -d 61 and leave it overnight, if 
next morning you have progress, try decreasing to -51 next night, decrease 10 
every night until you find at what value it locks, then your left with a 10 gap 
to play and find the optimal value.

For restarting the router... If you don't have access to it, the mdk3 attack 
that delto suggested is the best way i personally know to bypass the active wps 
lock , but i found it takes a lot of time for newer routers to be confused 
enough to reboot, much more than 70.000. So it might be faster and safer for 
the router to just go there and manually restart. 
As you have access to router,  I suggest you restart via browser , access the 
admin configs page and if you dont have that option specifically, try changing 
some other configs for example the essid name or the password, router should 
restart after you save changes, Google it. 
Alternatively you can figure a way of doing it physically,  have a on/off 
switch in the electrical wire that feeds it, use electrical timer, radio 
control device that pushes the button... be creative :)

Hope it helps 

Original comment by Troikaop...@gmail.com on 27 Oct 2013 at 4:36

GoogleCodeExporter commented 8 years ago
im try in the same thing mine got stuck a few times in loops did -p998 sorted 
that reaver 1.4 btw and left in of from 3 till 12 not cracked so thourt id type 
the pin in and timed out so I have come here thanks for all that you put I 
shall go forth and try is it possebel ever 12 attempts to change the mac: of my 
pc 

Original comment by Mennis...@gmail.com on 3 Jan 2014 at 12:00

GoogleCodeExporter commented 8 years ago
reviving old thread - reaver 1.5 solves this issue. not sure how, but no lock 
outs with hh3.

Original comment by azim.hus...@gmail.com on 18 Sep 2014 at 3:02

GoogleCodeExporter commented 8 years ago
Whats hh3 and did any body manage it yet its been so long my street switched to 
talk talk I had look with a -d of 120

Original comment by Mennis...@gmail.com on 23 Jan 2015 at 2:46