PDA

View Full Version : [Q] How to prevent wps lock?



stiw47
2013-06-05, 10:09
Hello.

I trying to "hack" my own router TP-LINK with MAC address 90:F6:52:XX:XX:XX and wpa2 psk, but after 5 attempts, I got a permanent wps lock. I try and try so many times, with so many diferent options, but everytime is the same - wps lock after 5 pin attempts. I have a Kali amd64 hdd installed on Toshiba Satellite pro U400, and using Alfa AWUS036H for this action. My Alfa card is in monitor mode (airmon-ng start wlan1). My phisical MAC addres (wlan1) is spoofed with macchanger. It's a same like MAC address wich often connect on AP (MAC address of my second laptop). I spoofed mon0 MAC address also.

I associated on AP:


aireplay-ng mon0 -1 120 -a 90:F6:52:XX:XX:XX -e "myrouter"

I try to add delay:


reaver -i mon0 -b 90:F6:52:XX:XX:XX -vv -d 30

I try to add delay after few attempts:


reaver -i mon0 -b 90:F6:52:XX:XX:XX -vv -d 30 -r 4:120

I try to add MAC options:


reaver -i mon0 -b 90:F6:52:XX:XX:XX -vv -d 30 -r 4:120 --mac=XX:XX:XX:XX:XX:XX

I try (I think) every possible options like: --win7, --ignore-locks, --no-nacks, --dh-small, -t XX etc etc, but without succes.
I also try some crazy delays like:


reaver -i mon0 -b 90:F6:52:XX:XX:XX -d 60 -r 3:600 -vv

but without succes. Everytime, wps was locked after 5 pin attempts.

I was read on internet that newest firmwares on routers doing exactly this - permanent wps lock after few attempts, but I can not to find, how to prevent this with reaver.

Does anybody know, is it possible to prevent this, or is it posible to set dinamic MAC address in reaver and how?

Sorry cause bad bad English, thanks in advance.

b0z0dcl0wn
2013-06-05, 17:41
http://www.tp-link.com/en/article/?faqid=382

Some brands implement lockouts after a certain ammount of failed tries. Looks like TP-links one of them... I've noticed it on some netgears as well. Some brands will ban the mac, some will shutdown wps entirely. Sometimes its a temporary lockout like 24 hours, sometimes it turns it off until you turn it on again on the router. Hope that helps somewhat...

stiw47
2013-06-05, 23:37
Yeah, I know all that, but I wondering, is there any way to avoid it?

I found interesting combination wit mdk3 here (http://top-hat-sec.com/forum/index.php?topic=1014.msg23799#msg23799). May be useful for someone, but without succes for me.

0pt1k
2013-06-06, 15:50
Sometimes association through aireplay-ng has helped.

airodump-ng --bssid 00:11:22:33:44:55 -c 6 mon0

aireplay-ng -1 10 -a 00:11:22:33:44:55 mon0
Then run reaver with the -A switch.

reaver -i mon0 -a -A -b 00:11:22:33:44:55 -v
If you have another computer connected on the network
you can try spoofing that mac to see if that speeds things up.

0pt1k

stiw47
2013-06-06, 22:33
I was allready asociated with:


aireplay-ng mon0 -1 120 -a 90:F6:52:XX:XX:XX -e "myrouter"

but I was try your way also, and same thing - wps lock after 5 attempts.