
Thread: WPS Exploits - D-Link routers with the first six hexadecimal digits = C0:A0:BB:XX:XX

  1. #1
    Join Date
    2013-Jul
    Posts
    844

    WPS Exploits - D-Link routers with the first six hexadecimal digits = C0:A0:BB:XX:XX

    D-Link International routers having the first six hexadecimal digits = C0:A0:BB:XX:XX:XX appear to have a MAC blocking feature embedded in the router firmware, and other tricks.

    This feature does not lock the WPS system; it simply does not allow reaver to obtain data after repeated requests by reaver for WPS pins if the requests are made from the same MAC address. It then masks this by giving long EAPOL hangs or "no association" warnings and no harvesting of WPS pins. This will lead you to think it is a signal strength problem or a sticky router which will eventually clear. However, the minute you change the MAC code, normal WPS pin harvesting with reaver is restored for a short time, only to be shut down again.

    We have tested this router extensively with two computers, running varmacreaver1D.sh on one computer and reaver thru a command line in a terminal window on the second. We ran variable MAC code requests, then ran a series of single MAC requests. The variable requests, changing the MAC code every three minutes, harvested keys. The fixed MAC address test always ran normally for a period and then stopped responding, and no further results thru reaver were obtained.

    Next we ran two computers requesting pins at the same time. The variable MAC requests harvested pins continuously, while the fixed MAC code approach stopped after a short time when the router refused association with reaver, at the same time that the second computer, which was changing its MAC address every 3 minutes, continued to process key requests normally. We then changed the MAC address on the computer that was obtaining no real results and both computers harvested pins again normally.

    Further considerations

    1. If you request pins with no -r x:y considerations to slow the process while using the same MAC code, the following always occurred:

       1. Pins are received at a fast rate for a short period of time.
       2. Pin completion then suddenly jumps to 90% and then the router gave constant EAPOL hangs for many cycles, then incomplete responses.
       3. The router refuses to associate or just responds in a random manner until you change the MAC code.
       4. If you employ a MAC changing routine you can get the last 1000 pins out of the router, i.e. 90% to 99.99%, but it will simply hang at 99.99% and go no further.

    Therefore, when approaching this router, should you experience similar problems, try the following:

    1. Use varmacreaver1D.sh or any other MAC changing reaver program.
    2. Set it to random MAC change every 180 sec.
    3. Set the -r x:y at -r 2:15.

    If the key completion jumps right at the beginning of the attack to 90, you are being sent down a dead-end rabbit hole. Restart the attack at zero and slowly harvest the pins; do not try and force speed here.

    This is leading us to consider bully as a possible alternative.

    We have only introductory knowledge concerning bully, especially best settings and the brute force option, so any help or suggestions from readers would be appreciated.
    Last edited by mmusket33; 2014-04-19 at 10:32.

  2. #2
    Join Date
    2013-Aug
    Location
    Italy
    Posts
    65
    I have found this system to crack the pin when it arrives at 99.99 and goes no further.
    Code:
    # write a minimal wpa_supplicant config with a control socket enabled
    echo -e "ctrl_interface=/var/run/wpa_supplicant\nctrl_interface_group=0\nupdate_config=1\n\n" | tee /etc/wpa_supplicant.conf
    # append a network block for the ESSID (the passphrase here is only a placeholder)
    wpa_passphrase ESSID XXXXXXXX | tee -a /etc/wpa_supplicant.conf
    The ESSID of the network and the random password can be left as xxxx; it also works well on the new router.
    Code:
    # start wpa_supplicant in the background (-B) on wlan0 with the config above
    wpa_supplicant -D wext -i wlan0 -c /etc/wpa_supplicant.conf -B
    # check the supplicant state over the control socket
    wpa_cli status
    # start WPS registrar mode against the given BSSID with the given PIN
    wpa_cli wps_reg BSSID PIN
    # show the config (update_config=1 lets wpa_supplicant write credentials back to it)
    cat /etc/wpa_supplicant.conf
    and run reaver.
    I use the wicd network manager and this solution works, but I tested it on TP-Link, ADB and Technicolor routers.

    Source: Coltrix. I do not remember the site; when I remember, I will post the original source.
    Last edited by Devil_D; 2014-04-29 at 20:01.
    Est modus in rebus
    cd /usr/bin/bad

  3. #3
    Join Date
    2013-Jul
    Posts
    844
    Thanks Devil, we will run some tests and see how it works against this router.

  4. #4
    Join Date
    2013-Aug
    Location
    Italy
    Posts
    65
    It's nothing, it is a pleasure to help. I hope you add this system to your wonderful script.
