WPS Exploits - D-Link routers with the first six hexadecimal digits = C0:A0:BB:XX:XX

2014-04-19, 10:23
D-Link International routers having the first six hexadecimal digits = C0:A0:BB:XX:XX:XX appear to have a MAC blocking feature embedded in the router firmware, and other tricks.

This feature does not lock the WPS system; it simply does not allow reaver to obtain data after repeated requests by reaver for WPS pins if the requests are made from the same MAC address. It then masks this by giving long EAPOL hangs or "no association" warnings and no harvesting of WPS pins. This will lead you to think it is a signal strength problem or a sticky router which will eventually clear. However, the minute you change the MAC address, normal WPS pin harvesting with reaver is restored for a short time, only to be shut down again.

We have tested this router extensively with two computers, running varmacreaver1D.sh on one computer and reaver through a command line in a terminal window on the second. We ran variable MAC address requests, then ran a series of single MAC requests. The variable requests, changing the MAC address every three minutes, harvested keys. The fixed MAC address test always ran normally for a period and then stopped responding, and no further results through reaver were obtained.

Next we ran two computers requesting pins at the same time. The variable MAC requests harvested pins continuously, while the fixed MAC address approach stopped after a short time when the router refused association with reaver, at the same time that the second computer, which was changing its MAC address every 3 minutes, continued to process key requests normally. We then changed the MAC address on the computer that was obtaining no real results and both computers harvested pins again normally.

Further considerations

1. If you request pins with no -r x:y considerations to slow the process while using the same MAC address, the following always occurred.

1. Pins are received at a fast rate for a short period of time.
2. Pin completion then suddenly jumps to 90%, and then the router gave constant EAPOL hangs for many cycles, then incomplete responses.
3. The router refuses to associate or just responds in a random manner until you change the MAC address.
4. If you employ a MAC changing routine you can get the last 1000 pins out of the router, i.e. 90% to 99.99%, but it will simply hang at 99.99% and go no further.

Therefore when approaching this router, should you experience similar problems try the following:

1. Use varmacreaver1D.sh or any other MAC changing reaver program.
2. Set it to a random MAC change every 180 sec.
3. Set the -r x:y to -r 2:15.

If the key completion jumps right at the beginning of the attack to 90%, you are being sent down a dead end rabbit hole. Restart the attack at zero and slowly harvest the pins; do not try to force speed here.

This is leading us to consider bully as a possible alternative.
We have only introductory knowledge concerning bully, especially the best settings and the brute force option, so any help or suggestions from readers would be appreciated.

2014-04-29, 19:50
I have found this system to crack the pin when it arrives at 99.99 and goes no further:

echo -e "ctrl_interface=/var/run/wpa_supplicant\nctrl_interface_group=0\nupdate_config=1\n\n" | tee /etc/wpa_supplicant.conf
wpa_passphrase ESSID XXXXXXXX | tee -a /etc/wpa_supplicant.conf
The ESSID of the network and the random password can be left as xxxx; this also works well on the new router.

wpa_supplicant -D wext -i wlan0 -c /etc/wpa_supplicant.conf -B
wpa_cli status
wpa_cli wps_reg BSSID PIN
cat /etc/wpa_supplicant.conf
and run reaver.
I use the wicd network manager and this solution works, but I tested it on TP-Link, ADB and Technicolor routers.

Source: Coltrix. I do not remember the site; when I remember, I will post the original source.

2014-04-30, 04:32
Thanks Devil, we will run some tests and see how it works against this router.

2014-06-09, 17:36
It is nothing, it is a pleasure to help. I hope you add this system to your wonderful script :)