
Thread: Count the best (only) way against locked WPS.

  1. #1
    Join Date
    2016-Sep
    Posts
    28

    Count the best (only) way against locked WPS.

    I don't want to bother you with too many questions and requests for help.
    I've got this target; when I run vmr-mdk against it, I noticed that after 3 pins it locks (AP rate limit).
    I also noticed it's not changing the channel (it stays on 11).

    So I need 2 things:
    1. The best way to jam it (using Kali or BT5 R3).
    2. The best ways (that you know of) to reveal the pin (since vmr-mdk won't force it to reboot).

    Thank you.

    P.S.
    It's a Netgear router.
    Could it be that it's not breakable without anyone actually touching the router?

  2. #2
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    MDK3 has a deauth mode that may work for you. If you're mounting a WPS pin attack, I would think you would want to lock the channel to whatever the router is using. However, I've not used the vmr-mdk tool, so I can't speak to that specifically.

    There are some databases scattered around the internet which have several manufacturer pins; I'd check there first. You can also try the pixie dust attack using reaver.

  3. #3
    Join Date
    2016-Sep
    Posts
    28
    Quote Originally Posted by grid:
    MDK3 has a deauth mode that may work for you. If you're mounting a WPS pin attack, I would think you would want to lock the channel to whatever the router is using. However, I've not used the vmr-mdk tool, so I can't speak to that specifically.

    There are some databases scattered around the internet which have several manufacturer pins; I'd check there first. You can also try the pixie dust attack using reaver.
    Thank you for your reply.
    I found only 6-7 pins, that's it.
    If any of the friends knows a good pool of pins, it would be great.

    This is what I found:


  4. #4
    Join Date
    2014-Mar
    Posts
    163
    Some AP firmwares are protected against most of the attacks that the mdk tool does.
    If I were you, I would approach the situation differently.
    I only tested vmr-mdk 1 or 2 times some time ago.
    You should use reaver with a delay time between pin attempts; brute force will only block the AP again.
    You should start with a delay of 180s for each pin and see where it goes; if it blocks, then you should increase that value.
    Some APs block pin tries after 3 wrong attempts during a specific time frame.
    Eventually, when the AP blocks pin access, it will give access again after a period of time, which could be 3 minutes, 1 hour or 1 day, or it will only give pin access again when the user presses the WPS button on the router again.
    If you have already waited a long time and the router does not give access to WPS anymore, then you should try to jam that specific AP with aireplay-ng or wifijammer; this way the owner of the AP will eventually be forced to reboot the AP because he cannot establish a wifi connection to it, he will think that there is a problem with the device, and he will reboot it.
    Alternatively, you can make an identical AP with that name and use aireplay-ng to de-authenticate the client from the original router and force him to connect to yours.
    I think that vmr-mdk does that, but I am not sure.
    The Fluxion tool creates a rogue AP with the target name, forces the client to connect to its AP and then prompts the client to enter his wifi password on a webpage. However, Fluxion first needs you to capture the handshake; Fluxion then compares the wifi password the client entered on the web page with the handshake you have, to make sure you got the right password.
    Just in case you want to try:
    http://www.kitploit.com/2016/10/flux...d-without.html


    You should check if pixiewps can grab the pin .

  5. #5
    Join Date
    2013-Jul
    Posts
    844
    To Pedropt

    Your suggestion to count the length of time a WPS is locked can produce results. Set the -l option to 600, i.e. 10 minutes, run reaver and count the number of "AP locked" lines between pin collections.

    VMR-MDK was not designed to reset the router. MTeams found that in some cases a small amount of DDOS, usually 15 to 20 seconds, caused the router to leak more pins even though locked. We cover this in detail in the help file.

    VMR-MDK does not support rogueAP and WPA Phishing.

    Setting up a RogueAP with the same name etc. and then deauthing the clients will not work in the majority of cases. This is because any associated client already has a WPA key loaded into the WiFi management software. If you bump them off, then the client cannot connect to the RogueAP because the RogueAP is either Open or is exhibiting a WPA state thru airbase-ng setups, but there is no actual WPA key as airbase-ng does not actually support WPA encryption.

    The only way the client can connect to an Open RogueAP of the same name is to remove the WPA setup and then manually select to connect to the open RogueAP. We think this is a highly unlikely event. However, there is an alternative method covered in both musket versions of linset and pwnstar9, as outlined in the help files. This method does not require the client to remove the WPA WiFi setup to connect to the rogue.

    Fluxion requires a handshake so the program can test any WPA Phished thru the Rogue.


    MTeams
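    The lock behaviour pedropt and mmusket33 describe above (an AP that refuses further PIN exchanges after a few failures, then unlocks after minutes, hours, a day, or only on a button press) is the AP owner's side of the problem: the WPS registrar's rate limiter. The Python model below is an added example written for this page; it is not code from vmr-mdk, reaver or any other tool named in the thread, and the policy parameters are assumptions, not the behaviour of the VEGN2610 or any particular firmware. It shows what each policy choice buys the AP owner: how long online guessing of the 11,000 effective WPS PIN combinations is bounded to take under a given policy, and why a failure counter that expires with time weakens even a "locked until button press" policy.

```python
"""Model of an access point's WPS PIN lockout policy, seen from the AP owner's side.

Constructed example for this page; it is not code from vmr-mdk, reaver or any
other tool in the thread, and the policies below are assumptions, not the
behaviour of any particular firmware.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional

# Online search space of a WPS PIN: the Registrar confirms the first four
# digits (message M4) separately from the last three (M6), and the eighth digit
# is a checksum, so 10^4 + 10^3 wrong-PIN exchanges exhaust every possibility.
WPS_EFFECTIVE_PIN_SPACE = 10_000 + 1_000


@dataclass
class LockoutPolicy:
    max_failures: int          # failed PIN exchanges tolerated before locking
    window_s: float            # failures older than this no longer count (math.inf: never expire)
    lock_s: Optional[float]    # lock duration; None means "locked until the WPS button is pressed"


@dataclass
class LockoutState:
    failures: List[float] = field(default_factory=list)   # timestamps of counted failures
    locked_until: Optional[float] = None                  # None: open; math.inf: needs button press


def wps_attempt(state: LockoutState, policy: LockoutPolicy, now: float) -> str:
    """Process one wrong-PIN exchange attempted at time `now` (seconds).

    Returns 'locked' if the AP refused to run the exchange at all, or 'rejected'
    if it ran the exchange and rejected the PIN. Only a 'rejected' answer gives
    an attacker information, so it is the event the policy must ration.
    """
    # A timed lock that has expired opens the AP again and resets the counter.
    if state.locked_until is not None and now >= state.locked_until:
        state.locked_until = None
        state.failures.clear()
    if state.locked_until is not None:
        return "locked"
    # Drop failures that have fallen out of the counting window, then count this one.
    state.failures = [t for t in state.failures if now - t < policy.window_s]
    state.failures.append(now)
    if len(state.failures) >= policy.max_failures:
        state.locked_until = math.inf if policy.lock_s is None else now + policy.lock_s
    return "rejected"


def simulate(policy: LockoutPolicy, attempt_times: List[float]) -> List[str]:
    """Run a sequence of wrong-PIN attempts against a fresh AP state."""
    state = LockoutState()
    return [wps_attempt(state, policy, t) for t in attempt_times]


def worst_case_days_to_exhaust(policy: LockoutPolicy) -> float:
    """Upper bound on how quickly the whole PIN space can be answered under a policy.

    Two guessing patterns exist against this model and the bound takes the faster
    one: (a) trip the lock every cycle, yielding max_failures answers per lock_s;
    (b) stay one failure under the threshold so the counter keeps expiring,
    yielding (max_failures - 1) answers per window_s. The exchanges themselves
    are treated as instantaneous, so this is a floor on the protection offered.
    """
    rate_cycling = 0.0 if policy.lock_s is None else policy.max_failures / policy.lock_s
    rate_evading = (policy.max_failures - 1) / policy.window_s
    rate = max(rate_cycling, rate_evading)          # answered guesses per second
    if rate == 0:
        return math.inf                              # no online guessing path at all
    return WPS_EFFECTIVE_PIN_SPACE / (rate * 86400)


if __name__ == "__main__":
    # The unlock periods pedropt lists (3 minutes, 1 hour, 1 day, button press),
    # with the counter window set equal to the lock so pattern (b) does not dominate.
    for name, pol in [
        ("3 min timed unlock", LockoutPolicy(3, 180, 180)),
        ("1 hour timed unlock", LockoutPolicy(3, 3600, 3600)),
        ("1 day timed unlock", LockoutPolicy(3, 86400, 86400)),
        ("button press, expiring counter", LockoutPolicy(3, 60, None)),
        ("button press, counter never expires", LockoutPolicy(3, math.inf, None)),
    ]:
        print(f"{name:38s} {worst_case_days_to_exhaust(pol):10.1f} days")
```

    Under these constructed policies a three-minute timed unlock bounds the online search to a few days at worst, a one-hour unlock to about five months, and only a counter that never expires combined with a manual unlock removes the online path entirely; a "button press" policy whose counter resets after a minute is no stronger than the three-minute one. The model ignores the time the exchanges themselves take and any deauth or jamming around them, so it is a floor on protection, not an estimate of real attack time.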

  6. #6
    Join Date
    2014-Mar
    Posts
    163
    Quote Originally Posted by mmusket33:
    VMR-MDK was not designed to reset the router. MTeams found that in some cases a small amount of DDOS, usually 15 to 20 seconds, caused the router to leak more pins even though locked. We cover this in detail in the help file.
    Interesting point, I have never tried it.

    Quote Originally Posted by mmusket33:
    Setting up a RogueAP with the same name etc. and then deauthing the clients will not work in the majority of cases. This is because any associated client already has a WPA key loaded into the WiFi management software. If you bump them off, then the client cannot connect to the RogueAP because the RogueAP is either Open or is exhibiting a WPA state thru airbase-ng setups, but there is no actual WPA key as airbase-ng does not actually support WPA encryption.
    Another interesting point that I was not fully aware of, thanks for the explanation.

    mmusket33:
    Did you guys try this?:
    - Check if a client is connected to the AP
    - Change the MAC address of the wifi card to the same MAC as the connected client
    - Start the WPS attack.

    What is the response of the router?
    Last edited by pedropt; 2016-10-09 at 21:47.

  7. #7
    Join Date
    2013-Jul
    Posts
    844
    To pedropt

    Thanks for the idea we will run some tests over the next few weeks and see what occurs. If anything interesting we will inform you.

    Musket Teams

  8. #8
    Join Date
    2016-Sep
    Posts
    28
    Quote Originally Posted by mmusket33:
    To pedropt

    Thanks for the idea we will run some tests over the next few weeks and see what occurs. If anything interesting we will inform you.

    Musket Teams
    Wow, that's a lot of info.
    One logical step I thought of was the delay between the pins.
    Yes, my AP is locking after 3 pins.

    Can you guys write the delay command please?
    If it helps, it's a Netgear router.
    WPS Model: VEGN2610
    WPS Model Num': VEGN2610
    Access Point Serial num': 3700

    -----------------------

    I will try today to change my MAC to be the same as the AP.

    QUESTION:
    Can I use "wifite" as a reliable tool for checking if the AP is connected to the Internet?

    Thank you guys.. you are the best!
    And thanks for your patience.

  9. #9
    Join Date
    2013-Jul
    Posts
    844
    To 1stcowgirl

    MTeam is unsure what you mean in your delay between pins question. You can set the attempt to collect pins thru the -r command in reaver.

    If you spoof your mac address thru macchanger then make sure you add that spoofed mac address to the reaver command line thru the --pin= command. Otherwise reaver may only extract the WPS pin not the WPA key.

    We have no experience with wifite and cannot comment.

    MTeams
    Last edited by mmusket33; 2016-10-15 at 09:13.

  10. #10
    Join Date
    2016-Sep
    Posts
    28
    Quote Originally Posted by mmusket33:
    To 1stcowgirl

    MTeam is unsure what you mean in your delay between pins question. You can set the attempt to collect pins thru the -r command in reaver.

    If you spoof your mac address thru macchanger then make sure you add that spoofed mac address to the reaver command line thru the --pin= command. Otherwise reaver may only extract the WPS pin not the WPA key.

    MTeams

    Quote Originally Posted by pedropt:
    mmusket33:
    Did you guys try this?:
    - Check if a client is connected to the AP
    - Change the MAC address of the wifi card to the same MAC as the connected client
    - Start the WPS attack.

    What is the response of the router?

    Changing my MAC to the target MAC results in the same lock.

    OOPS, SORRY.
    THE CLIENT WAS NOT CONNECTED!!!!

    (I'm guessing it's very important for this test that he is connected... hmm, will try again and update.)
    So the above is when the client is not connected.
    Last edited by 1stcowgirl; 2016-10-26 at 16:57.

  11. #11
    Join Date
    2014-Mar
    Posts
    163
    When I wrote this:
    Did you guys try this?:
    - Check if a client is connected to the AP
    - Change the MAC address of the wifi card to the same MAC as the connected client
    - Start the WPS attack.
    I meant changing the MAC address of your wifi card to the same MAC address as someone already connected to that network, and not changing the MAC address to the victim router's MAC.

    Anyway, it does not mean that it will work in every circumstance.
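    pedropt's test idea (reuse the MAC of a station that is already associated, then start a WPS exchange) looks different from the AP owner's side: a MAC that already holds a WPA session has no reason to start enrolling as a WPS Enrollee. The script below is an added example for this page, written from the detection side; it is not code from any tool in the thread. The event log format and the sample lines are constructed for the example (real APs such as hostapd emit their own formats, so the parser would need adapting), and the thresholds are assumptions. It raises one alert when a station fails three PIN exchanges inside a minute, the condition that locks the AP in the first post, and another when a WPS exchange comes from a MAC that is currently associated.

```python
"""Flag suspicious WPS PIN activity in an access point's event log (defender view).

Constructed example for this page, not code from any tool in the thread. The log
format below is made up for the example; adapt LINE_RE to your AP's logging.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed format: "<ISO timestamp> <EVENT> sta=<mac>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>ASSOC|DISASSOC|WPS-FAIL|WPS-SUCCESS) "
    r"sta=(?P<sta>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)

# Constructed sample: one legitimate client associates, an unknown station runs
# four failed PIN exchanges in a few seconds, and then a PIN exchange arrives
# from the MAC of the client that is still associated.
SAMPLE_LOG = """\
2016-10-26T16:40:01 ASSOC sta=aa:bb:cc:dd:ee:01
2016-10-26T16:41:10 WPS-FAIL sta=02:11:22:33:44:55
2016-10-26T16:41:12 WPS-FAIL sta=02:11:22:33:44:55
2016-10-26T16:41:14 WPS-FAIL sta=02:11:22:33:44:55
2016-10-26T16:41:16 WPS-FAIL sta=02:11:22:33:44:55
2016-10-26T16:45:00 WPS-FAIL sta=aa:bb:cc:dd:ee:01
2016-10-26T16:50:00 DISASSOC sta=aa:bb:cc:dd:ee:01
2016-10-26T16:51:00 WPS-SUCCESS sta=aa:bb:cc:dd:ee:01
"""

Alert = Tuple[str, str, str]   # (timestamp, rule name, station MAC)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    """Return (raw timestamp, parsed timestamp, event, sta), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], datetime.fromisoformat(m["ts"]), m["event"], m["sta"].lower()


def analyze(log_text: str, max_failures: int = 3, window_s: int = 60) -> List[Alert]:
    """Walk the log once, tracking who is associated and recent PIN failures per station."""
    associated: set = set()
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw_ts, ts, event, sta = rec
        if event == "ASSOC":
            associated.add(sta)
        elif event == "DISASSOC":
            associated.discard(sta)
        else:  # WPS-FAIL or WPS-SUCCESS: somebody ran a PIN exchange
            # Rule 1: an already-associated station re-enrolling via WPS is out of
            # place; it matches the "reuse a connected client's MAC" scenario.
            if sta in associated:
                alerts.append((raw_ts, "wps_from_associated_sta", sta))
            if event == "WPS-FAIL":
                # Rule 2: sliding window of failures per station; alert once when
                # the count reaches the lock threshold.
                recent = failures[sta]
                recent.append(ts)
                while recent and (ts - recent[0]).total_seconds() > window_s:
                    recent.popleft()
                if len(recent) == max_failures:
                    alerts.append((raw_ts, "wps_pin_bruteforce", sta))
    return alerts


if __name__ == "__main__":
    for when, rule, sta in analyze(SAMPLE_LOG):
        print(f"{when}  {rule:26s} {sta}")
```

    The second rule fires once per burst rather than on every failure. The caveat on the first rule is that a client that forgets its saved profile and genuinely re-runs WPS while a stale association lingers would trigger it too, so treat it as a lead to correlate with the failure count, not as proof that a MAC is being reused.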
