WPS lock can it be hacked ???

[GoogleCodeExporter]

hey guys so amtrying to hack a locked WPS is there anyway to do it or u just 
need to wait 5 mins so it unlock ??? thanks alot

Original issue reported on code.google.com by shadimgh...@gmail.com on 8 Aug 2012 at 9:03

[GoogleCodeExporter]

You can try with the -L command, but it's probably gonna end up stucked at 
90.90% no matter what version. I tested it thoroughly with 1.4 and now I'm 
going to try the same network with 1.3.

Original comment by dukesemt...@gmail.com on 11 Aug 2012 at 8:43

[GoogleCodeExporter]

See note 389 we just posted. We have an on going and what appears to be slow 
but successful attack aginst a Belkin router that appear to be locked.  

Original comment by muske...@yahoo.com on 27 Aug 2012 at 8:27

[GoogleCodeExporter]

Someone make somthing about WPS lock, i heard they use airplay for this,
 anyone have idea about this tell me please. :D 

Original comment by matre...@gmail.com on 29 Oct 2012 at 9:54

[GoogleCodeExporter]

yes use aireplay only to associte

then use reaver with the -A command

Original comment by abcdzo...@gmail.com on 25 Jan 2013 at 5:29

[GoogleCodeExporter]

TO: EVERYONE- EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING 
FOR 10-20 SECONDS!
i have found a way to effectively flood a new model (either year 2012/2013 
manufactured) cisco router to make it reboot with a wps locked
status as "NO". Also i will prove that using Authentication DOS mode flooding 
has no effects of flooding THIS router!

DETAILS OF THIS ROUTER

From one of the M1 EAP packets captured from my wireless card, details of this 
router are as follows

bssid c8:d7:19:0a:bf:35
Manufacturer: Cisco
Model Number: 123
Serial Number: 12345
Model Name: WAP
Channel type: 802.11g (pure-g) (0x00c0)

I did some research using these details found found out that this access point 
was modern in age.

Behaviour of this CISCO Router

This type of router is not affected by a script changing your mac address. Also 
if you try a 3 pins the router starts
an exponential clock that rate limit another counple of pins reaver tries and 
then the router totally lock itself for one/two day.
even if i gave reaver the option to try 1 pin every 3 minutes (worthless)..

THIS LINK “https://www.youtube.com/watch?v=hHVPSJn4Fqo” HAS A VIDEO I HAVE 
DONE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH 
THIS PARTICULAR AP.

BRIEF NOTES
I focused on the stated Cisco Access Point that I came across with the new 
exponential wps mechanism.

THE TWO ATTACKS I USED ARE:
1. MDK3 Authentication DOS Flood Attack- floods the AP with too much fake 
clients so that the router is overloaded
2. EAPOL Start Flood Attack- Authenticates to the AP and sends too much EAPOL 
Start requests so that the router is unable to respond to the volume of EAPOL 
requests and reboot itself.

MDK3 AUTHENTICATION DOS FLOOD ATTACK
This attack is useful on SOME routers. The important point to note is HOW I USE 
THESE ATTACKS!.
( I have three wireless adapter- AWUS036NHA, AWUS036NH and TP-LINK 722N and I 
use AWUS036NHA and AWUS036NH to carry out this attack numerous times)
HOW I ATTACKED THIS ACCESS POINT USING AUTHENTICATION DOS FLOOD ATTACK
I started my wireless card on three monitor interface, mon0, mon1 and mon2
In three terminal, I use the command line
mdk3 mon0 a –a C87:19:0A:BF:35 #TERMINAL 1
mdk3 mon1 a –a " " " # TERMINAL 2
mdk3 mon1 a –a " " " #TERMINAL 3
Note:
I ensure that the router was wps locked permanently so that I can test the 
effectiveness of the attack. Also, a point to note, I did not use one command 
line with one monitor interface since it was futile. I blasted the router on 
three monitor interfaces!.Now I am blasting away the router for hours!. After 
blasting away the Access Point is still locked! I tried this attack for days to 
convince myself!.

MDK3 EAPOL START FLOOD ATTACK
I started my wireless card on three monitor interface, mon0, mon1 and mon2
mdk3 mon1 x 0 –t C87:19:0A:BF:35 –n Riznet –s 100 #TERMINAL 1 (SEE VIDEO 
FOR REASON OF USING –S 100 FLAG)
mdk3 mon1 x 0 –t " " " –n Riznet –s 100 # TERMINAL 2
mdk3 mon1 x 0 –t " " " –n Riznet –s 100 #TERMINAL 3
Note: I tried again using 1 monitor interface to carry out the attack but it 
took hours for the router to reboot and I was not sure if the attack was the 
main reason for the router rebooting!. In this scenario I tried blasting the 
router in three terminals. This “Shock Attack” method ran for about 20 
seconds and the router reboot with wps locked status as “NO”. I TRIED THIS 
ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS WITH THE ACCESS POINT REBOOTING 
AND UNLOCKING ITSELF (WPS) !!. Also packet analysis significantly helped me to 
understand the connection between EAPOL and a router behavior to open 
authentication request which makes it impossible to stick to one method for 
flooding ALL AP (see the video link above).

BASH SCRIPT WRITING
Soon I will write a bash script to execute all the steps in my video (I need 
time to chill….).

OTHER ACCESS POINTS INVESTIGATED
I Have Also Assessed The Behaviour Of Three Other Cisco Access Points That Rate 
Limit Pin In A Systematic Way But Did Not Locked Up in an exponential manner!. 
I will give gave an update if I do come across any other access points that 
behaved somewhat different. Do share your experience in relation to any new 
updates on wps! 

Original comment by repzerow...@gmail.com on 12 Apr 2014 at 12:38

[GoogleCodeExporter]

TO: EVERYONE-THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL 
START ATTACK!!

I have underestimated this attack!. IT WORKS ON ALMOST ALL THE AP THAT I PICKED 
UP THAT HAS THE WPS RATE LIMITING FEATURE..Despite some AP refuses to accept to 
many eapol packets, one mdk3 authenticates it floods the AP quickly until a 
deauthentication packet is sent from the AP to break the connection.
FOR FURTHER PROOF CHECK ANOTHER VIDEO IS POST ON MY CHANNEL LINK 
https://www.youtube.com/watch?v=_uVv...ature=youtu.be

Also, instead of running three attacks in three terminal, i used one terminal 
to carry out three attacks using

EXAMPLE
#timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> 
& timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec) 
& timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>

PENDING: I AM CURRENTLY WRITTING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT 
ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINSHED.
IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE 
SO THAT I CAN COMPARE IT WITH MY WORK IN PROGRESS SCRIPT! 

Original comment by repzerow...@gmail.com on 17 Apr 2014 at 2:34

[GoogleCodeExporter]

check out ANOTHER video that showed how the EAPOL Start flood attack caused two 
other access points to unlock  WPS status to "NO" !

LINK 
https://www.youtube.com/watch?v=_uVvi8qf7JY

Original comment by repzerow...@gmail.com on 18 Apr 2014 at 12:26

[GoogleCodeExporter]

hello repzerow...@yahoo.com 

This doesn't work for me

Original comment by cln...@gmail.com on 28 Apr 2014 at 8:58

[GoogleCodeExporter]

TO: cln...@gmail.com

are you getting alot of "Failed authentication with the mdk3 eapol start flood 
attack? then it can be an authentication problem due to signal strength. 
failing to authenticate to the Access Point= failing to flood the AP with this 
attack

Original comment by repzerow...@gmail.com on 1 May 2014 at 12:29

[GoogleCodeExporter]

no me funcionaaaaaaaaaa

Original comment by nerv...@gmail.com on 18 Aug 2014 at 3:25

[GoogleCodeExporter]

Hey repzerow, any chance you finished your script?
Greatly appreciate your work,
Cheers

Original comment by Nils.Ave...@gmail.com on 24 Aug 2014 at 7:39

[GoogleCodeExporter]

how to run the script file?
and how to get that multiplication sign in command?

Original comment by salmanar...@gmail.com on 24 Sep 2014 at 11:51